Microsoft has confirmed that Vista can be affected by malware from 2004, but argues this is not a flaw in the operating system.
Security vendor Sophos reported on Thursday that Microsoft's Vista is vulnerable to at least three pieces of widespread malware, two of which date back to 2004. At least three well-known internet worms — labelled Stratio-Zip, Netsky-D and MyDoom-O by Sophos — are able to execute on the operating system, according to Sophos.
However, because these attacks rely on user interaction to execute the code, Microsoft has denied this is a flaw. Microsoft said that these attacks rely on social-engineering techniques to be successful.
"Microsoft is aware of a report by Sophos that claims variants of existing malware may affect users running Windows Vista," the software giant said in a statement. "Based on our initial investigation, Microsoft can confirm that these variants do not take advantage of a security vulnerability, rather they rely on social engineering to infect a user's system."
Social engineering relies on tricking users into executing malicious code themselves — a user has to open an infected attachment on an email for these worms to infect the system. Windows Mail Client — the Vista replacement to Outlook — will block the worms, but businesses running third-party email clients such as Lotus Notes, or webmail such as Yahoo or GoogleMail, could be vulnerable to social-engineering attacks.
Microsoft stopped short of blaming third-party email clients for the problem, but said that User Account Control (UAC) — which limits users' ability to install applications unless they have administrator privileges — can "help to provide better protections". IT managers can run Vista end-user accounts with limited "standard user" privileges, rather than administrator privileges. Users are also given security prompts when attempting to run executable code.
"In those cases where other email clients may not have made the same aggressive security design decisions as Microsoft did with Windows Mail Client, other protections such as UAC can apply still to help provide better protections against email-based social-engineering attacks," Microsoft's statement said. It added that currently, once malware has breached the outer defences of a computing system through user interaction, it is no surprise that the operating system obeys user commands to run the code. "If a user clicks through various security warnings and protections, it's of little surprise that malware (even malware from long ago), can still run," said Stephen Toulouse, a senior product manager at Microsoft's security technology unit. "It is not through a flaw that this occurs."
Toulouse said that currently, operating systems by themselves have little way of knowing when the user has chosen to run a piece of software that is "bad" until after it is installed and running, and that even then that capability is often provided by an application such as antivirus.
"This is why we strongly recommend to run antivirus on all versions of Windows, even Windows Vista," said Toulouse. "The very problem you have noted is one that is not actually unique to Windows."
The senior product manager said that application identity and authentication — the ability to accurately gauge a program's identity and appropriateness to run, to allow it to execute on an operating system — was an "important ecosystem change" that both operating-system and application manufacturers should address. He said this would help restrict the running of malicious code, while reducing instances of false positives blocking legitimate code.
While acknowledging that running malicious code was not a flaw in the operating system itself, Sophos predicted that Internet Explorer 7 (IE7) — the web browser bundled with Vista — would become a target for hackers, as web-based cybercrime was easier to perpetrate than attempting to attack an operating system by sending executable files directly to an email account.
"IE7 is definitely a major target," said Sophos principal virus researcher Vanja Svajcer. "More and more attacks direct people to a website, as most businesses don't allow executable file types into the organisation. It's much more difficult to prevent employees from surfing websites."
