Flawed Survey Suggests XP More Secure Than Vista

SkeeLo writes "One of Vista's big selling points is security, but a report from CRN concludes that Vista offers little in the way of security advancements over Windows XP. Ars Technica analyzed the report and found some methodological problems. 'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software — something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.' That's not all: 'It was also disappointing to see CRN completely ignore the issue of buffer overflows, which has been addressed well in Vista by most accounts. This was a major weak spot with XP, and so far, Vista looks strong in this area, strong enough that Vista may never get its own "SQL Slammer." Why CRN didn't address this is a mystery, as it is no minor matter.'"

Or ... people are still writing virii for WinXP

Since most consumers aren't buying WinVista if they can avoid it.

But, if that were true, chip sales by Intel and AMD would be down ... oh, wait, they are.

Let's see

Study finding Vista more secure then XP = X hits.

Study finding XP more secure than Vista = Y hits.

if (x > y)
  post Vista more secure than XP
else
  post Vista less secure than XP

Anti-Virus

That's life for being MS.

If MS put in a AV software, other AV companies will file for anti-competition lawsuits; If MS didn't, consumers will moan about it too.

Re:Anti-Virus

Because it's an unfair advantage to make an insecure OS and then charge "protection" money!

No. No! No!!

It is a Genuine advantage

AV is not a lock

Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

By the time your AV software comes into play your already infected. So AV software is not the lock on your door. Its the rifle in your house.
Still important, But vary different.

Urg

Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'

Or rather.. it's a bit like faulting the construction company when the wall in your house fell over because somebody knocked on the door.

Anywho, anti-virus and personal firewalls are ridicilous concepts. You shouldn't have userland applications necessary for keeping other userland applications out of the actual operating system.

So how do you do that?

How does an OS know what apps are good and what apps are bad? That's what a virus scanner is: It's a list of known bad apps. If one wanted a real world analogy it wouldn't be like a locked door or anything, but rather a bouncer with a list of people who need to stay out.

Vista already has privilege escalation if that's what everyone is bitching about. So evil apps that want system access will have to ask for it, just like everything else. However if the user says "Sure, you can have that," what can the OS do about it? Apps don't have an "evil bit" they are just code to be executed.

Same deal with the real world. If you choose to unlock your door and let someone in, it's not the fault of the people who made the lock or the door that you did.

I think the grandparent is just another of many Windows haters that seems to think there's some magic that could be done to keep viruses out that MS just won't do. Well, actually there IS such a technology and that would be the scary version of trusted computing. If hardware enforced protections past what the OS could override, and checked signatures on apps, then only valid, signed apps could run. Provided the signing authority did their job, there'd be no viruses. Of course that would mean giving total control of your computer to a third party, something I think none of us want.

What it comes down to is there is no way for an OS to both give someone control of their system and protect them from themselves. The ability to grant the authority to run code at a privileged level implies the ability to do it for both good and bad code. Thus the necessity of virus scanners. They maintain a known list of bad code, and can warn you if you try to run that. I suppose you could build it in to the OS, but it changes nothing, it is just a virus scanner that's part of the OS now. There's no magic juju, other than taking away the user's administrative rights, that will work.

Just to be clear: By taking away administrative rights I don't mean running as a deprivileged user, Vista does that, I mean NO admin access AT ALL. No escalation, period. That'll do it. Indeed we do that at work as much as we can and on those computers, we have no problems as users simply can't install software. However to do it at home, well you can see how that'd be a problem.

is this /.?

Seriously. A pro-MS article? whats next, mr spock with a goatee? Doc

Pretty crappy door IMO

"Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted."

I'm sorry, but if I bought a security door that claimed it would keep out 99% of criminals, I would be a bit pissed off if I got it home and realised that an actual lock for that door was considered an 'optional extra'. The idea of browsing the internet with IE, no anti-virus and the windows firewall for any length of time, even no longer than it takes to download zonealarm and avg, gives me the heebie-jeebies.

The Flaw is the Survey.

Comparing XP to Vista security is kind of like having a SUV milage competition, except SUV's are sometimes useful and that utility is destroyed by poor fuel economy.

Isn't greater security a selling point of Vista?

