Can a Rootkit Be Certified for Vista?
During his presentation, Tan voiced concern that frequent UAC consent
dialog boxes will blend together to create a "click here to get work
done" attitude. "Frequent UAC consent dialog boxes-will this force
users to turn off the function?" he said. "Users will eventually get
annoyed with it if it impacts their normal day-to-day activity."
However, Rutkowska said she was bewildered at the frequent arguments
that the boxes are annoying. "I've been using Vista two months now,"
she said, and within a few days of installation, she's rarely
presented with a UAC dialog box. "I think UAC, from a technical point
of view, is a very good thing," she said. "For normal users, this is
[a good security mechanism]."
One thing Rutkowska said she doesn't like, however, is Microsoft's
attitude. After the UAC criticisms started making the rounds,
Microsoft began to stress that UAC is not a hard security boundary,
like a firewall-rather, it's more of a guidance tool.
Unfortunately, that attitude means that Microsoft won't consider
potential avenues of attack to be bugs, Rutkowska pointed out.
"[Illicitly] elevating from low- to high-level [user privileges] won't
be considered a security bug," she said-when in fact such escalation
is a good indication that a machine has been compromised.
Another feature that protects the system in Vista is Windows Defender,
included previously as a separate Windows download. Defender detects
and removes any unwanted application, actively monitoring protected
areas. The feature is integrated with group policy and thus works with
Another system-protecting feature is Vista's new Windows Firewall,
which expands on the firewall included in Windows XP SP2 but improves
on it by offering two-way protection. The earlier version didn't offer
outbound infection-an omission that meant an infected machine wouldn't
be stopped from spreading a virus outside of the network.
The final system protection feature added to Vista is Windows Security
Center, which checks and displays the status of the Firewall,
automatic updates, malware protection (Windows Defender) and other
security settings, including third-party security software such as
Tan also criticized Vista's recognition of installation programs,
which checks compatibility databases, heuristics and a program's
embedded manifest-which declares to an operating system what it is.
The potential dangers of Vista's handling of installers, Tan said, is
that all installers run with administrative privileges, have full
access to the file system and registry, and have the ability to load
"As soon as you click OK, that application has complete administrative
capabilities, including downloading and installing rootkits," he
Tan also criticized Internet Explorer 7 for its lack of Protected Mode
in the versions that don't run on Vista. Protected Mode makes the
browser run in a sandbox-i.e., it has limited read access to system
components and can't download Trojans or spyware from malicious
eWEEK Labs' Jim Rapoza called Protected Mode "by far the best value-
add of IE 7+." Click here to read the review.
That accounts for new system protection in Vista. As for data
protection, the new operating system comes with BitLocker Drive
Encryption-a feature that encrypts the entire Windows volume,
protecting against data being stolen when a laptop is stolen or lost.
Tan's only criticism of that feature was that it's available in only
the Enterprise and Ultimate versions of Vista and is lacking in the
Other data protection features in Vista include EFS (Encrypting File
System), used to encrypt files and folders; Rights Management
Services, used to encrypt files persistently so they can't be e-mailed
outside of the organization without proper server permissions; and
Device Control, which enables better management of plug-and-play
devices such as USB drives.
Tan also touched on PatchGuard, which locks down the kernel completely
but also locks out some third-party applications, including anti-virus
programs. Besides the ire that this drew from security software
vendors, PatchGuard was actually cracked soon after Vista's
Other flawed security solutions in Vista include Windows Defender's
lackluster performance, blocking a mere 47 percent of spyware in quick-
scan mode in anti-virus testing. OneCare also fell "well short" in
Virus Bulletin's VB100 test and flunk AV-Comparative's test
"So Microsoft definitely still has some work to do in those areas,"
Tan said. Besides all that, a critical remote code execution bug in
Vista's vector markup language was released on Jan. 9; in testing of
Vista's strength against legacy exploits, Vista was found to have
exploits that would survive exploits in every category except
rootkits; key enhancements to Vista security are only available on 64-
bit platforms; and you need new hardware platforms to fully support
Vista, Tan said.
Cumulatively, it sounds bad, Tan said, but hackers and Tan agreed:
significant strides have been made in securing Vista. "It's a security
evolution, not a revolution," Tan said. "Vista is not a security
solution-it is a more a secure version of Windows."
Check out eWEEK.com's Security Center for the latest security news,
reviews and analysis. And for insights on security coverage around the
Web, take a look at eWEEK's Security Watch blog.