Feeds

Vista security overview: too little too late

But some progress has been made

Seven Steps to Software Security

A few irritating details

The default folder view options could be improved for the security conscious user. One should definitely not hide file extensions, as the default file view has it, because it is possible to spoof icons and use bogus extensions that can make executables appear to be other than they are. Yes, UAC and DEP are supposed to help with this, but DEP will be set to its lower setting, and UAC will be turned off, on the vast majority of Vista boxes, for reasons we've already discussed. And since it's very likely that you will still be running your Windows box as an admin, if you're going to open a file with Windows Explorer, you'd better look to see whether or not it's an executable, because it will run with your privileges. So, at a minimum, the folder view should default to showing file extensions.

As usual, Windows enables far too many services by default. It would be a tremendous help if MS could somehow use its many wizards to enable only the services needed for each bit of hardware or software installed. That would take some effort on Microsoft's part, and on the part of device and software vendors, but the alternative so far has been to leave every single bell and whistle blaring. Unnecessary services waste RAM, and worse, those related to networking are a needless target for worms and other online attacks.

Data hygiene

The start menu now offers the option of not storing or displaying a list of recently-accessed files and programs. This used to be a real nightmare for data hygiene. Finally, it's fixed.

Oh wait; it's not fixed. In fact, things just got a lot worse. There is the new "Recently Changed" directory, which will show up as one of your "Favourite Links" in the left-hand column of your home or user directory, and in Windows Explorer. And guess what: all the files you've been fiddling with recently will show up in it. Its contents are identical to the "Recent Documents" folder that Microsoft let you think you had shut off.

But worse, the contents of your recently-changed directory will not show up in main search, even if you use advanced search, and search "everywhere". So you might not even know it's there. And still worse, you can't empty this directory without deleting all of the files it points to. You can empty your "Recent Documents" folder, and only the pointers or links will be gone; you don't lose the actual files. But with this new gimmick, you've got an archive of all the files you've looked at, regardless of where you've buried them in the file system hierarchy in hopes of keeping prying eyes off them, and you can't empty it unless you want to say goodbye to the files themselves.

The worst part of this is that by offering the option to disable the list of recent files, MS has given users a false sense of privacy and security. The reality is that privacy and data hygiene are even more difficult than before. What a blunder.

Child safety first

Now there is some good news, finally. Vista ships with parental controls that are reasonably easy to implement. You can set up accounts for the kiddies, and prevent them using all sorts of programs, like email, chat, and IM, or even deny them internet access altogether if they're too young. One thing that I like is the ability to prevent the little porn fiends from downloading files via IE7. But remember, if you have any other browsers loaded on the system, you must disable them all individually via the parental controls, because download blocking only works with IE.

The basic setup is sensible and allows for fine-tuning depending on each child's level of maturity and responsibility. And parents can schedule regular reports on their children's internet use.

Now, parental controls and filtering are all well and good, but we should beware of any false sense of security they might encourage. In a recent Today Show interview (video), Billg dilated glowingly about Vista's new parental control centre; but we should remember that it's merely a tool, not a solution. Parental controls are not a substitute for adult supervision. The internet is adult space, and so it should remain. Nothing sends my blood pressure into aneurysm territory faster than talk of legislation that would make the internet safe for children. The internet has been created by adults for adults, and children venturing online simply have got to be supervised, either by a parent or by a mature and responsible older sibling. Filtering is not a panacea.

Package deal

Now, for the Vista Security Centre. This has been controversial, involving MS in skirmishes with security software vendors who claim that Vista's built-in product is anti-competitive.

I'm not sure why anyone would worry. The Security Centre doesn't do very much except remind users, "Message: We Care". It's a little craplet with a stereotypical icon that looks like a shield, and it simply informs you of whether or not the firewall is on, whether or not you've got anti-virus software installed, and so on. It is integrated with an improved version of the malicious software removal tool, or anti-spyware tool, in the form of Windows Defender.

There's nothing much in Security Centre that XP SP2 doesn't have, except a warning that you've turned off UAC. It's something that one might wish to run or consult after installation, and maybe once a month thereafter. But it's on all the time, ready to harangue you, and it's rather difficult to make it go away.

It doesn't contain AV software, but a query for further information on virus issues will bring you to this web page, where MS recommends the vendors it thinks are ready to handle Vista (McAfee is notably absent). Nor does it have a packet filter (firewall) with many features. It's not too bad to configure, but third-party packet filters offer many more options in terms of notification and controlling individual applications. I noticed one exception in the default firewall configuration that I didn't care for, for allowing remote assistance. I don't think that should be allowed unless you're actually using remote assistance.

Windows Defender is certainly better than nothing; it monitors files for changes that can indicate malicious activity, and searches for known spyware. It is also integrated with IE7 to some extent. However, what constitutes spyware is a judgment call, and it's never a bad idea to use more than one anti-spyware/anti-adware product, in hopes that one will pick up what another overlooks. (And WD does seem to miss an awful lot of spyware.) I certainly wouldn't recommend depending solely on Windows Defender. But it's nice that it's there.

In a nutshell

So, what have we got here? An adequately secure version of Windows, finally? I think not. We have got, instead, a slightly more secure version than XP SP2. There are good features, and there are good ideas, but they've been implemented badly. The old problems never go away: too many networking services enabled by default; too many owners running their boxes as admins and downloading every bit of malware they can get their hands on. But MS has, in a sense, shifted the responsibility onto users: it has addressed numerous issues where too much was going on automatically and with too many privileges. But this simply means that the owner will be the one making a mess of their Windows box.

Data hygiene is still an absolute disaster on Windows. In fact, it's worse than it ever was in some ways, and that's very bad indeed. Browser traces still in the registry, heavy and complicated indexing to improve search, new locations where data is being stored. It all adds up to a privacy nightmare. Keeping a Vista box "clean" is going to be impossible for all but the most knowledgeable and fastidious users.

So don't rush out to buy Vista in hopes of getting much in return security-wise. I do like some of the changes, at least in theory, or as a decent platform on which to build an adequately secure version of Windows one day. But that day, if it ever comes, will be well in the future. ®

Correction I'm grateful to a Reg reader who pointed out an error in a previous edition of this story. I had stated incorrectly that IE7 doesn't allow blocking third-party cookies. It defaults to accepting them, but can be made to block them.

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.