Vista Security Debate Continues with Follow-Up Study
Security software vendor PC Tools on Friday fired the latest salvo in the
argument over whether Windows Vista is as secure as Microsoft says it is.
The Sydney, Australia-based company even went so far as to release
early on Friday morning what it called "additional research" to support
its contention that Vista "is still a long way from immunity to online
threats."
"PC Tools maintain[s] that Vista is not immune from online threats,"
wrote Simon Clausen, chief executive of PC Tools, in an e-mail statement to
Redmondmag.com on Friday. "Further research and analysis has confirmed
our contention that additional third-party protection, even if it isn't our
products, is absolutely necessary for all Windows Vista users."
These latest comments from Clausen -- as well as those made
on Wednesday by PC Tools Vice President Michael Greene -- are a direct response
to a Windows Vista Security blog posting by Microsoft staffer Austin Wilson
that purported to debunk PC Tools' findings.
For its part, PC Tools is now claiming that further examination of its raw data
and research methods indicates that 121,000 pieces of malware were detected on
about 58,000 Vista machines (this is according to data obtained by downloading
the malware count from the company's ThreatFire malware detection program).
Moreover, the follow-up study found that these same Vista computers "had
at least one piece of malware actively running on their system."
As for the types of malware detected on Vista-based machines, PC Tools said
17 percent of all the threats were Trojans, 5 percent were worms, 3 percent
were spyware and 2 percent were various viruses.
In the study's summary, PC Tools contended that Microsoft's Malicious Software
Removal Tool "is not a comprehensive anti-virus scanner" in that it removes
only "a limited range of 'specific, prevalent malicious software.'"
The company is also not too keen on Redmond's assertion this week that its
conclusions were not only inaccurate but were also not an indication of increased
vulnerabilities in Vista; rather, in the words of Microsoft evangelist and TechNet
blogger Michael Kleef, they were merely an indication of "poor user behavior."
"The number of virus infections found by a virus vendor does not necessarily
equal poor security," wrote Kleef in a blog post. "If I, despite all
prompting and consent behavior, choose to
go to a (probably dodgy) Web site, accept the ActiveX control prompts to download
(probably dodgy) code and I actually choose to execute that code, then I'm hosed.
I'm now at the mercy of whatever code I've chosen to run."
PC Tools' Clausen countered in his e-mail that "because the technology
we use to detect and identify malware is behavioral-based, the data refers to
threats that actually executed and triggered our behavioral detection on the
client machine."
Kleef wrote further: "It's not like the application developer community
didn't know about writing for least privilege. We made it pretty clear over
a number of years not to write to protected parts of the OS." Like many
Microsoft security personnel, Kleef invoked Vista's User Account Control (UAC)
component as a safeguard against most attacks.
Clausen said he had an answer for that, too: UAC's frequent intrusion alerts
tend to compel users to ignore the alert information and unwittingly let threats
slip through.
"UAC is limited in the number of activities it monitors because malware
can also penetrate the operating system by evading detection," Clausen
added.
While the banter between Vista security detractors and Microsoft continues,
IT pros can find solace in shoring up their firewalls and also patching
vulnerabilities that best fit the risk profile of their individual enterprise.
About the Author
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.