Symantec Corp is to release four white papers that make the claim that Windows Vista’s security is perhaps not all it is cracked up to be.
The papers represent the result of man-decades of research into Vista, Microsoft Corp’s latest desktop operating system, and come to the conclusion that, while the security is good, it is not bulletproof.
“Our overarching conclusion is that Vista is not a silver bullet when it comes to security,” said Oliver Friedrichs, director of emerging technologies at Symantec Security Response.
The papers look at three areas of improved security in Vista — user account control, memory protection and kernel-level protection — as well as providing some details on whether the Windows XP generation of malware works on Vista or not.
According to the papers, 3% of existing backdoors, 4% of current keyloggers, 2% of Trojans and 2% of spyware can successfully execute and survive a restart on Vista without being modified. It’s not clear how well this compares to non-malicious software designed for XP.
Friedrichs said the company figured out how to deactivate Vista’s three main kernel protection technologies – PatchGuard, driver signing and Code Integrity – and it took a week for one guy to research and write the code.
“If an attacker was able to replicate what we did, we believe a sophisticated attacker would be able to figure out how to do it in one week too,” he said.
The publication is arguably as much a marketing effort as it is about security. There are bound to be critics who accuse Symantec of spreading FUD to plug its packaged antivirus business.
“From a business standpoint this always can be seen as a self-serving effort,” Friedrichs acknowledged. It’s more about providing a counterpoint to Microsoft’s publicity, he indicated.
“The industry needs a voice of reason in order to really understand the security implications of Vista. We haven’t had that. There needs to be somebody there to balance the hype,” he said.
Of course, just because Symantec has a lot to lose if consumers get complacent about security, and stop buying its products, does not mean the company’s findings are not true.