I don't understand. What's wrong with the CRN article. So they didn't mention, Vista doesn't come with AV software. Big deal. Wasn't security one of Vistas selling points? Regardless, Vista without AV software and XP without AV software,... I'm failing to see why the CRN article is wrong.

Missed?

Maybe I missed it when I RTFA, but it didnt mention which version of XP was used... a look at HPs site shows that the HP Compaq nc6400 did ship with XP Pro (whether that matters much compared to home edition or not)

Also... were these systems ran all the way default, as in, boots up as Administrator with no password? (again, not sure how much that matters in a test like this)

I do agree with the title, flawed survey indeed.

I dont blame Vista or XP so much as I blame IE version X.XX

Id like to see the exact same suite of tests ran against the latest version of Opera, Netscape and Firefox.

Security == knowledge and other stuff

Of course from practical point of view XP right now is more secure. And I don't mean default install. For example take my company and few facts:
- we managed to make the machines behave as we will
- we have invested money into third party security software
- we have invested time (which equals money) into free (as in speech) third party security software
- we have some knowledge and experience into XP security -- after these - what like 7? - years who doesn't?!

Right now we have quite healthly and working infrastructure based on XP and surrounding (like VPNs, IDSs, AVs, proxies, backup, imagining etc.) services. We know how to do it, we have experience.

Now Vista from my standpoint is just big black hole - another system from MS that does not offer me anything significant but opens a can of unknown worms... I don't see any serious businesses building their security infrastructure around brand new shining Vista systems.

Of course in *theory* Vista can be more secure, but from practical standpoint it is new and untested product that has ben rushed to the market.

It really depends on your security definition. Security is not a product - security is a proces in which you have knowledge about what you are doing. In which you have educated users. In which you have policies and audits and so on. Vista isn't anywhere near to be even a stable product from security standpoint.

flaw-reporting report flawed?

Don't look that flawed to me.

XP: No AV included
Vista: No AV included

Report says: "Vista no improvement over XP"

Report is pretty much correct.

XP vs. Vista is so ... (yawn) ... zzzzz zz z zz

I'm getting tired of the XP vs. Vista vs. XP vs. Vista vs. ... articles posted here all the time. Microsoft will eventually drop support for XP and will continue to support Vista. Microsoft will continue to focus on Vista. If Vista is now less secure than XP Microsoft will eventually it stronger ... that is until the next Windows OS is released. Dammit we had to listen to XP versus everything-else-before-it. Tiresome, damn tiresome. No worthwhile discussion came from it last decade but you never know ....

NO AV != No protection against viruses

Let's face it. Anti Virus software is the day after pill. I daresay if someone relies on defending against viruses by antivirus software, the security model is already utterly, completely broken. So no, not including an anti virus software doesn't mean an operating system shouldn't employ design and tactics against viruses. Ars Technica is simply wrong.

No Locks on the door?

Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

I think the point is that M$ should have learned their lesson last time, and the time before that, and made vista such that having anti-virus software would be unnecessary. Or in the terms of the analogy, Having forgotten to put a lock on the door of their previous house and repeatedly come home to find their underwear scattered all over the yard, you would have thought they would have made a secure door this time.

Shrug, I disagree

the report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software

I thought the big issue everyone had with Windows products were that they needed AV products in the first place because they were fundamentally insecure?

Shipping Vista with an AV package would have practically been admitting that they can't make secure products and the only thing left to do is have a separate layer in the OS to try to intercept stuff before it caused problems (or clean up after it), rather than blocking the holes in the first place - which is, I believe, part of the point of Vista's entire security model (DON'T RUN THINGS AS ADMINISTRATOR, JERKS).

Vista is a faulty OS?

"Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted." This simply means that Vista is a basically a faulting program!!! Any Linux distro or OSX do not ship with antivirus either. That doesn't make them faulty or unsafe to use it. Vista should be safer "regardless" of the presence of the antivirus, otherwise it simply faulty by design.

Flawed counter argument

'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software -- something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'

Vista is supposed to have these features built-in, as well as a host of other improvements. Such as service hardening, anti-malware (which does claim to kill viruses), network access and more.

Why, you can read the whole list right here. [microsoft.com]

So I wouldn't say it's like a door without a lock on it. If Vista is flawed, it would be like saying it's a door with a crappy lock on it. Big difference.

