Safest Windows ever?
It only took a few weeks after the launch for the first Vista security patch to arrive and, rather worryingly given the spin about “safest Windows OS ever”, it related to a critical vulnerability in the Malware Protection Engine, the heart of Vista’s Windows Defender and OneCare applications. Designed to protect you from malware, it contained a loophole through which external forces could control your system.
I’m not knocking Microsoft for the sake of it here – I actually like Vista and applaud the efforts Microsoft has put into bolstering security in the new OS. What I don’t like is that after all that testing, all those delays and all the marketing hype, Vista could still be launched with a critical vulnerability wagging its tail at any rogue who knows where to look for it. Certainly, Windows Defender will have automatically updated itself as soon as the problem was flagged and the engine patched, but that’s not the point. The point is that more testing is required before an OS can be declared secure enough to be used in mission-critical applications, to be deployed across your company, even to be trusted as the lynchpin in a home business operation.
My advice to those businesses that have asked about upgrading is the same advice I gave when XP arrived on the scene (and Windows 2000 and 98 and so on); namely, wait six months for the Fiji Service Pack 1 release. At least by then, there’ll have been half a year of real-world tests as opposed to controlled betas, which, with the best will in the world, aren’t the same thing. By then, the initial bugs will have been discovered and squished. By then, those claims of “a whole new level of security” will leave a less bitter taste in the mouth.
I imagine Microsoft must be experiencing exactly that taste after its flagship Live OneCare for Vista security application failed the Virus Bulletin VB100 certification process. This industry standard test is renowned for being tough, and requires all exploits to be discovered without any false positives along the way. Just the idea that Microsoft would submit OneCare for certification without being 101% sure it would pass is pretty astonishing, especially when you consider that there’s no second chance because of a “no retests” policy.
To add to the “not raining but pouring” feeling at Redmond, news reaches me that the Windows Live Messenger IM client has been happily serving up malware-installing banner adverts during February 2007, which is somewhat ironic given that the application advertised was called ErrorSafe. A little checking would have revealed that Symantec rates this product as a medium-level risk, with the warning that it may give exaggerated reports of threats on the computer when run and “prompts the user to purchase a registered version of the software in order to remove the reported threats”. That’s why it’s been classified as malware by a number of security vendors, and why there’s no excuse for the adverts being served up within a Microsoft application, where there’s no escaping them (unless you breach the EULA by installing a third-party utility to remove advertising from the IM client, of course).
Getting back to Vista, Microsoft has improved IE no end from a security perspective (if not the user experience) by having it run in protected mode by default under Vista. Making IE a low-integrity process without permission to write anywhere outside of the browser cache – unless the user says so – makes life much harder for malware, which is confined to other low-integrity locations and unable to do as much damage. Even so, by the time users have finished installing add-ins from non-trusted publishers (which, frankly, means most of them in the absence of any moderating or vetting process), who knows what kind of mess the browser will be in? Do I use IE7 as my browser of choice in either a professional or personal capacity? Do I heck – I use Firefox and continue to recommend others do the same. It’s less buggy, easier to use and doesn’t attract the same volume of hacker malice IE does.