[funsec] Microsoft blames Vista insecurity on thirdparty applications

Nick FitzGerald nick at virus-l.demon.co.uk
Wed Dec 20 17:44:59 CST 2006


Larry Seltzer to Blue Boar:

> No, he's misrepresenting what Jim Allchin, the author of the blog entry
> says. What Allchin says is that while the malware in the study might
> technically execute on Vista it wouldn't, as a practical matter, get
> through to the point of executing because any decent mail client would
> block executable attachments, even in ZIP files, etc.

I think Larry has this right.

_However_, even if Allchin had actually said as succinctly and possibly 
less-easily misrepresentably what he meant, he is _still_ (I'd say very 
deliberately) misrepresenting the issue...

He only looked at one method of entry.  Several of those "top ten" 
malware also spread using other means, most commonly using one or more 
common "share crawling" techniques (inheriting existing CIFS 
credentials, trawling local cached credentials, trying guest user, null 
and other common/weak user/pwd pairs, etc, etc).

Small, informal LANs are now common in homes, and _rife_ in SMEs and 
you can be sure as hell that virtually none of these will be 
mass-upgraded (ahem) to Vista.  To the extent that such LANs will become 
Vista-hosting LANs, they will do so by adding Vista machines, or at 
least by replacing some of the older machines with new, Vista-capable 
ones.  The security of such LANs, of course, suffers from the weakest 
link syndrome...

So even allowing that Allchin was actually saying that "while the 
malware in the study might technically execute on Vista it wouldn't, as 
a practical matter, get through to the point of executing because any 
decent mail client would block executable attachments, even in ZIP 
files, etc" he grossly misrepresents the _actual_ threat model of those 
"top ten" malware _AND_ Vista's exposure to that threat.

So, he's deliberately talking-up Vista security and if he doesn't know 
it he sure as hell shouldn't be doing the job he gets paid to do...

BUT, it's even worse than that.

Most "anti-malware" vendors' "top X" lists actually grossly 
misrepresent the real threat exposure out there.

Note how most of the "top X" lists are relatively heavy with "old" 
and/or mass-mailing malware?

This reflects a bias in the way most such lists are compiled.  In fact, 
those malware are _not_ the things that cause the most trouble any more 
and have not been for quite some time.  Although they are still seen 
mailing themselves around in quite large numbers that does not reflect 
the real security threat exposure of most SOHO and many SME users.

For about the last three (or more) years much more problematic has been 
the smaller-scale, but much larger in total number, bot-related 
malware.  The authors and users of this malware work with entirely 
different objectives than (most of) the mass-mailing (and other very 
fast and massively spreading) malware authors of the past. These new 
miscreants spam links to their malicious executables, or links to their 
phishing sites, or links to their malicious, 
IE-vulnerability-exploiting websites that then install their malware, and so on.

Out-of-the-box Vista is no (well, only marginally) more resistant to 
these, much, much more common _in total_ forms of attack than XP SP2, 
and as Vista becomes more heavily adopted and IE 7.0 more commonly 
installed and used by XP SP2 users, you can bet the bad guys will be 
using ever more IE7 exploits, etc, etc to continue their "work".

Of course, telling the world this will not help Allchin talk-up Vista, 
and thus sell more copies of it, so why _would_ he tell us the truth?


Regards,

Nick FitzGerald


