Harry
03-01-2007, 06:14 PM
Vista, pegged by Windows as their most secure operating system yet, has been under the scrutiny of many in the security industry even before it hit the market.
Only a month after its commercial release, researchers are raising specific concerns about the new operating system's security.
On the heels of Microsoft's latest Patch Tuesday, which included the first fix that will involve Vista (a critical flaw in the Microsoft Malware Protection Engine that affects the Windows Defender security package), new security holes are now being questioned.
According to reports, Security Researcher Joanna Rutkowska claims to have found a "gaping hole" in Vista's User Account Control (UAC) security functionality.
As one of its security features, Vista runs in a normal user account by default and pops up dialogue boxes before it performs administrative functions, like modifying system files. The concern raised is over the Vista assumption that all application installers should be run with administrative privileges.
When users attempt to install a new program, they must choose to give the installer complete system privileges or not run the program; when an installer is run as administrator, it has access to the file system and registry. Rutkowska has pointed out several security problems this opens up.
A blog response from a Microsoft security manager stated that accommodations had been made to consider both security and usability in Vista, and that it was not a matter of "security bugs."
Rutkowska does not seem to believe that explanation answers the security questions that have been brought up. "If Microsoft won't change their attitude soon, then in a couple of months the security of Vista (from the typical malware's point of view) will be equal to the security of current XP systems (which means, not too impressive)," a statement on her blog said.
The trend of malware writers to target widely used Microsoft applications and services could mean more threats are in store in Vista's future as more and more users switch to the operating system.
"Malware authors continue to find unknown or unpatched vulnerabilities in popular applications and services which are then used in zero-day attacks," Dave Marcus, security researcher and communications manager at McAfee, told vnunet.com.
This tendency highlights the need to use third-party software as an additional security measure in place to protect yourself from malware. In order to support your need to control what products secure your computer and protect your privacy, Lavasoft has made sure that Ad-Aware 2007 will be Vista compatible and Vista certified.