Vista: No Silver Bullet for Security

If your vision of Microsoft's new Vista operating environment involves a nice, quiet second Tuesday of the month, snap out of it: The new OS is better, not perfect.

Microsoft's upcoming Vista operating system will be more resistant to attacks than previous versions of Windows, security experts say. But the new OS still offers a big target, a few weak spots, and plenty of room for patching.

Applications -- particularly existing, non-Vista apps -- will be the weak link for Vista, says Thomas Ptacek, a researcher with Matasano Security. Vista's security dilemma is no different from that of any other OS, Ptacek says. "The OS is just there to run the programs, and if the programs themselves are not secure, the whole system is insecure."

Apps that weren't written to run on Vista are indeed at risk, says Mark Shavlik, president of Shavlik Technologies.

Attackers are increasingly targeting applications, and existing programs ported to Vista won't be any safer there than they were on Windows XP or its predecessors. "If an application has a flaw that can be taken advantage of, something will gain access to it," says Eng- Wee Yeo, senior security consultant with Shavlik.

Security researchers say they've been impressed with Microsoft's work thus far to secure Vista. But no one knows for sure what other holes may emerge once enterprises start loading older apps from Microsoft, third-party developers, and legacy vendors to the new Vista environment.

"In any OS, there are always some unknown security flaws that will show up," says Chris Wysopal, chief technology officer for Veracode. "But these will be minor for Vista, compared to the risk of different apps running on it, especially the older ones that are three- to four years old. The majority of apps aren't written with security in mind."

Vista comes with several key security features built in. One key capability is its user account control, which eliminates the old default mode in which users were given administrative rights. "So even if a user is running a machine with administrative rights, if malicious code gets on the system, they'd get a pop up that says, 'I'm about to do this and do you want me to,'" says Steve Kleynhans, research vice president for Gartner. It's still up to the user to say yea or nay, but at least the OS records that the user accepted the action, he says.

The account control feature also prevents users from installing third party software without an administrative password. This restriction should not only prevent unauthorized apps from getting onto the system, but it will also slow the proliferation of malware, says Yeo. "If malware gains access to the system, and a user has administrative rights, so does the malware."

Microsoft also changed some defaults with Vista, such as ports. "You now have to explicitly turn on or set group policy for sharing or network discovery," says Gartner's Kleynhans. "That alone means you're not going to have a lot of extraneous, dangerous stuff waiting around to be exploited."

Another key security feature is Vista's enforcement of signed, third-party drivers for devices such as printers and network cards, Yeo says. Third-party driver software vendors must be certified with Vista. "That prevents unqualified drivers from being executed," says Yeo. Researchers demonstrated ways to exploit the current Windows device driver vulnerability at Black Hat this month. (See Device Drivers at Risk.)

And Vista is already in the hands of hackers. Microsoft last week handed out the latest beta version of the OS to over 3,000 attendees of the Black Hat conference so they could try to hammer at the code. And Joanna Rutkowska, senior security researcher for COSEINC, demonstrated her proof-of-concept code that let an unsigned driver slip into the Vista kernel undetected. (See Hacking the Vista Kernel.)

So what are the most at-risk apps for Vista? Any apps that require full access to the system, Shavlik's Yeo says, such as systems management software and tools that "push" apps to the desktop, which typically require a high level of system privileges. "I'm sure these vendors must be working very closely with Microsoft for patches" to work with Vista, he says.

Ironically, one of the most risky pieces of software for Vista will be security applications, such as antivirus and anti-spyware apps, which require high levels of system privileges, says Veracode's Wysopal. Until such apps are modified for Vista, they will have to be run in a lower security mode, he says. Microsoft has an application verifier toolkit designed for an expert user or software vendor to modify apps to use Vista's features, he says.

Microsoft officials declined to be interviewed for this story.

Vista certainly won't hurt older, third-party apps -- they just won't reap all of the same benefits as apps specifically written for Vista, says Jeremiah Grossman, CTO of WhiteHat Security.

Rob Enderle, principal consultant with Enderle Consulting, says an older app could also pose a danger to Vista. For example, an app running under Vista's XP emulator function could infect the OS with a virus, he says. "The emulators in Vista are the best I've ever seen, because they allow older applications to run. But they are also a way to bridge older viruses onto the new platform," Enderle says. "Once you launch an emulator, there is an increased opportunity for a virus to uses that emulator to infect a Vista system that otherwise would remain immune."

Another potential problem lies in the relationship between high-performance apps such as CAD and some financial modeling apps that access the hardware –- such as a video card -- directly, Enderle says. "Whenever you drill through an operating system to access hardware directly, you are creating a security vulnerability," he says. "And while you can limit this to the application with Vista by running in XP mode, it lowers the overall security of the platform."

So how can you be sure you're getting all the security benefits of Vista? Enderle says you should aggressively move your apps to hosted resources or to native Vista. And make sure your apps have been reviewed on Vista, says Matasano's Ptacek.

Don't count on Patch Tuesday going away, either. Security aside, Vista doesn't have much more functionality than XP, says Marc Maiffret, CTO for eEye Digital Security. "There are almost zero new functionality features in Vista besides the security stuff," Maiffret says. "But Microsoft is doing all the right things with security they can. But eventually, bugs will be a given."

— Kelly Jackson Higgins, Senior Editor, Dark Reading