• Windows listed as the most secure OS

    I read this article today: "Surprise, Microsoft Listed as Most Secure OS". Hmm, actually I like the article (obviously), even though there are a few things I do not understand:

    • To me, Microsoft is a company, Windows the OS - but this is not too important
    • Then I do not get the start of the title, "Surprise" - is it a surprise :-)? We worked hard on getting it done, now it is out, and we always said that Windows Vista is the most secure OS ever, and I definitely like to see those statements in public.

    This article is based on the Symantec Internet Security Threat Report, which states (as an example):

    Microsoft Windows had the shortest average patch development time of the five operating systems in the last six months of 2006. During this period, Windows had an average patch development time of 21 days based on a sample set of 39 patched vulnerabilities (figure 13). This represents an increase over the first six months of 2006, when Windows had an average patch development time of 13 days based on a sample set of 22 vulnerabilities.

    Finally, I found this blog entry showing Windows Vista in the first 90 days.

    Windows Vista is the most secure Operating System ever!

    Roger

  • The Race for the first Vista Vulnerability

    It is really interesting to see: At the moment there seems to be a big race to find the first real Windows Vista vulnerability and to go public with it. I know that there are some reports out there claiming that they found THE single biggest issue in Vista. Let's look at one of them:

    http://www2.csoonline.com/blog_view.html?CID=32441 - the "vulnerability" in StickyKeys: Well, by exchanging sethc.exe, you can make Vista launch an application other than StickyKeys by pressing the Shift key five times. sethc.exe (the file you would have to replace) is located in the windows/system32 directory. In order to replace a file in this directory you have to be - administrator. So, if you are an admin on the box, what sense does it make to replace sethc.exe and wait until the user invokes StickyKeys... You could do whatever you want from this point on.

    Let's face it: When you are Admin of the box, you can do all sorts of bad things, and UAC does not prevent you from doing whatever nonsense you want to do. Therefore: All the so-called vulnerabilities where you have to be Admin in order to "exploit" them are nothing more than fuzz. If the attacker is Admin on your box beforehand, you lost anyway. We have to make sure that he/she does not get to this state at all. Afterwards, the show is over.
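    If you want to check your own boxes for exactly this trick, here is a small audit script. It is an added example, not from the CSO article or from any Microsoft tool: it verifies that sethc.exe still carries the stock System32 permissions (TrustedInstaller is the only identity with write access, which is why an attacker must already be an administrator), that the binary has not been swapped for a copy of cmd.exe, and, going one step beyond the article, that no "Image File Execution Options" Debugger hook has been planted for sethc.exe (a later variant of the same backdoor that also needs HKLM write access, i.e. admin). It assumes PowerShell 4.0 or later for Get-FileHash; the paths and the list of "expected" identities are my assumptions about a stock installation.

```powershell
# Added example (not part of the original post): audit sethc.exe for the
# StickyKeys replacement trick. Run from an elevated PowerShell on Vista or later.
# Assumes PowerShell 4.0+ (Get-FileHash) and stock System32 permissions.

$sethc = Join-Path $env:SystemRoot 'System32\sethc.exe'
$cmd   = Join-Path $env:SystemRoot 'System32\cmd.exe'
$findings = @()

# 1. Who may write to or replace the file? On a stock installation only
#    NT SERVICE\TrustedInstaller holds FullControl; Administrators and SYSTEM
#    get ReadAndExecute and would first have to take ownership, which is why
#    the "exploit" presupposes an administrator.
$acl = Get-Acl -Path $sethc
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl|TakeOwnership' -and
        $ace.IdentityReference.Value -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "Unexpected write access: $($ace.IdentityReference) has $($ace.FileSystemRights)"
    }
}

# 2. Has the binary been swapped for cmd.exe (the classic variant)?
#    Compare SHA-256 hashes and the OriginalFilename in the version resource;
#    a renamed cmd.exe still reports 'Cmd.Exe' there.
$hSethc = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
$hCmd   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
if ($hSethc -eq $hCmd) { $findings += 'sethc.exe is byte-identical to cmd.exe' }

$orig = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($sethc).OriginalFilename
if ($orig -and $orig -notmatch '^sethc\.exe$') {
    $findings += "Version resource reports OriginalFilename='$orig', expected sethc.exe"
}

# 3. Same backdoor without touching the file: an IFEO "Debugger" value makes
#    Windows start another program instead of sethc.exe. Needs HKLM write (admin).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger hook for sethc.exe: $dbg" }
}

if ($findings.Count -eq 0) {
    Write-Output 'sethc.exe looks untouched: TrustedInstaller-only write access, original binary, no IFEO hook.'
} else {
    $findings | ForEach-Object { Write-Output "WARNING: $_" }
}
```

    Two caveats: inherited entries that use generic access masks show up as plain numbers in FileSystemRights and will slip past the regular expression, so treat a clean result from step 1 as "no named write right", not as proof; and the whole script only tells you whether an administrator already tampered with the box, which, as argued above, is the state you have to prevent in the first place.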

    Roger

  • Spam regarding IE7 installation

    We got an increase in helpdesk calls in different subsidiaries with regards to a mail that is circulating: The mail claims to come from admin@microsoft.com and provides a link to an IE7 (Beta) download site. As always: This is spam and a fake.

    If you want some detailed analysis: http://isc.sans.org/diary.html?storyid=2537&rss

    Roger

  • Distribution of Trojan Horses

    Well, we are discussing Trojan Horses and targeted Trojans all over the place. There is an excellent video showing how Trojan horses work :-)

    http://www.youtube.com/watch?v=Xs3SfNANtig

    Roger

  • Symantec clears Vista on malware

    There is a nice article, where Symantec talks about Windows Vista: http://www.vnunet.com/vnunet/news/2184521/symantec-clears-vista-malware

    They quote the Symantec report and then talk to a person from Sophos.

    Let's look at a few quotes:

    Graham Cluley, senior technology consultant at Sophos, said that the User Account Control in Vista is an important enhancement designed to prevent the installation of malware.

    I like that statement (obviously).

    "However, it is also very intrusive with a high number of alerts that end users need to respond to, so there is a strong likelihood of it being disabled unless they are trained in how to use it," he added.

    This is something I simply do not get. I am running Vista at home on all the PCs. Everyone is a User and - obviously - on every machine UAC is enabled. When you install applications or initially set the machine up, I agree, there are prompts. Well, I want there to be prompts, as an installation task needs elevation! Looking at my wife and my kids - they never get any prompts anymore. I am sometimes wondering what people do with their machines when they complain about UAC. OK, if you are a geek, installing and uninstalling software, you get a prompt for each of these tasks, but think about it - does it not make sense to get these prompts?

    Symantec's study found that between 96 and 98 per cent of malware such as spyware and Trojans is also blocked.

    I start to like the report even more :-) - and this is without AV.

    However, the firm warned that malware writers could decrease those percentages by making only minor changes to their code.

    Cluley agreed that Vista is the most secure operating system yet from Microsoft, but pointed out that it will still be targeted.

    "Better security does not mean perfect security. The only 100 per cent secure computer is probably one without an internet connection, and with the keyboard and all disk drives disconnected," he said.

    Well, we never said that it is a "secure" OS, we said that it is the most secure OS ever. There will be malware, there will be vulnerabilities and there will be Security Updates, no doubt. But we expect it to be much, much less. And this is a trend we already see: The attacks are moving up the stack into the applications and to target the end-user. Not that this is a very good thing, as it moves the problem to a new level, but it shows that the measures taken in XP SP2 and Vista start to pay off.

    Symantec originally mauled Vista back in August 2006, pointing to security flaws that would allow computers to be easily overtaken by malicious parties.

    "During this research we discovered a number of implementation flaws that continued to allow a full machine compromise to occur," the 2006 report said.

    "By exploiting these flaws, a low-privilege, low-integrity level process can bypass User Account Protection, and ultimately execute code at a high-privilege, high-integrity level."

    However, those tests were carried out on early release code and Symantec said that security would continue to be addressed until the final release, with some of the holes already plugged by Vista Beta 2.

    Let's just leave that as it is. We see this happen often in other products as well: People compare a Beta with other (final) products and complain....

    Cheers from the Helsinki airport (BTW: They have snow compared to us in Switzerland)

    Roger