MCTS Course and Material List

Microsoft Technology specialist course and materials list

Windows Vista Security

Windows Vista and Malware
Hi, Austin Wilson here.

Recently there have been some questions raised about the susceptibility of Windows Vista to malware – specifically, that it’s more susceptible to malware than Windows 2000. I’d like to show why we reject that claim.

We study the malware space very carefully and publish our results twice a year in the Security Intelligence Report. This report is compiled from statistics on malware infections based on over 450 million executions of the Malicious Software Removal Tool (MSRT) every month. Microsoft is a member of AMTSO (Anti Malware Testing Standards Organization) and its charter includes defining test methodology so that there is a minimum quality bar to all testing of this type.

Our results published in the April 2008 version of the Security Intelligence Report show that Windows Vista is significantly less susceptible to malware than older operating systems. In fact, from June – December 2007, using proportionate numbers, the MSRT found and cleaned malware from 60.5% fewer Windows Vista-based computers than from computers running Windows XP with Service Pack 2 installed.

How about Windows 2000? Using proportionate numbers, MSRT found and cleaned malware from 44% fewer Windows Vista-based computers than Windows 2000 SP4 computers and 77% fewer than from computers running Windows 2000 SP3. Note that the Windows 2000 numbers include both Windows 2000 client AND server versions, while the Windows XP numbers of course are only clients. Servers tend to be less likely to get infected with malware as many of them are in data centers and aren’t used for general web surfing or other day to day tasks.

Does this mean that anti-malware software isn’t necessary? Absolutely not. No software is perfect. While we have many defense-in-depth improvements in Windows Vista, it’s critical for consumers to follow the Protect Your PC guidance of keeping the firewall turned on, keeping the operating system up to date, and having up to date anti-virus and anti-spyware software.

It’s worth mentioning just a few of the defense-in-depth improvements and features that are in Windows Vista that aren’t included in Windows 2000: DEP, ASLR, firewall on by default, Windows Defender, IE hardening, User Account Control, Windows Security Center, parental controls etc…

We’re always looking for ways to improve our studies, so please feel free to make suggestions on what you’d like to see. For feedback on the Security Intelligence Report, send email to sirfb@microsoft.com. Likewise, we welcome and encourage feedback from the community to make our products better, so comment on this blog entry if you have suggestions.

- Austin

Windows Vista Security One Yea...
Hi, Austin Wilson here.

Now that Windows Vista has been available to business customers for more than a year, it’s a good time to go back and look at how it’s holding up from a security perspective. I think that it’s fair to say that Windows Vista is proving to be the most secure version of Windows to date. Our investments in the SDL and our defense in depth approach to building Windows Vista seem to be paying off. Let’s take a look at some areas that we’ve made progress in: the impact of defense-in-depth; Internet Explorer 7’s protection of personal information; vulnerabilities and infections; and cost savings.

First, let’s look at the impact of defense-in-depth features like User Account Control and Internet Explorer Protected Mode. These features have helped reduce both the risk and severity of security bulletins, giving enterprises more time to deploy patches:

• Running as standard user, which is the recommended configuration and made easier in Windows Vista thanks to User Account Control, helps reduce the impact of any particular vulnerability. Of the 23 security bulletins that have been released for Windows Vista through January 2008, 12 specifically call out a lower impact for those running without administrative privileges: MS07-033, 034, 040, 042, 045, 047, 048, 050, 057, 064, 068, and 069. This is a great illustration of the importance of User Account Control and why we included it in the product. It’s also the reason I personally run as a standard user on every machine I use.

• Because of IE Protected Mode, the MS07-056 bulletin from October ’07 was rated important on Windows Vista and critical on Windows XP. The bulletin rating helps organizations determine the urgency with which they need to deploy the update. Fewer critical updates help organizations maintain regular processes around patch management.

Internet Explorer 7, which is the default browser in Windows Vista, also helps protect the personal information of end users. We’re seeing almost 1 million phishing attempts blocked per week, representing a large number of potential cases of identity theft or credit card fraud that were stopped. In addition, there are over 3500 sites with Extended Validation SSL Certificates (EV SSL) representing an improved level of authentication for securing transactions on these sites. Internet Explorer 7 is the first browser to fully support EV SSL. It turns the address bar green for EV SSL sites and notifies users about the available identity information so they can make better trust decisions when entering sensitive personal information while online.

