Microsoft watcher Ed Bott reckons that journalists are jumping on Vista security in typically sensational fashion, fuelled by a couple of rather thin reports from PC Tools that show a rising number of vulnerabilities in the OS.
Bott’s broad point is that no matter which security tools are included in an OS (UAC for instance), some users will choose to ignore them for reasons of stupidity, naivety or carelessness. Operating systems can’t be held responsible for their users, and that includes Vista as much as any OS.
“If you’re the admin and you tell the OS you want to run an executable program, the OS has to respect your judgement and allow it. It has no way of knowing whether a program is good or evil, well written or buggy, or whether it will cause your system to lock up with a STOP error. As the boss, you get to make the decision.”
I’m going to disagree with the ‘Bott defence’, as I’d now like to call it as I dig deep for more sensation, and not because the PC Tools statistics hold huge amounts of water – they don’t. Their evidence is fragmentary, and they certainly have security software to sell, especially to Vista users who might be crazy enough to think they can do without.
As we pointed out in our coverage , making sense of PC Tools’ figures is not straightforward. The malware occurrences were simply ones spotted by their ThreatFire software. No mention of what, if any, damage was done. Little mention also of which pieces of malware were encountered, and which if any specific vulnerabilities were being targetted.
Some malware – hitting browser and media player holes for instance – works across XP and Vista. This doesn’t mean Vista is vulnerable per se, only that computers running Windows-based browsers have security flaws.
But hold on a minute. The reason Vista’s UAC has to ask us so many questions in the first place is because of the way Windows is designed. It is very hard to understand which events are significant on modern operating systems, or to probe their provenance before making a decision. We have digital certificates for websites, and driver signing for till it comes out of every orifice, but the problem is that OSes are complex, running thousands of application modules, so many in fact that the modern PC is like a class of rowdy children all trying to beat up the teacher.
Vista didn’t create this problem, but it perpetuates the conditions that make it possible – complexity. Microsoft has for decades championed the idea that this is a necessary part of modern computing, when it’s nothing of the sort. It’s what we’ve become used to because it offers what is called a ‘platform’, an interesting metaphor for a system designed to be capable of running anything and everything because 'you just never know what you will need'. But that convenience comes at a price, and that price is complexity and, therefore, insecurity.
Indeed, we are sometimes told that it is Vista’s relative underlying complexity that makes it harder to compromise, when it could be argued that the same complexity increases the opportunity – the attack surface - in the long run.
Vista is today more secure than XP straight out of the wrapper, but that’s not a meaningful comparison. XP has been around and targeted by criminals for seven years. What state will Vista be in the equivalent amount of time? And will the answer really be more of the same in the form of Windows 7?