“On November 30, Sophos issued its monthly report on the top ten threats reported to them in November of 2006. As a part of this, Sophos also studied Vista’s vulnerability to these malware threats. I found the information and press discussion confusing, so I thought I would clarify what this really means for customers. In order to understand what was really going on here, I asked the team to go look at the technical facts behind the story, and that started in the lab. We began by observing first-hand how these various forms of malware affect a Vista system using a machine that was configured with the default settings and without any additional security software. What we found was that if you are using only the software in Vista (e.g., Windows Mail and no add-on security software), then you are immune to all ten of the malware threats that Sophos cited.”
Sure, Vista is Windows, and Microsoft has enough history of holes that it seems likely sooner or later there will be exploits for malware… but maybe, just maybe, if you don’t use another browser or other web software not included with the OS, you may be quite safe (note I didn’t say “perfectly”) within the limits of your knowledge of “Don’t DO that!” which seems all too rare, due to people’s impatience, curiosity, and willingness to be manipulated by social engineering.
Remember, for any system, the weakest point tends to be between the chair and the keyboard!
For those too lazy or too bored to read the full text, here’s the abridged version:
“If you get all your software from Microsoft, you will be safe. Hell, it may even be cheaper for you, since you may not need anti-virus software.
And you can get a firewall elsewhere, but we do give one away for free. Just so you know”.
Yes, that’s the subtext of that “blog”.
Strategy: Product bundling and using a monopoly in one area to extend your presence to every corner of the software market till you are the only company left standing.
I pity companies that have decided to bet their livelihood on Windows exclusively. While its market presence is huge, I think cross-platform apps (Qt, wxwidgets or web-based ones) are a surer bet for anyone trying to make a living in the software world. You know, just in case, Microsoft decides to assimilate your functional area into its next service pack.
Edited 2006-12-20 21:31
If this were AnOtherCompany, many here would be applauding this strategy for their efforts to control all elements of the user experience, and deliver an end to end integrated solution.
We would hear a chorus of people saying approvingly, they are after all in the business of providing complete solutions. They are not just an OS house…
Minus the hardware of course, which they, unlike AnOtherCompany, do not control….
Need to be intellectually consistent about integration and the end to end solution. If it’s a good thing in general, it’s good for MS to integrate OS and applications. And it’s good for Apple to integrate iTunes and OSX, and Pages and OSX, and OSX and Apple hardware.
If it’s not a good thing, all these things are bad, and equally bad.
In terms of logical consistency, you do have a point and you make a decent argument.
In legal terms, however, your point is without merit. There are certain constraints that come with owning a very large portion of the market. It is the role of the government to make sure that there is healthy competition so that a vibrant marketplace remains indeed vibrant. Many of us believe that the quality of Microsoft products leaves much to be desired and that they have been able to afford to produce substandard products because Microsoft had total certainty about its ability to dominate complete segments of the software world.
Hell, the only remaining proprietary company of any import, emphasis on the word proprietary, which is trying to produce and sell a desktop solution, Apple, is one that Microsoft was forced to salvage in the late 1990s to avoid being sanctioned by the Justice Dept.
I am talking about the Justice Dept. of the Clinton era that actually seemed to care a bit about illegal monopolies.
Need to be intellectually consistent about integration and the end to end solution. If it’s a good thing in general, it’s good for MS to integrate OS and applications. And it’s good for Apple to integrate iTunes and OSX, and Pages and OSX, and OSX and Apple hardware.
I call oversimplification and false dichotomy. The MS pattern is one of putting out a product, waiting for people to develop on it, seeing what’s successful, and then taking over that market. (WordPerfect, anyone?) With Windows Media, for example, they were further able to hoist the Internet away from people using non-MS-approved platforms with the promise of a media format that wouldn’t require end users to install anything. They supported WMP for Mac for a while, then they didn’t for a while, and now that a third party’s made a codec for Quicktime to play it, WMV is actually a better experience on a Mac than it is on Windows… unless it’s DRMed, in which case, it won’t play at all, anywhere, ever, unless you have Windows.
