A Microsoft executive accuses security company Sophos of sensationalizing claims that Windows 7's User Account Control is ineffective at fighting malware. Sophos counters that its goal was merely to show that UAC may not provide the level of protection some might expect.
Sophos Senior Security Adviser Chester Wisniewski caused a stir Nov. 3 when he repeated claims that Microsoft had rendered the Windows 7 User Account Control feature ineffective. To back this up, Wisniewski cited a test he had run in which numerous pieces of malware ran on Windows 7 without generating any prompts from UAC.
In a blog post Nov. 6, Paul Cooke, Microsoft's director of Windows Client Enterprise Security, countered that the Sophos test was inconclusive.
"I'm a firm believer that if you run unknown code on your machine, bad things can happen," Cooke wrote. "This test shows just that; however, most people don't knowingly have and run known malware on their system. Malware typically makes it onto a system through other avenues like the browser or e-mail program. So while I absolutely agree that antivirus software is essential to protecting your PC, there are other defenses as well."
Among them, Cooke blogged, are Windows Service Hardening, Kernel Patch Protection, Address Space Layout Randomization and Data Execution Prevention.
"Beyond the core security of Windows 7, we have also done a lot of work with Windows 7 to make it harder for malware to reach a user's PCs in the first place," he continued. "One of my favorite new features is the SmartScreen Filter in Internet Explorer 8 ... [which] will notify you when you attempt to download software that is unsafe - which the SophosLabs methodology totally bypassed in doing their test."
In the Sophos test, Wisniewski explained, the approach was to set up a Windows 7 desktop with default configurations, take 10 malware samples at random and run them to see if UAC would provide a warning to the user. Eight of the 10 sample pieces of malware ran, although one of those failed to run unless UAC was disabled. The other two did not run at all.
"My purpose was not to, as Microsoft has accused, [sensationalize the issue for profit] ... but ... to dispel the idea that UAC will warn [users] of risks associated with installing malware," Wisniewski told eWEEK. "I believe people who are accustomed to how this feature works in OS X and Ubuntu will believe that the Windows version of this technology provides similar protection. To install a Trojan on OS X you need to supply your administrative password."
He added, "The best advice for administrators of corporate PCs is to run your users as nonprivileged accounts and not worry about UAC. This brings us back to Windows legacy applications, which is why Microsoft developed UAC, and the circle continues around."
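The practical point behind Wisniewski's advice is that UAC only ever prompts when a program asks for elevation; malware content to run with the user's existing rights never trips it, so what matters is whether the everyday account is an administrator in the first place. The following PowerShell snippet is an added example, not code from the eWEEK article, Sophos or Microsoft, that a desktop administrator could run to audit exactly that on a Windows 7 machine: whether the logged-on user is a member of the local Administrators group (even when running with the filtered, non-elevated token), whether the current process is elevated, and how the UAC prompt policy is configured. The registry path and value names are the standard UAC policy keys; the mapping of `ConsentPromptBehaviorAdmin` numbers to slider positions is my reading of the Windows 7 defaults and is stated as an assumption in the code.

```powershell
# Added example (not from the article, Sophos or Microsoft).
# Audits the two things the article's advice hinges on: is this user an
# admin at all, and how is UAC configured? Run as the normal desktop user.

function Get-UacPosture {
    # Standard UAC policy location; the value names are the documented ones.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey

    # whoami /groups still lists the Administrators SID (S-1-5-32-544) with
    # a "used for deny only" attribute when the user is an admin running
    # under the filtered UAC token, so it answers "is this account an admin?"
    # regardless of elevation.
    $adminMember = [bool]((whoami /groups) -match 'S-1-5-32-544')

    # IsInRole(Administrator) is true only when the current process holds the
    # full (elevated) token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Assumption: Windows 7 slider positions map to ConsentPromptBehaviorAdmin
    # as follows (2 = "Always notify", 5 = default "notify only when programs
    # try to make changes", 0 = elevate silently).
    $promptLevel = switch ($uac.ConsentPromptBehaviorAdmin) {
        0       { 'Never notify (silent elevation)' }
        2       { 'Always notify' }
        5       { 'Default: prompt only for non-Windows binaries' }
        default { "Other ($($uac.ConsentPromptBehaviorAdmin))" }
    }

    # Decision the article argues for: a standard (non-admin) daily account
    # is the real control; UAC level is secondary.
    $risk = if (-not $adminMember) {
        'OK: standard user account; malware gets only user rights'
    } elseif ($uac.EnableLUA -ne 1) {
        'HIGH: admin account with UAC disabled'
    } elseif ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        'HIGH: admin account, elevation without any prompt'
    } else {
        'MEDIUM: admin account; UAC prompts only on elevation requests'
    }

    [PSCustomObject]@{
        User                = $identity.Name
        IsLocalAdminMember  = $adminMember
        ProcessElevated     = $elevated
        UacEnabled          = ($uac.EnableLUA -eq 1)
        AdminPromptLevel    = $promptLevel
        SecureDesktopPrompt = ($uac.PromptOnSecureDesktop -eq 1)
        Assessment          = $risk
    }
}

Get-UacPosture | Format-List
```

On a Windows 7 box left at its defaults, an administrator account shows `AdminPromptLevel` as the "non-Windows binaries" setting, which is precisely the configuration in which a sample that never requests elevation produces no prompt; the `Assessment` field then points back to the account type rather than the UAC slider as the thing to fix.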
Despite the controversy, Cooke said he actually agrees with Wisniewski's ultimate conclusion.
"While I'm not a fan of companies sensationalizing findings about Windows 7 in order to sell more of their own software, I nevertheless agree with them that you still need to run antivirus software on Windows 7," Cooke wrote. "This is why we've made our Microsoft Security Essentials offering available for free to customers. But it's also equally important to keep all of your software up-to-date through automatic updates, such as through the Windows Update service. By configuring your computers to download and install updates automatically you will help ensure that you have the highest level of protection against malware and other vulnerabilities."