Vista security overview: too little too late

But some progress has been made

Seven Steps to Software Security


Next up, we have the successor to Outlook Express, called Windows Mail. I always considered Outlook Express to be hands down the worst email client ever devised. Windows Mail is a little better. There now are half-decent junk mail controls and, of course, the famous anti-phishing filter. Email memos are now stored as individual files instead of in a database file, which means they can be searched faster, and email contents will show up in the Windows main search, which is either very handy, or a privacy nightmare, depending on what you get up to with your email. This type of storage also makes it easier for you to nuke messages with a wipe utility, either by wiping free space after deleting, or wiping them manually if you have the patience.

However, junk mail controls are awkward. Flagging memos as spam is a hassle; you do this in a list above the preview pane with the right mouse button, and then select from a list of actions. This can be quite tedious if you get a lot of spam, because one can't select several emails for the same action. There really ought to be a junk button that one can use to mark memos as spam and delete them with a single click, as there is with Thunderbird. It would be nice if the default rule for such a junk button were to be blocking the sender, rather than the sender's domain. One can always block a troublesome domain manually if need be.

Interestingly, an email from Microsoft Press Pass - a mailing list of self-congratulatory press releases for tech journos - was automatically flagged as spam. I find it hard to disagree with that call.

Memos can be displayed as HTML with all the risky stuff, such as online images and scripts, blocked. And Windows Mail doesn't give you a hard time about displaying all memos as plain text, which I recommend. Or rather, it displays lightly formatted text; you don't get the raw text as you do with Kmail, so links show up as they would in HTML, with the actual URL hidden. Now, with IE7, such links show up in the status bar as the full URL when you mouse over them, but in Windows Mail they don't. This should be fixed, because otherwise one is stuck relying solely on Microsoft's anti-phishing filter gimmick.

While not security related, I will note briefly that there is no undelete button or Edit menu option to undo a deletion, for those of us who tend to delete first and ask questions later.

Click yes to continue

Data Execution Prevention (DEP) is a feature from XP SP2 that shuts down programs that handle memory oddly, and it is now set to full on by default. It works with address space layout randomisation, a new feature in Vista that loads some system code in unpredictable memory locations to defend against buffer overflow attacks. Both are very good ideas, and should help reduce the impact of malware to some extent.

However, DEP, when full on, may cause a number of applications to crash, or interfere with their installation. I'm betting that a majority of users will opt for the more conservative setting, and this of course means less defense for everyone.

User Account Control (UAC) is another good idea, because it finally, finally, finally allows the machine's owner to work from a standard user account, and still perform administrative tasks by supplying admin credentials as needed on a per-action basis. You know, the way Linux has been doing it forever.

This is one way of helping protect a multi-user system from being loaded with malware by users, and for ensuring that any malware on the system runs with reduced privileges. When you are in a user account, and you wish to perform an administrative task, you will be prompted for the required credentials. Aside from the prompt, the GUI shell will be disabled during this time, to help prevent certain kinds of privilege escalation attacks where the GUI shell or elements of it are spoofed by malicious software.

Of course, it only works if everyone stays out of the admin account as much as possible, and if everyone with an admin password knows better than to install a questionable program with admin privileges. And there's the catch: "Windows needs your permission to install this cleverly-disguised Trojan nifty program. Click Yes to get rooted continue."

So you see that, here again, MS's security strategy involves shifting responsibility to the user.

UAC is all well and good in theory, but here's the problem: it's never going to work. And the reason why it's never going to work is because MS still encourages the person who installs Vista (the owner presumably) to run their machine with admin privileges by default. I was delighted, when I set up Vista for the first time, to be presented with an opportunity to set up a "user" account. But moments later, when I saw that I was not invited also to create an admin account, I knew that the "user" account I had just set up was indeed an admin account. And so it was.

Until MS gets it through their thick skulls that a multi-user OS needs a separate admin account and a user account for the owner, and that the owner should be encouraged to work from a regular user account as much as possible, UAC will never work as intended.

In fact, UAC is the most complained-about new feature of Vista, and most people are disabling it as soon as possible. Why? Because MS still encourages the owner to set himself up as the admin, and work from that account. And when you're running in an admin account, UAC is nothing but a bother. Every time you try to take an action, and this could be as simple as opening something in Control Panel, UAC disables your screen and pops up a little dialog asking you if you really want to do what you just did. A pointless irritant that will cause the vast majority of Vista users to disable UAC, because the vast majority of Vista users will, unfortunately, be running as admins, thanks to MS's stubborn refusal to try to put everyone into a user account to the extent possible.

And once UAC is disabled, all of its security enhancements are lost. Yes, the basic idea is good, but the implementation has been completely bungled.

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story


Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.