By Tom Espiner, 5 December 2006 09:15
NEWS
Microsoft has confirmed Vista can be affected by malware from 2004 but argues this is not a flaw in the operating system.
Security vendor Sophos reported last week that Microsoft's Vista is vulnerable to at least three pieces of widespread malware, two of which date back to 2004. At least three well-known internet worms - labelled Stratio-Zip, Netsky-D and MyDoom-O by Sophos - are able to execute on the operating system, according to Sophos.
However, because these attacks rely on user interaction to execute the code, Microsoft has denied this is a flaw. Microsoft said these attacks rely on social-engineering techniques to be successful.
The software behemoth said in a statement: "Microsoft is aware of a report by Sophos that claims variants of existing malware may affect users running Windows Vista. Based on our initial investigation, Microsoft can confirm that these variants do not take advantage of a security vulnerability, rather they rely on social engineering to infect a user's system."
Social engineering relies on tricking users into executing malicious code themselves - a user has to open an infected attachment on an email for these worms to infect the system. Windows Mail Client - the Vista replacement to Outlook - will block the worms but businesses running third-party email clients such as Lotus Notes, or webmail such as GoogleMail or Yahoo!, could be vulnerable to social-engineering attacks.
Microsoft stopped short of blaming third-party email clients for the problem but said that User Account Control (UAC) - which limits users' ability to install applications unless they have administrator privileges - can "help to provide better protections". IT managers can run Vista end-user accounts with limited "standard user" privileges, rather than administrator privileges. Users are also given security prompts when attempting to run executable code.
Microsoft's statement said: "In those cases where other email clients may not have made the same aggressive security design decisions as Microsoft did with Windows Mail Client, other protections such as UAC can apply still to help provide better protections against email-based social-engineering attacks."
It added that currently, once malware has breached the outer defences of a computing system through user interaction, it is no surprise that the operating system obeys user commands to run the code. Stephen Toulouse, a senior product manager at Microsoft's security technology unit, said: "If a user clicks through various security warnings and protections, it's of little surprise that malware (even malware from long ago), can still run. It is not through a flaw that this occurs."
Toulouse said currently operating systems by themselves have little way of knowing when the user has chosen to run a piece of software that is "bad" until after it is installed and running, and even then that capability is often provided by an application such as antivirus.
He said: "This is why we strongly recommend to run antivirus on all versions of Windows, even Windows Vista. The very problem you have noted is one that is not actually unique to Windows."
Tom Espiner writes for ZDNet UK
Comments
There are 3 comments. Join the discussion
1. Richard Hall
As a point of information, Vista Windows Mail client is a replacement for Outlook Express, not the full Outlook client (latest incarnation Outlook 2007)
2. Mark Hosey
Doesn't all this apparently successful activity by hackers point to a lax attitude by software writers? Is it not about time for the introduction of a European standard that clearly defines acceptable levels of security that all software must attain before European marketing of those products?
After all, every aperture in every building in Europe is filled with a product that meets minimum safety and security standards. Doors, glass, window frames, locks, bolts hinges, sealants etc all meet certain minimum standards.
Well I consider my PC connection to be another front door on my house connecting it to the outside world. The last thing I want is some shoddy product on my PC that leaves me and my family vulnerable to criminal activity. How would you react if you bought a door with a non-compliant lock which, if banged hard enough popped open giving the world access to all your possessions? And how do you think the insurance companies would react? They wouldn't pay the insurance claim of course!
So why do we blithely accept the equivalent low level of security with the software we buy. It's not as though the software writers can't make their products secure. Often they do, retrospectively by issuing bug fixes but they should be secure from day 1. Correctly drafted, controlled and audited standards can ensure that all of the common security flaws exploited by hackers but left there by amateur, lazy or incompetent writers are reduced to manageable levels.
Standards work for all other industries, so why not software, and why aren’t the insurance companies driving for it?
3. Mike W
"Standards work for all other industries, so why not software" - this is not intended as an excuse, but the logical complexity of all but the most trivial software is potentially several orders greater than most 'physical' devices.
This means that software writers must strive to use best-practice techniques ("standards") for writing and testing software, and a "if it /can/ happen, it /will/ happen" attitude to risk.
Unfortunately this ethos is not as widespread as it should be ... "if it works, ship it !"