Inflamatory titles, this applied to corps ONLY!

More fanboys.

For whoever doesn't see this screaming at him, here's a breakdown:
In home-user-land, credendials were an option nobody used until Vista. NO amount of buffer-overflow susceptibility can EVEN COME CLOSE to outweighing the security implications of having UAC - a restricted-user+sudo working model rather than XP's work-as-root one. Vista and XP for the home user are incomparable and are in totally different leagues, vista winning by very, very, very long shot.

In corp-land, everybody (who gives a damn about his security) has been using non-administrator-accounts on his workstations (at varying and ever-improving degrees of annoyance) since NT4. For all intents and purposes, XP with domain policies had all the functional benefits of UAC, as did 2000 and NT4. So the battle over which is more secure needs to be resolved on much finer points, such as susceptibility to buffer overflows, code maturity etc. This is what the report in TFA addressed and they may be quite correct on this.

Pushing titles saying "XP less secure than Vista!" without VERY THOROUGHLY POINTING OUT WHEN AND WHERE THIS APPLIES (*WHERE THERE BE NT DOMAINS AND RESTRICTED USER POLICIES*) is a cheap, inflammatory and sensationalist way of getting attention. Most people who have no clue reading this headline will get the VERY WRONG message, become misinformed, spread on more hyperbole about Vista "being less secure than XP" to people who know even less, and the overall effect will be doing WAY more bad than good in the name of either stupidity or anti-MS fanboyism.

My horse has escaped - Again!

"a bit like faulting a door without a lock for opening when the handle is twisted". They are asking, nay forcing me to buy yet another new stable which has the same open door. I would be wrong to fault them for this?

Okay, here's the deal on CRN.

My company gets delivered (hey, it's free, so they don't argue). As such, I've run across their "reviews" before this. And I believe I can summarize.

They look at things from a distinctly user-centric POV. They're focused on what the apps/solutions/OS they review do for the end user.

As such, they're not a "technical review" in any real way, shape, or form.

The term "fluff piece" comes to mind.

They add just enough to give the business users who read CRN a bare taste of what they're talking about. Any more, and the reader would go glassy-eyed.

So, lots of hype, lots of buzz, a couple explanations of things the user MAY encounter directly in a business environment, and that's about it for CRN.

For you techies out there, think about the general technical "IQ" of the sales guys in your organization (if they have one at all). THIS is who CRN is writing for.

As such, it's easy to see how the non-techie reviewers at CRN could look at a naked Vista install.

Understanding NOTHING of the security process, comparing it to the loaded out XP install on the locked-down machine his IT department provided him would be easy.

Because he hasn't seen the process, going on behind the scenes, that are necessary to secure an XP machine.

In other news, it has been discovered...

...That submarines with screen windows offer slightly better floatation than submarines with screen doors.

MacroSubs has affirmed that this is incorrect, however, and stated today that the question will be settled once and for all when their new submarine, entirely made out of screening material, captures the imagination of the nation with its launch in 2009.

So-called "alternative" submarine manufacturers continue to insist on using steel for their doors and heavy lexan for their windows. They claim this quaint, antiquated approach lets them offer better floatation, efficiency at depth, and crew survivability, but independent studies have shown that their apparent "floatation edge" is due to the fact that far fewer of these submarines are produced, not any superiority in design. A. Noying, of an independent think-tank funded in part by contributions from MacroSubs, had this to say:

"Look, we all know that as more of these all-steel and plastic subs get produced, you'll start seeing network effects and their buoyancy will be reduced down to normal levels. Currently, with only a few percent of the market, the oceans aren't interested in them as a point of ingress. This will change soon and you'll see some interesting numbers from my lab to back this up."

When asked about the widespread buoyancy failures of MacroSub submarines around the world, Mr. Noying said only "it's hardly MacroSub's fault if submarine captains tend to drive their submarines into reefs and long-forgotten sea monsters. Their duty is only to make subs buoyant, not idiotproof. However, they are working on an interesting feature called USC, or User Submergence Controls, which should make things a little easier. The submarine will basically ask the captain if he's really, really sure he wants to increase depth, once per fathom. If the captain insists on running into that reef after all the help he's been given, perhaps he shouldn't be driving a sub anyway..."

