Vista Takes Aim at Social Engineering

Microsoft officials say that the Windows operating system is not the weakest link in desktop security and that Windows Vista will help limit the greatest vulnerability of all—users bad decision making.

While previous iterations of Microsofts dominant operating system hit the market with an abundance of security loopholes that left users open to myriad forms of attack, company officials said new features in Vista will not only make it harder for malware writers to attack it but also make it more difficult for users to hurt themselves.

Executives point to Microsofts SDL (Security Development Lifecycle) program as an attempt to root out many of the coding flaws that left gaping security holes in previous versions of Windows during development and said the primary thrust of the security tools added in Vista has been to help customers help themselves.

From its UAC (User Account Control) feature, which limits the ability of viruses to gain access to administrator status on desktops, to the anti-phishing filters in the newly released Internet Explorer 7 browser, Microsoft, of Redmond, Wash., is trying to give users the tools to do a better job of watching their own backs, said Ben Fathi, vice president of Microsofts Security Technology Unit.

Microsoft doesnt expect that Vista—the consumer version will be released Jan. 29—will be able to evade all forms of malware, despite the work done to shut holes via the SDL program, Fathi said. Still, the company has given users the right set of tools to help police their own habits, he said.

"The weakest link in the security of any system is the end user. It seems like were putting them down, but, realistically, theres a lot we can do in technology to secure our products, but as long as users can be tricked into clicking a link or going to an unknown Web site, were at risk," Fathi said. "We think that by helping users protect themselves better, we can make a big dent in the current methods of attacks being used by hackers."

Zero-day exploits and self-cloaking rootkits may be the rage at the most complex end of the malware spectrum, but most users encounter security issues because they fall for social engineering tactics, making mistakes such as opening malware e-mail sent from spoofed domains and following links to Web pages that offer viruses along with the advertised content, Fathi said.

UAC promises to help prevent viruses from spreading within a machine by prompting the user to approve nearly every change to the system that such a program might try to make. Whereas programs that tap into a machines administrative controls to advance their reach largely operated in secret before Vista, users will now be able to shut down the attacks as they try to proliferate, Microsoft claims.

Anti-phishing technologies in IE 7 use on-board heuristics, as well as site-blocking capabilities based on traditional blacklists and whitelists, to give users an idea of the security status of every site they try to access. Known malware and phishing sites are automatically blocked, whereas every other site gets a red, yellow or green rating, based on the characteristics it exhibits to the browser. By arming users with a browser that flashes red around the edges when they try to access a suspected phishing site, Microsoft can help customers make wiser security decisions on their own, Fathi said.

Some security vendors are already criticizing Vistas on-board security components, with anti-virus market leader Symantec calling UAC too chatty to have a significant impact on safety and predicting that users will come to ignore the many warnings the system produces. Symantec is developing products that will manage UAC and the other Vista security tools.

However, some experts say trying to limit the social aspect of IT threats will strike many people as positive, useful and adequate. Lee Nicholls, global solutions director for consultant company Getronics, said all but the most demanding customers will be encouraged by the work that Microsoft has done. Nicholls said his company will encourage businesses to use Vistas on-board protections. He works at Microsofts Redmond campus, studying the companys latest technologies.

"Weve seen all this technology provided for Windows before by third-party vendors, but customers were forced to figure out numerous processes for troubleshooting between applications, which created some additional security issues," Nicholls said. "Now all the management is there in the product, which makes it easier for end users, and for us, to try to solve problems as they arise."