Original URL: http://www.theregister.co.uk/2006/12/06/vista_or_xp/

Christmas shopping: Vista over XP?

Security pros have their say

By Federico Biancuzzi

Posted in The Channel, 6th December 2006 11:09 GMT

Anti-Virus vendors

Carmen Maierean (BitDefender product manager): Microsoft Vista from a security standpoint is above Microsoft XP mainly because of the new rights management system which will prevent unauthorised applications from running with administrator privileges. Nevertheless, the customer has to take into consideration that the newly developed operating system will not protect him from malware and hackers and a proper integrated security solution is required. BitDefender is working on a new version that will support Microsoft Vista and plans to ship it at the beginning of the next year.

Mikko H Hypponen (F-Secure's chief research officer): Vista won't be out for the consumer market during this Christmas season. So people can't buy Vista computers for Christmas even if they wanted to. If you want to buy a system with fairly few security issues, get a machine which runs Ubuntu, OSX, FreeBSD or SuSE...

Ryan Sherstobitoff (Panda Software's product technology officer): Windows XP and Windows Vista differ in regards to their security architecture. Windows Vista does not ship until January 30th, 2007. Therefore, Windows XP will be the predominant operating system during the Christmas shopping season. Some manufacturers may have Vista as an OEM on some systems which will be available to consumers; however, most major anti-malware security products will not be compatible with Vista during the first period of December and [most AV companies] have indicated specifically to have support after the release. It is recommended a user purchase a system with Windows XP with the intention to upgrade to Vista.

Carole Theriault (Sophos' senior security consultant): For the average home user, Vista is a good option. There are some excellent security enhancements in it that will make it far more difficult for hackers and malware writers to attack these machines. Of course, there may be some niggles in the initial release, but even so, it will be far more secure than XP.

Vista may be of concern to those users who would like to use old applications (some of them will not run in Vista by default), but users need to balance the pros of having better integrated security versus running older applications. XP users who feel cautious about running Vista initially will want to make sure that they run SP2 on their machine. SP2 offers far better security than running XP alone.

Laura Yecies (general manager of Check Point's consumer division - ZoneAlarm): We wouldn't advise consumers to center their computer purchase around an operating system. If you purchase a Windows XP system, you can always choose to upgrade later. Either way, with XP or Vista, you'll still want a good independent software solution to protect you from today's attacks. While Vista marketing touts increased security, we also expect a new OS to be analogous to waving a red cape in front of a bull...hackers won't be able to resist the challenge. That may result in even more vulnerabilities for a consumer to patch.

Olga Kobzareva (Kaspersky's head of corporate communications): From a security point of view, of course Windows Vista has several improvements which make it more secure than Windows XP SP2. But still there can't be any 100% safe operating system, and we have to remind the users that migrating from XP to Vista doesn't mean there's no need for antivirus software. Windows Vista will still need separate antivirus solutions to be installed.

David Perry (Trend Micro's director of global education): Microsoft tells us that Vista will have the best security ever, but a lot of that security will come not from the Vista OS itself. Much of the new security is tied to the 2007 release of applications like Outlook and Internet Explorer (inside Microsoft these are commonly called the "2k7" releases). Our testing (at Trend Micro) shows that, with proper Internet Security software, Vista is actually safer.

The end user really can't lose right now -- any modern name brand computer you buy right now will come with a free upgrade to Vista -- so you can get that new computer for Christmas, and wait to see how things shake out.

Brian Trombley (McAfee's product manager): From a security perspective, it doesn't matter whether you choose a new PC with Windows XP or Vista. It's critical, however, that you use up-to-date security software and that you enable automatic updates.

Most new computers include pre-installed security software, but that software is out-of-date when you first start the computer. Hence, the security software should be updated right away. If security software is not pre-installed, make that your first priority when you start your computer.

