20 February 2007

Vista more secure than previous Windows, but …

“Patch Tuesday”, when Microsoft releases repairs for problems in its software, came and went last week with six critical fixes — including the first one that touches Vista, the new operating system billed as the most secure Windows version yet.

The hole registers high on the irony scale: the flaw was in a “malware protection engine” that helps several Microsoft security products — including Windows Defender for Vista — guard against online threats. The problem could let an outsider “take complete control” of a victim’s computer, according to Microsoft’s security advisory.

This isn’t to say that Vista had previously appeared clean. Already a few vulnerabilities have popped up — including a remarkably low-tech hack.

In that case, security researchers noted a problem with Vista’s improved speech-recognition system, which lets people speak commands to the computer. It turns out that sounds played over the PC’s speakers — on a malicious website configured for this very purpose, for example — can trigger Vista’s speech-recognition engine and execute commands on a victim’s computer.

Mark Griesi, a security manager at Microsoft, acknowledged that the company was investigating the vulnerability, but said it was unaware of any attacks that exploited it.

There are many factors reducing the likelihood of such an attack. A victim would need to have activated speech-recognition — and have the PC’s microphone and speakers on. And if anything suspicious like “delete all data” was coming through, the user could just shut the sound off.

Still, some observers said Microsoft could have installed protections that would have prevented any problem. That’s not what the company wants to hear as it touts — legitimately, in the eyes of many analysts — “fundamental architectural changes” in the name of computer security.

Joanna Rutkowska, a security researcher for CoseInc, a Singapore-based tech-services company, initially had high praise for Vista. But she said subsequent exploration revealed troubling weaknesses — even in features that are supposed to enhance Vista’s security.

After Rutkowska pointed out such issues, a Microsoft security manager wrote on his blog that Vista had intentionally made accommodations for user convenience and making sure applications worked properly — and that those decisions did not amount to “security bugs”.

Rutkowska replied that she now wondered whether Vista’s security model was “a big joke”. In an email interview on Wednesday, she wrote that she still believed Vista could successfully raise the security bar, “but only if Microsoft changes its attitude”.

“Even though there are some flaws in it currently … they could be fixed over time, if Microsoft put enough effort in doing this,” she wrote. Otherwise, “in a couple of months the security of Vista [from the typical malware’s point of view] will be equal to the security of current XP systems”. — Sapa-AP