I’d be the first to agree that Apple would behave the same way if they were in first place, but I’d also be cheering on the lawyers trying to get them to be more cooperative. And it’s not just the industry on the whole where Microsoft integration is a problem, but also for the individual user’s computer. Go ahead. Delete Windows Movie Maker. See what happens. I’ll tell you what happens: it springs right back into existence. If you uncheck it in add/remove programs? Deletes a shortcut. Same with Outlook Express or IE. You CAN NOT GET RID of Microsoft-supplied programs without going to someone else for a hack. If I wanted completely to purge Quicktime from my Mac, I’d just delete the .app, then go into Library, authenticate, and clear out some extensions. I’d be missing Quicktime functionality, which I wouldn’t like, but the system would still boot and work and it would never tell me I’m not allowed to do something perfectly within reason. Seamless integration is fine and dandy as a user experience concern and even as a competitive advantage, but when it comes in a form that interferes with choice, it’s gotta go.
you have it almost correct.
it does not matter if you are using a different browser or not though.
vista has too many “are you sure” dialogues for everything.
users will get bored after a few hundred pop-ups like this and start blindly clicking ok on everything.
security is then hosed.
Problem with XP or Windows in general the user account of administrator was the biggest problem of all because users used it as default. Then anything under the sun can install and the whole system becomes clogged up like welfare line on handout day.
In Linux you are a regular user, installing software using root (su - root) and so on. Why can’t Windows use a similar system instead of all of the prompt boxes all over creation?
Edited 2006-12-20 22:18
“In Linux you are a regular user, installing software using root (su - root) and so on. Why can’t Windows use a similar system instead of all of the prompt boxes all over creation?”
Actually that is the same. I find no difference between those dialogs or the constant password prompts in Linux. The dialogs in windows are only there when you are installing software, or attempting to run a system tool. people make it sound like it comes up every 5 minutes, when in fact after about 3 days of use it stops because you have installed all your software and have the machine configured to your liking.
Yup. This complaint is usually made by the sort of people who actually spend 90% of their time fiddling with their systems and 10% actually doing real work with it.
Most users will spend a day or so having to deal with it, then that’ll be the last they see of it.
Yup. This complaint is usually made by the sort of people who actually spend 90% of their time fiddling with their systems and 10% actually doing real work with it.
You’re talking to OSAlert. There’s a pretty good chance that any given reader’s work is fiddling with the system. Systems testing can be just as legitimate an occupation as data entry, I assure you — not that even that’s narrow enough in scope to avoid the spam completely.
Vista does, and actually so does XP, win2k3, win2k and NT. It was sabotaged by the fact that by default, new accounts were created as admin at setup, and so app developers never had any incentive to write their apps so they didn’t need admin access to function. I run as a normal user in XP, and it is always a real pain in the ass to get everything working, because a lot of apps write to the wrong place in the registry (hkey_local_machine) or to program files instead of documents and settings. The added peace of mind is worth it, however, at least I think so.
Sure, Vista is Windows, and Microsoft has enough history of holes that it seems likely sooner or later there will be exploits for malware… but maybe, just maybe, if you don’t use another browser or other web software not included with the OS, you may be quite safe
If that’s the case, I’m sure the ABM’ers won’t be happy about it. They’ll hafta find another reason to bitch, and I’m sure they will find something. But not hearing the constant rants about ‘Windows is insecure’ from the anti-MS crowd would be a refreshing change
Well it’s hard not to be a little skeptical when XP was proclaimed to be the most secure Windows ever when it first came out.
Here’s the problem. Big OS’s are hard to secure. Windows is extremely big and complicated but they have tons of $$$ to work on problems. Linux is also now big and complicated with all kinds of different configurations. But they have lots of bug fixers because it is open source. So it’s not so simple to say one OS is necessarily more secure or less secure than the other.
Well it’s hard not to be a little skeptical when XP was proclaimed to be the most secure Windows ever when it first came out.
This statement seems to get trotted out pretty regularly, and it doesn’t actually make any sense.
When Windows2000 came out, it was the most secure Windows ever. Then they made improvements to security for XP, so that became the most secure Windows ever. Then they overhauled the OS for Vista, so now this is the most secure Windows ever.
Basically, they improve security with each release; the new release is more secure than the last.
When a car manufacturer brings out a new car and says this is our best model ever; no-one says ‘well you said last year’s model was the best ever. So why should we believe you?’
