Microsoft gives details of the Windows Vista's vulnerability to some malware threats, as they were reported by Sophos IT security firm last month.
In November 30, Sophos issued its
monthly report on the top ten
threats reported to them in November of 2006. As a part of this,
Sophos also studied Windows Vista's vulnerability to these
malware threats.
Jim Allchin, member of the Windows Vista Team Blog, asked Microsoft to go look at the technical facts behind the story.
Microsoft began by observing first-hand how these
various forms of malware affect a Windows Vista system using a
machine that was configured with the default settings and without
any additional security software.
"What we found was that if you
are using only the software in Windows Vista (e.g., Windows Mail
and no add-on security software), then you are immune to all ten
of the malware threats that Sophos cited," said Allchin.
"If you are using Microsoft Outlook or a third-party email client
that blocks execution of known executable formats, then a user
running Windows Vista is not vulnerable to eight of the ten
malware threats. In the case of the ninth piece of malware,
Bagle-Zip, the malware is able to run because it uses the .ZIP
file format which some mail programs do not block."
"In the case
of the tenth piece of malware, Mydoom-O, the malware is sometimes
able to run because it randomly chooses the file type to which to
distribute its payload and sometimes that file type is an
executable inside a .ZIP file, which some mail programs do not
block. In both cases, this is a function of the e-mail software,
not Windows Vista. That said, even when a user receives a mail
infected with Bagle-Zip or Mydoom-O in the .ZIP file format, in
order for the malware to affect the system, the user must first
explicitly open the .ZIP file and then explicitly run the
executable file that's contained inside the .ZIP file -- there is
no way for this to happen without two steps of user action. If
you happen run a third-party email client that does not block
known executable formats, then you may also be vulnerable to
Netsky-D."
While Windows Mail blocks running executables even when they are
included in a .ZIP file, other email clients could as well if
they used a technology available (via APIs) in Windows called
Attachment Manager (AM), first introduced in Windows XP Service
Pack 2. So what should you do if you use a mail client that
doesn?t support AM? Well, the most basic thing to do is to train
users in your environment not to click on unknown attachments
and, even if they do, to make sure that they don?t run executable
files included in ZIP files.
"That
said, if you use an add-on e-mail client, you should also use
anti-virus software that can scan attachments prior to opening
them to detect and block malware."
Windows Vista has cleaners that detect and remove this form of malware that is offered as part of the malicious software removal tool that Microsoft distributes each month.
However, there is certainly a question about whether Microsoft should do even more in the operating system.
"The recent feedback we received around our decision to continue to include Kernel Patch Protection in the 64-bit versions of Windows Vista (even though we had shipped this protection in 64-bit versions of Windows XP nearly two years ago) was more controversial than we would have expected. It's a complicated world -- that's all I can say," said Allchin.
Microsoft also offers this kind of "on access"
anti-virus software as part of Windows Live OneCare (for home
users) and offer server based e-mail security in Microsoft
Forefront Security for Exchange Server. In addition, the company is currently beta testing an enterprise version of the client
software called Microsoft Forefront Client Security.
So what should you do?
"..no software from anyone I have seen is neither foolproof nor perfect, " said Allchin.
So, if you have a totally locked down environment (including using Parental Controls), you may be good to go with Windows Vista out of the box. Similarly, if you aren?t in a locked down
environment, but you use Windows Mail in a controlled
configuration, you may also be ok from malware such as this. If
you use an add-on email client and you know not to run
executables embedded in email attachments, then you will also be
safe from these specific threats. And with all that said, if you
are like most users and receive e-mail from unknown people, are
not really sure even what executables or ZIP files are, run a lot
of software and browse the web downloading programs with abandon,
then our best advice remains the same: You should 1) stay
current with the latest security updates;
2) use a firewall and 3) use anti-malware software.