New Malware Report Hits Vista's Security Image

Posted by kdawson on Tuesday May 20, @05:47AM
from the cracks-in-the-armor dept.
An anonymous reader recommends a Computerworld article on a new report from Australian security vendor PC Tools. The company released figures on malware detection by its ThreatFire product, and in its user base 27% of Vista machines were compromised by at least one instance of malware. From the article: "In total, Vista suffered 121,380 instances of malware from its 190,000 user base, a rate of malware detection per system [that] is proportionally lower than that of XP, which saw 1,319,144 malware infections from a user base of 1,297,828 machines, but it indicates a problem that is worse than Microsoft has been admitting to." Microsoft hasn't responded yet to this report.

  • by J_DarkElf (602111) <jordik@gmail.com> on Tuesday May 20, @05:51AM (#23472842)
    Malware is not defined anywhere in the article. I know from experience that some "malware" scanners tend to mark even cookies (such as Doubleclick's) as malware, which will appear on any computer.
    I would also like to see how many of these "infected" computers had UAC and automated updates turned off.

    Looks like just another Vista bashing article (so it will no doubt be really popular here).
  • PR != Security (Score:5, Insightful)

    by pla (258480) on Tuesday May 20, @06:02AM (#23472896) Journal
    New Malware Report Hits Vista's Security Image

    Come again? Does anyone but Microsoft actually believe Vista has an "image" of better security?

    Vista has one and only one major security-impacting feature - The "Train users to always click yes" interface to privilege escalation. And I feel confident saying that very, very few of us consider that a "good" thing.
    • Re:PR != Security (Score:5, Informative)

      by Kalriath (849904) * on Tuesday May 20, @06:19AM (#23472990)

      Vista has one and only one major security-impacting feature - The "Train users to always click yes" interface to privilege escalation. And I feel confident saying that very, very few of us consider that a "good" thing.
      Get users on Linux, and we'll be seeing the "Train users to always click yes (or in CLI mode, prefix with "sudo") approach to privilege escalation"

      Wait, that sounds familiar. Oh, wow! Both my post and yours are virtually identical!

      Seriously, people bash UAC, but it's pretty much identical to sudo.
      • Re:PR != Security (Score:5, Insightful)

        by dhavleak (912889) on Tuesday May 20, @07:07AM (#23473254)

        Seriously, people bash UAC, but it's pretty much identical to sudo.
        In fact, I can think of a scenario in which UAC is actually better than sudo:

        In a social engineering attack where you download some program (malware) and run it -- the malware could spoof a UAC prompt -- if you are foolish enough to click "Allow", well, nothing really happens because the program didn't get elevated privileges (since it was a fake UAC prompt). In the sudo case, the equivalent level of foolishness has you entering your password instead of merely clicking "Allow". Result is that the malware has your password now, so it's basically Game Over.

        Of course, this is probably a moot point because a better social engineering attack would actually do something causing a genuine UAC prompt (instead of bothering to spoof it). The level of foolishness required to click "Allow" is probably the same in both cases.

        I guess where UAC becomes valuable is when an attacker has managed to exploit a hole, to execute code remotely without requiring you to fall foul of a social engineering attack. This way you know you haven't done anything to deserve the UAC prompt that just popped up, so you know that you should click "Deny" here. This might still fail to protect users that have absolutely no clue, but honestly they shouldn't be running an admin account anyway (and hence should not be able to elevate a process).

      • Re:PR != Security (Score:5, Insightful)

        by pla (258480) on Tuesday May 20, @07:51AM (#23473466) Journal
        Seriously, people bash UAC, but it's pretty much identical to sudo.

        Key difference - Using sudo represents an active request by the user for privilege escalation. Telling UAC to continue approves a passive request that the user might not actually have made (or known they made). When enough of them pop up at random times, it conditions the user to just say okay to make it go away - By comparison, no one would ever just randomly sudo a command for the hell of it.
    • Security PR (Score:5, Interesting)

      by 404 Clue Not Found (763556) * on Tuesday May 20, @07:03AM (#23473226)
      That's not fair. Vista security might not have a very good image on Slashdot -- I doubt any Microsoft product ever will -- but in actuality, there are improvements over XP. Vista has more than just UAC (which was made slightly less annoying in SP1, by the way):

      * IE runs in a sandbox by default
      * IE has anti-phishing filters on and ActiveX off by default
      * Windows Mail disables ActiveX and blocks executable attachments by default
      * An anti-spyware program, Windows Defender, is included
      * Windows Firewall was upgraded and now scans outgoing connections as well
      * BitLocker adds full-drive encryption
      * Parental Control allows other accounts to be locked down and monitored, either for children or guest users

      Wikipedia has a more extensive list: Security and Safety Features new to Windows Vista [wikipedia.org]

      Vista was overhyped and it failed to deliver everything Microsoft promised, but at least give it SOME credit where security is concerned. The first three features killed off some of the most common attack vectors of previous Windowses. Vista started with great ideas; it's the execution (lookin' at you, UAC) that made the final user experience intolerable. Hopefully, that'll be refined in future service packs.
      • Re:PR != Security (Score:5, Interesting)

        by JasterBobaMereel (1102861) on Tuesday May 20, @07:31AM (#23473346)
        Users should be prevented from installing programs blindly - Full stop

        Users should be informed the program is trying to run as an admin and so has been killed

        Users should ask to install a program, be asked for admin password to continue and then go ahead without repeated warnings ....!