Why? Because in an industry where you improve or go under, the statement makes no sense.
…. and I’ve posted this under the wrong message!
Sorry!
Edited 2006-12-21 05:37
coming from windowsvistablog I do not feel assured that there was not a tiny bit of one-sidedness …
read the fine print
this has been a paid advertisement
The problem with IE7 is that you cannot turn off the security alerts, and you cannot turn off the security settings. It is taking the control out of the user’s hands and forcing you to follow in a line. Exploits will be written to bypass all of these new features, still yet it would be nice if they allowed the option to turn this off. Since I have been using Linux since 1999, I have seen it mature but it still has its drawbacks.
Vista will be rolled out, it will become the main operating system for the general public and business world.
What we found was that if you are using only the software in Vista (e.g., Windows Mail and no add-on security software), then you are immune to all ten of the malware threats that Sophos cited.”
Never take your PC out of the box – also keeps you immune.
And who will believe MS that this protection will work? Probably there will be more funny screenshots on the net showing that this protection is blocking something totally different than it should.
Anytime that I read such things like in that article I like to recall these three two-word jokes:
windows server
secure windows
microsoft works
What do You want to Spyware today?
“What we found was that if you are using only the software in Vista (e.g., Windows Mail and no add-on security software), then you are immune to all ten of the malware threats that Sophos cited.”
Same goes for my Mac.
But this is good news. I know some actually *want* Vista to be insecure (I’ve even seen posts here and elsewhere saying, “I can’t wait for all the Vista malware that will be released the first week of its release!!”), but reasonable people want all OSes to be as secure as possible.
Indeed. I’m a Linux enthusiast, but since I’m often called on to fix Windows computers of friends and family members I can’t wait for better spyware protection (as most of the boxes I have to clean are infected by it these days).
Also, it’s nice to see Windows coming to par with *nix security – though I do think it’s too soon to tell yet. We’ll talk in six months. Proclaiming victory over the spyware makers at this time is a bit premature…
It’s always kinda funny to see how much Windows advocates insist on MS’s renewed security efforts each time a new version of the OS comes out. I always see this as a tacit admission that the security record was less than stellar in the previous one.
I’m certain Vista won’t be as bad as WinXP, though. That’d be hard to beat, after all it only takes minutes for an XP machine (without service packs) to be hacked when connected directly to the Internet. I know MS have learned a lesson from this, but I also know that spyware and malware makers are a smart bunch as well (if despicable).
In other words, I also think (and hope) that Vista will be a lot more secure…but I’ve also learned to always take Microsoft’s security initiatives with a grain of salt…
That’d be hard to beat, after all it only takes minutes for an XP machine (without service packs) to be hacked when connected directly to the Internet.
It only takes minutes for unpatched Linux’2001 distro to be hacked when connected directly to the Internet. So your point is?…
It only takes minutes for unpatched Linux’2001 distro to be hacked when connected directly to the Internet. So your point is?…
Actually, the last honeynet report I saw said it took about 5 to 10 minutes for an unprotected WinXP machine to get compromised. The fastest case was just a few seconds.
On the average, Linux distros from the same time period took over two hours before being hacked (when they were – only part of them actually got compromised), with the fastest one being at around 15 minutes. We’re talking about more than an order of magnitude in difference.
Come on, now, we can all agree that Vista is going to be more secure, but you’ll have to admit that WinXP pre-SP was a clear embarrassment to MS as far as security was concerned.
Actually, the last honeynet report I saw said it took about 5 to 10 minutes for an unprotected WinXP machine to get compromised. The fastest case was just a few seconds.
On the average, Linux distros from the same time period took over two hours before being hacked (when they were – only part of them actually got compromised), with the fastest one being at around 15 minutes. We’re talking about more than an order of magnitude in difference.
Sure the average time would be greater for Linux, considering its market share is 1/100 of Windows. But that doesn’t change the fact that an unpatched Linux distro can be rooted in seconds, the same as with unpatched Windows.
Come on, now, we can all agree that Vista is going to be more secure, but you’ll have to admit that WinXP pre-SP was a clear embarrassment to MS as far as security was concerned
I’m not sure Linux would have performed better with the comparable market share.