"Vista remains riddled with holes"

People. Get off the denial job already. Vista is not magically going to become the upgrade you were hoping for; No matter how many studies, weblogs, reviews, taste tests, or procto exams happen, Vista sucks, end of story. Microsoft will come out with service packs this fall, there will be all sorts of heavy breathing once again, but it's going to be the same historical disappointment. Microsoft needs to get their shit together and stop robbing people.

Whose security?

The "security enhancements" in Vista were to protect Microsoft from piracy, not to protect Vista users. Microsoft still doesn't care about them.

Flawed Survey Shows Penguins Eat Own Babies

Those dirty little penguins! Who knew?

Other flawed surveys show:
- Bush Is Actually Orangutan In Suit
- RIAA Hates DRM Music, Gives Thousands To College Kids
- Emacs Is Better Than Vim
- IE Is Most Secure Browser Of All Time
- Volcano Likely To Erupt In Redmond

You know what they say: "News for nerds. Stuff that matters."

Dumb statements r us...

"'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software -- something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'"

No, it's like comparing an old door without a lock to a new door without a lock and saying that the new door is no more secure than the old door. (Which sounds reasonable to me)

I guess nobody noticed

The summary says that Vista has "taken care" of buffer overflow problems. I'd like to submit that one of the key features of XP SP2 was that they'd gone over the code completely and eliminated all unchecked buffers - which (according to MS) eliminated buffer overflow problems.

Microsoft is their own worst enemy; they make wild claims about the functionality of their latest version but that functionality never meets their or their customers expectations. Then some exploit points out that they were being economical with the truth. Much like a recently patched (again) exploit that affected 98, NT, 2000, XP and Vista. Seems somewhat odd that an operating system that has been completely rewritten at great expense and effort should be affected by the SAME bug that has been in their products for years.

I mean, how can a company whose email clients automatically launch attachments say that they take security seriously? Let's not get started on the brain-dead file association open / execution misfeatures in every version up to and including Vista. Here's an interesting exercise to see how bad things can get: rename a safe executable to a filename with a WAV extension. Now double-click it; the executable runs. Combine that with browsers and email clients that automatically play WAV files and you've got a very exploitable platform.

What continues to amaze me is that the file type security is applied based on the file extension - but when you execute a file, the system looks at the file header to determine how to open / execute it. This bit of design stupidity has been the cause of millions of systems being exploited. Just a simple check to see if the file header matches the selected file type would go a long way - but no, this is too difficult. Here, have a UAC nuisance instead...

You don't have to have some AV Software on the sys

Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

That is not right. If I build a house with a front door and a reasonable good lock, there iss e difference to a house in the woods with no lock at all. Software architecture can sure make a difference if it is easy for malware to take unwanted advantage. You don't have to have some AV Software on the system installed, if the OS would only allow signed code from trusted sources to execute.

But then again you have other problems. ;)

My 2cents: M$ could have made Vista more secure out-of-the-box without AV-Software.

this news is pure FUD

this news is pure FUD

FUD

Maybe there should be a time window on how many days we can get
to post about a new OS, c'ause I'm sick of reading about how Vista is great
and an improvement. It ain't, it bytes, it's not what we were promised at purchase time.
Let's all move along now, and let the MS/Industry paid bloggers alone with their macs ok ?

Re:Anything to slam MS

But of course XP is also an MS product.

Re:Anything to slam MS

What? I know we get a lot of "RTFA" around here, but read the fucking summary! Shall I condense it down for you further, since I see your time is precious?

Study #1 finds that Microsoft has made no improvements (XP -> Vista)
Study #2 finds Study #1 to be incorrect and badly done. /. reports on study #2.

In essence, the story accepts that XP isn't as secure as it could be, but Vista improves on this significantly. Its one of the most pro-MS stories I've seen on slashdot for a little while now. Of course, I'd never touch Vista personally, but that doesn't mean it isn't an improvement over XP in security.

Re:I knwow I'm an AC and all...

The first is well known, Windows is hundreds of times more popular....

You mis-spelled predictable. The issue isn't that more people use Windows; the issue is that the same exploit reliably works on vast numbers of Windows machines. It's not the popularity, it's the monoculture [wikipedia.org], combined with a broken design that is trivially easy to exploit. Another example of monoculture and utter lack of security combining to create havoc is the Morris Worm [wikipedia.org] of 1988. Happily, *nix systems have moved on since then.

