[funsec] Microsoft blames Vista insecurity on thirdparty
nick at virus-l.demon.co.uk
Wed Dec 20 17:44:59 CST 2006
Larry Seltzer to Blue Boar:

> No, he's misrepresenting what Jim Allchin, the author of the blog entry
> says. What Allchin says is that while the malware in the study might
> technically execute on Vista it wouldn't, as a practical matter, get
> through to the point of executing because any decent mail client would
> block executable attachments, even in ZIP files, etc.

I think Larry has this right.

_However_, even if Allchin had actually said as succinctly and possibly
less-easily misrepresentably what he meant, he is _still_ (I'd say very
deliberately) misrepresenting the issue...

He only looked at one method of entry. Several of those "top ten"
malware also spread using other means, most commonly using one or more
common "share crawling" techniques (inheriting existing CIFS
credentials, trawling local cached credentials, trying guest user, null
and other common/weak user/pwd pairs, etc, etc).

Small, informal LANs are now common in homes, and _rife_ in SMEs and
you can be sure as hell that virtually none of these will be
mass-upgraded (ahem) to Vista. To the extent that such LANs will become
Vista-hosting LANs, they will do so by adding Vista machines, or at
least by replacing some of the older machines with new, Vista-capable
ones. The security of such LANs, of course, suffers from the weakest

So even allowing that Allchin was actually saying that "while the
malware in the study might technically execute on Vista it wouldn't, as
a practical matter, get through to the point of executing because any
decent mail client would block executable attachments, even in ZIP
files, etc" he grossly misrepresents the _actual_ threat model of those
"top ten" malware _AND_ Vista's exposure to that threat.

So, he's deliberately talking-up Vista security and if he doesn't know
it he sure as hell shouldn't be doing the job he gets paid to do...

BUT, it's even worse than that.

Most "anti-malware" vendors' "top X" lists actually grossly
misrepresent the real threat exposure out there.

Note how most of the "top X" lists are relatively heavy with "old"
and/or mass-mailing malware?

This reflects a bias in the way most such lists are compiled. In fact,
those malware are _not_ the things that cause the most trouble any more
and have not been for quite some time. Although they are still seen
mailing themselves around in quite large numbers, that does not reflect
the real security threat exposure of most SOHO and many SME users.

For about the last three (or more) years much more problematic has been
the smaller-scale, but much larger in total number, bot-related
malware. The authors and users of this malware work with entirely
different objectives than (most of) the mass-mailing (and other very
fast and massively spreading) malware authors of the past. These new
miscreants spam links to their malicious executables, or links to their
phishing sites, or links to their malicious, IE-vulnerability-exploiting
websites that then install their malware, and so on.

Out-of-the-box Vista is no (well, only marginally) more resistant to
these, much, much more common _in total_ forms of attack than XP SP2,
and as Vista becomes more heavily adopted and IE 7.0 more commonly
installed and used by XP SP2 users, you can bet the bad guys will be
using ever more IE7 exploits, etc, etc to continue their "work".

Of course, telling the world this will not help Allchin talk-up Vista,
and thus sell more copies of it, so why _would_ he tell us the truth?