I’m not sure Linux would have performed better with the comparable market share.
The mere fact it shipped with a firewall on by default sets it WORLDS apart. And that’s not considering all the services enabled by default that should never have been.
Sure the average time would be greater for Linux, considering its market share is 1/100 of Windows. But that doesn’t change the fact that an unpatched Linux distro can be rooted in seconds, the same as with unpatched Windows.
That assertion doesn’t appear to be supported by any evidence. In fact, it smacks of Windows fanboyism.
The fact was that, even with 2001 distros, some unpatched Linux boxes didn’t get compromised at all in the experiment’s time frame.
Popularity isn’t enough to justify this. Remember, we’re talking about servers here (this being the honeypot project), where Linux’ market share is a *third* of Windows, instead of 1/30th for Desktops (not 1/100, incidentally).
Why is it so hard for you to accept that WinXP pre-SP was a failure from a security point of view?
“The fact was that, even with 2001 distros, some unpatched Linux boxes didn’t get compromised at all in the experiment’s time frame.”
I am trying to understand this statement. In the context of the thread, this would indicate that all unpatched Windows boxes got compromised? Hate to be the bearer of bad news, but good security practices kept at least 2000 machines from not getting compromised in that time frame, namely the ones I was administering. I can’t speak for anyone else, but not one of my machines got compromised.
In the context of the thread, this would indicate that all unpatched Windows boxes got compromised?
As far as I remember from the Honeynet paper, yes (all the winboxen in their tests).
Hate to be the bearer of bad news, but good security practices kept at least 2000 machines from not getting compromised in that time frame, namely the ones I was administering.
You’re missing the point. Of course it’s possible to secure Windows boxes, even pre-SP1. The point I was raising is that there has rarely been a default setup with as bad a security record as Windows XP pre-SP1 (or even pre-SP2, as SP1 had its share of serious vulnerabilities).
Accepting this simple fact doesn’t mean that you can’t secure a Windows server, it just means that it was an embarrassment for MS from a security point of view, and they’ve learned their lesson since then (to a degree – I still think it’s a mistake to let a filename extension make a file executable, as opposed to an execute bit as is the case in Unix and Unix-like OSes).
At default install, Windows XP (without service packs) enables services for:
* Remote procedure call, which indirectly allows
** Remote access to registry
** Remote access to disk configuration
** Remote access to event log
* Disk sharing
* Internet Information Services (web server)
** With many add-ons, like remote printing
* Distributed COM (which allowed that one minute take down)
And others, running in the background without any kind of firewall.
While it’s of course normal to have bugs in software, it’s not such a good practice to open up such potential holes at default configuration.
Then Microsoft realized what they’re doing, and released SP2 to address these issues. And they did a much better job with 2K3 (which probably has better security record than most desktop Linux distributions).
Security is not a foolproof game. But your approach has a great impact on the risk.
Edited 2006-12-21 05:23
It’s always kinda funny to see how much Windows advocates insist on MS’s renewed security efforts each time a new version of the OS comes out. I always see this as a tacit admission that the security record was less than stellar in the previous one.
Actually what this really means is that there is always room for improvement.
I’m certain Vista won’t be as bad as WinXP, though. That’d be hard to beat, after all it only takes minutes for an XP machine (without service packs) to be hacked when connected directly to the Internet.
Which applies to any operating system if you don’t apply the service packs. Funny how you single out XP, which is secure when patches are applied.
When I see statements such as this, I see it as a tacit admission that the Linux advocates are running scared. Desperation certainly has produced some twisted logic amongst the Linux advocates of late.
Which applies to any operating system if you don’t apply the service packs. Funny how you single out XP, which is secure when patches are applied.
Actually, as I’ve already said, *no* other OS has been as easily and quickly compromised as WinXP pre-SP when connected to the Internet. It broke all records, and no other unpatched OS has come close.
Funny how I made a reasonable concession by saying that Vista will be an improvement as far as security goes, yet Windows fanboys are incapable of recognizing that WinXP pre-SP was a dismal failure as far as security was concerned…
When I see statements such as this, I see it as a tacit admission that the Linux advocates are running scared. Desperation certainly has produced some twisted logic amongst the Linux advocates of late.
