February 28, 2007 11:58 AM PST

Symantec sizes up security in Windows Vista

Related Stories

Vista for the masses

April 4, 2007

Symantec CEO says no Vista for me

February 13, 2007

Symantec eyes ID management

May 8, 2006
Windows Vista might be Microsoft's most secure operating system yet, but its Windows SideBar and gadgets could pose security threats, Symantec says.

And the greatest threat of all continues to be third-party applications designed for Microsoft's new operating system, according to research released Wednesday by Symantec, which has become a Microsoft competitor as the software giant delves deeper into offering security features.

"Third-party applications continue to be the largest area of exposure. Microsoft has done a good job at protecting the core operating system, but third-party applications remain exposed," Oliver Friedrichs, director of the Symantec Security Response Center, said in reference to Microsoft's release earlier this year of its consumer version of Vista.

The lack of security surrounding third-party applications is nothing new, but attackers are starting to move up the application stack and away from the core operating system, Friedrichs said.

During the first six months of last year, 78 percent of new security vulnerabilities were found in Web applications, according to Symantec's research. And Windows Vista provides no enhanced security in this particular area, as the majority of vulnerabilities today are seen within PHP, Python, Perl, ASP and other languages, the security firm said.

"Microsoft has solved yesterday's problem but not eradicated security risks entirely," Friedrichs said.

A Microsoft spokesman said that while Windows Vista is the most secure version of its operating system to date, none of its security features--individually or collectively--are designed to be a "silver bullet" for computer security.

"Security is about making choices," the spokesman said. "Make it too restrictive and users will have to interact with the software more to do what they want. Conversely, focus on ease of use by making the default settings less stringent and increase the chance that a system can be attacked."

The Symantec "report does not properly address the fact that many of the Windows Vista security technologies have numerous options that allow for a user to make their own judgments," he added.

Within Vista itself, Symantec found that the Windows SideBar and gadgets could lead to security risks for users. The gadgets, or tools, use static HTML and scripting to allow developers to easily create new plug-ins for the Windows desktop, such as clock or calculator applications.

The gadgets do not automatically execute, but Symantec is concerned that they are automatically authorized to communicate over the Internet, making them an attractive target for attackers.

The security firm also found that while Vista's Address Space Layout Randomization strives to reduce denial-of-service attacks by loading programs randomly in memory, the process is not as secure as Symantec anticipated.

"We found the randomness of the addresses were not as optimal as we would expect," Friedrichs said.

See more CNET content tagged:
Symantec Corp., gadget, security, Microsoft Windows Vista, spokesman

8 comments

Join the conversation!
Add your comment
What do you expect from Symantec?
Are we going to expect Symantec to say "Vista is a secure OS and you don't need to buy our overpriced security suite"? Give me a break.
Posted by Jess McLean (61 comments )
Reply Link Flag
Have your cake and eat it too
Of course third party apps are the weakest point. The OS vendor doesn't control these apps so it will always be the weakest point. What MS is trying to do is close the door to the OS so that any bad app can't damage the core. So here's Symantec (and others) saying that MS should maintain a tighter system, yet everytime MS tightens the system and tries to prevent anyone from getting to the core, Symantec and others are the first to complain about lack of access.

You can't have it both ways. Either the core is locked down to all Non-OS apps including third party apps where the third party IS the OS vendor (MS can't allow defender in while others are left out) or there will always be ways to corrupt the system.

Symantec, stop crying WOLF when you ARE one of the wolves.
Posted by DatabaseDoctor (858 comments )
Reply Link Flag
Third Party Software
Wouldn't third party software include Symantec software?
Posted by solrosenberg (124 comments )
Reply Link Flag
Third Party Software
Wouldn't third party software include Symantec software?
Posted by solrosenberg (124 comments )
Reply Link Flag
Well Symantec should know...
That the "greatest threat of all continues to be third-party applications designed for Microsoft's new operating system."

After all Symantec makes some the worst software around for Windows. So if anyone knows what they are talking about it should be them.

Robert
Posted by Heebee Jeebies (632 comments )
Reply Link Flag
Microsoft's responsibilities
Per the article, in reference to third party apps:

"...And Windows Vista provides no enhanced security in this particular area, as the majority of vulnerabilities today are seen within PHP, Python, Perl, ASP and other languages, the security firm said.

'Microsoft has solved yesterday's problem but not eradicated security risks entirely," Friedrichs said.' "

Microsoft's responsibilities do not include how third party applications are coded, built, packaged and/or distributed to the consumer by third party companies.

When is everyone going to realize that Microsoft is not responsible for solving everyone elses problems? The fact of the matter is that exploits found in the core OS, as well as Microsoft's own applications are becoming fewer and fewer, while other companies are not held accountable for their own products.

Personally, I see this as nothing more than yet another petty attack from Symantec directed at Microsoft.
Posted by wanderson75 (2 comments )
Reply Link Flag
Babys
When I hear anything from Symantec all I can picture is a bawling baby who had its bottle taken away. I used to like Norton and McAfee when they used to be a product you had control over and they used little system resources. When I noticed they where clobbering things like they where on a "witch hunt" I gave them up for AVG AntiVirus because it behaves like they used to. Note to AVG: If you sold your product in the retail market I would have bought your full version. So AVG does not get a big head about this Email I would like to mention that their are also other antivirus programs that are also good. CNet Downloads can help with that. But for AVG AntiSpyware, I highly recommend it as the absolute best!! Adaware and Spybot come second!
Back to Symantec, I agree there are issues with Vista. I do own a copy of home premium and I have not been to happy with it. I do think your whining is not sounding to credible to me do to the circumstances. I feel you should shutup and let someone else state your case for you!
Posted by Ted Miller (305 comments )
Reply Link Flag
MS must hate Symantec!
I'm reading this story and I'm thinking to myself....Microsoft must hate Symantec because they are always finding flaws left and right. Vista is somewhat secure right now and perhaps made a little more secure with the nagging User Account Control feature. It's a nice idea but it's so nagging for an administrator to have on that I turned it off. I own the RC1 of Vista and can't stand the UAC, turned it right off. Give it a little while....security flaws will be found in Vista, the hackers are still learning the new OS and well.

Symantec isn't exactly perfect either. Tagging Yahoo Mail beta as a virus!!!!! I just read that story. I think the whole Symantec Norton suite is way overpriced. Lower the price! Also, I've heard Norton slows the system down to a turtle....go AVG!
Posted by pentium4forever (192 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.