By BRIAN BERGSTEIN, AP Technology Writer
Microsoft Corp. took great pains to improve security in its newly
released computer operating system, Windows Vista, redesigning it to
reduce users' exposure to destructive programs from the Internet.
Outside researchers commend the retooled approach -- yet they also
say the changes won't make online life much safer than it is now.
Why not? Partly because of security progress that Microsoft already
had made in its last operating system, Windows XP. Also because a
complex product like Vista is bound to have holes yet to be
discovered. And mainly because of the rapidly changing nature of
online threats.
Sure, Microsoft appears to have fixed the glitches that used to make
it easy for viruses, worms and other problems to wreck PCs. But other
avenues for attack are always evolving.
"Microsoft has made the core of the operating system more secure, but
they've really solved, by and large, yesterday's problems," said
Oliver Friedrichs, director of emerging technologies at antivirus
vendor Symantec Corp.
That claim would not please Microsoft, which touts Vista's improved
security as a big reason why companies and consumers will want to
upgrade to the new operating system.
In fact, Microsoft's effort to tighten security in Vista was one
reason the software was delayed past the crucial holiday shopping
season. It's now available for businesses and will be available to
consumers Jan. 30.
"It is an incremental improvement -- it is a reasonably large
increment," said Jon Callas, chief technology officer at PGP Corp., a
maker of encryption software. "I don't think it's a game-changer."
Some of Vista's security enhancements require computers with the
latest microprocessors -- which are known as 64-bit chips, in
reference to how much data they process at once. That won't improve
things on today's standard 32-bit computers, which will stick around
for a long time.
However, most of the improvements are available in all editions of
Vista, including a stronger firewall and a built-in program known as
Defender that alerts users if Vista believes spyware is being
installed.
"Windows is going to talk to you a lot more and make sure you're a lot
more aware of what you're doing," said Adrien Robinson, a director in
Windows' security technology unit. "It's going to help consumers be
more savvy."
One of Vista's biggest changes is more control over computer management.
With previous versions of Windows, users were given by default great
control over the computer's settings -- a situation that opened the door
to nefarious manipulation by outsiders. In Vista, users are prompted to
supply a password when they make significant changes -- a security
feature long available on Apple Computer Inc.'s Macintosh and computers
running the Linux operating system.
At the same time, the software gives corporate PC administrators new
security powers, such as the ability to turn off the USB ports that
employees might use to remove data or bring in troublesome programs on
flash drives. (Some network administrators had told Microsoft they
were so desperate to stop that practice that they were filling the PC
ports with glue.)
Even with all the changes, Vista does not promise a total cure for
security headaches. Microsoft, after all, is also selling security
add-ons, competing more directly with antivirus companies than in the
past.
"Rather than having all the doors unlocked, you now have locks on the
doors. It doesn't mean it's a silver bullet," Robinson said. "If they
really wanted to get in, they could get through. They could throw a
rock through the window. But it's harder. Our goal is to make it
harder, to raise the bar."
Still, when Vista for businesses was launched in New York on Nov. 30,
Microsoft CEO Steve Ballmer promised a "dramatic" drop in "the number
of vulnerabilities that ever present themselves."
If so, that would spare Microsoft from a repeat of the embarrassing
series of "critical" security patches it had to release for the
previous operating system.
But it might not mean much against many threats Web surfers face
today.
For one thing, the kinds of large-scale, automated worms that Vista
purportedly will hinder have been waning anyway, according to security
analysts. Symantec's Friedrichs said 2006 hasn't seen any worms as
prevalent as the kinds that caused widely publicized PC outages
several years ago, with names like Slammer and Blaster.
That's partly because of enhancements Microsoft already made in
Service Pack 2, a huge set of patches for Windows XP that were
released in 2004.
"If you're looking at two versions, XP Service Pack 2 versus Vista,
I'm going to say to the average user they're both going to offer them
good security," said Michael Cherry, an analyst at Directions on
Microsoft. "Is Vista better? I don't know if it's that substantially
better."
Security experts say malicious hackers have largely moved away from
outage-causing attacks, motivated by publicity or pride, in favor of
more targeted and lucrative thefts of users' data. Those attacks tend
to exploit flaws in Web applications or employ "social engineering"
-- such as tricking people with phony e-mails into giving up
passwords.
"From that perspective, Vista is a non-event," said John McCormack, a
senior vice president at security vendor Websense Inc.
To its credit, Microsoft is fighting such "phishing" attacks by
configuring its new Internet Explorer 7 Web browser to alert users if
they're visiting a dicey-seeming Web site. Internet Explorer 7 is
already available for free download.
But IE7's phish-catching method alone is limited: It is based on a
"black list" of sites known to be up to no good. Outside security
experts say that will not stop the increasingly savvy attackers who
constantly morph their tactics, sometimes every few hours.
For example, Websense recently tracked a phishing attack that mimicked
a customer service message from Amazon.com. It passed through most
spam filters, and the phony Web site to which it directed victims
changed throughout the day. For at least the first few days, IE7
hadn't caught up to block it, McCormack said.
Perhaps one indication that security in the Vista era will be better
but far from perfect came in recent research by Sophos PLC.
The security software company determined that three of the 10 most
prevalent malicious worms circulating on the Internet in November were
able to run on Vista.
Impressively, the e-mail program that comes with Vista -- Windows
Mail, formerly called Outlook Express -- successfully found and
blocked the malware. But Web-based e-mail services let it through,
said Sophos security analyst Ron O'Brien.
For O'Brien, that finding showed that while Microsoft's efforts to
upgrade computer security are praiseworthy, there's only so much the
company can do. Not only are Microsoft's hands tied when it comes to
the security of third-party applications, but the company also is
limited in what it can do with its own software.
For example, McCormack said Microsoft might have done more to prevent
criminals from surreptitiously placing keystroke-monitoring programs
on computers to steal data. But the fix likely would have shut out
legitimate programs as well, such as those that let people operate
their PCs remotely.
"You have to find this happy medium between usability and security,"
McCormack said.
Of course, with Vista on a tiny fraction of desktops today, it's way
too early to assess how much hackers can mess with it.
"I don't know how long Microsoft is going to be able to claim the
streets are safe before a criminal decides to challenge that opinion,"
O'Brien said. "That's going to just be a matter of time."
On the Net:
Microsoft's page on Vista security:
http://www.microsoft.com/security/windowsvista/default.mspx
Copyright 2006 The Associated Press.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. And, discuss this and other topics in our forum at
http://telecom-digest.org/forum (or)
http://telecom-digest.org/chat/index.html
For more news and headlines each day, please go to:
http://telecom-digest.org/td-extra/AP.html
Brian Bergstein, AP (ap@telecom-digest.org)