February 28, 2007 11:58 AM PST
Symantec sizes up security in Windows Vista
And the greatest threat of all continues to be third-party applications designed for Microsoft's new operating system, according to research released Wednesday by Symantec, which has become a Microsoft competitor as the software giant delves deeper into offering security features.
"Third-party applications continue to be the largest area of exposure. Microsoft has done a good job at protecting the core operating system, but third-party applications remain exposed," Oliver Friedrichs, director of the Symantec Security Response Center, said in reference to Microsoft's release earlier this year of its consumer version of Vista.
The lack of security surrounding third-party applications is nothing new, but attackers are starting to move up the application stack and away from the core operating system, Friedrichs said.
During the first six months of last year, 78 percent of new security vulnerabilities were found in Web applications, according to Symantec's research. And Windows Vista provides no enhanced security in this particular area, as the majority of vulnerabilities today are seen within PHP, Python, Perl, ASP and other languages, the security firm said.
"Microsoft has solved yesterday's problem but not eradicated security risks entirely," Friedrichs said.
A Microsoft spokesman said that while Windows Vista is the most secure version of its operating system to date, none of its security features--individually or collectively--are designed to be a "silver bullet" for computer security.
"Security is about making choices," the spokesman said. "Make it too restrictive and users will have to interact with the software more to do what they want. Conversely, focus on ease of use by making the default settings less stringent and increase the chance that a system can be attacked."
The Symantec "report does not properly address the fact that many of the Windows Vista security technologies have numerous options that allow for a user to make their own judgments," he added.
Within Vista itself, Symantec found that the Windows SideBar and gadgets could lead to security risks for users. The gadgets, or tools, use static HTML and scripting to allow developers to easily create new plug-ins for the Windows desktop, such as clock or calculator applications.
The gadgets do not automatically execute, but Symantec is concerned that they are automatically authorized to communicate over the Internet, making them an attractive target for attackers.
The security firm also found that while Vista's Address Space Layout Randomization strives to reduce denial-of-service attacks by loading programs randomly in memory, the process is not as secure as Symantec anticipated.
"We found the randomness of the addresses were not as optimal as we would expect," Friedrichs said.
8 commentsJoin the conversation! Add your comment