In my last post I briefly touched on those features of Windows Vista that I think matter when comparing Windows XP with Windows Vista. Let's take a different approach now. I was recently on a panel in Eastern Europe where I was asked which model produces more secure software: shared source (like ours) or open source. I asked back whether they could define "more secure" for me. It turned out that we were talking about vulnerabilities.
Let's look at some statistics, starting with vulnerabilities:
In Jeff Jones' Desktop OS Vulnerability Report we published vulnerability figures across desktop OS vendors, and that view alone already gives you a reason to migrate to Windows Vista:
That is the view on an industry-wide problem, and it gives us confidence that our Security Development Lifecycle works. But how does Windows XP compare with Windows Vista? The report has a really interesting chart on that:
Comparing Windows XP and Windows Vista, we see several things:
So this picture shows very well that the defense in depth in Windows Vista (technologies like ASLR, DEP, UAC and so on) actually pays off.
Another view on this is the attack/malware side. In our Security Intelligence Report v5 we look at browser-based exploits and at which software the criminals attack on Windows XP and on Windows Vista. The picture for XP looks like this:
In browser-based exploits on Windows XP, Microsoft software was the target 58% of the time and third-party software 42% of the time. This changes drastically on Windows Vista:
Here the share of attacks on our software drops to 6%!
The Security Intelligence Report has other figures as well (such as the malware infection rate on the different operating systems), but I want to leave it at that.
We once discussed an interesting question in our community: if we could give our customers just one piece of advice, what would it be? I think it would be to stay on the latest versions of all your software. The reason is not license fees or anything like that; it is that this is the only way to cope with the changing threat landscape.
My impression was that Vista fared better than XP with respect to the MS08-067 bug, mostly because of the DEP/ASLR combination. I'm not sure UAC really figures into it.
I went into this in more detail in this blog: http://blogs.pcmag.com/securitywatch/2008/11/why_vista_looks_good_after_the.php
It is interesting to me how many people (and I do not refer to you) are writing something without really reading the reliable sources, which have insights. Again, I am not referring to you; I just got a lot (and I really mean a lot) of questions around this vulnerability, and most of them referred to sources that I doubt looked into the details.
I appreciate your comment, as it seems that your source caused some misconceptions. If you go to the MSRC blog (Microsoft Security Response Center), which is responsible for running the process around security vulnerabilities, and look at their post (Microsoft out-of-band Security Bulletin (MS08-067) Webcast Q&A), I would like to quote:
"Q: On Windows Vista, if User Access Control (UAC) has been disabled, should this be considered critical instead of important?
A: If the UAC prompting is disabled, the integrity levels foundational work still works to require authentication. The Security Vulnerability Research & Defense blog has a LOT more information about this. It is still important though…Protections afforded by UAC enhancements are in place even if the UAC prompting has been disabled."
The SWI blog (referenced above) also gives you some additional, really deep, background on the vulnerability:
"UAC mitigates even when the prompting is disabled
As mentioned above, Windows Vista and Windows Server 2008 by default require authentication. But the security callback on the RPC interface has not been changed on the more recent platforms. Instead, the UAC and integrity level hardening work introduced with Vista is forcing the authentication requirement. The anonymous user connects with integrity level "Untrusted" while the named pipe requires at least a "Low" integrity level. Since "Untrusted" is lower than "Low" integrity level, the access check fails. Note that disabling the UAC prompt does not disable the integrity level access check. In other words, regardless of whether the UAC prompt is enabled or disabled, the integrity level check will be performed. The integrity level check will fail on Vista and Windows Server 2008 if the user connects anonymously. See http://msdn.microsoft.com/en-us/library/bb625963.aspx for more information.
There is a non-default scenario where a non-domain-joined Windows Vista and Windows Server 2008 can be exploited anonymously. If the feature "Password Protected Sharing" is disabled, anonymous connections come in at "Medium" integrity level. Because "Medium" integrity level is a higher integrity level than "Low", the integrity level check will succeed. This would allow Windows Vista and Windows Server 2008 to be exploited anonymously. This feature could be disabled through Vista's Network Sharing Center in the "Sharing and Discovery" section."
Last but not least, DEP was already part of Windows XP SP2, even though a lot of OEMs disabled it.
Does this help? Again, I did not want to insult you in any way. I just do not like all the speculation that is not based on technical knowledge and analysis, not even on sound investigation (like the link above).
Any comment from your side is more than appreciated!
I hadn't really thought much about UAC with respect to this vuln. As Mark Russinovich says, it's not a security barrier. If the user clicks Continue, then it hasn't done anything.
As I say in my own blog, DEP is a barrier here, but there are ways around DEP. But those ways around DEP themselves run into ASLR. There are ways around ASLR but they are long shots.
Nobody is probably going to go to the trouble of building an exploit that might, in rare circumstances, exploit a Vista system by getting through DEP and ASLR, even if it may work a small percentage of the time. The defense-in-depth in Vista, as you say, is formidable. Your odds of getting through with social engineering are much better than a technical exploit of even a serious bug like this.
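The post and the comment thread above turn on the state of a handful of mitigations: whether DEP is actually enabled (the reply notes many OEMs shipped XP SP2 with it off), whether the UAC prompt is merely silenced or UAC is off altogether, whether "Password Protected Sharing" is off (the non-default case in which anonymous connections arrive at Medium integrity), and whether a given binary opts into ASLR and DEP. The following PowerShell audit is an added example written for this page; it is not code from the original post, its comments, Microsoft or the MSRC/SWI blogs. The function names are mine, and the mapping of "Password Protected Sharing" to the state of the built-in Guest account is an assumption stated in the code rather than something the page says. Run it from an elevated Windows PowerShell (3.0 or later for Get-CimInstance).

```powershell
# Added example: audit the Vista-era mitigations discussed on this page.
# Not from the original post; function names and the Guest-account mapping are assumptions.

function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut.
    # "AlwaysOff" is the state an OEM would have shipped if it disabled DEP on XP SP2.
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        DepPolicy            = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Get-UacState {
    # Two different things are often both called "UAC disabled":
    #   EnableLUA = 0                  -> UAC switched off entirely
    #   ConsentPromptBehaviorAdmin = 0 -> only the elevation prompt is silenced
    # The SWI text above is about the second case (prompt off, integrity checks still enforced).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        UacOff                     = ([int]$p.EnableLUA -eq 0)
        PromptSilenced             = ([int]$p.EnableLUA -eq 1 -and [int]$p.ConsentPromptBehaviorAdmin -eq 0)
    }
}

function Get-GuestAccountState {
    # Assumption (not stated on this page): turning off "Password Protected Sharing" in the
    # Network and Sharing Center enables the built-in Guest account, so an enabled Guest
    # account is the indicator to look for. ADS_UF_ACCOUNTDISABLE = 0x2 in UserFlags.
    $guest    = [ADSI]'WinNT://./Guest,user'
    $disabled = ([int]$guest.UserFlags.Value -band 0x2) -ne 0
    [pscustomobject]@{ GuestEnabled = (-not $disabled) }
}

function Get-PeMitigationFlags {
    param([Parameter(Mandatory)][string]$Path)
    # Reads IMAGE_OPTIONAL_HEADER.DllCharacteristics straight from the file:
    #   IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040 (ASLR opt-in, /DYNAMICBASE)
    #   IMAGE_DLLCHARACTERISTICS_NX_COMPAT    = 0x0100 (DEP opt-in, /NXCOMPAT)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not a PE file" }
    $peOff = [BitConverter]::ToInt32($b, 0x3C)               # e_lfanew
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { throw "$Path has no PE signature" }
    # 4-byte "PE\0\0" signature, then the 20-byte COFF header, then the optional header.
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    $optHdr  = $peOff + 4 + 20
    $dllChar = [BitConverter]::ToUInt16($b, $optHdr + 70)
    [pscustomobject]@{
        File        = [System.IO.Path]::GetFileName($Path)
        DynamicBase = (($dllChar -band 0x0040) -ne 0)
        NxCompat    = (($dllChar -band 0x0100) -ne 0)
    }
}

# Usage: system-wide state first, then the per-binary opt-in flags for a few system executables.
Get-DepPolicy
Get-UacState
Get-GuestAccountState
Get-ChildItem -Path "$env:SystemRoot\System32" -Filter *.exe |
    Select-Object -First 10 |
    ForEach-Object { Get-PeMitigationFlags -Path $_.FullName } |
    Format-Table -AutoSize
```

The point of separating EnableLUA from ConsentPromptBehaviorAdmin is the one the MSRC Q&A makes: a machine whose prompt has been silenced is not the same as a machine with UAC off, and only the first still gets the integrity-level check described in the SWI excerpt. The PE check is the per-binary counterpart to the system-wide DEP policy: under the default OptIn policy, a process only gets DEP if its image (or a policy) opts in, and it only gets ASLR if it was linked with /DYNAMICBASE.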