Windows Vista delivers on some of the security improvements Microsoft promised for it, but there are still a host of ways attackers can exploit the OS and leave users open to threats, according to findings by Symantec.
The security vendor’s Security Response Advanced Threat Research group Wednesday released four reports on the security implications of Vista — with two more to come next week — and found that while the underlying OS is more secure, there are still unplugged holes that will allow malicious code to penetrate a user’s system, said Oliver Friedrichs, director of Symantec’s Security Response Emerging Threats group.
“There are areas where they are to be commended [because] they have eradicated certain types of threats,” he said. “But there are areas where Microsoft falls short and continues to create exposure for consumers and enterprises.”
Microsoft has done a good job at locking down the core OS against memory-manipulation threats, such as buffer overflows that were used by worms such as Blaster and Sasser to attack Windows, Friedrichs said. This security improvement has spurred attackers into changing their tactics and target third-party applications that run on the OS rather than the OS itself, he said.
It’s in protecting applications where Vista falls short, Friedrichs said. “Third-party applications are still exposed,” he said.
Third-party application drivers running on the 64-bit version of Vista are especially vulnerable due to the ability to disable the driver-signing feature of the 64-bit kernel, Friedrichs said. Symantec security researchers were able to disable this new feature — which requires all kernel drivers to be signed digitally by a reputable party in order to load into the kernel — in just one week.
Other new 64-bit kernel features — patchguard and code integrity — also could be disabled in a week, he added. Patchguard protects the kernel from direct threats such as rootkits, and code integrity enables the OS to protect itself and its applications from external manipulation.
Another feature in Vista that was supposed to improve the security of the system actually poses a new security threat, Friedrichs said. User account control, a feature that can be set up so a Vista user has limited privileges to access an application or an administrator function, actually can be bypassed by hackers to allow someone to gain full and unrestricted access to the OS, he said.
“Originally it was considered to be one of the most notable security technologies in Vista,” Friedrichs said. “More recently, because of research done both by Microsoft and third parties, we found that the technology is not as effective as originally envisioned.”
Friedrichs acknowledged that it may be self-serving for Symantec, which offers add-on security products for Windows, to publish findings that the OS is not secure. But he said that his group conducted its research by a legitimate scientific method. Moreover, the research is intended to provide recommendations to Microsoft for improving Windows security in the future.
In a statement through its public-relations firm, Microsoft defended its position that Vista is the most secure client version of Windows to date. But the company said it will take into consideration research by Symantec and other parties about Vista and make changes if necessary to make the OS even more safe against possible threats.