Symantec: Vista Not A Security Panacea

That's the overarching message from a series of whitepapers released Wednesday by researchers from Symantec's Security Response Advanced Threat Research group, who put Vista's highly touted security through its paces.

Symantec researchers took a backlog of malicious code samples and ran them on Vista to see what could survive in the new OS environment. They found that Vista is vulnerable to some of the same malicious code that attackers have been using on older versions of Windows, said Ollie Whitehouse, an architect with Symantec's Security Response Advanced Threat Research team.

For example, Symantec found that 4 percent of keyloggers and mass mailers can successfully execute and survive a system restart on Vista without being modified, as can 3 percent of backdoors and 2 percent of Trojans, spyware and adware, Whitehouse noted.

In addition, malware authors in some cases need only make modifications to get their exploits running on Vista, according to Whitehouse. "The fact that there are existing samples of malicious code that works today against Vista is alarming," he said.


Microsoft has bolstered kernel security in Vista with three new technologies: driver signing, which ensures that all kernel drivers the system loads are trustworthy; code integrity, which checks the OS code for signs of tampering; and PatchGuard, which protects OS elements at the deepest level of kernel memory.

Although the kernel protection technologies are designed for 64-bit versions of Vista, which won't be in widespread use for a couple of years, they represent little more than "a bump in the road" for hackers, Whitehouse said. Symantec researchers also said they were able to disable all three of the security technologies in Vista with about one man-week of effort.

"As demonstrated during the development process of Windows Vista and during its release, hackers can and will subvert PatchGuard," the researchers wrote.

Vista also doesn't fully account for the fact that attackers are now moving up the application stack and gravitating to the low-hanging fruit of third-party applications, Whitehouse said.

While Microsoft deserves credit for letting third-party Vista application developers gain the same level of protection that Microsoft applications have, developers must make changes to the code of their apps to access those improvements, which is a tedious process, Whitehouse said.

Another new security measure in Vista that falls short is Address Space Layout Randomization (ASLR), a defensive technology that takes memory assigned to applications and jumbles it to make it harder for attackers to find and exploit vulnerabilities, according to Whitehouse.

ASLR helps soften the impact of memory corruption flaws that can be leveraged to launch malicious code attacks, but the level of protection one would have expected from ASLR isn't necessarily present, he said. In fact, Symantec discovered two bugs in the implementation that undermine ASLR's effectiveness, as well as an unexpected manifestation of how memory is used that could make it easier for hackers to find what they're after, he said.
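As an added illustration of how "the level of protection one would have expected from ASLR" is measured in practice, the routine below estimates how many address bits an ASLR implementation really randomises, given a module's base address observed across many process launches. This is example code written for this page, not from Symantec's papers or the article; the address samples are constructed for illustration and are not measurements of Vista.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Summary of how a module's load address varied across launches. */
typedef struct {
    uintptr_t varying_mask;   /* bits set in some samples but not in all */
    unsigned  entropy_bits;   /* number of varying bits: upper bound on entropy */
    unsigned  lowest_varying; /* lowest varying bit index, i.e. the load granularity */
} aslr_stats;

static unsigned popcount_bits(uintptr_t v) {
    unsigned n = 0;
    for (; v; v >>= 1) n += (unsigned)(v & 1);
    return n;
}

/* Compare every observed base address: a bit that is 1 in every sample or 0 in
 * every sample never moved, so only bits that differ contribute randomness. */
aslr_stats aslr_analyse(const uintptr_t *bases, size_t n) {
    aslr_stats s = {0, 0, 0};
    if (n < 2) return s;                       /* one sample tells us nothing */
    uintptr_t all_or = 0, all_and = ~(uintptr_t)0;
    for (size_t i = 0; i < n; i++) {
        all_or  |= bases[i];
        all_and &= bases[i];
    }
    s.varying_mask  = all_or & ~all_and;
    s.entropy_bits  = popcount_bits(s.varying_mask);
    while (s.varying_mask && !((s.varying_mask >> s.lowest_varying) & 1))
        s.lowest_varying++;
    return s;
}

/* Constructed samples: a module relocated over 8 bits at 64 KiB granularity,
 * and a module that loads at the same address every time (no randomisation). */
static const uintptr_t sample_randomised[] = {0x6A3B0000u, 0x6A910000u, 0x6AC20000u, 0x6A070000u};
static const uintptr_t sample_fixed[]      = {0x10000000u, 0x10000000u, 0x10000000u};

int main(void) {
    aslr_stats r = aslr_analyse(sample_randomised, 4);
    aslr_stats f = aslr_analyse(sample_fixed, 3);
    printf("randomised module: %u bits of entropy, granularity 2^%u\n", r.entropy_bits, r.lowest_varying);
    printf("fixed module:      %u bits of entropy (never relocated)\n", f.entropy_bits);
    return 0;
}
```

A module that reports zero varying bits, or far fewer than the design promises, is exactly the kind of finding the research describes: the protection is nominally on, but an attacker has fewer addresses to guess than expected.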

Symantec's Vista research isn't meant to cast a shadow on the security improvements in Vista but to provide a view of how Vista will affect the overall threat landscape, Whitehouse noted.

However, one Symantec solution provider said he thinks the research underscores the gamesmanship going on in the security industry that's being fueled by competition between vendors.

"I think Symantec is a little bit worried about Microsoft moving into their space, and these papers could be their way of slowing Microsoft's momentum into the security space," said the solution provider.