Thursday, May 31, 2007

Back in January (damn, that seems so long ago) I made the statement that, despite the Microsoft push for Vista as a security panacea, security is not a good reason to move to Vista (see So long Superman... Vista will save the world).

CRN Australia today just published an article, "Vista, XP users equally at peril", detailing Test Center engineers' validation of my statements.

Reading through their tests, they seem to systematically evidence each of the points I made in my post, with a couple of exceptions. They made no mention of patches, but when performing a comparative test of 2 operating systems, I don't think there are any practical tests to be performed (and it's too early to start doing statistics on average number of patches per month/year/whatever).

Of their 6 tests, I only missed one - Test 6: Signatures & Phishing Filter.

Yep, Vista has a slight edge here (not all of IE7's functionality is back-ported to XP), and this is where I missed the boat a little bit in my recommendations. I should have put something into my list to make sure you're running a newer browser than IE6 (either IE7 or Firefox). Personally, I'd recommend both - the reality is that there are still fewer exploits for Firefox than IE, so it makes a solid primary browser, but many sites still need IE (and lots of business apps too).

I've needed IE on government web sites like the Ontario Ministry of Transportation for credit card payments - for some reason I couldn't get it to work with Firefox. People still (and always will) prioritize which browsers they code for based on install base - the largest base is still IE.

I would also point out that IE's Phishing Filter is not your only option here. NetCraft toolbar has been doing this for a much longer time.

Their 5th test leaves something to be desired, though. They tested flaws with image files, spoofing & scripting. Most of this has to do with malformed data formats. I'm not aware of any products that test for valid formatting yet (largely because most file formats rely on relatively "loose" standards), so everyone still needs to rely on AV, anti-spyware/malware, and buffer overflow prevention to prevent or detect exploitation through these paths.

rG0d

1 comment:

Gabe Friedmann said...

I think the largest security advantage is that a user is not always running as admin.

Before a browser vulnerability can be turned into full-fledged owning of the operating system, you have to first approve one of those "About to do something Administrators only can do" dialogs.

Running as a regular user currently goes a long way towards preventing trojan installation and system depredation.