That’s your opinion and you’re entitled to it, but it doesn’t seem to be grounded in reality. How does correctly pointing out that Vista will be more secure than XP, which has a *well-known* record of security failures translate into “running scared”? I guess with the warped logic of some MS advocates, anything’s possible – except MS failing at anything, ever…
But this is good news. I know some actually *want* Vista to be insecure (I’ve even seen posts here and elsewhere saying, “I can’t wait for all the Vista malware that will be released the first week of its release!!”), but reasonable people want all OSes to be as secure as possible.
Allow me to offer a modest rationalization.
Monopolies are a bad thing. If Windows is secure, that’s one less grievance for Windows users to put up with, which leads to a tighter hold on their interests and, by extension, on the industry. Anyone who says they hope Windows isn’t secure is obviously talking politics, not ideals (or is just a sadist or employed in the security industry). Of course I want everyone’s computing experience to be a good one, but think of it this way: were the products that ultimately bought Microsoft’s industry dominance secure? Did most of them even work? Give Microsoft a second chance, and they’ll make a better product, but what they won’t do is abandon their legendary contempt for diversity, competition, and interoperability. Thus, giving a monopoly a second chance means denying countless more earnest upstarts and stragglers a first one. Thus, I don’t want Vista to be secure.
That’s it. Just a rational, political grudge. The Windows monoculture is bad enough now; imagine how much worse it would be if it really were the best OS on the market — or even more frustrating, a closer third in quality and a more distant first in adoption.
I want Vista to be secure. Or to put it another way, I don’t want security to be the only advantage of other OS’s and just replace Windows nonsense with their own nonsense. They need to bring better ideas to the table.
I don’t want security to be the only advantage of other OS’s and just replace Windows nonsense with their own nonsense. They need to bring better ideas to the table.
Better ideas won’t shake the monopoly. They’ll just be bought or copied by it: http://www.vcnet.com/bms/departments/innovation.shtml Biased, of course, but well-researched, and that’s all that matters.
To put my apparently quite offensive post above more simply, I have two major things against Microsoft, one being quality of product (esp. in terms of security and UI), and the other being dominance of the industry. I don’t celebrate or give kudos when the first one gets better, and I’m no hypocrite for it, because I know all it will do is make the second one worse. It didn’t convince anyone to drop them back when Windows was demonstrably a self-destructing block of swiss cheese. Now that it’s pretty decent, it’s that much more difficult to convince anyone to try anything else.
of course many linux enthusiasts are running scared, we all wanna see Redmond take a fall, we all love FOSS
actually anyone who believes winxp when patched is secure should be exiled to siberia. head over to secunia and check out how many unpatched vulnerabilities winxp has compared to Kubuntu/Ubuntu
unpatched security vulnerabilities to any product are a disgrace.
and winxp has 13, oh yeah great, i cant wait for the vista viruses to come out,
take into account these factors
windows Vista is far more complex than winxp making it harder to maintain and secure for its devels
windoze is closed source so they cannot get outside help to diagnose vulnerabilities
windows is known for its clumsy programmers (eg; 24 programmers to make a logoff menu, omg)
its a toxic cocktail for vulnerabilities and heartache
i dont claim to know much about linux/FOSS i am still a comparatively young convert
but i know Windows very well, and it is a painful wound
Sorry to answer your post, but you claim “i know Windows very well, and it is a painful wound“, but you probably don’t.
Linux is really nice, it runs on my primary desktop and I believe OSS really delivers good quality.
However bashing Windows security blindly is not mature. I’m not talking about my own experience (you should already guess that my Windows machines run smoothly), but I want to remind you that many large enterprises use Windows without security problems.
Just read the osnews article about tens of thousands of unsuccessful attacks to Microsoft at http://www.osnews.com/story.php/16756/ . And also try to research how much money and time Microsoft spends for security development.
Nobody is perfect in security, yet making those kinds of blanket statements without any acceptable evidence will not help OSS, but will only hurt the look of OSS advocates.
yeh same old, crap
are you in your heart of hearts trying to justify unpatched vulnerabilities
i think i’m being quite reasonable measuring security by the number of unpatched vulnerabilities, please don’t comment until you address my main concern which is how will Microsoft secure a far more complex beast like Vista when they can’t even secure a less complex winxp
As much as I pity those to whom using Linux equals hating MS/Windows, and as much as I think everybody should simply secure his/her computer, I have to say the endless blathering on Windows vs. Linux security is the best way to lose all confidence in mankind.
