Vista less secure than 2000: researchers

Help more people find out about this story
Del.icio.us StumbleUpon

Angus Kidman12 May 20084 days 21 hours ago.

Machines running the beleaguered operating system are more likely to suffer from malware attacks than either Windows 2000 and Windows 2003, new research suggests.

An analysis of threat data collected over a six month period by security software developer PC Tools suggests that despite a bottom-up code rewrite and the uber-annoying User Account Control feature, Vista isn't doing as good a job as some of its predecessors in keeping hackers at bay. By PC Tools' calculations, based on analysis of 1.4 million computers which accessed its online ThreatFire community, 639 unique threats were found for each 1,000 Vista machines. For Windows 2000, the figure was 586, while for Windows 2003, it was 478.

"Since its launch, Microsoft has flagged the increased level of protection Vista provides as one of the key reasons why consumers should upgrade from Windows XP to Vista," PC Tools CEO Simon Clausen said in a release announcing the findings. "If Microsoft's forecasts for the operating system are correct and Vista's market share increases significantly, we could expect infection rates to increase further on Vista," said Clausen.

Microsoft can at least draw some comfort from the fact that Vista outperformed XP, which racked up a massive 1,021 unique threats per 1,000 computers. However, despite Clausen's comments, XP is not showing any signs of going away soon, remaining the only realistic option for Microsoft to get a foothold in the growing market for cheap and compact notebooks such as the ASUS EeePC

A large part of the problem may be because of how Microsoft has chosen to implement security alerts within Vista itself. Because Vista normally requires all applications to run in standard mode without administrative privileges, numerous programs, including many coded by Microsoft itself as a native part of the operating system, require user confirmation every time they're launched. In theory, this should alert PC owners of any backdoor attempts to install malware. In practice, many users either tune out those notifications and blindly accept them all, or switch the entire UAC infrastructure off.

Microsoft itself believes that the problem can be overcome by making consumers more aware of the difference. "We really need to improve user education," IT pro evangelist Michael Kleef told APC in a recent interview on the topic. Our five cents worth? Telling people that they need to adjust their behaviour is never going to be as effective as writing software that remains secure without nagging them every time they try and fix their WiFi connection.

Reader Comments

RSS feed

Email alert

petert (Regular contributor):

Given MS promises about Vista being "their most secure OS ever", this news is quite disappointing; even more so when you consider that Vista does not run 16-bit applications, it is now 18 months old (allowing quite a degree of maturity) and SP1 has been released (which should have further reduced the number threats in the OS).

report abuse reply

Angus Kidman (Regular contributor):

As the research was carried out over six months, SP1 wouldn't have been a factor for the most part, I imagine. Given how many factors can block its installation, I suspect it won't be a factor for a while yet either!

report abuse reply

Me In Oz (New user):

Don't turn off UAC !
It's only going to cost you an extra 250 milliseconds to start an app, for goodness sakes !
Oh ! And stop spending so much time on Warez, Pirate and Porn sites will help too !

report abuse reply

Angus Kidman (Regular contributor):

Unlike most Vista users I know, I haven't turned off UAC -- but in the whole time I've been running Vista, it hasn't once detected an unauthorised application. So it really has offered me no benefits other than consistently wasting my time. As such, I'm not surprised that people switch it off.

report abuse reply

Me In Oz (New user):

Angus ! Are you that busy that an extra 30 seconds a day will interfere with you lifestyle/work routine ?
I'd sacrafice the 30 seconds for piece of mind any day !

report abuse reply

Angus Kidman (Regular contributor):

I haven't gotten any peace of mind, because it's yet to actually detect anything! If anything, UAC reduces my opinion of Vista, because I think "Why couldn't Microsoft code an OS that can tell the difference between malware and its own control panel?"

A few people have commented that Vista's lower figures relative to XP make it a sensible choice for home users. There's definitely another way of looking at that, though; how reassuring is it that an 18-month old OS which was promoted as highly secure already has more than half the number of vulnerabilities of a seven-year-old predecessor? And how much worse will it get as Vista becomes a more prominent choice and hence a more attractive target?

report abuse reply

Tin (Regular contributor):

I suspect Windows Genuine Advantage helped prop up the figures for XP. Blocking access to updates on boxes running pirate copies of Windows didn't make people go out and buy licenses. It simply made them stop installing updates (including major security updates).
So you can thank MS for all the spam and malware out there really ;-)

report abuse reply

Me In Oz (New user):

I don't have compassion for the people using pirate copies of anything ! .... So this is really a moot point.
Pirate software does not come with support. use it at your own risk and don't expect MS to support thieves who steal their products !

report abuse reply

Tin (Regular contributor):

While I don't agree with piracy, MS did the wrong thing by denying updates to pirate users... They just pushed them to stay vulnerable to a pile of exploits.

report abuse reply

Me In Oz (New user):

The solution is right there ! ......... Buy the product to get support and updates !
If you stole a new TV would you expect the retailer to honour the warranty ?

report abuse reply

William151515 (New user):

i turn UAC off because its to annoying, and does not let me run admin applications at start up, and that causes problems, but i at least run an internet seucirty suit (mcafee total protection 2007) so its fine, and besides, most of the people that get viruses are just software pirates, or people that download crack.exe lol, or use limewire etc etc, infact if you know what your doing you don't even need anti virus

report abuse reply

Jeff (New user):

Get away with no anti-virus on windows? are you kidding?? All it take to get a virus is for someone on the network to get the virus then it can transfer to your computer (Its happened to me several times when I was using windows) and once I couldnt find an anti-virus product that would get rid of it. I have also found virus, Trojans, etc. in programs that you wouldn't expect to have them. Then there are the hackers who hack into your computer and then leave nasty things behind.

I've seen many people who have tries to not use anti-virus software (some of who actually knew what they were doing) and it didn't take too long before their computers were riddled with malicious programs. There is no way that you can safely not use ant-virus on windows, unless of course it is completely isolated from the outside world...

report abuse reply

Tin (Regular contributor):

Troll?
No one that knows what they are doing runs without antivirus. Anyone that thinks they are better than every malware author should hand in their IT credentials and find a job doing manual labor.

report abuse reply

jake (Regular contributor):

vista has been preety good for me apart from when i did bill gates trick one day i goto my laptop plug my mp3 in and o wat do u know theres a BSOD lol

report abuse reply