Report: Security Drives Vista Adoption

News Analysis: Is the motivation sound, given issues such as the .ANI problem and Microsoft's admission that UAC, its star security feature, is vulnerable to social engineering?

In a recent report on enterprise security, the top reason survey respondents gave for adopting Windows Vista was that the new operating system is perceived as being more secure.

The "Fourth Annual Enterprise Security Survey" was commissioned by secure-file-transfer software maker VanDyke Software and conducted by independent research firm Amplitude Research.

According to the report, 52.3 percent of security-motivated Vista adopters are specifically interested in the improved firewall and anti-spyware functions in Microsofts latest operating system.

And in spite of the bad rap Microsofts UAC (User Account Control) has gotten from security researchers, another 14.28 percent of Vista adopters cite limited user accounts as their biggest reason for migrating.

/zimages/5/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

UAC is based on the concept of LUP (least user privilege), which limits PC users account privileges during normal use. User rights are elevated only when necessary to perform certain administrative tasks. These limitations are intended to reduce Vistas vulnerability to attacks that make use of higher user privileges.

Microsoft touted UAC as a significant security improvement that signified that the company had gotten serious about securing Windows. Researchers such as Joanna Rutkowska and Symantec Research Scientist Ollie Whitehouse found that users can be tricked into allowing inappropriate rights escalation, however.

After Rutkowskas blog post on the subject, followed by a paper from Whitehouse titled "An Example of Why UAC Prompts in Vista Cant Always Be Trusted," Microsoft confirmed that UAC is vulnerable to social engineering attacks, as it is not itself a hardened security boundary like a firewall, but is more of a security "function."

Oliver Friedrichs, a director at Symantec Security Response, in Cupertino, Calif., said the perception of UAC as a security boundary persists. "That perception has become fairly well-ingrained, even given the fact that Microsoft has come out and said UAC isnt a security boundary," he said in an interview with eWEEK.

If Vista users continue to use the operating system as early adopters are doing, there will be no additional exposure to system compromise, Friedrichs said. Overconfidence in Vistas security technology may put users at risk, however, he said.

Overall, Vista is indeed a more secure operating system, Friedrichs said. He pointed to core technologies that are responsible for this security boost, including ASLR (address space layout randomization)—a technology designed to make it harder for an attacker to figure out addresses of critical functions and hence harder to get exploits running correctly; safe structure exception handlers; and a new heap manager that is more secure from a dynamic memory allocation perspective, with its newly hardened resistance to certain types of heap usage attacks.

Vistas attack exposure remains, for the most part, in third-party applications, Web applications and other areas where attackers are largely focusing their efforts at this time, Friedrichs said.

But despite these improvements, Vista is not devoid of flaws. The .ANI vulnerability, which Microsoft patched early in April, occurred in the way Windows, including Vista, handled cursor, animated cursor and icon formats. That particular vulnerability was so critical that it caused one of only three instances wherein Microsoft has patched outside of its Patch Tuesday cycle.

Of the 217 Vista users surveyed for the report, the other reasons they gave for adopting the operating system were improved usability, given by 22.11 percent, and "other," given by 11.05 percent of respondents.

Other relevant Vista-related findings from the report were that out of 300 individuals surveyed, 6.66 percent have finished testing Vista, 44 percent are currently testing, 18.33 percent are waiting for Service Pack 1 before testing and 31 percent arent testing.

When asked if their organizations planned to deploy Vista, 19 percent of those 300 said their organizations planned to deploy after testing the official release. Twenty percent said their organizations would deploy Vista after SP1 is released, 19 percent said Vista would be deployed but only on new PCs with Vista preinstalled, and 42 percent said their organizations didnt plan to deploy Vista at this time.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.