1 February 2007

Hackers start probing Vista’s hyped security

Computer hackers are off and running trying to find vulnerabilities in Microsoft’s new Windows Vista operating system, putting to test the software maker’s claim that it is the most secure Windows program to date.

The new version of Windows, the computer operating system that runs more than 95% of the world’s computers, became available to consumers on Tuesday after five years of development and a number of delays to improve security.

A high-profile new product like Windows Vista draws interest from the entire spectrum of the computer security industry, ranging from hackers trying to exploit a breach for criminal means to researchers looking to make a name for themselves as security experts.

“For sure, people are hammering away on it,” said Jeff Moss, the organiser of Defcon, the world’s largest hacking convention. “If you are a bad guy and you find a problem, you have a way to spread your malware and spyware.”

Most security experts see Vista as a more secure operating system than its predecessor, Windows XP, but even Microsoft acknowledges it’s not impenetrable and attackers will undoubtedly look for a way in.

Attackers can use spyware programs to monitor a computer remotely and collect personal information on a user. They can also control machines remotely to attack websites, send spam email or defraud online advertisers.

Vista comes with built-in anti-spyware software, and new account controls curb the ability of users to install harmful programs unintentionally. The high-end versions come with a feature called BitLocker that encrypts a computer’s hard drive in the case of a lost or stolen machine.

“We know from the outset that we won’t get the software code 100% right. No one does in the entire software industry … but Windows Vista has multiple layers of defence,” said Stephen Toulouse, senior product manager at Microsoft’s trustworthy computing group.

Windows Vista runs more than 50-million lines of software code and Redmond, Washington-based Microsoft invested $6-billion to develop the first new operating system since it released Windows XP in October 2001.

Microsoft’s ability to protect Windows from attackers is seen as a critical litmus test for a product that generated more than $10-billion in sales last year, especially to large institutional customers who are extra careful.

Another key element in Microsoft’s plan to combat attacks will be automatic Windows updates sent to Vista users to patch up vulnerabilities and changes to its anti-spyware products.

In the past, attackers homed in on vulnerabilities in the core Windows operating system, but those types of attacks are being cast aside for attacks from email, instant messaging and applications downloaded from the web.

“In the past with XP, they could attack the operating system itself to infect you. Today the OS [operating system] is stronger but threats can still get on your system,” said Oliver Friedrichs, director of emerging technologies at security-software maker Symantec.

Johannes Ullrich, a cyber-security expert at the Sans Institute research group, expects hackers are working furiously to win recognition as the first to find and publicise a security hole in Vista.

He also cautioned that hackers will still be able to launch attacks by taking advantage of vulnerabilities in Internet Explorer and Microsoft Office, and warned that criminals will hold off on exploiting holes until more users adopt Vista.

“Being the first to write an exploit for Vista is something a lot of people would like to do,” Ullrich said in a telephone interview. “But ultimately any exploit will be used for financial gain.” — Reuters