
Windows 7 may be more secure, but its UAC is less functional than Windows Vista's, according to a recent security study. The study suggests that only antivirus protection can properly protect Windows 7.  (Source: Switched)
Antivirus protection still necessary, says firm

One of the most unpopular features of Windows Vista among casual users was the User Account Control (UAC). Ironically, while the UAC provoked irate comments from these users, like "why is my computer asking me to approve everything", it was one of the features most appreciated by power users, as it gave them much more control over their security and the ability to prevent inappropriate actions.

With Windows 7, Microsoft pledged to go the OS X route on this topic, tuning down the UAC's warnings to a lesser level. Many security firms complained about this approach and Microsoft relented slightly, restoring some of the UAC's warnings, in particular a warning about disabling the UAC altogether (experts showed that attackers could disable the UAC without prompting the user in early builds of Windows 7).

While these changes helped make Windows 7's release edition more secure than the test builds, the UAC's default setting is still neutered compared to Vista's robust solution, indicates Sophos Senior Security Adviser Chester Wisniewski. He has just completed a study in which he attacked Windows 7 with malware to see how the new UAC responds.

Of the ten pieces of malware tested, Windows 7 wouldn't install two of them. Of the remaining eight, only one generated a UAC warning, allowing the user to disallow its installation.

Microsoft officials, though, minimized the test, saying the UAC just isn't that important a security feature anymore. They point to Windows 7's improved memory protections and Microsoft's free Security Essentials antivirus suite as two critical tools that can be used to fight infection, in addition to the UAC.

States a Microsoft spokesperson, "Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware; this includes features like Security Development Lifecycle (SDL), User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP)."

"Windows 7 retains all of the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released," the spokesperson added. "Coupled with Internet Explorer 8—which includes added malware protection with its SmartScreen Filter—and Microsoft Security Essentials, Windows 7 provides flexible security protection against malware and intrusions."

While he understands that with other supplemental protections Windows 7 will likely be safe, Mr. Wisniewski seems mildly disapproving of defaulting the UAC to reduced functionality. After all, users of Windows Vista may be lulled into a false sense of security expecting prompts to save them from malware. Ultimately, though, there's little that can be done to convince Microsoft to change this, and he concludes, "Lesson learned? You still need to run antivirus [protection] on Windows 7."

Comments

RE: Flawed Methodology
By Screwballl on 11/5/2009 3:56:08 PM , Rating: 0
The problem is that these companies use tests that the ONLY way for someone to not get infected is to have an OS where even if you do click on something, nothing bad will happen.

That is why customers of mine that have continuous problems with viruses and malware, I have set them up with Linux (usually Kubuntu) as well as any office or whatever software they need. Except for an occasional call asking for a program like GIMP or other alternatives, I have not seen many of these people (needing help or repair) for over a year. Yet each and every one has thanked me for fixing their problems, and they love not having to worry about anything with Linux.

Granted this is not a fix-all solution but as long as the system is set up properly then there are no hardware or software issues to worry about. It would work with a majority of the population (home users) as long as a little education is done along with setting it up for them. A little education goes a long way.

RE: Flawed Methodology
By rs1 on 11/5/2009 4:33:29 PM , Rating: 5
Even on Linux you can get yourself in trouble if you intentionally run a program that's designed to harm your system. Granted, permissions will keep the program from running amok with the core of the system (as they do on Win 7 as well), but a properly designed malicious program (or shell script, even) could trash a Linux user's account plenty easily, and without the OS raising any warning flags. Linux is no more secure than Windows in this regard. If you tell it to run a malicious program that only trashes your user-level settings/account and does not try to access any privileged areas, then the OS will allow you to without complaint. Just like Windows.

The only real difference is that there aren't many malicious programs out there that target Linux, relative to the number that target Windows. And also that the company selling the anti-virus software doesn't offer a Linux version, so there's no incentive for them to come up with a contrived test that shows just how "vulnerable" Linux is to malware.

RE: Flawed Methodology
By Fox5 on 11/5/2009 4:35:55 PM , Rating: 2
Windows has unfortunately become too synonymous with computing. I could see a big player like Dell or HP changing that IF they pushed Linux (probably Ubuntu) as the biggest thing since Apples. Seriously, many of Apple's big selling points are even more true in favor of a Linux system. Flashiness, security, things 'just working' (to a certain level of functionality, Linux handles pretty much all of the common tasks well, it's specific apps it fails in), system responsiveness, I'm surprised some enterprising enterprise hasn't tried to use Linux as the off-brand Mac.

Ultimately though, the security model is broken. Who cares if malware can't get admin rights, there's still a crap ton of damage it can do at just the user level. Identity theft, loss of probably all the data that matters to the user, and it can still make programs freeze or crash the computer at a user level.
Google's security model for Android (and probably Chrome OS) sounds like a smarter way to do things, read up on it, it's a good attempt to fix a flawed model instead of just continually patching it and wondering why Windows Vista/7 now has one of the best security implementations around, yet it is still one of the most vulnerable OSes around.

RE: Flawed Methodology
By Screwballl on 11/5/09, Rating: 0

RE: Flawed Methodology
By Reclaimer77 on 11/5/2009 5:02:48 PM , Rating: 5
You are creating a self-fulfilling prophecy. Look, NOTHING built or coded by man is foolproof. If everyone started using Linux, then guess what, Linux would be the number 1 target OS.

You Linux guys... just go away. We are NOT interested, we are NOT going to switch. And until you can pull your elitist collective heads out of your asses and come up with a Distro that runs ALL our programs, ALL our games, and does it all without emulation, compilers, and terrible driver support... well, I think I speak for most Windows users when I say you can just go screw off.

Linux is great for certain things. Prime time on our desktops? Nope, it's not ready. And please, save your "my mother uses Linux and loves it" stories. Been there, heard that, not interested.

RE: Flawed Methodology
By bupkus on 11/5/2009 5:34:47 PM , Rating: 1
I propose a compromise. How about installing Linux in a virtual machine with Windows as host and using that for all your dirty work. Whatever you absolutely need Windows for, use that.
I have Windows 7 for games and... I'm still using W7 for this right now but I'm still testing VirtualBox. When content I intend to use Linux for all else where risky exposure is involved.

RE: Flawed Methodology
By Reclaimer77 on 11/5/2009 5:43:18 PM , Rating: 5
Why bother?

If you have Windows 7, with even the default UAC settings, Windows Security essentials installed, and do a decent job of keeping Windows updated (which is retardedly easy because it's automatic), unless you are a flaming IDIOT there is no way you will have a problem.

I propose a compromise, take off your tin foil hat, and stop downloading questionable porn from seedy websites. And for god sakes, think twice when you download a warez with a "patcher.exe" before you open it.

RE: Flawed Methodology
By Alexstarfire on 11/7/2009 6:10:42 AM , Rating: 2
I'd end up using Windows for everything but the internet and IMing people. Not very useful. I can't imagine how hard it would be to find all the converting programs I have for Linux. And I don't just mean command line interfaces either. No sense in taking a giant step backwards for no reason. I have quite a few that I use fairly often. Ohh, and I'd be playing ALL my games on Windows.

Not that Linux isn't fairly easy to use, but the lack of programs keeps me from switching.

RE: Flawed Methodology
By DominionSeraph on 11/5/2009 11:55:56 PM , Rating: 2
Android? Seriously?

Android's security model is crippling. It's fine for a phone due to the nature of their apps, but PCs actually have to do things.

A PC is not a console. Its openness is what makes it great.
