Windows Vista and Protection From Malware
Microsoft gives details of the Windows Vista's vulnerability to some malware threats, as they were reported by Sophos IT security firm last month.
In November 30, Sophos issued its monthly report on the top ten
threats reported to them in November of 2006. As a part of this,
Sophos also studied Windows Vista's vulnerability to these
malware threats.
Jim Allchin, member of the Windows Vista Team Blog, asked Microsoft to go look at the technical facts behind the story. Microsoft began by observing first-hand how these various forms of malware affect a Windows Vista system using a machine that was configured with the default settings and without any additional security software.
"What we found was that if you are using only the software in Windows Vista (e.g., Windows Mail and no add-on security software), then you are immune to all ten of the malware threats that Sophos cited," said Allchin.
"If you are using Microsoft Outlook or a third-party email client that blocks execution of known executable formats, then a user running Windows Vista is not vulnerable to eight of the ten malware threats. In the case of the ninth piece of malware, Bagle-Zip, the malware is able to run because it uses the .ZIP file format which some mail programs do not block."
"In the case of the tenth piece of malware, Mydoom-O, the malware is sometimes able to run because it randomly chooses the file type to which to distribute its payload and sometimes that file type is an executable inside a .ZIP file, which some mail programs do not block. In both cases, this is a function of the e-mail software, not Windows Vista. That said, even when a user receives a mail infected with Bagle-Zip or Mydoom-O in the .ZIP file format, in order for the malware to affect the system, the user must first explicitly open the .ZIP file and then explicitly run the executable file that's contained inside the .ZIP file -- there is no way for this to happen without two steps of user action. If you happen run a third-party email client that does not block known executable formats, then you may also be vulnerable to Netsky-D."
While Windows Mail blocks running executables even when they are included in a .ZIP file, other email clients could as well if they used a technology available (via APIs) in Windows called Attachment Manager (AM), first introduced in Windows XP Service Pack 2. So what should you do if you use a mail client that doesn?t support AM? Well, the most basic thing to do is to train users in your environment not to click on unknown attachments and, even if they do, to make sure that they don?t run executable files included in ZIP files.
"That said, if you use an add-on e-mail client, you should also use anti-virus software that can scan attachments prior to opening them to detect and block malware."
Windows Vista has cleaners that detect and remove this form of malware that is offered as part of the malicious software removal tool that Microsoft distributes each month.
However, there is certainly a question about whether Microsoft should do even more in the operating system.
"The recent feedback we received around our decision to continue to include Kernel Patch Protection in the 64-bit versions of Windows Vista (even though we had shipped this protection in 64-bit versions of Windows XP nearly two years ago) was more controversial than we would have expected. It's a complicated world -- that's all I can say," said Allchin.
Microsoft also offers this kind of "on access" anti-virus software as part of Windows Live OneCare (for home users) and offer server based e-mail security in Microsoft Forefront Security for Exchange Server. In addition, the company is currently beta testing an enterprise version of the client software called Microsoft Forefront Client Security.
So what should you do?
"..no software from anyone I have seen is neither foolproof nor perfect, " said Allchin.
So, if you have a totally locked down environment (including using Parental Controls), you may be good to go with Windows Vista out of the box. Similarly, if you aren?t in a locked down environment, but you use Windows Mail in a controlled configuration, you may also be ok from malware such as this. If you use an add-on email client and you know not to run executables embedded in email attachments, then you will also be safe from these specific threats. And with all that said, if you are like most users and receive e-mail from unknown people, are not really sure even what executables or ZIP files are, run a lot of software and browse the web downloading programs with abandon, then our best advice remains the same: You should 1) stay current with the latest security updates; 2) use a firewall and 3) use anti-malware software.
Jim Allchin, member of the Windows Vista Team Blog, asked Microsoft to go look at the technical facts behind the story. Microsoft began by observing first-hand how these various forms of malware affect a Windows Vista system using a machine that was configured with the default settings and without any additional security software.
"What we found was that if you are using only the software in Windows Vista (e.g., Windows Mail and no add-on security software), then you are immune to all ten of the malware threats that Sophos cited," said Allchin.
"If you are using Microsoft Outlook or a third-party email client that blocks execution of known executable formats, then a user running Windows Vista is not vulnerable to eight of the ten malware threats. In the case of the ninth piece of malware, Bagle-Zip, the malware is able to run because it uses the .ZIP file format which some mail programs do not block."
"In the case of the tenth piece of malware, Mydoom-O, the malware is sometimes able to run because it randomly chooses the file type to which to distribute its payload and sometimes that file type is an executable inside a .ZIP file, which some mail programs do not block. In both cases, this is a function of the e-mail software, not Windows Vista. That said, even when a user receives a mail infected with Bagle-Zip or Mydoom-O in the .ZIP file format, in order for the malware to affect the system, the user must first explicitly open the .ZIP file and then explicitly run the executable file that's contained inside the .ZIP file -- there is no way for this to happen without two steps of user action. If you happen run a third-party email client that does not block known executable formats, then you may also be vulnerable to Netsky-D."
While Windows Mail blocks running executables even when they are included in a .ZIP file, other email clients could as well if they used a technology available (via APIs) in Windows called Attachment Manager (AM), first introduced in Windows XP Service Pack 2. So what should you do if you use a mail client that doesn?t support AM? Well, the most basic thing to do is to train users in your environment not to click on unknown attachments and, even if they do, to make sure that they don?t run executable files included in ZIP files.
"That said, if you use an add-on e-mail client, you should also use anti-virus software that can scan attachments prior to opening them to detect and block malware."
Windows Vista has cleaners that detect and remove this form of malware that is offered as part of the malicious software removal tool that Microsoft distributes each month.
However, there is certainly a question about whether Microsoft should do even more in the operating system.
"The recent feedback we received around our decision to continue to include Kernel Patch Protection in the 64-bit versions of Windows Vista (even though we had shipped this protection in 64-bit versions of Windows XP nearly two years ago) was more controversial than we would have expected. It's a complicated world -- that's all I can say," said Allchin.
Microsoft also offers this kind of "on access" anti-virus software as part of Windows Live OneCare (for home users) and offer server based e-mail security in Microsoft Forefront Security for Exchange Server. In addition, the company is currently beta testing an enterprise version of the client software called Microsoft Forefront Client Security.
So what should you do?
"..no software from anyone I have seen is neither foolproof nor perfect, " said Allchin.
So, if you have a totally locked down environment (including using Parental Controls), you may be good to go with Windows Vista out of the box. Similarly, if you aren?t in a locked down environment, but you use Windows Mail in a controlled configuration, you may also be ok from malware such as this. If you use an add-on email client and you know not to run executables embedded in email attachments, then you will also be safe from these specific threats. And with all that said, if you are like most users and receive e-mail from unknown people, are not really sure even what executables or ZIP files are, run a lot of software and browse the web downloading programs with abandon, then our best advice remains the same: You should 1) stay current with the latest security updates; 2) use a firewall and 3) use anti-malware software.