Rowan Trollope (VP of Engineering, consumer business unit, Symantec): It is important for consumers to know that the Vista operating system is not a security solution in and of itself. It has an incomplete set of security features that are not enough to protect users from the fast-evolving threat landscape. No matter which operating system consumers choose this holiday season, they need to implement a complete security solution that protects them from today's evolving security threats.

Symantec's solutions, like Norton Internet Security, provide consumers with the comprehensive protection they need. Norton Internet Security and Norton AntiVirus Vista compatible versions will be available upon Vista's release. Any existing Norton Internet Security or Norton AntiVirus 2006 or 2007 customer will be eligible for a free Windows Vista compatibility upgrade. We currently have a Vista compatible public beta of Norton Internet Security and Norton AntiVirus that consumers can try out.

Security Companies & Researchers

Bruce Schneier: For home users, always buy the latest version. For corporate users, wait a while and see.

Joanna Rutkowska: I would definitely recommend installing Vista rather than XP and if I had to pick just one reason for that it would be the User Account Control (UAC) feature, which effectively eliminates the need to run most of the unnecessary processes with administrator privileges. I know very few people who work as restricted users on their XP machines (because many applications are designed in such a way that they assume administrative rights) and this is very disturbing, because working as an administrator effectively negates any local protection the OS might be able to provide. UAC might not be perfect and we might see some ways to bypass it in the future, but still it's a very important step toward implementing the least-privilege principle in the Windows environment.

There are also many more security improvements in Vista than just UAC, like the anti-exploitation techniques (ASLR, NX) or kernel protection which is based on allowing only digitally signed code to be loaded into kernel (the latter only in the 64 bit version).

Of course, still, some people might argue that it's more likely that one finds an exploitable bug in the brand new Vista code (such as in its new network stack) rather than in the "good old" tested XP. But, in fact, no matter how "old" and well tested the operating system is, we still can never be sure that there are no bugs in there - think for example of all the kernel bugs which might be introduced by various 3rd party kernel drivers...

Vista puts much more effort, compared to XP, into making exploitation harder and limiting the damage after the unlikely event of successful exploitation.

Dino Dai Zovi: From a security standpoint, Vista would be the best choice for consumers. While Vista has not been around as long as XP, security was a focus from the ground up for Windows Vista. Vista employs a number of architectural changes oriented around security such as User Account Protection, Network Location Types, and IE7 Protected Mode. These changes make browsing the web, especially from public networks such as wireless hot-spots, much safer. I am recommending Vista to anyone buying a new PC.

Gary McGraw: I don't think there is any one size fits all answer here. It depends on what the consumer wants out of their PC experience. If the consumer wants a reliable, usable OS that is up most of the time, they might want to stick with XPsp2 until Vista is properly broken in by the brave. By this time, even the craziest of add-on devices and software work with XP. If the consumer is particularly concerned with security, they should probably go with Vista, which has a superior security architecture from what I understand.

Jon Ellch: I've never actually installed Vista, so I don't have too much of an opinion on it, but I think it's definitely fair to say that Vista will be more secure in the long run. Whether or not there are a few bugs that MS didn't find before release is an open question I guess. Even if that is the case it would seem kind of silly to recommend XP because Vista might have a rough start. Personally I'm pretty confident that MS found all the low-hanging fruit, so I wouldn't be worried.

Dan Kaminsky: "Well, uh, it's new" does not make a security advisory. Legacy code is almost always an order of magnitude scarier than the new stuff; security just didn't used to be the priority it is now. How did we get to this point? Between 2002 and 2003, insecurity became a serious threat to the Windows platform. Microsoft responded in two ways: first, they patched things up as best they could with XP SP2. Second, they mandated that the SDL (Security Development Lifecycle) would apply to everything and anything in-box for Vista. They were constrained with what they could put into a service pack. By contrast, Vista's a major release of the operating system, and it's pretty clear they took the opportunity to repair, rewrite, or remove a massive amount of cruft. Vista has also received almost unimaginable amounts of internal audit, vastly outstripping what XP SP2 received, and probably more than anything else available to the consumer market.

