Vista less secure than 2000: researchers

Angus Kidman
12 May 2008, 5:00 PM


Send to a friend Print

Machines running the beleaguered operating system are more likely to suffer from malware attacks than either Windows 2000 and Windows 2003, new research suggests.


An analysis of threat data collected over a six month period by security software developer PC Tools suggests that despite a bottom-up code rewrite and the uber-annoying User Account Control feature, Vista isn't doing as good a job as some of its predecessors in keeping hackers at bay. By PC Tools' calculations, based on analysis of 1.4 million computers which accessed its online ThreatFire community, 639 unique threats were found for each 1,000 Vista machines. For Windows 2000, the figure was 586, while for Windows 2003, it was 478.

"Since its launch, Microsoft has flagged the increased level of protection Vista provides as one of the key reasons why consumers should upgrade from Windows XP to Vista," PC Tools CEO Simon Clausen said in a release announcing the findings. "If Microsoft's forecasts for the operating system are correct and Vista's market share increases significantly, we could expect infection rates to increase further on Vista," said Clausen.

Microsoft can at least draw some comfort from the fact that Vista outperformed XP, which racked up a massive 1,021 unique threats per 1,000 computers. However, despite Clausen's comments, XP is not showing any signs of going away soon, remaining the only realistic option for Microsoft to get a foothold in the growing market for cheap and compact notebooks such as the ASUS EeePC

A large part of the problem may be because of how Microsoft has chosen to implement security alerts within Vista itself. Because Vista normally requires all applications to run in standard mode without administrative privileges, numerous programs, including many coded by Microsoft itself as a native part of the operating system, require user confirmation every time they're launched. In theory, this should alert PC owners of any backdoor attempts to install malware. In practice, many users either tune out those notifications and blindly accept them all, or switch the entire UAC infrastructure off.

Microsoft itself believes that the problem can be overcome by making consumers more aware of the difference. "We really need to improve user education," IT pro evangelist Michael Kleef told APC in a recent interview on the topic. Our five cents worth? Telling people that they need to adjust their behaviour is never going to be as effective as writing software that remains secure without nagging them every time they try and fix their WiFi connection.


Post your comment



Comments

 RSS feed Email alert

petert (Advanced Forumologist):

Given MS promises about Vista being "their most secure OS ever", this news is quite disappointing; even more so when you consider that Vista does not run 16-bit applications, it is now 18 months old (allowing quite a degree of maturity) and SP1 has been released (which should have further reduced the number threats in the OS).

12 May 2008, 6:04 PM (5 years ago)report abuse Send to a friend reply

Angus Kidman (APC staff):

As the research was carried out over six months, SP1 wouldn't have been a factor for the most part, I imagine. Given how many factors can block its installation, I suspect it won't be a factor for a while yet either!

13 May 2008, 8:56 AM (5 years ago)report abuse Send to a friend reply

Me In Oz (User):

Don't turn off UAC !
It's only going to cost you an extra 250 milliseconds to start an app, for goodness sakes !
Oh ! And stop spending so much time on Warez, Pirate and Porn sites will help too !

13 May 2008, 8:57 AM (5 years ago)report abuse Send to a friend reply

Angus Kidman (APC staff):

Unlike most Vista users I know, I haven't turned off UAC -- but in the whole time I've been running Vista, it hasn't once detected an unauthorised application. So it really has offered me no benefits other than consistently wasting my time. As such, I'm not surprised that people switch it off.

13 May 2008, 9:13 AM (5 years ago)report abuse Send to a friend reply

Me In Oz (User):

Angus ! Are you that busy that an extra 30 seconds a day will interfere with you lifestyle/work routine ?
I'd sacrafice the 30 seconds for piece of mind any day !

13 May 2008, 10:44 AM (5 years ago)report abuse Send to a friend reply

Angus Kidman (APC staff):

I haven't gotten any peace of mind, because it's yet to actually detect anything! If anything, UAC reduces my opinion of Vista, because I think "Why couldn't Microsoft code an OS that can tell the difference between malware and its own control panel?"

A few people have commented that Vista's lower figures relative to XP make it a sensible choice for home users. There's definitely another way of looking at that, though; how reassuring is it that an 18-month old OS which was promoted as highly secure already has more than half the number of vulnerabilities of a seven-year-old predecessor? And how much worse will it get as Vista becomes a more prominent choice and hence a more attractive target?

