I keep reading articles like this: Security – One of The Key Reasons to Migrate to Windows Vista (another article in this category, for example, breaks down the MS Malicious Software Removal Tool statistics by version of Windows to conclude the same thing).
The problem with these? They fail to account for the fact that the biggest reason nobody is attacking Vista is that it is still rare. You could get the same (and even better) results from this point of view with Linux, MacOS, etc. Of the things listed under “Defend Against Malware”, only UAC and ASLR (and IE7 Protected Mode) are really new.
ASLR only mitigates exploits, not malware per se. And UAC is one of those technologies which will quickly become ineffective (and of course it’s not a security feature). The reasons why it becomes ineffective are twofold. The first is social: people will learn to just click ok/accept. The second is that malware writers will learn not to touch areas which trigger UAC. You can still do a lot of damage, even when running with reduced privileges (you have access, for example, to all of the user’s data).
BTW, this isn’t the first time I’ve heard misinformation from Microsoft representatives. Just last week I listened to an interview with a MS UK IT evangelist where she said something like: “I cleaned up the computer with an Anti-Spyware program and then used an AV to clean up viruses”, which leads me to believe that she doesn’t understand that spyware is just malware and almost all current “AV” products can handle both. This is worrying because it doesn’t seem to be intentional (so it is a lack of competence, which makes you question any other information you get from her).
To get back to Vista’s security features: let’s suppose that MS somehow manages to write perfect, bug-free code. Does this mean that we solved the computer security problem? Far from it!
For one, there are a lot of very popular software packages out there with vulnerabilities (think Adobe, Flash, etc). These are present on 80%+ of Windows PCs, which still makes them a great target for malware writers. You can check out the top used applications from Wakoopa to get an idea (although that is a somewhat biased sample – for example, I don’t think that Google Chrome is the 4th most used application among the general population).
Finally, a growing problem – which currently nobody seems to address – is the vulnerability of data stored on public servers (I’m talking here about things like Webmail, Social networking, etc). You can have the world’s most secure computer system and still lose control of your data stored online if the third party service has vulnerabilities (although arguably the world’s most secure computer wouldn’t run browsers :-)).
To sum up, I think three trends will appear in the following year or so which will make it apparent that Vista is no security silver bullet:
- “Vista compatible” malware
- Malware targeted at popular software
- We will see more and more “web-based” problems
Of course the biggest problem is the human element, which no technology can fix…