Vista won't have a perfect record. XP SP2 didn't either. But XP SP2 was a significant improvement, and Vista goes way beyond what XP SP2 did. There's little doubt that Vista's the most secure consumer OS released by Microsoft thus far. Security conscious customers should absolutely adopt it.

David Litchfield: All the work that went into XP SP2 and a great deal more has made it into Vista so I'd go with that. Also remember that buying a computer represents a significant investment for many people and buying an XP SP2 personal computer means it'll be obsolete sooner rather than later. All round it's better to go for Vista.

Greg Hoglund: Clearly XP has been 'battle tested' for quite some time. The parts of XP that have been cut-n-pasted into Vista will inherit that hardening, but new features and new integrations always give rise to unforeseen behavior - so yes, if you're paranoid, don't upgrade until Vista has been out for a year or so.

Mitchell Ashley (StillSecure's CTO): Consumer PC buyers will be purchasing XP with their computers this Christmas. Vista will be available for retail purchase in January. In the interim Microsoft is offering an Express Upgrade program with new PC purchases.

Microsoft's Express Upgrade allows PC purchasers to choose when they upgrade to Vista and which version of Vista. Christmas consumers have a choice when they upgrade to Vista. After January, new PCs will be shipping with Vista giving buyers little choice which OS they use unless they purchase online and request XP.

Vista has many significant security improvements but we have to be realistic. New security vulnerabilities will be found in Vista for months and years to come. It will sound like big news but we should all expect it. While Windows XP may have more scrutiny, Vista won't have large market penetration for many months. Since security updates are automated in Vista most consumers will be well protected; just don't disable Vista's security features.

Ivan Arce (CORE Security Technologies' CTO): If you are focusing on the consumer market only and not considering the corporate user I'd lean towards Vista rather than XP SP2. Allegedly most end-users tend to be much more lax about the security posture of their systems than their corporate counterparts (not because of users per se but due to already deployed security mechanisms within corporate networks), so initially relying on the security improvements included in Vista will give them a head start against attacks. However, they should watch closely any developments of security threats in Vista because attackers will catch up...eventually (I can't forecast how fast that will happen but it is dependent on how much Microsoft really improved their security development lifecycle process).

The corporate user environment is a different story though. There one would prefer to manage the known risk of an existing and already deployed platform rather than to attempt to obtain quick tactical security gains at the expense of assuming less-known risks, possibly at a high cost of deployment.

Finally, hardware requirements and third party software compatibility are important factors to consider for a security-focused decision between Vista and XP SP2 in both the consumer and enterprise segments. As a consumer, if you are buying a new system anyhow I think you won't have many options but to go with Vista if you want the latest and greatest hardware, but in doing so you'll most likely put all the eggs in Microsoft's basket. Also, you'll be betting that security-wise they got it right this time (or at least much better than the previous time), the maturity of third-party security software for Vista, or even the future availability of several currently existing packages for XP/W2k/etc is a moot point.

Marc Maiffret (eEye Digital Security's CTO): Consumers buying a new PC should prefer to have Vista installed. Microsoft continues to improve code quality and Vista will be another jump forward in terms of doing more to secure their software. Additionally, we're seeing that most major PC vendors are offering a 'free upgrade to Vista' coupon with all PCs they are shipping; it doesn't make sense to not redeem the coupon.

That being said, if you are already an owner of a PC that has XP with SP2, there really aren't many compelling reasons to rush out and buy Vista, as it is not so much more secure that a consumer should shell out even more money for Vista. Add in a non-security perspective, and Vista is lacking in any real new features that make it compelling to spend money on it.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Federico Biancuzzi is a freelancer. In addition to SecurityFocus he also writes for ONLamp, LinuxDevCenter, and NewsForge.