July 24, 2006 7:54 PM PDT

Symantec continues Vista bug hunt

After poking around the Windows Vista networking stack, Symantec researchers have tried out privilege-escalation attacks on an early version of the Windows XP successor.

In a second report on Vista, Symantec takes on a security feature called User Account Control (UAC), in the operating system. The feature runs a Vista PC with fewer user privileges to prevent malicious code from being able to do as much damage as on a PC running in administrator mode, a typical setting on Windows XP.

"We discovered a number of implementation flaws that continued to allow a full machine compromise to occur," Matthew Conover, principal security researcher at Symantec, wrote in the report titled "Attacks against Windows Vista's Security Model." The report was made available to Symantec customers last week and is scheduled for public release sometime before Vista ships, a Symantec representative said Monday.

Conover looked at the February preview release of Vista. The report describes how an attacker could commandeer a Vista PC with Internet Explorer 7, the reinforced version of Microsoft's Web browser. The final version of Vista is not expected to be broadly available until January.

The attack starts out by planting a malicious file on a Vista PC when a rigged Web site is visited. The placing of the file involves using a specially crafted Web program called an ActiveX control, which exploits a security hole. The report then describes how the malicious program could gain privileges and ultimately give an attacker full control of the PC.

"The triviality of this privilege escalation...foreshadows the grave difficulty that the Windows Vista security model will have enforcing the separation between low and medium integrity level under the same user account," Conover wrote.

Microsoft has already resolved most of the issues identified in the Symantec report, a representative for the Redmond, Wash., company said in a statement. "Highlighting issues in early builds of Windows Vista does not accurately represent the quality and depth of the final functionality of User Account Control," the representative said.

Additionally, Microsoft said the Symantec research assumes that the user is logged in with an administrator account, a setting Microsoft does not recommend. Instead, the software maker advises the use of standard user accounts, which will require users to enter a password to gain administrator-level privileges for certain tasks--to install software, for example.

Microsoft has pitched Vista as its most secure operating system ever. UAC and Internet Explorer 7 are two of the key ingredients to deliver that security.

The report on UAC is the second of three reports Symantec plans to release on Windows Vista. A first report, on new Vista networking technology, was publicly released last week. A third report, examining the Vista core, or kernel, is scheduled to be published this week on Symantec's DeepSight security intelligence service.

Traditionally allies, Microsoft and Symantec are now going head-to-head in the security arena. In late May, Microsoft introduced Windows Live OneCare, a consumer security package, and the software giant is readying an enterprise desktop security product. Symantec has also sued Microsoft, alleging misuse of data storage technology it licensed to the company.

"Symantec continuously researches and analyzes new technologies," said Pamela Reese, a Symantec spokeswoman. "Even with the understanding that the issues discussed in this research will likely be resolved before Windows Vista is shipped, Symantec has opted to make this research public because of the public interest in Vista."

But telling the world at large about vulnerabilities in an operating system that won't ship for a while doesn't help anybody, noted John Pescatore, a Gartner analyst. Though it may help Symantec's marketing machine. "They want to sell desktop security software even when Vista comes out," Pescatore said.

Additionally, security companies benefit from getting their name associated with finding vulnerabilities. "It helps people trust them as a security company," Pescatore said.

Symantec said it is encouraged to see that Microsoft is taking care of the basics by improving the security of its newest operating system. "However, Symantec feels that customers are safer if they can exercise their choice to use the security capabilities offered by Symantec and others," Reese said.

See more CNET content tagged:
Symantec Corp., Microsoft Windows Vista, representative, attack, security

13 comments

Join the conversation!
Add your comment
Microsoft does not recommend Admin accounts?
"Microsoft said the Symantec research assumes that the user is logged in with an administrator account, a setting Microsoft does not recommend. Instead, the software maker advises the use of standard user accounts, which will require users to enter a password to gain admin-level privileges"

I agree that using an Admin account is unnecessary and a security risk, so WHY does Vista automatically setup the first user created as an administrator (at least in the latest public beta)?

I'm not referring to the actual "Administrator" login, I mean the first USER, created during installation, is setup with Admin access. Doesn't that defeat the whole purpose of getting away from using Admin and undermine their security efforts?
Posted by Take the Red Pill (46 comments )
Reply Link Flag
Because...
It is not recommended to use the Administrator account for anything other than recovery of the other accounts. A good security practice (for corporations, but it also applies to home and SOHO installations) is to have the Administrator account sealed and unused.
Then you need to have another Administrator account, the one you'll actually use for administrative tasks, including the creation of real user accounts, which should be used for day to day tasks.
So it makes sure that the first account created is an administrator. It could be more clearly explained during creation that the account should not be used for day to day activities though.
Posted by herby67 (144 comments )
Link Flag
Because it's beta software, duh
Locking away features won't help them get tested.
Posted by Chung Leong (111 comments )
Link Flag
Symantec spreading FUD
Symantec is trying to discredit MS over security. The problem is that Norton Security totally sucks. Check out the criticisms of Norton at Wikipedia. CNET readers should try etrust EZ antivirus from CA, free AVG, AntiVir, or avast! or ClamWin or MS OneCare. Norton is really slow, bloated, eats up RAM and CPU power. It is buggy and like all symantec products doesn't unistall properly, hence the need for the SymNRT tool. In short Norton sucks and is the worst product on the market, it is only for suckers. Check out Amazon.co.uk if you don't believe me. With new competition from MS, Symantec will finally get wiped out.
Posted by Jamie_Foster (77 comments )
Reply Link Flag
Your description of symantec's products......
sounds similar to the way some people describe windows, (Norton OR windows)"is really slow, bloated, eats up RAM and CPU power."
Just an observation , and I agree Norton does suck.
Posted by grandmasterdibbler (78 comments )
Link Flag
Your description of symantec's products......
sounds similar to the way some people describe windows, (Norton OR windows)"is really slow, bloated, eats up RAM and CPU power."
Just an observation , and I agree Norton does suck.
Posted by grandmasterdibbler (78 comments )
Link Flag
Try Bitdefender 9 Standard!
Hi, Try Bitdefender 9 Standard, that is a really
good antivirus software. PC World says it is the best! Updates all the time and takes very little RAM. Best regards,
Björn Lundahl, Göteborg, Sweden
Posted by Björn Lundahl (253 comments )
Link Flag
Bug Hunt?
Symantec needs to do a bug hunt through their own stuff! What utter garbage software they foist on the uninformed public.
Posted by als (154 comments )
Reply Link Flag
Good for vista
Its good for microsoft as vista is under microscope. This will force microsoft fix issues and hopefully deliver a solid product.
Posted by Tanjore (322 comments )
Reply Link Flag
Face the facts
M$ has always sucked at security and they always will. Symantec used to be the best but they suck as well now. At any rate, I'll bet dollars against doughnuts that Vista will be clobbered by some virus, worm or other malicious code before it's out a month.
Posted by Michael Grogan (308 comments )
Reply Link Flag
Symantec
This company is a joke, with all of their bloatware they sell, they should fix their own garbage! I have and will continue to remove any Symantec products from all my customers computers (which we know is no easy task)!!!
Posted by lolio (4 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.