Is Microsoft Overhyping Security In Windows 7?

The vast security architecture changes Microsoft introduced with Windows Vista led to problems that overshadowed the security advancements. As a result, Microsoft is now touting new features like DirectAccess (remote connectivity), BitLocker To Go (full hard drive encryption) and AppLocker (which lets administrators lock access to specific applications, installer files and scripts) as reasons to upgrade to Windows 7.

In both Vista and Windows 7, Microsoft has sought to improve application security as well as Windows' resiliency to application-specific vulnerabilities such as buffer overflow exploits. While this has improved the overall security of Windows, consumers aren't necessarily more secure as a result, notes Marc Maiffret, director of professional services at The DigiTrust Group, a Los Angeles-based security consulting firm.

"Microsoft does a disservice in some of its marketing by broadly speaking about improved security," says Maiffret. "Consumers interpret this to mean they'll have less malware, but there's not much difference between Windows 7 and Vista in terms of helping to keep users from shooting themselves in the foot."

Windows 7 does improve the security of PCs with better controls and protections out of the box, but as a general rule, newer code is always more secure than older code, according to Andrew Plato, president at Anitian Enterprise Security, a Beaverton, Ore.-based security solution provider. Consequently, calling each new version of Windows "the most secure ever" is somewhat misleading.

"It's kind of like saying a new car is more secure than an old junker," says Plato. "Newer cars are more secure by virtue of their having newer components, but that doesn't mean you should drive your car into the bad part of town and leave the keys in the ignition."

User Account Control was one of the most reviled aspects of Vista because of the excessive alerts it generated, but Microsoft claims to have fixed UAC in Windows 7. Microsoft has downplayed Windows 7 UAC as a security feature, but does position it as a security enhancer.

"One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure-all," Jon DeVaan, senior vice president of the Windows Core Operating System division at Microsoft, said in a blog post earlier this year.

Nonetheless, some security vendors feel Microsoft's characterization of UAC is disingenuous from a security standpoint. Earlier this month, Chester Wisniewski, senior security engineer at Boston-based Sophos, said UAC's default configuration is not effective at protecting a PC from modern malware. Wisniewski cited recent Sophos research that showed Windows 7, without antivirus installed and with UAC set to default, is vulnerable to most current malware.

"Most malware these days is behaving in a way that UAC doesn't help," Wisniewski said in a recent interview. "A lot of fake antivirus software doesn't elevate privilege, so users don't get any UAC warnings. We're seeing more of these threats operating in userland and not necessarily doing things that trigger UAC."

Microsoft never got a chance to truly showcase the security advancements it made in Vista, which took Windows out of the security 'dark ages' and provided customers with an OS capable of resisting the flood of modern malware. That wasn't for lack of trying, however.

Microsoft's marketing of security in Vista was much heavier than for Windows 7, says Nancee Melby, director of product marketing for Shavlik Technologies, a St. Paul, Minn.-based security vendor. "They essentially said you wouldn't have any more security problems if you went to Vista, and that wasn't true," Melby said. "But I haven't seen that message with Windows 7."

Given the reality of today's tight IT budgets, and the fact that Windows 7 is essentially Vista with the kinks worked out and a handful of new features, it's understandable that Microsoft would want to use security as a selling point.

The danger for Microsoft here is that if these security claims are proven false, competitors such as Apple will have plenty of fodder for claiming that its computing platform is more secure, says Darrel Bowman, CEO of Tacoma, Wash.-based security solution provider

"When Microsoft decides to finally build their own PC, and control the total quality hardware and software platform, then they'll have a chance to prove they have a more secure platform," Bowman said.