
Review: Vista, XP Users Equally At Peril To Viruses, Exploits



Guest Reimar
Posted

Have read a very interesting review about the security of Vista vs XP, and I do believe that this will be interesting for the ThaiVisa members as well!

Review: Vista, XP Users Equally At Peril To Viruses, Exploits

After a week of extensive testing, the CRN Test Center found that users of Windows Vista and Windows XP are equally at risk to viruses and exploits and that overall Vista brings only marginal security advantages over XP.

One of Microsoft's big promises with Vista was a more secure operating system. But when stripped to the bare bones and thrown into the wild, wild Web, Vista's security failed to impress Test Center engineers.

Vista remains riddled with holes, despite its multilayer security architecture and embedded security tools. Besides providing no improvement in virus protection vs. XP, Vista brings little or no security gains over its predecessor against such threats as RDS exploits, script exploits, image exploits, VML exploits, malformed Web pages and known malicious URLs, the Test Center found.

Armed with two notebooks -- an HP Compaq 6515b notebook running Windows Vista Business 32-bit Edition with the 256-bit encryption version of Internet Explorer 7 and an HP Compaq nc6400 running Windows XP with the 128-bit encryption version of Internet Explorer 6 -- Test Center engineers probed both OSes with some of the most dangerous exploits known today.

To even the playing field, all of the HP ProtectTools Security Manager tools on both notebooks were shut down. None of the encryption tools and the password-protect options were initialized. In addition, HP's ProtectTools Application Protection Service was not activated. Only the default security features and settings on both OSes were kept.

The Test Center selected Finjan's RUSafe appliance to analyze all HTTP traffic going to both notebooks. RUSafe is more than just a sniffer; it can analyze code behavior and identify malicious files. Engineers used RUSafe's report engine to compare the OSes and, with the help of Finjan and other experts, visited several known hacker sites.

Since the notebooks were running without any security suites, engineers were only able to visually inspect the behavior of each OS after going to a site. No code tracing techniques were used in the OSes. Instead, Finjan's RUSafe appliance provided the records of what passed to each notebook.

Read the full story here

Posted

So let me get this straight. You take an operating system and remove its security features, intentionally download malware using the most insecure browser on the planet, and the test machine got infected?

I suppose these guys throw cars off cliffs to prove seatbelts don't work as well. :o

Posted
So let me get this straight. You take an operating system and remove its security features, intentionally download malware using the most insecure browser on the planet, and the test machine got infected?

I suppose these guys throw cars off cliffs to prove seatbelts don't work as well. :o

I read it that they disabled the HP additional security features but retained the OS default set-ups.

Regards

Posted
So let me get this straight. You take an operating system and remove its security features, intentionally download malware using the most insecure browser on the planet, and the test machine got infected?

I suppose these guys throw cars off cliffs to prove seatbelts don't work as well. :o

I read it that they disabled the HP additional security features but retained the OS default set-ups.

Regards

But when stripped to the bare bones and thrown into the wild, wild Web, Vista's security failed to impress Test Center engineers.

Would be a more realistic test if they ran them as they are generally configured.

Posted

I find this subject very interesting, and would like to add a little automotive analogy to it. A car manufacturer comes out with a new model that they claim to be safer. In actuality, all they did was just make the seat belts a little stronger. Would that car really be safer? I would have to say no. Or maybe they just made the air bags a little better. Would that make the car safer? I would also say no to that too. Now maybe they added higher strength impact beams to the door panels. Now IMHO that would actually make the car safer, not the other "add on" safety stuff. So, my hypothetical question to any computer guru (of which I definitely am not) who would care to answer is, how would they isolate and test only the OS without any of the other "add on" security stuff that could influence the results, and/or would that kind of comparison even be worth making?

Posted
I find this subject very interesting, and would like to add a little automotive analogy to it. A car manufacturer comes out with a new model that they claim to be safer. In actuality, all they did was just make the seat belts a little stronger. Would that car really be safer? I would have to say no. Or maybe they just made the air bags a little better. Would that make the car safer? I would also say no to that too. Now maybe they added higher strength impact beams to the door panels. Now IMHO that would actually make the car safer, not the other "add on" safety stuff. So, my hypothetical question to any computer guru (of which I definitely am not) who would care to answer is, how would they isolate and test only the OS without any of the other "add on" security stuff that could influence the results, and/or would that kind of comparison even be worth making?

The 'add-on' in this case is the HP software which is included in US shipped models to provide additional security for the user. The aim here was to turn off the 'quicker air-bag' so they could concentrate on the 'side intrusion beams' built into the two different OS's {XP & Vista}. I have sympathy with Vic's point that this is not necessarily a reflection of true life, but it's problematic {a sceptic would say intentionally} to compare XP & Vista security responses.

Regards

PS I think the article makes a valid point in that from a security perspective Vista is not quite the great leap forward that some expected. As an OS it does, for example, manage multi-core systems better than XP and the breaking out of Internet Explorer is a good move. Though of course by upgrading to IE7 on XP aspects of this protection are then available.

Posted

And the fact remains that after five months no big Vista specific exploits have surfaced. Something no previous Windows version could ever claim.

Posted (edited)
And the fact remains that after five months no big Vista specific exploits have surfaced. Something no previous Windows version could ever claim.

A - Only the default security features and settings on both OSes were kept. That's pretty clear, doesn't need further explanation now, does it?

B - What do you mean by Vista-specific exploits? I would mostly be interested in whether or not all the exploits for IE / XP work on IE/Vista as well. Do they or don't they? I usually read about new exploits and they talk about which IE versions are affected - all, mostly - but they don't say something like BTW Vista's not affected. Which leads me to believe that Vista usually _is_ affected.

I find it quite disappointing. I dislike Vista for other reasons but I did think that sandboxing IE would be a good idea. Now it looks like that doesn't work all that well...

I read an article by a security researcher a very long time ago and he made a convincing argument that sandboxing is the only way to make a web browser, or any other app, secure. Java has had a sandbox concept from the beginning, and it's worked relatively well for them, there were only a handful of breaches over the years. Edit: Make that a handful plus 2, they just found two new ones :b

Edited by nikster
