ITsVISTA
Information that makes life easier when it comes to installing, managing, and using Windows Vista.

ITsVISTA Web Links: October 23rd, 2007


Comments

  • mik

    Oct 24, 2007 at 3:12 am

    I would like to respond to this article. First, let me start off by saying that although I’m a full-time Microsoft employee (as of a few months ago), this is not an “official” Microsoft response. I’m responding as a 20-year Windows security veteran, author of 7 books on computer security, and long-time user of several other OSs besides Windows (e.g. OpenBSD, Linux, AS/400, etc.). Overall, the conclusion of the article is not supported by itself or the facts of every other independent review, even by people who dislike Microsoft.

    This article stated that Windows Vista is no more secure than Windows XP. Ignoring for the moment that your own tests and printed rating system showed otherwise, there are huge reasons why I know your conclusions and tests are grossly inaccurate - and your readers should know so they can make an informed decision.

    First, there is no doubt that you either disabled User Account Control (UAC), ignored its warnings, or refused to report on it. 99% of Windows malware requires elevated permissions in order to infect Windows. Vista, by default, doesn’t allow elevated sessions without a secondary “in your face” consent by the logged-in user. Windows XP, on the other hand, does not give such a warning.

    So in order for most of your malware tests to work, you intentionally ignored one or more (in most cases it would be two or three) warnings to intentionally execute the malware. Windows XP would either give no warnings (because it doesn’t have UAC), or just one or two (depending on the default warnings given by Internet Explorer).

    How about reporting how often malware silently installed without the user receiving one or more warnings (the most serious security problem)? I know the improved delta between XP and Vista is significant, and was by your own observations. Why not share that with your readers?

    I’ve run similar tests against my personal collection of over 16,000 malware programs, and I know the results. Windows Vista is significantly more resistant to malware than previous Windows versions. But this isn’t only my conclusion, it is the statement of every anti-malware vendor, dozens of world-wide hacker experts, and hundreds of other demonstrated, documented tests. Talk to H.D. Moore (of Metasploit fame), talk to Foundstone (my previous employers), talk to Joanna Rutkowska (of Blue Pill fame), or any other Windows security professional who doesn’t work for Microsoft. Some may even extremely dislike Microsoft, but to a person they will ALL tell you the same thing. Windows Vista is more secure than XP - in theory and in practice. Have you ever asked yourself why your tests are the only ones to the contrary? I suggest that it was not well conceived or implemented.

    Your tests essentially measure, “If I ignore multiple warnings, how well does Windows run a program designed to run for Windows?”. Or was it how well Windows does as an anti-malware program, by itself, even though it is not designed to be a stand-alone anti-malware program? Although Windows Vista does come with some anti-malware defenses (e.g. Windows Defender), Microsoft does not recommend running Windows, any version, without an additional anti-malware program installed. If Microsoft thought Vista didn’t need additional anti-malware software installed, they would say so.

    Your article ignores hundreds of other new security features and settings that stop existing malware programs (disabled LM hashes, stronger buffer overflow protection, improved NetBIOS security, session isolation, mandatory integrity controls, Internet Explorer-Protected Mode, BitLocker, 800 new group policy settings, portable media control, stronger default encryption, improved EFS, IPv6, file and registry virtualization, built-in RMS client, and more). And these aren’t just some theoretical increase in security. They improve security in practical, easy-to-see ways. But if you ignore multiple warning prompts, malware designed for your system will always be able to exploit regardless of the OS (albeit my hat is off to OpenBSD and VAX for their stellar records).

    The real answer is that all of today’s operating systems, no matter who the vendors are, are significantly more secure than the ones we used in the past. It’s still saddening that we live in such a malicious world, but that is more due to the default anonymity that underpins the Internet than any particular product. Malicious hackers wouldn’t hack near as much if we could catch them. And they are no easier to catch using Windows than they are using any other OS. Till we improve the Internet, hackers will continue to take advantage of vulnerabilities.

    If you look at the number of found vulnerabilities in Windows XP (28) vs. Vista (11) this year, Vista wins again. If that seems like a lot, don’t forget Mac OS X has had 101 in the same time period. Cute commercials, but not necessarily a stellar reason to dog Microsoft about.

    In conclusion, I’m not sure why you choose to run a story that paints Windows Vista as no better security-wise than Windows XP?

    Sincerely,

    Roger A. Grimes, Sr. Security Consultant
    Microsoft ACE Team
    Author of Windows Vista Security: Securing Vista Against Malicious Attack

  • Michael

    Oct 26, 2007 at 11:56 am

    I disagree with almost every point in “TechBlog: 10 Things Microsoft should do to fix Windows Vista”.

    That guy should just “Get a Mac”, he seems to be in love with it.

    I firmly believe that OS preference is purely personal. My recommendation: Stay with the OS you love. You can try the others, and if you find a new love, good for you. But for the most part everyone is biased to a particular OS and finds little or nothing redeeming in the others.

    Dwight Silverman’s views are subjective and betray a personal bias. He offered no hard facts to support anything he said, and this gives very little weight to any of his points.

    Now, I agree with items 4 and 10, but only because I happen to share the same subjective view. (4: One-stop driver shop & 10: Rework Vista marketing) In other words, I feel the same way but I don’t have any concrete reasons for my feelings (and neither did he).

    (BTW, neither point 4 nor 10 had anything to do with the OS itself. 4 is the state of the world, regardless of the OS. And 10 is about how MS fails to create a good “Get Vista” campaign.)

    I can’t believe he wrote a book about an OS that he clearly has little respect for. Well, I will make sure his book never ends up on my shopping list!

    (However, the fact that he wrote the book means that he was obviously happy to make a profit off of this “less than a Mac” OS. Hypocrite!)
