Vista security: now prove it

Microsoft says Vista is more secure – but nobody out there will believe it. They “know” that Windows is insecure, and even if Vista really is a secure operating system, it will take a long time to change that perception.

How secure is Vista? Nobody knows as yet; though I don’t doubt that enormous effort has been put into this aspect of the new Windows. There are also some solid security advances over Windows XP. Users no longer run with local admin rights by default – even if they have those rights, they are disabled unless processes are specifically elevated, which means passing a dialog. Another key improvement is that Internet Explorer is sandboxed.

Having said which, everyone will be watching for security alerts and “Patch Tuesday” fixes after Vista’s final release. Undoubtedly when the first flaw is discovered Windows will be proclaimed as insecure as ever.

That’s not necessarily so. All operating systems have security flaws. But Microsoft’s challenge is twofold: addressing first the technical issues, and second the public perception.

The latter may be even harder than the former. For sure, it’s gleefully exploited by competitors. Apple says on its site:

Connecting a PC to the Internet using factory settings is like leaving your front door wide open with your valuables out on the coffee table. A Mac, on the other hand, shuts and locks the door, hides the key, and stores your valuables in a safe with a combination known only to you. You have to buy, configure, and maintain such basic protection on a PC.

Apple’s statement is mostly false. A new, default installation of XP with SP2 (which is how PCs are supplied) has an effective built-in firewall; although a router with NAT is safer, you can connect a cable modem directly and intruders can’t get in. I had a machine connected like this for 2 years always-on, in pre-SP2 days but with the built-in firewall enabled, and suffered zero successful attacks.

Still, Apple is correct in saying that numerous viruses target Windows and there are a large number of infected machines, largely I suspect because users run as local admin and they (or their children) cheerfully execute malicious scripts and executables. Can Vista stop this happening, even though such users will need to pass a dialog? Probably not altogether.

The best hope then is that Vista will be mostly secure for sane users. The worst scenario is that people are persuaded to turn off UAC (User Account Control), and instead put their trust entirely in ineffective third-party utilities, only to grumble a few months down the road that Windows has let them down again.

In security, nothing changes quickly. Watch this space.

Tags: