Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Flawed Survey Suggests XP More Secure Than Vista

Posted by Zonk on Thu May 31, 2007 05:43 PM
from the no-knee-jerking-here dept.
Operating Systems Software Windows Security
SkeeLo writes "One of Vista's big selling points is security, but a report from CRN concludes that Vista offers little in the way of security advancements over Windows XP. Ars Technica analyzed the report and found some methodological problems. 'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software — something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.' That's not all: 'It was also disappointing to see CRN completely ignore the issue of buffer overflows, which has been addressed well in Vista by most accounts. This was a major weak spot with XP, and so far, Vista looks strong in this area, strong enough that Vista may never get its own "SQL Slammer." Why CRN didn't address this is a mystery, as it is no minor matter.'"
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Flawed Survey Suggests XP More Secure Than Vista 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Let's see (Score:5, Funny)

    by anss123 (985305) on Thursday May 31 2007, @05:47PM (#19345123)
    Study finding Vista more secure then XP = X hits.

    Study finding XP more secure than Vista = Y hits.

    if (x > y)
      post Vista more secure than XP
    else
      post Vista less secure than XP

    • XP more secure than Vista, apparently.

      Google fight [googlefight.com]

    • Re: (Score:3, Informative)

      by wile_e_wonka (934864)
      Taking cues from the other posters, I tried "battling" the same searches they did but adding quotation marks around the phrases. (I did them all in "googlefight" because it required less typing)

      "study finding xp more secure than vista" -- 0 results
      "study finding vista more secure than xp" -- 0 results

      "vista more secure than xp" -- 1820 results (note I changed "then" to "than." It's amazing what differences correct spelling can make)
      "xp more secure than vista" -- 2 results

      Then I wondered how these results

  • Anti-Virus (Score:4, Insightful)

    by biocute (936687) on Thursday May 31 2007, @05:47PM (#19345125) Homepage
    That's life for being MS.

    If MS put in a AV software, other AV companies will file for anti-competition lawsuits; If MS didn't, consumers will moan about it too.

    • Re: (Score:2, Insightful)

      by flukus (1094975)
      Because it's an unfair advantage to make an insecure OS and then charge "protection" money!
    • they put in their anti-spyware program. i'm wondering if the anti-spyware companies that charge for their products will bitch and moan, even though the best anti-spyware programs are all free (even if they don't do real-time protection).

      i still put most of the blame on the user who clicks every popup even if it says "don't click this, your computer will be immediate infected with viruses". i haven't had a virus or spyware infection when running XP, 2000, 98, and for the past several months since i install

    • Re: (Score:2, Insightful)

      by Rodness (168429) *
      When your product REQUIRES antivirus software, your product is not secure by itself.

      Of course, if they had engineered in things like privilege separation and all the other "security" features of Unix (any of 'em, take your pick, Mac, Linux, what have you) then they'd enjoy all the "intrinsic" lack of NEED for antivirus that Unix systems enjoy.

      Had they actually spent the last 7 years improving the underlying privilege model instead of just building and dropping vampireware like WinFS that never saw the light

  • AV is not a lock (Score:4, Insightful)

    by normuser (1079315) * <normuser@whyisthishere.com> on Thursday May 31 2007, @05:49PM (#19345139) Homepage Journal

    Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

    By the time your AV software comes into play your already infected. So AV software is not the lock on your door. Its the rifle in your house.
    Still important, But vary different.
    • That's not strictly true any more tbh, with net traffic monitoring systems like imon in nod32. the code, or at least part of it (I'd expect a lot of threats would be detected before the code was completely downloaded) , may have been downloaded but couldn't have been activated at all.
    • I wouldn't call having a file on your desktop (from email, for example) that could potentially infect your system and infection in and of itself. A good AV package will detect and clean the virus BEFORE it infects your system. That is, before you open/exec the file. Though there are other viruses that infect through the network without any user action required. So in that case your are correct.

      I'd say AV software is more like having a bouncer at the door... preferably with a rifle. :-)

      -matthew
      • Right now linux is more like an empty house. No one bothers to break into the house because they know there's not enough in it for them to do so.

        Windows is more like the house with a simple lock on the door. Plenty of other ways to get in, but it's up to the homeowner to implement the security.

        • Re: (Score:2, Insightful)

          by Short Circuit (52384) *

          Right now linux is more like an empty house. No one bothers to break into the house because they know there's not enough in it for them to do so.

          Corporate, government and financial databases aren't enough of an incentive? There's millions of dollars worth of information tied up there for anyone who figures out how to get at it.

          What about home routers? If you can hack into few million broadband routers, you've got yourself a major botnet with little to no antivirus. Not to mention you're past the primary protection of the average home network. From there, you could spam networked printers with ad printouts and read the contents of any netork sha

          • Corporate, government and financial databases aren't enough of an incentive? There's millions of dollars worth of information tied up there for anyone who figures out how to get at it.
            You forgot all of Google and most of the major domain registrars. Think of Google's entire world-wide cluster as a botnet - now that IS scary.

  • Urg (Score:5, Insightful)

    by hyfe (641811) on Thursday May 31 2007, @05:52PM (#19345163)

    Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'

    Or rather.. it's a bit like faulting the construction company when the wall in your house fell over because somebody knocked on the door.


    Anywho, anti-virus and personal firewalls are ridicilous concepts. You shouldn't have userland applications necessary for keeping other userland applications out of the actual operating system.

    • Or rather.. it's a bit like faulting the construction company when the wall in your house fell over because somebody knocked on the door.

      Anywho, anti-virus and personal firewalls are ridicilous concepts. You shouldn't have userland applications necessary for keeping other userland applications out of the actual operating system.

      Even if Vista was as secure as OS X or a tinfoil hat version of linux you'd still have to contend with insecure applications and stupid users. Apple's install base tends to have more

      • Re: (Score:3, Insightful)

        by MrCrassic (994046)

        Apple's install base tends to have more of a clue then Windows users and Linux boys can at the very least ID when their infected or comprimised.

        What?

        If you are talking about the population that uses Apple Mac products, then I think you are HIGHLY misinformed. The main reason why many of them made the switch is PRECISELY BECAUSE of their inadequate knowledge on how to protect their Windows PC from viruses, spyware, etc. Many experienced power users who run Windows (XP, at least) software have NO protection and can still have great security provided strictly by the OS. Are all of those configured BY DEFAULT? Of course not, which is a major reason

    • So long as users can create "executables" then viruses will exist. Of course, the problem in Windows is that just about everything is executable. Was a time when if it didn't have .exe on the end then it wasn't an executable.. now you have scripts (which for some inexplicable reason can write to my harddrive) and brain dead things like Microsoft running an exe if you rename it to be a png (did they ever fix that?) and Microsoft hiding the extensions of files so you have no idea whether or not they are exe
    • exactly. These were never necessary before the 'leave everything open' operating system mentallity that microsoft bread. Then taking over all other spaces and having all their applications talk to each other and trust each other without any question was an even bigger mistake. Hence, if it was built by Microsoft and runs on Microsofts and uses Microsoft, then it must be safe... let it through. WRONG!!!

      They are JUST NOW realizing that both a) leaving your system wide open is a bad idea and b)having all app

        • So how do you do that? (Score:5, Insightful)

          by Sycraft-fu (314770) on Thursday May 31 2007, @06:20PM (#19345465)
          How does an OS know what apps are good and what apps are bad? That's what a virus scanner is: It's a list of known bad apps. If one wanted a real world analogy it wouldn't be like a locked door or anything, but rather a bouncer with a list of people who need to stay out.

          Vista already has privilege escalation if that's what everyone is bitching about. So evil apps that want system access will have to ask for it, just like everything else. However if the user says "Sure, you can have that," what can the OS do about it? Apps don't have an "evil bit" they are just code to be executed.

          Same deal with the real world. If you choose to unlock your door and let someone in, it's not the fault of the people who made the lock or the door that you did.

          I think the grandparent is just another of many Windows haters that seems to think there's some magic that could be done to keep viruses out that MS just won't do. Well, actually there IS such a technology and that would be the scary version of trusted computing. If hardware enforced protections past what the OS could override, and checked signatures on apps, then only valid, signed apps could run. Provided the signing authority did their job, there'd be no viruses. Of course that would mean giving total control of your computer to a third party, something I think none of us want.

          What it comes down to is there is no way for an OS to both give someone control of their system and protect them from themselves. The ability to grant the authority to run code at a privileged level implies the ability to do it for both good and bad code. Thus the necessity of virus scanners. They maintain a known list of bad code, and can warn you if you try to run that. I suppose you could build it in to the OS, but it changes nothing, it is just a virus scanner that's part of the OS now. There's no magic juju, other than taking away the user's administrative rights, that will work.

          Just to be clear: By taking away administrative rights I don't mean running as a deprivileged user, Vista does that, I mean NO admin access AT ALL. No escalation, period. That'll do it. Indeed we do that at work as much as we can and on those computers, we have no problems as users simply can't install software. However to do it at home, well you can see how that'd be a problem.

              • Re: (Score:3, Interesting)

                by Tony Hoyle (11698)
                Show me the OS that can protect itself against a user with administrative privileges installing bad software. Unless you can do that, it really is disingenuous to demand that Windows should be able to do it.

                Linux (with selinux enabled) can be configured to do that.

                You miss the point though. A *user* with administrative privilege. That's the problem with Windows. The only person with admin rights should be the admin. Hopefully someone with enough clue to know what they're installing.

                Oh and you need to fi

  • is this /.? (Score:4, Funny)

    by defwu (688771) on Thursday May 31 2007, @05:53PM (#19345173) Journal
    Seriously. A pro-MS article? whats next, mr spock with a goatee? Doc

  • Pretty crappy door IMO (Score:3, Insightful)

    by Ren.Tamek (898017) on Thursday May 31 2007, @05:55PM (#19345209) Homepage
    "Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted."

    I'm sorry, but if I bought a security door that claimed it would keep out 99% of criminals, I would be a bit pissed off if I got it home and realised that an actual lock for that door was considered an 'optional extra'. The idea of browsing the internet with IE, no anti-virus and the windows firewall for any length of time, even no longer than it takes to download zonealarm and avg, gives me the heebie-jeebies.

    • MS is damned if they do and damned if they don't. If MS put AV in Vista there would be loud cries of "unfair competition, you're taking away our niche!" and we'd be on another round of anti-MS propaganda. If they don't, the cries are "unfair! I wanted to buy a door with a lock and now anyone can get in."

  • Comparing XP to Vista security is kind of like having a SUV milage competition, except SUV's are sometimes useful and that utility is destroyed by poor fuel economy.

  • Missed? (Score:3, Interesting)

    by schlichte (885306) on Thursday May 31 2007, @06:08PM (#19345333)
    Maybe I missed it when I RTFA, but it didnt mention which version of XP was used... a look at HPs site shows that the HP Compaq nc6400 did ship with XP Pro (whether that matters much compared to home edition or not)

    Also... were these systems ran all the way default, as in, boots up as Administrator with no password? (again, not sure how much that matters in a test like this)

    I do agree with the title, flawed survey indeed.

    I dont blame Vista or XP so much as I blame IE version X.XX

    Id like to see the exact same suite of tests ran against the latest version of Opera, Netscape and Firefox.
  • Of course from practical point of view XP right now is more secure. And I don't mean default install. For example take my company and few facts:
    - we managed to make the machines behave as we will
    - we have invested money into third party security software
    - we have invested time (which equals money) into free (as in speech) third party security software
    - we have some knowledge and experience into XP security -- after these - what like 7? - years who doesn't?!

    Right now we have quite healthly and working infrastructure based on XP and surrounding (like VPNs, IDSs, AVs, proxies, backup, imagining etc.) services. We know how to do it, we have experience.

    Now Vista from my standpoint is just big black hole - another system from MS that does not offer me anything significant but opens a can of unknown worms... I don't see any serious businesses building their security infrastructure around brand new shining Vista systems.

    Of course in *theory* Vista can be more secure, but from practical standpoint it is new and untested product that has ben rushed to the market.

    It really depends on your security definition. Security is not a product - security is a proces in which you have knowledge about what you are doing. In which you have educated users. In which you have policies and audits and so on. Vista isn't anywhere near to be even a stable product from security standpoint.

    • (like VPNs, IDSs, AVs, proxies, backup, imagining etc.)

      I like to imagine that my XP install isn't riddled with viruses, too.

  • Don't look that flawed to me.

    XP: No AV included
    Vista: No AV included

    Report says: "Vista no improvement over XP"

    Report is pretty much correct.
  • I'm getting tired of the XP vs. Vista vs. XP vs. Vista vs. ... articles posted here all the time. Microsoft will eventually drop support for XP and will continue to support Vista. Microsoft will continue to focus on Vista. If Vista is now less secure than XP Microsoft will eventually it stronger ... that is until the next Windows OS is released. Dammit we had to listen to XP versus everything-else-before-it. Tiresome, damn tiresome. No worthwhile discussion came from it last decade but you never know ....

  • NO AV != No protection against viruses (Score:5, Insightful)

    by A beautiful mind (821714) on Thursday May 31 2007, @06:30PM (#19345561)
    Let's face it. Anti Virus software is the day after pill. I daresay if someone relies on defending against viruses by antivirus software, the security model is already utterly, completely broken. So no, not including an anti virus software doesn't mean an operating system shouldn't employ design and tactics against viruses. Ars Technica is simply wrong.

  • No Locks on the door? (Score:4, Interesting)

    by smartin (942) on Thursday May 31 2007, @06:34PM (#19345603)
    Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

    I think the point is that M$ should have learned their lesson last time, and the time before that, and made vista such that having anti-virus software would be unnecessary. Or in the terms of the analogy, Having forgotten to put a lock on the door of their previous house and repeatedly come home to find their underwear scattered all over the yard, you would have thought they would have made a secure door this time.

  • the report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software

    I thought the big issue everyone had with Windows products were that they needed AV products in the first place because they were fundamentally insecure?

    Shipping Vista with an AV package would have practically been admitting that they can't make secure products and the only thing left to do is have a separate layer in the OS to try to intercept stuff before it caused problems (or clean up after it), rather than blocking the holes in the first place - which is, I believe, part of the point of Vista's entire

  • In other news, it has been discovered... (Score:4, Funny)

    by SadGeekHermit (1077125) on Thursday May 31 2007, @08:29PM (#19346539)
    ...That submarines with screen windows offer slightly better floatation than submarines with screen doors.

    MacroSubs has affirmed that this is incorrect, however, and stated today that the question will be settled once and for all when their new submarine, entirely made out of screening material, captures the imagination of the nation with its launch in 2009.

    So-called "alternative" submarine manufacturers continue to insist on using steel for their doors and heavy lexan for their windows. They claim this quaint, antiquated approach lets them offer better floatation, efficiency at depth, and crew survivability, but independent studies have shown that their apparent "floatation edge" is due to the fact that far fewer of these submarines are produced, not any superiority in design. A. Noying, of an independent think-tank funded in part by contributions from MacroSubs, had this to say:

    "Look, we all know that as more of these all-steel and plastic subs get produced, you'll start seeing network effects and their buoyancy will be reduced down to normal levels. Currently, with only a few percent of the market, the oceans aren't interested in them as a point of ingress. This will change soon and you'll see some interesting numbers from my lab to back this up."

    When asked about the widespread buoyancy failures of MacroSub submarines around the world, Mr. Noying said only "it's hardly MacroSub's fault if submarine captains tend to drive their submarines into reefs and long-forgotten sea monsters. Their duty is only to make subs buoyant, not idiotproof. However, they are working on an interesting feature called USC, or User Submergence Controls, which should make things a little easier. The submarine will basically ask the captain if he's really, really sure he wants to increase depth, once per fathom. If the captain insists on running into that reef after all the help he's been given, perhaps he shouldn't be driving a sub anyway..."

  • Dumb statements r us... (Score:3, Insightful)

    by pookemon (909195) on Thursday May 31 2007, @11:01PM (#19347653) Homepage
    "'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software -- something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'"

    No, it's like comparing an old door without a lock to a new door without a lock and saying that the new door is no more secure than the old door. (Which sounds reasonable to me)

  • I guess nobody noticed (Score:5, Informative)

    by Whuffo (1043790) on Friday June 01 2007, @12:20AM (#19348073) Journal
    The summary says that Vista has "taken care" of buffer overflow problems. I'd like to submit that one of the key features of XP SP2 was that they'd gone over the code completely and eliminated all unchecked buffers - which (according to MS) eliminated buffer overflow problems.

    Microsoft is their own worst enemy; they make wild claims about the functionality of their latest version but that functionality never meets their or their customers expectations. Then some exploit points out that they were being economical with the truth. Much like a recently patched (again) exploit that affected 98, NT, 2000, XP and Vista. Seems somewhat odd that an operating system that has been completely rewritten at great expense and effort should be affected by the SAME bug that has been in their products for years.

    I mean, how can a company whose email clients automatically launch attachments say that they take security seriously? Let's not get started on the brain-dead file association open / execution misfeatures in every version up to and including Vista. Here's an interesting exercise to see how bad things can get: rename a safe executable to a filename with a WAV extension. Now double-click it; the executable runs. Combine that with browsers and email clients that automatically play WAV files and you've got a very exploitable platform.

    What continues to amaze me is that the file type security is applied based on the file extension - but when you execute a file, the system looks at the file header to determine how to open / execute it. This bit of design stupidity has been the cause of millions of systems being exploited. Just a simple check to see if the file header matches the selected file type would go a long way - but no, this is too difficult. Here, have a UAC nuisance instead...

    • But of course XP is also an MS product.
      • The bit of the XP vs Vista comparison that I liked the most (in the summary of course, no I haven't RTFA) :

        Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

        To be fair, with windows you don't have to twist the lock... a strong fart on the way past would do it.