        Asking for permission to do something means the program was not installed properly (when installed it should request all permissions it will need), or should not be doing it

        Windows Vista does all the wrong things
            Prompts for permission on both installed and uninstalled programs repeatedly
            treats an install the same as running a program

        Linux/OSX are not perfect but seem to have got the balance more correct (mainly due to a legacy of doing the right thing and so not having to support user programs that assume full admin rights)

  • by hyperz69 (1226464) on Tuesday May 20, @06:15AM (#23472960)
    Vista Had a Positive Security Image?
  • by Harold Halloway (1047486) on Tuesday May 20, @06:27AM (#23473038)
    Why might "Australian security vendor PC Tools" claim this? Could they have a vested interest in saying this?
  • by Gadget_Guy (627405) on Tuesday May 20, @06:38AM (#23473100)

    So a company that sells security software [pctools.com] puts out a press release to say that you still need to buy their software even if you run Vista. I can't think of a single ulterior motive that they might have to do this!

    How many of the anti-virus companies don't issue doom-and-gloom style press releases? It is just their way of drumming up business. I would rely on these figures as much as I would rely on Microsoft's "research" that might suggest that Vista is completely immune to any security issue. The truth lies somewhere in between - which shouldn't surprise anybody.

    And before anyone jumps down my throat, no, Microsoft didn't say Vista was that perfect.

  • Solutions? (Score:5, Funny)

    by cluge (114877) on Tuesday May 20, @08:00AM (#23473524) Homepage
    27% of Vista machines were compromised

    This is indeed troubling (notice position of tongue and cheek). How can we fix this? I propose a five step program

    5. Electro shock all users that click "install now" without thinking
    4. Remove the fingers of users that follow the links on penis enlargement spam
    3. Publicly flog all users that attempt to install that "special media player" to get to "free p0rn" from any site in the former communist bloc.
    2. Revoke all credit card, debit card, home depot card and sears charge cards for those that purchase a fake Rolex based on an email they got
    1. Remove any and all computers from folks that say "My computer's running slow, you know about computers, can you look at mine"

    Respectfully,
    Cluge

    PS - A more meaningful, less painful solution would be an OS lock down - i.e. think a live image distro where the Hard Drive is only used to store user data. Every reboot takes you back to square one - a heavily locked down environment with basic abilities allowed, but little else.

  • Vista and UAC .. (Score:5, Interesting)

    by rs232 (849320) <emacsuser AT linuxmail DOT org> on Tuesday May 20, @08:10AM (#23473584)
    "Vista suffered 121,380 instances of malware"

    I thought Vista with UAC didn't get malware. Didn't Allchin say Vista didn't need [theinquirer.net] any anti-virus software?
    • by J_DarkElf (602111) <jordik@gmail.com> on Tuesday May 20, @06:01AM (#23472888)
      No need to slam Vista (or Windows in general) -- the problem is combining a dumb user with /any/ OS he can get admin rights on.

      No matter how good your antivirus/antispyware/OS, once an idiot user figures out that by closing a certain app or clicking "yes" somewhere he can run the funny application he got by e-mail, he will do so, and the system is potentially infected.
      • by NickFortune (613926) on Tuesday May 20, @06:24AM (#23473020) Homepage

        No need to slam Vista (or Windows in general) -- the problem is combining a dumb user with /any/ OS he can get admin rights on.

        I don't think that works as an excuse for Microsoft.

        The trouble with that is that Windows is supposed to be the operating system of the common man. At least, every time Linux gets a cool feature, the Redmond apologists start rolling out their hypothetical Joe Sixpacks and Great Aunt Mildreds and tell us how these ordinary people can never cope with Linux, but Windows, focus-grouped to death as it is, has been designed for these exemplars of non-geekiness, and is therefore superior.

        But that makes it kind of hard to blame bad security on the users. Windows is supposed to be designed with the click-on-the-dancing-monkey demographic in mind. They can't really throw their hands in the air and say "it's not us, it's the stupid users" without admitting that, really, they haven't a clue how to make a secure operating system.

      • by joelstobart (1238490) on Tuesday May 20, @06:19AM (#23472988)
        Seriously,

        27% of all the machines were owned by a marketing company. It's sunk in.

        Sudo copied Windows - hmmmm ... "Sudo was originally written by Bob Coggeshall and Cliff Spencer "around 1980" at the Department of Computer Science at SUNY/Buffalo".

        As for the virus remark - It's more difficult to write Linux viruses. User level permissions are more rigorous. The browsers don't have ActiveX. People who use Linux tend to know what a firewall is; and don't click yes in reply to "would you like to install" dialogues so much.