Symantec paints less-than-rosy picture of Vista security

Symantec on Wednesday published four technically oriented studies on Microsoft Vista security in what it says is an effort to inform enterprise managers and software developers about what it views as both limitations and positive changes in the operating system.

The four white papers reveal their technical bent in weighty titles that include “An Analysis of Address Space Layout Randomization on Windows Vista,” “An Analysis of GS protections in Windows Vista,” “The Impact of Malicious Code on Windows Vista,” and the less technical summary entitled “Microsoft Windows Vista and Security.”

According to Oliver Friedrichs, Symantec director of security response, the basic points to take away from these studies are that while Vista is designed to be more secure than previous Microsoft desktop operating systems, it is less bulletproof than some of the hype makes it out to be.

“Microsoft has made some improvements and we want to commend them for that,” Friedrichs says. “But it’s not the panacea it has been portrayed.”

Specifically, Vista is designed to make use of a Buffer Security Check compiler option, known by its flag name “GS,” to help eradicate buffer overflow and heap overflow attacks. But “it requires the software engineer to enable the functionality to prevent buffer overflows and heap overflows,” Friedrichs says. “If you don’t enable it, you can still do this.”

Symantec also says it conducted tests showing that Vista is still vulnerable to the malicious code that has plagued XP and previous versions of Windows, though much less so.

As part of a lab test, Symantec says it took 2,000 varieties of malicious code, including backdoors, keyloggers, rootkits, mass mailers, Trojans, spyware, adware and unsorted samples, and watched how each performed on Vista and whether the malware survived a system reboot.

Out of 197 keylogger binaries, for example, 60 successfully executed and five managed to survive a restart. Out of 197 backdoors, 143 successfully executed, though only six managed to modify a registry key or the start-up directory allowing them to execute on a system start.

Of 113 mass mailers, 81 successfully executed and four managed to survive a system reboot. Out of 210 Trojan binaries, 145 successfully executed and four survived a reboot. Out of 150 spyware and 74 adware binaries, 260 and 118 respectively managed to successfully execute, according to Symantec. Only four spyware and two adware binaries managed to survive system restarts.

In the unsorted class of malware, out of 728 binaries, 439 successfully executed and 34 survived a reboot.

One observation Symantec made in its report about this lab test is that malicious code found in the wild that targets Windows XP and previous versions of Windows was less effective on Vista, mainly because of Vista’s User Account Control design.

But Symantec predicts that as Vista is more widely deployed, “attackers will adapt to the new environment.”

Technical means in Vista that might be attractive to attackers in the future include registry keys created to allow legitimate programs to load during the boot process of the operating system, Symantec points out.

Attackers may also look to third-party software that contains an executable that uses one of the registry keys to launch during system start-up.

Attackers are also likely to look at the APIs known as SetWindowsHookEx and GetAsyncKeyState, leveraging them to hijack sensitive information from a user’s desktop.

In the white paper entitled “Microsoft Windows Vista and Security,” Symantec notes that in Vista, Microsoft has enabled IPv6 and made it the preferred protocol by default. Microsoft has also included a protocol called Teredo, which allows tunneling of IPv6 over IPv4.

“The implication is that the vast majority of Windows Vista hosts are, by default, remotely accessible via IPv6 and Teredo,” Symantec states in the paper. “The usage of Teredo has the side effect of bypassing many firewall and network-address translation configurations. This has significant consequences for enterprises that rely on network-based protection, since perimeter security devices and other network defenses such as intrusion-prevention systems and intrusion-detection systems will need to be upgraded in order to understand and decapsulate this new protocol.”
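The decapsulation Symantec says perimeter devices will need is straightforward to illustrate. The following is an added example, not code from Symantec’s paper or the article: it takes the UDP payload of a Teredo packet (RFC 4380, UDP port 3544), strips an optional origin-indication header, reads the inner IPv6 header, and decodes the server IPv4, client port and client IPv4 embedded in the Teredo source address. The sample packet is constructed for the demonstration.

```python
import struct
import ipaddress

TEREDO_UDP_PORT = 3544                                   # Teredo service port (RFC 4380)
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")       # Teredo IPv6 prefix

def parse_teredo_address(addr):
    """Recover the IPv4 server, NAT type, client port and client IPv4 embedded in a Teredo address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    flags, obf_port = struct.unpack("!HH", raw[8:12])
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "cone_nat": bool(flags & 0x8000),
        "client_port": obf_port ^ 0xFFFF,                # port is stored bit-inverted
        "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))),  # so is the IPv4
    }

def decapsulate_teredo(udp_dst_port, udp_payload):
    """Return the inner IPv6 header fields if the UDP payload is a Teredo data packet, else None."""
    if udp_dst_port != TEREDO_UDP_PORT:
        return None
    if udp_payload[:2] == b"\x00\x00" and len(udp_payload) >= 8:   # 8-byte origin indication header
        udp_payload = udp_payload[8:]
    if udp_payload[:2] == b"\x00\x01":                              # authentication header: not decoded here
        return None
    if len(udp_payload) < 40 or udp_payload[0] >> 4 != 6:           # need a full IPv6 header, version 6
        return None
    payload_len, next_header = struct.unpack("!HB", udp_payload[4:7])
    src = ipaddress.IPv6Address(udp_payload[8:24])
    dst = ipaddress.IPv6Address(udp_payload[24:40])
    return {"src": str(src), "dst": str(dst), "next_header": next_header,
            "payload_len": payload_len, "teredo_src": parse_teredo_address(src)}

# Constructed sample: IPv6 header carrying 8 bytes of ICMPv6 (next header 58, hop limit 64)
# from a Teredo client behind a cone NAT to the documentation address 2001:db8::1.
SAMPLE_SRC = ipaddress.IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2")
SAMPLE_DST = ipaddress.IPv6Address("2001:db8::1")
SAMPLE_TEREDO_PAYLOAD = (struct.pack("!IHBB", 0x60000000, 8, 58, 64)
                         + SAMPLE_SRC.packed + SAMPLE_DST.packed + bytes(8))

if __name__ == "__main__":
    print(decapsulate_teredo(TEREDO_UDP_PORT, SAMPLE_TEREDO_PAYLOAD))
```

A sensor that only inspects the outer IPv4/UDP header sees a single UDP flow to port 3544; the inner addresses above are what an IPv6-aware filter would need to apply its policy to.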

In summary, Symantec predicts “the new security features in Windows Vista will result in fewer instances of widespread worms that target core operating system vulnerabilities.”

But Symantec adds it “does not believe that Windows Vista security improvements will stifle other classes of malicious code that have historically targeted the Windows operating system.”
