
Does Vista mean the end of malware?

Microsoft Windows Vista could be the superhero you've been waiting for, possibly putting an end to malware as we know it, according to security expert Serdar Yegulalp. This tip explains why this may be the case, thanks to new features like UAC and Windows Defender.

There's no question that Microsoft wants people to believe Windows Vista is the most secure version of Windows yet. On Vista's homepage, security is the second-highest listed feature aside from the user experience. How can Microsoft be so sure? The company solicited endless rounds of feedback from beta testers to make sure Vista's new security functions worked well.

The end result, as I've tested it in its release candidate form, is quite promising -- but will Vista mean the end of malware worries for Windows users when they upgrade to it?

The time factor

The first thing to keep in mind is Vista's availability. The vast majority of people will only benefit immediately from Vista if they actually upgrade to it. Since most Windows licenses are sold as OEM preloads with existing PCs and are not boxed copies of the operating system (OS), that means the pace of upgrades to Vista will largely match the pace of replacements for existing PCs. If Vista eclipses XP at the rate that XP eclipsed previous versions of Windows, it may be as long as three years before the majority of Windows desktops run Vista.

In the meantime, most people will still be running XP -- and even if they're running the most recent and updated version of XP, that seems to have had little impact on how easily they are compromised by malware. eWeek did a deconstruction of a massive spam-sending botnet herd, and the vast majority of the infected machines were indeed running Windows XP Service Pack 2. Even if existing Vista machines can't be compromised directly by the same Trojans, they have to live in the same world as those compromised XP computers, which, in this particular case, may be bombarding them with thousands of stock-scam spams.

Possibly, there are a few positive "back-impacts" from Vista's development that in the future may help with XP's own security, if not immediately. One of them is the more stringent code review process Microsoft adopted during Vista's gestation. Signs already point tentatively to that having been a good idea: The latest crop of security alerts for Windows and Microsoft Office do not show the same vulnerabilities in Vista or Office 2007. (This isn't to say that Vista and Office 2007 aren't going to show any security issues -- only that they aren't likely to be vulnerable to the same grade of issues.) In time, future updates to XP ought to tighten things up that much further, provided, of course, that the people who need them download them and apply them in the first place.

UAC and Windows Defender

The under-the-hood changes to Vista's security revolve around a few new mechanisms that make it far more difficult for an unwanted program to dig its hooks into Windows. One of the biggest changes, User Account Control (UAC), forces the user to approve certain actions manually, such as launching a program that could change certain system settings or installing an application with full administrative rights.

By default, applications in Vista are not run as administrator, even if you log in under an admin account. You need to specifically declare that a given application will run as admin before it does. Typically, you do that by shift-right-clicking on the program in question and selecting "Run as Administrator." Most applications that are not written specifically for Vista need to be installed under admin rights to work properly as well.

The worst-case scenario is that people will grow frustrated with unexpected application behaviors, turn off UAC entirely (which is possible and doesn't require a hack) and then re-expose themselves to many of the same issues that Vista was designed to prevent.

Another problem is the question of what's "unwanted." Many people who install malware do not realize that what they're installing is, in fact, bad for their PC, and sometimes they jump through a fair number of hoops to install it!

In short, UAC is only going to protect people who learn how to work with it, rather than against it. If you're responsible for educating people about the way Vista works, make it a top priority to tell people exactly how UAC works and how they must deal with it.

Vista also comes pre-equipped with Windows Defender, a set of interlocking anti-malware and system-protection tools including a revised version of the Windows firewall that debuted in XP. Defender is turned on by default and protects a system actively against a variety of unauthorized changes, such as if an application tries to register itself to start automatically without your authorization.

Defender can also be disabled by the user (albeit through a UAC action). One of the bigger worries I had about Defender, as with UAC, is that it would prove to be a frustration and that people would turn it off just to get regular work done. This does not seem to be the case. But, again, people moving to a Vista computer and encountering Defender for the first time would need some degree of training to understand what it implies for them. Be sure you tell them not to simply turn it off out of spite without perhaps replacing it with something else or having other programs or protocols in place to prevent attacks.
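As an added example that is not part of the original article, the PowerShell audit script below checks for exactly the two failure modes described above: UAC switched off (or set to elevate administrators silently) and Defender real-time protection turned off, and it also reports whether the current shell already carries a full administrator token. It assumes the standard registry locations for the UAC policy values and for Defender's real-time protection switch as laid out on current Windows releases, not Vista's original layout.

```powershell
# Added audit script, not from the original article. Reads the documented UAC
# policy values and the Windows Defender real-time protection switch from the
# registry and reports whether this session already holds an administrator token.
# It only reads; run it from an ordinary (non-elevated) PowerShell prompt.

$uacKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$defenderKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'

$uac = Get-ItemProperty -Path $uacKey

# EnableLUA = 1 means UAC is on. 0 means someone turned it off entirely,
# so every program an admin user starts gets full administrative rights.
$uacEnabled = ($uac.EnableLUA -eq 1)

# ConsentPromptBehaviorAdmin: 0 = elevate without prompting, which keeps
# UAC "on" in name only; the other values require a consent or credential prompt.
$silentElevation = ($uac.ConsentPromptBehaviorAdmin -eq 0)

# Defender writes DisableRealtimeMonitoring = 1 when real-time protection is off.
# The value is absent when protection has never been disabled. Assumption: if the
# key cannot be read at all, the script treats protection as on; confirm in the UI.
$rt = Get-ItemProperty -Path $defenderKey -ErrorAction SilentlyContinue
$defenderRealtime = -not ($rt -and $rt.DisableRealtimeMonitoring -eq 1)

# Does this PowerShell process already run with a full administrator token?
# Under UAC an admin user's normal shell answers False until it is elevated.
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$report = [PSCustomObject]@{
    UacEnabled           = $uacEnabled
    SilentAdminElevation = $silentElevation
    DefenderRealtimeOn   = $defenderRealtime
    SessionElevated      = $isElevated
}
$report

if (-not $uacEnabled)       { Write-Warning 'UAC is disabled; re-enable it (EnableLUA = 1) and reboot.' }
if ($silentElevation)       { Write-Warning 'Administrators elevate without any prompt; UAC adds no protection here.' }
if (-not $defenderRealtime) { Write-Warning 'Defender real-time protection is off; confirm another product covers it.' }
```

Changing EnableLUA requires an elevated session and a reboot to take effect, so the script deliberately reports rather than repairs.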

The known and unknown threats

One thing seems clear: The tighter Vista's native protections get, the more third parties are going to find ways to subvert the operating system that weren't even considered viable before.

While Vista was still in beta, security researcher Joanna Rutkowska discovered that unsigned kernel code could be back-injected into the OS by modifying the page file; Microsoft's response (admittedly a bit heavy-handed) was to disallow any application from performing sector-level writes to disk without operating through a signed kernel driver.

The presence of such possibilities was deeply troubling to security analysts because they signaled how a cunning hacker could simply perform an end-run around Vista's defenses. Using rootkits or other subversive technologies to hide their tracks, they might be able to slip through such cracks without ever coming up against UAC or any of Windows's other defenses. On the other hand, the attack was not something that had been witnessed in the wild, and now Microsoft had been at least made aware of how such things can be engineered.

The motives behind hijacking people's computers will not diminish. There's more incentive than ever to do this -- it's big business. Those who make use of exploits to write malware usually do so for one reason: stealing (typically from someone's bank account). Additionally, people who discover system exploits can resell them on the black market for cash -- tens of thousands of dollars each -- and those exploits are, in turn, used by criminals to steal from unsuspecting victims.

Vista could mean the end of malware as we have come to know it: most commonly in the form of browser plug-in exploits and AIM links that launch Trojans. This would be a great thing, and it is much overdue. But, it may be the beginning of the next wave in malware -- intrusions so subtle and difficult to detect that Vista users (and Microsoft, too) will be forced to retrench once again.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
