Tweaking out

Microsoft has added numerous other features to Windows Vista besides UAC, many of which are intended to increase the overall security of the OS. But upon closer examination these add-ons are only marginal improvements over previous versions of Windows.

Windows Firewall has been enabled by default on all new Windows installs since the introduction of Windows XP Service Pack 2. With Vista, Windows Firewall gains the capability of blocking outgoing connections as well as incoming ones -- a marked improvement, when you consider the growing threats of spyware, phishing, and DDoS attacks. Unfortunately, the filtering of outgoing packets is not enabled by default. In other words, Vista's firewall won't provide significantly more protection than the one included in XP SP2 without manual configuration.

A new program called Windows Defender adds anti-malware capabilities to Windows, but it's primarily consumer-focused and so far does not seem to be up to par with the major aftermarket options already available for XP. According to competing anti-malware vendor Webroot,

Windows Defender misses the vast majority of spyware. Worse, in February Windows Defender was shown to actually be a vector for attack on Vista, with the disclosure of an exploitable bug in Microsoft's malware detection engine. Similarly, while Vista includes a new hard drive encryption feature called BitLocker, it is not enabled by default, and whether it offers any real protection against advanced computer forensics techniques is questionable.

Worst of all, some new features added to Vista actually have proven detrimental to overall security. In January, hackers discovered that Vista's speech recognition feature could be used to gain limited access to a remote system, including the ability to delete arbitrary files. Such annoyances sound almost cute -- until they result in real data loss.

Enemy at the gates

The Vista speech recognition exploit underscores an important point. As with previous versions of Windows, by far the majority of attacks on systems running Windows Vista will come not in the form of exploits of the OS itself, but of applications running atop the OS.

Microsoft actually has made significant improvements to Windows Vista that are designed to mitigate some of the most common types of application vulnerabilities. A group of new technologies makes it more difficult for hackers to exploit commonplace bugs by obscuring the memory addressing space and protecting access to the OS kernel.

Preliminary research by Symantec suggests that Vista may still be vulnerable to some forms of attacks but concludes that "the implementation of these protections achieves many of the security goals that Microsoft had envisioned."

The rise of .Net as the dominant development model for Windows Vista also bodes well for security. The managed code and security sandbox features of the .Net platform protect developers from common programming errors that can lead to exploitable vulnerabilities.

Despite these improvements, the primary weakness of these technologies is that developers must rewrite their code to take advantage of them. Legacy applications that are unaware of Vista's new security model will remain vulnerable. Examples have already begun to surface, including a previously patched bug in Computer Associates' BrightStor backup software.

Patches to widely used commercial applications will doubtless continue to surface during the next few months, but custom enterprise software remains the big unknown. Until older applications are upgraded to take advantage of Microsoft's latest security technologies, they will gain little benefit when running under Vista beyond what is provided by UAC. Though Microsoft has made significant advances, this new OS is no panacea for a secure Windows-based IT environment.