• Symantec clears Vista on malware

    There is a nice article in which Symantec talks about Windows Vista: http://www.vnunet.com/vnunet/news/2184521/symantec-clears-vista-malware

    They quote the Symantec report and then talk to a person from Sophos. 

    Let's look at a few quotes:

    Graham Cluley, senior technology consultant at Sophos, said that the User Account Control in Vista is an important enhancement designed to prevent the installation of malware.

    I like that statement (obviously).

    "However, it is also very intrusive with a high number of alerts that end users need to respond to, so there is a strong likelihood of it being disabled unless they are trained in how to use it," he added.

    This is something I simply do not get. I am running Vista at home on all the PCs. Everyone runs as a standard User and - obviously - on every machine UAC is enabled. When you install applications or initially set the machine up, I agree, there are prompts. Well, I want there to be prompts, as an installation task needs elevation! Looking at my wife and my kids - they never get any prompts anymore. I sometimes wonder what people do with their machines when they complain about UAC. OK, if you are a geek, installing and uninstalling software, you get a prompt for each of these tasks, but think about it - does it not make sense to get these prompts?

    Symantec's study found that between 96 and 98 per cent of malware such as spyware and Trojans is also blocked.

    I start to like the report even more :-) - and this is without AV.

    However, the firm warned that malware writers could decrease those percentages by making only minor changes to their code.

    Cluley agreed that Vista is the most secure operating system yet from Microsoft, but pointed out that it will still be targeted.

    "Better security does not mean perfect security. The only 100 per cent secure computer is probably one without an internet connection, and with the keyboard and all disk drives disconnected," he said.

    Well, we never said that it is a "secure" OS; we said that it is the most secure OS ever. There will be malware, there will be vulnerabilities and there will be Security Updates, no doubt. But we expect it to be much, much less. And this is a trend we already see: the attacks are moving up the stack into the applications and towards the end-user. Not that this is a very good thing, as it moves the problem to a new level, but it shows that the measures taken in XP SP2 and Vista start to pay off.

    Symantec originally mauled Vista back in August 2006, pointing to security flaws that would allow computers to be easily overtaken by malicious parties.

    "During this research we discovered a number of implementation flaws that continued to allow a full machine compromise to occur," the 2006 report said.

    "By exploiting these flaws, a low-privilege, low-integrity level process can bypass User Account Protection, and ultimately execute code at a high-privilege, high-integrity level."

    However, those tests were carried out on early release code and Symantec said that security would continue to be addressed until the final release, with some of the holes already plugged by Vista Beta 2.

    Let's just leave that as it is. We see this happen often with other products as well: people compare a Beta with other (final) products and complain....

    Cheers from the Helsinki airport (BTW: they have snow, compared to us in Switzerland)

    Roger

  • Distribution of Trojan Horses

    Well, we are discussing Trojan Horses and targeted Trojans all over the place. There is an excellent video showing how Trojan horses work :-)

    http://www.youtube.com/watch?v=Xs3SfNANtig

    Roger

  • How Secure is Windows Vista

    We launched Windows Vista for businesses at the end of November and for the public just a little bit more than one month ago - and now it has started, as was to be expected. The press, the analysts and the community discuss the security of Windows Vista, which is a great thing. There are - however - a few things I cannot understand, and it might well be that you can help me:

    I understand that it is in the core interest of security software vendors to give the impression that Windows Vista is flawed and needs a lot of additional work (aka tools, software) to protect it. This leads to the question:
    Is Windows Vista resilient against all viruses, worms, bots and Trojans? Surely not! Nobody ever claimed it to be.
    Is Windows Vista more resilient against virus attacks? Absolutely!
    Does Windows Vista need additional software to be protected? Well, look back: we always said that in order to protect a system you need 1) a firewall, 2) software updates and 3) anti-virus software that is kept updated. This has not changed with Windows Vista.
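    The three measures listed above can be verified on a box rather than assumed. The following is an added example (not code from the original post) that checks all three from PowerShell. It assumes a Windows Vista or later machine where `netsh advfirewall` is available, the Windows Update Agent COM object `Microsoft.Update.AutoUpdate` can be created, and Security Center exposes registered products in the WMI namespace `root\SecurityCenter2`; the interpretation of the `productState` bits is a widely used convention, not a documented API, and is labelled as an assumption in the code.

```powershell
# Added example, not from the original post: checks the three baseline
# protections the post names (firewall, software updates, up-to-date AV).
# Assumes Windows Vista or later with PowerShell; run it from an elevated
# prompt so that every data source is readable.
function Test-BaselineProtection {
    # 1) Firewall: netsh prints a "State ON" / "State OFF" line per profile.
    $fwText = (netsh advfirewall show allprofiles state 2>&1) -join "`n"
    $firewallOn = ($fwText -match 'State\s+ON') -and -not ($fwText -match 'State\s+OFF')

    # 2) Software updates: Automatic Updates notification level from the
    #    Windows Update Agent COM API. Level 4 = download and install
    #    automatically; anything lower needs a human before patches land.
    $auLevel = $null
    try {
        $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
        $auLevel = $au.Settings.NotificationLevel
    } catch { }
    $updatesAutomatic = ($auLevel -eq 4)

    # 3) Anti-virus: Security Center lists registered products with a
    #    productState value. Assumption (common convention, undocumented):
    #    bit 0x1000 set = real-time protection enabled,
    #    bit 0x10 set   = definitions out of date.
    $avProducts = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue)
    $avHealthy = $false
    $avNames = @()
    foreach ($p in $avProducts) {
        $state = [int]$p.productState
        $enabled = (($state -band 0x1000) -ne 0)
        $current = (($state -band 0x10) -eq 0)
        $avNames += ('{0} (enabled={1}, definitions current={2})' -f $p.displayName, $enabled, $current)
        if ($enabled -and $current) { $avHealthy = $true }
    }

    New-Object PSObject -Property @{
        FirewallOn       = $firewallOn
        AutoUpdateLevel  = $auLevel
        UpdatesAutomatic = $updatesAutomatic
        AntiVirus        = ($avNames -join '; ')
        AntiVirusHealthy = $avHealthy
        AllThreeInPlace  = ($firewallOn -and $updatesAutomatic -and $avHealthy)
    }
}

Test-BaselineProtection | Format-List
```

A machine that reports `AllThreeInPlace : False` is missing at least one of the three measures; the other fields say which one, so the output can be fed into whatever reporting a helpdesk already uses.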

    The second point that strikes me is the discussion about vulnerabilities. Everybody waits for Windows Vista bulletins in order to use them as a proof point that Windows Vista is not secure. This is nonsense. It is absolutely clear that there will be vulnerabilities in Windows Vista. Nobody ever made a different statement. But we are convinced that there will be significantly fewer critical and important vulnerabilities in Windows Vista - which has to be proven first, I have to admit.

    Before we launched, I said that I was expecting the first 0day on Windows Vista to be published within the first few weeks. Not because the OS is flawed, but because somebody has one ready and will publish it the moment we launch to show that we again did not get it. Well, we are now three months down the line and have not seen any :-)

    Roger

  • Paper on the Root DNS Attacks

    You surely remember the Root DNS Attacks earlier this year, where a DDoS hit several of the root servers. There is a pretty good analysis paper by ICANN published now: http://www.icann.org/announcements/factsheet-dns-attack-08mar07.pdf

    It gives some good insights.

    Roger

  • The Race for the first Vista Vulnerability

    It is really interesting to see: at the moment there seems to be a big race to find the first real Windows Vista vulnerability and to go public with it. I know that there are some reports out there claiming that they found THE single biggest issue in Vista. Let's look at one of them:

    http://www2.csoonline.com/blog_view.html?CID=32441 - the "vulnerability" in StickyKeys: well, by exchanging sethc.exe, you can make Vista launch an application other than StickyKeys when the Shift key is pressed five times. sethc.exe (the file you would have to replace) is located in the windows/system32 directory. In order to replace a file in this directory you have to be - administrator. So, if you are already an admin on the box, what sense does it make to replace sethc.exe and wait until the user invokes StickyKeys... You could do whatever you want from this point on.

    Let's face it: when you are Admin of the box, you can do all sorts of bad things, and UAC does not prevent you from doing whatever nonsense you want to do. Therefore: all the so-called vulnerabilities where you have to be Admin in order to "exploit" them are nothing more than fuzz. If the attacker is Admin on your box beforehand, you lost anyway. We have to make sure that he/she does not get to this state at all. Afterwards, the show is over.
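    Since the whole point is that sethc.exe can only be swapped by someone who already holds administrative rights, the useful defender's question is whether that has happened on a given box. The following is an added example (not code from the original post or from the linked CSO article) that checks the file in System32 from PowerShell: it verifies the Authenticode signature, compares a SHA-256 against a known-good value you supply, and lists every principal other than TrustedInstaller, SYSTEM and Administrators that holds write rights on the file. It assumes Windows Vista or later and an elevated prompt; the baseline hash is a placeholder you replace with the value taken from a trusted installation. One caveat: many operating system files are signed via security catalogs rather than with an embedded signature, so older PowerShell versions may report `NotSigned` for an untouched file, which is why the hash comparison is the more reliable of the two tests.

```powershell
# Added example, not code from the original post: integrity and ACL check
# for sethc.exe, the StickyKeys binary the post discusses.
# Assumes Windows Vista or later; run from an elevated PowerShell prompt.
function Test-SethcIntegrity {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\sethc.exe'),
        # Placeholder: replace with the SHA-256 of sethc.exe taken from a
        # trusted installation of the same Windows build (assumption).
        [string]$ExpectedSha256 = 'REPLACE-WITH-KNOWN-GOOD-SHA256'
    )

    if (-not (Test-Path -Path $Path)) {
        throw "File not found: $Path"
    }

    # Authenticode check (embedded signature only on older PowerShell builds).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'Microsoft')

    # SHA-256 of the file on disk, compared with the supplied baseline.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $actualHash = -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
    $hashMatches = ($actualHash -eq $ExpectedSha256.ToLowerInvariant())

    # Principals that legitimately hold write rights on files in System32.
    $privileged = @('NT SERVICE\TrustedInstaller', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

    $acl = Get-Acl -Path $Path
    $unexpectedWriters = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($privileged -notcontains $ace.IdentityReference.Value) {
            $unexpectedWriters += $ace.IdentityReference.Value
        }
    }

    New-Object PSObject -Property @{
        Path              = $Path
        SignatureStatus   = $sig.Status
        SignedByMicrosoft = $signedByMicrosoft
        Sha256            = $actualHash
        HashMatchesBaseline = $hashMatches
        Owner             = $acl.Owner
        UnexpectedWriters = ($unexpectedWriters -join ', ')
        Healthy           = ($hashMatches -and ($unexpectedWriters.Count -eq 0))
    }
}

Test-SethcIntegrity | Format-List
```

A non-empty `UnexpectedWriters` list means a non-administrative account could modify the file, which undermines the "you must already be admin" argument on that particular machine; a hash mismatch against a trusted baseline is the signal to investigate how the file was changed and by whom.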

    Roger