        • Re: (Score:3, Informative)

          by Hal_Porter (817932)
          Of course the great irony is W98 is more secure than either.

          No it's not. I remember in Systems Programming for Windows 95, there was a great quote. They talked about protected mode, descriptor tables and so on. At the end of it, the author said something like

          "I bet now you're trying to work out if it's possible to subvert this stuff. Well, it's so easy that there's no point. Windows doesn't protect the descriptor tables from Ring 3 [the least privileged] code so it's easy to create a trap gate or call gate

    • Re:Anything to slam MS (Score:4, Informative)

      by Stormx2 (1003260) on Thursday May 31 2007, @06:18PM (#19345427)
      What? I know we get a lot of "RTFA" around here, but read the fucking summary! Shall I condense it down for you further, since I see your time is precious?

      Study #1 finds that Microsoft has made no improvements (XP -> Vista)
      Study #2 finds Study #1 to be incorrect and badly done. /. reports on study #2.

      In essence, the story accepts that XP isn't as secure as it could be, but Vista improves on this significantly. Its one of the most pro-MS stories I've seen on slashdot for a little while now. Of course, I'd never touch Vista personally, but that doesn't mean it isn't an improvement over XP in security.

      • Re:Anything to slam MS (Score:5, Funny)

        by dotgain (630123) on Thursday May 31 2007, @08:34PM (#19346563) Homepage Journal
        I've been using it for a few months.

        It's almost done logging me in, in fact.

          • Re:Anything to slam MS (Score:4, Interesting)

            by dotgain (630123) on Thursday May 31 2007, @11:27PM (#19347795) Homepage Journal
            You're absolutely right, but now it's time for me to be truthful.
            My comment was based on my experience earlier this week on Monday, only the second time I've been close enough to be able to identify a Vista install, and the very first time I'd used it. It had just been installed (as well as Office 2007) by one of my colleagues on a brand new HP laptop. No, didn't get asked to Allow or Cancel anything, but what I did experience didn't surprise me in the least.

            From the instant I hit Ctrl-Alt-Delete (and this is after waiting for the machine to finish choking itself) it was the same familiar Windows experience - watching the HDD LED as if it's going to give some sort of indication as to when it might be safe to go on to the next step as the machine crawls through the login procedure - totally unresponsive for the majority of the time.

            People bag Windows about insecurity, DRM and UAC all the time - they're not the things I have problems with. I play the game, keep machines patched, AV installed if the shareholders demand it, and so on. My only real gripe with Windows it simply that I habitually find small sub-tasks to do like clip my fingernails or organise desk-drawers while waiting for countless delays my Windows box gives me. Screwed if I'm going to spend a month of my life waiting for start menus to render.

            Where with a different OS, I'd start the kettle boiling and check my email while that's going on, in Windows I launch outlook and then go and see to the kettle, because I know which will make me wait longer.

    • Re: (Score:2, Insightful)

      by Stormx2 (1003260)
      I don't mean to nitpick, but have a glance over the Wikipedia page on plural of virus [wikipedia.org]. A good discussion on the matter.

    • Re: (Score:3, Interesting)

      by QuantumG (50515)
      The virus scene is dead. No-one is writing viruses.

      There are people who write worms and bot-net building trojans, but they have nothing to do with the virus scene.

    • Just wondering, how many linux distro's come with A/V? is it standard now?

      And how fast would MS find themselves in court again for monopolising everything if they HAD included A/V.

    • Re: (Score:2, Informative)

      by secPM_MS (1081961)
      Security is a selling point for Vista. For me, it is the most compelling selling point, although I do like search a lot as a feature. Now for my perspective on why Vista is more secure than XP:

      A lot of work was done to support running as normal user. This does not get much attention, but it means that I can (and I do) run as a normal user without administrative credentials (it is much harder to do this in XP). If I have to manage the system, I have to use full administrative credentials (read, su root). I

    • Re: (Score:3, Informative)

      by bluefoxlucid (723572)

      NO amount of buffer-overflow susceptibility can EVEN COME CLOSE to outweighing the security implications of having UAC - a restricted-user+sudo working model rather than XP's work-as-root one.

      ... *sets IP datagram length to 1400* ... *sets TCP datagram length to 63* ... *lets kernel copy remainder of IP packet to 63 byte buffer* ... *obtains kernel level access without even connecting to an open port, before the packet even reaches the installed zonealarm/mcafee/norton firewall or built-in Windows fi

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.