Microsoft's interim verdict on Vista security: everything's great
Microsoft has reiterated its claim that Vista is the most secure version of Windows it has ever released. One year out, the company says the security of Vista is much better than that of XP. Among the many reasons cited for this is the introduction of User Account Control (UAC), which lets users work without administrator rights without constantly running into restrictions. If administrator rights are required, Windows asks the user for confirmation. This is supposed to prevent malware from entering the system.
Because of UAC, Microsoft says it was able to classify twelve of the 23 security updates for Vista issued in the last twelve months as being of minor importance because, in the event of a break-in, malicious code would not have been able to run with admin rights. Microsoft surveys indicate a sixty per cent reduction in malware infections compared with XP.
Internet Explorer 7's Protected mode is reckoned to have successfully prevented even more security problems. The phishing filter, says the firm, is at the moment blocking more than a million phishing attacks a week on browser users. But things don't look quite so rosy with the Extended Validation SSL (EV SSL) Certificates that turn the browser location bar green to indicate that a page is particularly trustworthy: a year on, only 3500 providers are using them. So far Internet Explorer 7 is the only browser to support them, but it is likely Firefox will use EV SSL Certificates in Version 3.
The number of patches also appears to confirm that Vista is more secure and that Microsoft's introduction of the Security Development Lifecycle is bearing fruit. There were only fourteen updates to plug critical holes in Vista over the last twelve months, whereas 23 were issued for XP SP2. And only 36 vulnerabilities were disclosed for Vista in any case, about half as many as XP SP2's 68.
Despite the obvious security advantages, Vista doesn't appear to be gaining as much acceptance as Microsoft would like. High hardware requirements are blamed for deterring many users from purchasing it. On the fringe of the Blue Hat Microsoft Hackers Conference in December 2007, independent security specialist Thomas Dullien noted that security is hard to sell because users can't measure it. He said that Vista was the most difficult mainstream operating system to crack that he had yet seen. That would make it unattractive to criminals, he reckoned, for reasons of cost. Dullien says if he were a member of the nasty fraternity, he would hope Vista would flop as an operating system, because it's got a number of things right.
- Windows Vista Security One Year Later, blog entry by Austin Wilson
- Windows Vista One Year Vulnerability Report, analysis by Jeff Jones