Vista security gets mixed reviews from Symantec


Symantec published a series of four research reports on Feb 28 that critique various security elements of Microsoft’s new Windows Vista operating system, including the software’s ability to ward off existing malware threats.

Unsurprisingly, the security software maker, which still derives the bulk of its revenues from the estimated US$3.6 billion market for technologies used to defend Windows computers, found a fair number of shortcomings in the latest iteration of Microsoft’s dominant OS.

One of the biggest problems is that Vista remains vulnerable to existing malware attacks designed to take advantage of flaws in earlier versions of the OS, according to the reports. However, the Cupertino, Calif.-based antivirus market leader also highlighted a number of features built into the product that it said will advance end-user security.

An area where Symantec researchers said Microsoft has greatly improved security is related to the mitigation of virus attacks aimed at code-level vulnerabilities.

Previous versions of Windows have been shipped with scads of coding errors that allowed hackers to deliver malware threats, but work on the part of Microsoft — such as through its Security Development Lifecycle program — has helped lower the volume of available vulnerabilities, according to the reports.

The immediate benefit to Vista users will be the reduction of threats that use common infection techniques like buffer overflows and heap manipulations to deliver their payloads, Symantec predicted.

Another area where Symantec recognizes security improvement on the part of Microsoft is Vista’s reduced user privilege model, which is aimed at preventing malware from escalating its privileges on infected PCs in order to spread further and do more damage.

While arguing that hackers may be able to disable Vista’s new User Access Control, which is designed to keep users abreast of any changes attempted on their PCs by unknown software programs, Symantec concedes that the security tool should help fight malware attacks, including worm viruses. Despite the praise and its submission that Vista thus far appears to be the safest operating system ever produced by Microsoft, the Symantec reports level a great deal of criticism at many other aspects of the OS.

Vista is a more secure product than previous versions of Windows, but there is still plenty of need for users to buy the layered security defense products the security company markets, said Ollie Whitehouse, a researcher with Symantec’s Security Response team.

“Vista is a security evolution, but not a revolution,” Whitehouse said. “Microsoft did invest a lot of time and resources into the development of Windows XP SP2, and Vista is a continuation of that, and they addressed a number of core issues, such as buffer overflows, but it is still only an OS, not a security solution itself.” Vista may help stop some traditional types of attacks, such as worms, but Symantec maintains that newly emerging threats, integration problems with third-party Windows applications, and a range of other issues will keep users in the market for additional security tools.

One area that remains a sore spot from Symantec’s perspective is Microsoft’s use of new features to protect the Vista kernel against rootkits and other attacks. In 2006, a major controversy broke out between the two firms and other security technology providers based on the fact that Vista’s PatchGuard system, available only in 64-bit versions of the OS, prevents any programs — including Symantec’s security applications — from patching the software’s kernel memory.

Symantec and rival McAfee, among others, argued at the time that being denied the kernel access they had enjoyed in prior versions of Windows would prevent their advanced behavior-based technologies from working properly. Microsoft and the security firms have since claimed to have solved the problem using a set of APIs. In the research reports, Symantec repeats its contention that PatchGuard may also be easily bypassed, defeating its very purpose and allowing kernel-altering attacks, including rootkits, to live on.

Labeling the combination of PatchGuard and two other Vista kernel protection technologies, known as Driver Signing and Code Integrity, as a mere “bump in the road” for attackers, Symantec said that a single researcher bypassed all three features in one week’s time, further proving their vulnerability.

“Microsoft has made good strides with kernel protection, but again, it’s not perfect,” Whitehouse said. “PatchGuard has and will be broken, and while it is obviously better than nothing, people who have an interest will find ways to get around these features.”

Another area where Symantec leveled criticism at Microsoft is Vista’s ASLR (Address Space Layout Randomization) feature, which is designed to randomize where programs are placed in memory so that attackers have a harder time locating the code they need to exploit a vulnerability. Symantec said the feature has a flaw that prevents it from working properly.

Here again, Symantec mixed praise with cause for concern in outlining its observations of ASLR. “When implemented correctly, this technology is extremely effective in mitigating the exploitation of memory corruption and memory manipulation vulnerabilities,” reads the Symantec report. However, the report contends that one element of ASLR, meant to randomize and hide software components, does not work consistently, making it easier for attackers to guess where vulnerabilities may lie.

Symantec said further that Microsoft has confirmed the issue and pledged to fix it when it issues a Windows Vista SP1 update.

Both the PatchGuard and ASLR issues feed into another Vista problem cited in the Symantec research: integration with third-party products. In addition to the potential problems introduced by PatchGuard to its own products, Symantec said that the third-party drivers provided by Microsoft may be targeted as a means of gaining kernel-level access on compromised machines.

ASLR has been highlighted by at least one other security company as a potential weak point in Vista. Symantec maintains that many of Vista’s security features won’t help protect end-users unless third-party software makers can effectively integrate with them, and penetration testing specialists Core Security, based in Boston, made a similar point in a report published on Feb. 6, which highlighted a well-known vulnerability in CA’s BrightStor backup software that it said could still be exploited on machines running Vista.

Because the CA software had not been updated to integrate with ASLR and other Vista security features — although CA said it would soon have a new version of the product to market and Microsoft officials disputed the issue — the operating system’s onboard defense features won’t help protect such legacy software, Core said.

Symantec’s report repeatedly highlights the third-party integration issue as a major weak point for Vista’s security goals.

Microsoft officials stuck to their long-standing defense that Vista goes a long way toward mitigating many common PC security issues and that the company will continue to bring new security features to bear on the OS and future products. Microsoft said it is further investigating several specific product flaws cited in the Symantec report, including the ASLR problem.

“It is important to note that none of the security features in Windows V