Next, let’s look at patch events, vulnerabilities and infections. We’re showing steady positive progress in this area. When looking at Windows Vista compared to Windows XP, we’ve seen:

• An important metric for IT professionals is the concept of patch events, which is discussed in the One Year Vulnerability Report released today by Microsoft’s Jeff Jones. During Windows XP’s first year, updates were released on 26 separate days. Through a combination of the move to a predictable monthly release schedule, and decreased vulnerabilities, Windows Vista had updates released on just nine days in its first year. To the average security professional, this is one of the most relevant metrics: how many times did I have to activate my internal patch management process due to vendor update releases over the course of a year? Nine times is much more attractive, and cost effective, than 26 times. Jeff Jones’ one year report goes into this area in more detail, and the graph below from his report shows the patch events during the first year of Windows Vista and Windows XP:

[Graph: Patch Events]

• Fewer vulnerabilities: Also from the One Year Vulnerability Report, we see that Windows Vista in its first year had significantly fewer fixed and unfixed vulnerabilities than Windows XP in its first year: 36 fixed/30 unfixed for Windows Vista vs. 68 fixed/54 unfixed for Windows XP. The chart below gives you an idea of the progress we’ve made:

[Chart: First Year]

• Fewer months with updates: Building on the concept of patch events, since Windows Vista was released, there were three months in which Windows XP had updates and Windows Vista did not (December ’06, January ’07, and November ’07). This means that an organization running all Windows Vista clients would have had three months in which they wouldn’t have had to deploy an OS update to their clients at all.

• Fewer infections: From January – June 2007, there were 60% fewer malware infections and 2.8 times less potentially unwanted software on Windows Vista than on Windows XP SP2, according to the Microsoft Security Intelligence Report from 10/07. This illustrates how the defense in depth features built in to Windows Vista help prevent machines from getting infected by malicious and potentially unwanted software.

Finally, what does Windows Vista do to help organizations reduce costs? A recent Microsoft commissioned report from GCR on cost savings for mobile PCs shows $251/machine per year in cost savings for Windows Vista, of which $55/machine per year was attributed to security and data protection features such as User Account Control and BitLocker Drive Encryption.

We’ve said it before, but it bears repeating: our job with security is never finished. But, the focus we put on engineering for security, the backing of the world-class security response process delivered by the Microsoft Security Response Center, and the defense in depth approach of Windows Vista are showing real-world benefits for customers and that’s something I take pride in.

- Austin

(Driver Signing Kernel Patch...
So I am reading a lot of stories that seem to have confused, or incorrectly aligned, Windows Vista driver signing and Kernel Patch Protection technologies. Whilst driver signing and KPP are complementary, they are not conjoined.

Driver signing provides a method to better identify the author/creator of a piece of software or code so that the author/creator can be approached in the event a reliability issue, vulnerability, or malware is discovered. Signing is not designed to confirm the “intent” of signed code (i.e. good or bad), or whether exploitable bugs or malicious code is present. Malicious or exploitable kernel drivers can lead to system compromise beyond disabling of code signing controls, since kernel driver code has access to hardware as well as all programs running as the user.

Kernel Patch Protection (KPP) helps protect code and critical structures in the Windows kernel from modification. Microsoft updates KPP periodically, based on internal and external research. You can read more about KPP here:

http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx
http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx

Perhaps the mix up is due to a confluence of events, or – put another way – the fact that we released an update to KPP at the same time that news about an ATI Driver issue appeared. The update to KPP has no relationship to the ATI driver issue or recent topics related to code signing. These are unrelated events!

1: Microsoft issued a non-security update for Kernel Patch Protection (KPP), and an accompanying security advisory: Microsoft Security Advisory (932596)

2: Microsoft was made aware of an issue reported in an ATI driver that is potentially vulnerable. Microsoft was in contact with ATI to help address this issue and ATI have posted a fix in the v7.8 Catalyst Package that can be found here:

http://ati.amd.com/support/drivers/vista64/common-vista64.html
http://ati.amd.com/support/drivers/vista32/common-vista32.html

I would like to highlight that the driver in question was not shipped ‘in-box’.

Russ Humphries

Copyright 2006 Microsoft MCTS info listing