So to make it all very clear to some Linux fanboys (and for the record, Linux is what I use most of the time myself): if Windows Vista would indeed prove to be a rather secure operating system, that is not bad news to Linux/FLOSS at all.
Why not?
* The last thing Linux needs is users that use it only because Vista would be bad. They should use it because Linux is good.
* Suppose Vista is secure, desktop Linux security may be challenged more heavily than is the case now. After all, malicious crackers and malware writers take the easiest way in. This will lead to better awareness among Linux users (maybe SELinux not so bad, Ubuntu?) when it comes to securing your private penguin.
* The “Linux is more secure”, or “Linux has no viruses” cliché is all over the place, and although it might be true, it is best it disappears quickly. I wouldn’t be using Linux if a few viruses more or less were the only advantage. I’d be using OpenBSD. There’s only one good reason to use Linux/FLOSS, and that’s that it’s Free (libre), it gives the user incredible Choice and the opportunity to adjust and contribute to the software.
Not to mention all the very good stuff, when it comes to the programs that run on it.
What rubbish you should use the stunningly secure MS Outlook because of AM i.e. a hack to stop you receiving attachments from emails of just about every form that’s useful, why because Windows security is awful. Welcome to MS new text only email service (Mmm the same service I could get on an Acorn in 1995). Most people will of course turn this off so that they can receive Doc files etc and be exposed to a cornucopia of other hazards.
Windows does not need AV software if you limit its functionality as described above (it will be even better if you unplug the PC and leave it that way) – however, you will still need to remove malware each month and we will provide an AV solution. Once we have driven the AV companies out of business we will obviously charge for the service
What exactly is the point of this? Are you angry about something?
OK. Blocking the receiving of attachments isn’t a very sophisticated way of protecting Windows. If this was just exe, pif, com files etc. it would be reasonable, but no, it is also most of the file types generated by MS Office. I would say Office is a very good product; it’s not unreasonable that users would want to send Excel, Access and Word files that they have produced to friends and colleagues, but this is by default blocked. Why? Because MS security is so poor that code can hide in a spreadsheet that can do serious damage to Windows. Same for attachments in a zip file: users may want to send a few Office documents in a zip file but this is blocked. Many users will turn this feature off because they need to email doc, xls files to each other. The article suggests that this blocking feature (which I would suggest is a miserable ad hoc hack) is a marvelous improvement to MS security.
I’m pleased that MS produce a malware removal tool, but the fact that it has to exist doesn’t speak well of Windows security. I’m also pleased that MS is looking at the virus problem but am concerned that they are now going to try and put AV companies out of business. If we consider what happened to Netscape it’s also interesting to note that once Netscape had almost gone MS ignored IE until Firefox emerged onto the market. Would this be the same for the AV field once Norton etc. are gone?
…what that article is saying is:
“Ha, ha, ha Sophos. The vulnerabilities that you say you protect people from are bogus, and for everything else there is Windows Defender. You’re going out of business.”
Sounds like the same refrain that every large ISV producing software for Windows has heard at one time or another.
Mind you, Microsoft should never have created a market for Sophos or other such companies in the first place.
Sophos will need to find some viruses from somewhere ;-).
Edited 2006-12-21 11:20
Come on, guys! 3 weeks without security problems in Windows Vista. THREE!!! Isn’t that a major improvement for Microsoft?
The only thing that Jim “forgot” to mention is that Vista hasn’t been released for Joe Sixpack yet… so we (I mean, they… I don’t intend to use Vista) can’t be quite sure yet how secure Vista will end up being.
PS The only thing he left out of the article was saying something like “Vista… as Secure as all previous Windows were meant to be“. Wouldn’t that have been lovely?
PS2 Oops… I forgot that Windows wasn’t meant to be secure ever…. just Vista.
Edited 2006-12-21 14:26
“you are immune to all ten”
Famous last words. ‘nough said.