Secondly is a much smarter reason. Who uses these operating systems. Average windows user, knows nothing about PCs, more than willing to go to dodgy websites, doesn't notice when things are strange, hell most of them don't even update windows with the security patches and as a result they are a really nice target. Now linux users, they know what they're doing, they're either programmers/hackers etc. or they are using for very specific tasks- these people know what's going on, update their system and sweep for bugs and notice things.

Sorry to rain on your parade, but that's utter bollocks. I have empirical proof of this, from having installed and run numerous Linux-only computer resource centres for first-time computer users. The users are mostly under- or uneducated youth from a developing country, who love nothing more than to click anything that flashes or shines. The number of people who have used these centres is in the thousands, so it's statistically significant. We've just opened another centre that uses only Mac Minis.

So why, pray tell, is the total number of malware-infected machines a big fat zero? It's not the administration. The staff are taken from among the youth themselves. In most cases, they have no prior experience with IT. They're simply more interested in it. It's not user habits; the youth do wander regularly onto malware-infested sites.

The bottom line is that Windows gets regularly and predictably infested with malware because it's so easy to do, and the 'rewards' are so great.

Re:Anything to slam MS

Go ahead and post your facts supporting MS then.

Re:CRN Report Is Fair

But common folks, after five(5) years and millions and millions of bucks they sure could have done better than this-- really. Its not Microsoft bashing--- its true and its fair.

How could Microsoft have done better? If Microsoft had bundled antivirus software with the OS, the other antivirus software companies (McAfee, Norton, etc.) would sue Microsoft for anti-competitive practices. If Microsoft doesn't bundle antivirus software with the OS, CRN write a review saying Vista without antivirus software is no better at defending against virus attacks than XP without antivirus. That's about as dumb as saying Vista without a printer is no better at printing out documents than XP without a printer. I mean, come on, Microsoft! You had 5 years, and millions and millions of bucks. Couldn't you figure out a way to print out documents without using a printer?

Re:Anything to slam MS

I've been using it for a few months.

It's almost done logging me in, in fact.

Re:Anything to slam MS

You're absolutely right, but now it's time for me to be truthful.
My comment was based on my experience earlier this week on Monday, only the second time I've been close enough to be able to identify a Vista install, and the very first time I'd used it. It had just been installed (as well as Office 2007) by one of my colleagues on a brand new HP laptop. No, didn't get asked to Allow or Cancel anything, but what I did experience didn't surprise me in the least.

From the instant I hit Ctrl-Alt-Delete (and this is after waiting for the machine to finish choking itself) it was the same familiar Windows experience - watching the HDD LED as if it's going to give some sort of indication as to when it might be safe to go on to the next step as the machine crawls through the login procedure - totally unresponsive for the majority of the time.

People bag Windows about insecurity, DRM and UAC all the time - they're not the things I have problems with. I play the game, keep machines patched, AV installed if the shareholders demand it, and so on. My only real gripe with Windows it simply that I habitually find small sub-tasks to do like clip my fingernails or organise desk-drawers while waiting for countless delays my Windows box gives me. Screwed if I'm going to spend a month of my life waiting for start menus to render.

Where with a different OS, I'd start the kettle boiling and check my email while that's going on, in Windows I launch outlook and then go and see to the kettle, because I know which will make me wait longer.

Re:AV-less?

Yes, you're missing something. The most important function of AV software is not to fix security holes, it is to protect the user's data from user mistakes, such as running malicious software. Users who only run software from trusted sources, and use a firewall, don't really need AV software.

Re:Umm...

The /. title is misleading... as usual. Nowhere does the "flawed survey" suggest that XP is more secure than Vista. They use terms like "Vista is only marginally more secure" and "Vista brings little or no security gains over its predecessor". But then, apparently they're not even quite sure themselves because in almost every "test" they discuss in their article, Vista catches at least some things that XP misses.

And their conclusion at the end:

THE BOTTOM LINE

Based on the Test Center's findings, businesses that migrate their Windows PCs from XP to Vista will get a slightly more secure OS. But as the Finjan reports showed, Vista's security remains wafer thin.