13 May 2008, 4:01 PM (5 years ago)report abuse Send to a friend reply

Tin (User):

I suspect Windows Genuine Advantage helped prop up the figures for XP. Blocking access to updates on boxes running pirate copies of Windows didn't make people go out and buy licenses. It simply made them stop installing updates (including major security updates).
So you can thank MS for all the spam and malware out there really ;-)

13 May 2008, 9:09 AM (5 years ago)report abuse Send to a friend reply

Me In Oz (User):

I don't have compassion for the people using pirate copies of anything ! .... So this is really a moot point.
Pirate software does not come with support. use it at your own risk and don't expect MS to support thieves who steal their products !

13 May 2008, 9:13 AM (5 years ago)report abuse Send to a friend reply

Tin (User):

While I don't agree with piracy, MS did the wrong thing by denying updates to pirate users... They just pushed them to stay vulnerable to a pile of exploits.

13 May 2008, 2:16 PM (5 years ago)report abuse Send to a friend reply

Me In Oz (User):

The solution is right there ! ......... Buy the product to get support and updates !
If you stole a new TV would you expect the retailer to honour the warranty ?

13 May 2008, 2:21 PM (5 years ago)report abuse Send to a friend reply

William151515 (New user):

i turn UAC off because its to annoying, and does not let me run admin applications at start up, and that causes problems, but i at least run an internet seucirty suit (mcafee total protection 2007) so its fine, and besides, most of the people that get viruses are just software pirates, or people that download crack.exe lol, or use limewire etc etc, infact if you know what your doing you don't even need anti virus

13 May 2008, 11:15 AM (5 years ago)report abuse Send to a friend reply

Jeff (New user):

Get away with no anti-virus on windows? are you kidding?? All it take to get a virus is for someone on the network to get the virus then it can transfer to your computer (Its happened to me several times when I was using windows) and once I couldnt find an anti-virus product that would get rid of it. I have also found virus, Trojans, etc. in programs that you wouldn't expect to have them. Then there are the hackers who hack into your computer and then leave nasty things behind.

I've seen many people who have tries to not use anti-virus software (some of who actually knew what they were doing) and it didn't take too long before their computers were riddled with malicious programs. There is no way that you can safely not use ant-virus on windows, unless of course it is completely isolated from the outside world...

13 May 2008, 12:44 PM (5 years ago)report abuse Send to a friend reply

Tin (User):

Troll?
No one that knows what they are doing runs without antivirus. Anyone that thinks they are better than every malware author should hand in their IT credentials and find a job doing manual labor.

13 May 2008, 2:21 PM (5 years ago)report abuse Send to a friend reply

u752181 (New user):

This is comparing apples with oranges. Vista is a desktop OS whereas Windows 2003 (I presume they mean Server 2003) is a server OS and Windows 2000 was primarily a Server OS and at the desktop level was not Windows primary desktop OS at the time.

I am sorry but the article is just meaningless. Get over yourself.

13 May 2008, 2:47 PM (5 years ago)report abuse Send to a friend reply

jake (New user):

vista has been preety good for me apart from when i did bill gates trick one day i goto my laptop plug my mp3 in and o wat do u know theres a BSOD lol

15 May 2008, 12:28 AM (5 years ago)report abuse Send to a friend reply

Jito463 (New user):

This article is misleading for a few different reasons.

Number one, Windows 2000/2003 are primarily used by corporations anymore (since most users have moved on to XP or Vista), and thus are behind secure networks.

Number two, many 2003 users may actually be XP Pro x64 users (which reports as 2003), and x64 isn't vulnerable to many of the malware written for earlier x86 versions of Windows (some, yes, but not all).

Given those two alone, you would expect the number of infections to be lower with 2000/2003. Not to mention that it's limited to those who "accessed (PC Tools') online ThreatFire community", which limits the range of computers tested.

26 May 2008, 10:49 PM (4 years ago)report abuse Send to a friend reply

JCFan (New user):

Anyone with any security knowledge would never run Windows 2000 as their main desktop with the purpose of it being more secure than Vista. Sorry but this article provides no details of its findings, kind of like most people who just want to have something to whine about. UAC isn't "uber annoying" I use Vista everyday and never see it unless I have to install something new or change some setting or service. But I have no need to do that on a workstation. I don't fiddle with it constantly. Get a life guys.

14 November 2008, 1:03 AM (4 years ago)report abuse Send to a friend reply

Not signed in
anonymous user Anonymous user