Does Vista mean the end of malware?


Serdar Yegulalp, Contributor
01.03.2007


There's no question that Microsoft wants people to believe Windows Vista is the most secure version of Windows yet. On Vista's home page, security is the second-highest listed feature, behind only the user experience. How can Microsoft be so sure? The company solicited round after round of feedback from beta testers to make sure Vista's new security functions worked as intended.

The end result, as I've tested it in release-candidate form, is quite promising -- but will Vista mean the end of malware worries for the Windows users who upgrade to it?

The time factor

The first thing to keep in mind is Vista's availability. The vast majority of people will only benefit immediately from Vista if they actually upgrade to it. Since most Windows licenses are sold as OEM preloads with existing PCs and are not boxed copies of the operating system (OS), that means the pace of upgrades to Vista will largely match the pace of replacements for existing PCs. If Vista eclipses XP at the rate that XP eclipsed previous versions of Windows, it may be as long as three years before the majority of Windows desktops run Vista.

In the meantime, most people will still be running XP -- and even if they run the most recent, fully patched version of XP, that seems to have had little effect on how easily they are compromised by malware. eWeek deconstructed a massive spam-sending botnet, and the vast majority of the infected machines were running Windows XP Service Pack 2. Even if Vista machines can't be compromised directly by the same Trojans, they have to live in the same world as those compromised XP computers, which, in this particular case, may be bombarding them with thousands of stock-scam spams.

Vista's development may also have a few positive side effects on XP's own security, if not immediately. One of them is the more stringent code review process Microsoft adopted during Vista's gestation. Signs already tentatively point to that having been a good idea: the latest crop of security alerts for Windows and Microsoft Office does not show the same vulnerabilities in Vista or Office 2007. (This isn't to say that Vista and Office 2007 won't have security issues -- only that they are less likely to be vulnerable to the same class of flaws.) In time, future updates to XP ought to tighten things up further, provided, of course, that the people who need them download and apply them in the first place.

UAC and Windows Defender

The under-the-hood changes to Vista's security revolve around a few new mechanisms that make it far more difficult for an unwanted program to dig its hooks into Windows. One of the biggest changes, User Account Control (UAC), forces the user to approve certain actions manually, such as launching a program that changes system-wide settings or installing an application that needs full administrative rights.

By default, applications in Vista do not run as administrator, even if you log in under an admin account: the session runs with a filtered token, and a program gets the full administrator token only when it is explicitly elevated. Typically you do that by right-clicking the program and selecting "Run as administrator"; a program written for Vista can instead declare the privilege level it needs in its application manifest (the requestedExecutionLevel element), and Vista's installer-detection heuristic prompts for elevation automatically for most setup programs. Most applications that were not written specifically for Vista still need to be installed under admin rights to work properly.

The worst-case scenario is that people grow frustrated with unexpected application behaviors, turn off UAC entirely (which is possible from the User Accounts control panel and doesn't require a hack) and re-expose themselves to many of the same issues Vista was designed to prevent.
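The two things an administrator needs to check here are whether UAC is actually still on and whether a given process has been elevated. The following PowerShell script is an added example, not code from the original article: it reads the documented UAC policy values from the registry, reports whether the current process holds a full administrator token, and shows the programmatic equivalent of "Run as administrator". The registry path and value names are Microsoft's; the function names and the "suspicious configuration" warnings are this example's own.

```powershell
# Added example (not from the original article): inspect UAC state and
# request elevation the way the "Run as administrator" menu item does.

function Test-IsElevated {
    # Under UAC an administrator's ordinary processes carry a filtered token in
    # which the Administrators group is marked deny-only, so IsInRole returns
    # $false until the process has been elevated through a UAC prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacPolicy {
    # Machine-wide UAC policy lives under this key (documented policy values).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        # 0 = UAC switched off entirely: the Control Panel switch the text warns about.
        EnableLUA                  = $p.EnableLUA
        # Behavior for administrators: 0 = elevate silently (never prompt),
        # 2 = prompt for consent (the Vista default).
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        # Behavior for standard users: 0 = deny elevation, 1 = prompt for admin credentials.
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        # 1 = prompts are shown on the secure desktop so other windows cannot spoof them.
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Invoke-Elevated {
    param([Parameter(Mandatory = $true)][string]$FilePath, [string[]]$ArgumentList)
    # -Verb RunAs asks the shell for elevation; UAC shows its prompt and the user
    # must consent (a standard user must supply administrator credentials).
    $params = @{ FilePath = $FilePath; Verb = 'RunAs' }
    if ($ArgumentList) { $params['ArgumentList'] = $ArgumentList }
    Start-Process @params
}

# Usage: audit the policy first, then elevate only when it is really needed.
$policy = Get-UacPolicy
if ($policy.EnableLUA -eq 0) {
    Write-Warning 'UAC is disabled (EnableLUA = 0): every process an administrator starts gets a full token.'
} elseif ($policy.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'UAC is on but elevates administrators silently: no prompt will ever appear.'
}
"Current process elevated: $(Test-IsElevated)"
$policy | Format-List
if (-not (Test-IsElevated)) {
    # Opens an elevated command prompt; remove this call to run non-interactively.
    Invoke-Elevated -FilePath 'cmd.exe'
}
```

EnableLUA = 0 is exactly the state the paragraph above describes: UAC off, no hack required, and every administrator process back to running with full rights. ConsentPromptBehaviorAdmin = 0 is the less obvious equivalent, because UAC appears to be on but never asks.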

Another problem is the question of what counts as "unwanted." Many people who install malware do not realize that what they're installing is bad for their PC, and sometimes they jump through a fair number of hoops to install it!

In short, UAC is only going to protect people who learn how to work with it rather than against it. If you're responsible for educating people about the way Vista works, make it a top priority to tell them exactly how UAC works and how they must deal with it.

Vista also comes pre-equipped with Windows Defender, its built-in anti-spyware and system-protection tool. (The revised Windows Firewall, which in Vista can filter outbound as well as inbound traffic, is a separate component, not part of Defender.) Defender is turned on by default, and its real-time protection watches for a variety of unauthorized changes, such as an application registering itself to start automatically without your authorization.
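What Defender's real-time protection is watching in that last case is a small set of well-known autostart locations. The PowerShell script below is an added example, not code from the original article or from Windows Defender itself: it enumerates the Run/RunOnce keys and the Startup folders and flags the entries a reviewer would look at first (image missing, unsigned or invalidly signed, or living outside the Windows and Program Files directories). The key paths and folder names are standard Windows locations; the function names and the "suspicious" heuristic are this example's own assumptions.

```powershell
# Added example (not from the original article): audit the autostart
# registrations that Defender-class real-time protection monitors.

function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
    # Per-user and all-users Startup folders.
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            New-Object PSObject -Property @{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Resolve-ImagePath([string]$Command) {
    # Accepts  "C:\Program Files\App\app.exe" /tray  as well as  C:\App\app.exe /tray
    # and expands %SystemRoot%-style references before returning the image path.
    if ($Command -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    elseif ($Command -match '^\s*(\S+?\.(exe|cmd|bat|lnk|vbs|js|scr))\b') { $path = $Matches[1] }
    else { $path = ($Command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Test-AutostartEntry($Entry) {
    $path   = Resolve-ImagePath $Entry.Command
    $exists = Test-Path -LiteralPath $path
    # Authenticode status: 'Valid' only when the image carries a trusted signature.
    $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'Missing' }
    # Heuristic (this example's own): legitimate autostarts usually live under
    # %SystemRoot% or a Program Files tree; anything elsewhere deserves a look.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $path -like "$_\*" }
    $inTrustedDir = ($trusted -contains $true)
    New-Object PSObject -Property @{
        Source     = $Entry.Source
        Name       = $Entry.Name
        Image      = $path
        Signature  = $status
        Suspicious = (-not $exists) -or ($status -ne 'Valid') -or (-not $inTrustedDir)
    }
}

# Usage: suspicious entries are sorted to the top of the report.
Get-AutostartEntries | ForEach-Object { Test-AutostartEntry $_ } |
    Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Signature, Name, Image -AutoSize
```

An unsigned image in a user-profile directory is the typical shape of the "register itself to start automatically" change Defender prompts about; running this before and after a suspect installation shows exactly what the installer added.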

Defender can also be disabled by the user (albeit through a UAC-protected action). One of my bigger worries about Defender, as with UAC, was that it would prove a frustration and that people would turn it off just to get regular work done. That does not seem to be the case. But, again, people moving to a Vista computer and encountering Defender for the first time will need some training to understand what it means for them. Be sure to tell them not to simply turn it off out of irritation without replacing it with something else or having other programs or procedures in place to prevent attacks.

The known and unknown threats

One thing seems clear: The tighter Vista's native protections get, the more third parties are going to find ways to subvert the operating system that weren't even considered viable before.

While Vista was still in beta, security researcher Joanna Rutkowska showed that unsigned code could be loaded into the kernel by writing directly to the disk sectors holding paged-out kernel memory (the page file), bypassing the driver-signing requirement of 64-bit Vista. The attack already needed administrative rights, but it needed no signed driver. Microsoft's response (admittedly a bit heavy-handed) was to disallow user-mode applications from performing sector-level writes to a mounted volume; such writes now have to go through a signed kernel driver.

The presence of such possibilities was deeply troubling to security analysts because it showed how a cunning attacker could simply perform an end run around Vista's defenses. Using rootkits or other subversive techniques to hide their tracks, they might slip through such cracks without ever coming up against UAC or any of Windows' other defenses. On the other hand, the attack had not been seen in the wild, and Microsoft had at least been made aware of how such things can be engineered.

The motives behind hijacking people's computers will not diminish. There's more incentive than ever to do it -- it's big business. Those who use exploits to write malware usually do so for one reason: stealing (typically from someone's bank account). Additionally, people who discover exploitable flaws can resell them on the black market for cash -- tens of thousands of dollars each -- and the buyers in turn use them to steal from unsuspecting victims.

Vista could mean the end of malware as we have come to know it: most commonly browser plug-in exploits and AIM links that launch Trojans. That would be a great thing, and it is long overdue. But it may also be the beginning of the next wave of malware -- intrusions so subtle and hard to detect that Vista users (and Microsoft, too) will be forced to retrench once again.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
