Review: Vista, XP Users Equally At Peril To Viruses, Exploits
2:30 PM EST Tue. May. 29, 2007
After a week of extensive testing, the CRN Test Center found that users of Windows Vista and Windows XP are equally at risk to viruses and exploits and that overall Vista brings only marginal security advantages over XP.
One of Microsoft's big promises with Vista was a more secure operating system. But when stripped to the bare bones and thrown into the wild, wild Web, Vista's security failed to impress Test Center engineers.
Vista remains riddled with holes, despite its multilayer security architecture and embedded security tools. Besides providing no improvement in virus protection vs. XP, Vista brings little or no security gains over its predecessor against such threats as RDS exploits, script exploits, image exploits, VML exploits, malformed Web pages and known malicious URLs, the Test Center found.
Armed with two notebooks -- an HP Compaq 6515b notebook running Windows Vista Business 32-bit Edition with the 256-bit encryption version of Internet Explorer 7 and an HP Compaq nc6400 running Windows XP with the 128-bit encryption version of Internet Explorer 6 -- Test Center engineers probed both OSes with some of the most dangerous exploits known today.
To even the playing field, all of the HP ProtectTools Security Manager tools on both notebooks were shut down. None of the encryption tools and the password-protect options were initialized. In addition, HP's ProtectTools Application Protection Service was not activated. Only the default security features and settings on both OSes were kept.
The Test Center selected Finjan's RUSafe appliance to analyze all HTTP traffic going to both notebooks. RUSafe is more than just a sniffer; it can analyze code behavior and identify malicious files. Engineers used RUSafe's report engine to compare the OSes and, with the help of Finjan and other experts, visited several known hacker sites.
Since the notebooks were running without any security suites, engineers were only able to visually inspect the behavior of each OS after going to a site. No code tracing techniques were used in the OSes. Instead, Finjan's RUSafe appliance provided the records of what passed to each notebook.
Here's what we found:
1ST TEST: VIRUSES
The Finjan RUSafe appliance detected 20 instances in which viruses were found in Web sites, suspicious file types, spoofed content on Web sites, worms and executables.
For instance, the Mal/EncPK-F virus and the W32/SillyFD-AB worm penetrated both OSes without detection.
None of the files were blocked by either OS. Both OSes failed to detect illegitimate archives and some binary objects that were not digitally signed.
2ND TEST: SPYWARE & ADWARE
For instance, Vista was able to detect one variant of the IEPlugin spyware. Yet not all variants of the same spyware were detected through IE 7; in fact, three passed through undetected. Vista also missed the HotBar spyware signature. XP with IE 6 missed all of the sites with spyware. Most of the spyware came from pornography and hacker sites found through Astalavista's portal.
Surprisingly, Vista was able to detect adware built into the Zango player, which is typically used for playing porn videos. Even so, the current version of the Zango player could not run on Vista. XP did not provide any warnings about Zango.
3RD TEST: SOME DEADLY TROJANS
Vista's Windows Defender successfully blocked a trojan executable called Backdoor.Win32.Hupigon.emb.
But Vista missed another trojan executable file -- named Trojan-Spy.Win32.Goldun.ms and detected in September 2006, months before Vista's release -- that was flagged by the Finjan appliance.
Vista produced the usual warning message that running the file might cause problems. XP also gave similar warnings and allowed the engineer to run both trojans.
4TH TEST: REMOTE DATA SERVICES EXPLOITS
Vista with IE 7 was able to detect a bad remote data services (RDS) ActiveX control from one PHP-based Web site. However, on four other sites that use similar exploits, IE 7 failed to provide any warning messages. Hackers can use RDS exploits to paralyze a system with denial-of-service (DoS) attacks by corrupting IE's heap, and possibly go as far as executing code remotely.
It's not clear how IE 7 detected the bad control on the first site. It's possible that the other four sites were not detected because the code might not have been targeting Vista. On XP, however, some of the sites were able to run client-side code.
Vista might have failed to detect the code if hackers obfuscated their applications. Code obfuscation is a programming technique often employed by hackers to scramble code structures so their programs can bypass detection. Polymorphic viruses usually hide their signatures using code obfuscation.
A newer technique is to dynamically obfuscate code during execution, making it extremely hard to detect a signature. The viruses can sometimes change function names using different encryption keys. This technique is now spreading to Web scripting languages as well.
According to Finjan, some of the sites that were used for testing contained a new PHP application called MPack to run code remotely. The MPack tool is used by hackers on PHP sites to pass code to unsuspecting users' PCs. Exploits using the MPack tool became known late last year.
MPack poses a serious threat because the code is typically passed through a malformed home page. When left undetected, hackers can use MPack to pass trojans or just about any code they wish. In addition, two sites were tested that had the Neosploit malware tool, which carries several distinct exploits. Both OSes failed to detect the MPack and Neosploit signatures on all the malicious sites that had it.
5TH TEST: FINDING FLAWS WITH IMAGE FILES, SPOOFING & SCRIPTING
Both OSes failed to block spoofed content and vector-based images that had embedded scripts.
Vector Markup Language (VML) and other vector-based images pose a significant threat because they allow hackers to execute remote code. Hackers use simple redirects to pull users into sites riddled with malware and bots. Past and current Windows architectures are still unable to accurately detect embedded scripts in images.
Finjan reported 19 scripting violations, many of which came from astalavista.com Web sites. Two scripts had spyware embedded in them, and some of the scripts used code obfuscation to hide their signatures. Since Finjan looks for behavior, the scripts were detected by the appliance. However, Vista and XP failed to flag them.
6TH TEST: OBSERVING SIGNATURES & VISTA'S PHISHING FILTER
Vista provides an extra layer of protection for users when they go to Web sites with self-signed certificates. Users had to click on a red link to access those sites. XP produced a single pop-up warning message.
Engineers did not use phishing techniques to test security, but it's worth noting that IE 7's phishing filter failed to connect several times to Microsoft's security site to identify fraudulent Web sites.
THE BOTTOM LINE
Based on the Test Center's findings, businesses that migrate their Windows PCs from XP to Vista will get a slightly more secure OS. But as the Finjan reports showed, Vista's security remains wafer thin.
In the end, both the Vista and the XP test notebooks were almost equally damaged by viruses, trojans and other malware. And because most of the Web sites in the test were able to exploit Vista's weaknesses, Internet users are just about equally vulnerable with both OSes.
VARs can still cite improved security as a selling point for Vista upgrades. Yet to avoid giving customers a false sense of safety, solution providers should stress that third-party security suites also will be needed to provide systems with ample protection.