Vista less secure than 2000: researchers

An analysis of threat data collected over a six-month period by security software developer PC Tools suggests that, despite a bottom-up code rewrite and the uber-annoying User Account Control feature, Vista isn’t doing as good a job as some of its predecessors in keeping hackers at bay. By PC Tools’ calculations, based on analysis of 1.4 million computers which accessed its online ThreatFire community, 639 unique threats were found for each 1000 Vista machines. For Windows 2000 the figure was 586, while for Windows 2003 it was 478.

“Since its launch, Microsoft has flagged the increased level of protection Vista provides as one of the key reasons why consumers should upgrade from Windows XP to Vista,” PC Tools CEO Simon Clausen said in a release announcing the findings. “If Microsoft’s forecasts for the operating system are correct and Vista’s market share increases significantly, we could expect infection rates to increase further on Vista,” said Clausen.

Microsoft can at least draw some comfort from the fact that Vista outperformed XP, which racked up a massive 1021 unique threats per 1000 computers. However, despite Clausen’s comments, XP is not showing any signs of going away soon, remaining the only realistic option for Microsoft to get a foothold in the growing market for cheap and compact notebooks such as the ASUS EeePC.

A large part of the problem may be how Microsoft has chosen to implement security alerts within Vista itself. Because Vista normally requires all applications to run in standard mode without administrative privileges, numerous programs, including many coded by Microsoft itself as a native part of the operating system, require user confirmation every time they’re launched. In theory, this should alert PC owners to any backdoor attempts to install malware. In practice, many users either tune out those notifications and blindly accept them all or switch the entire UAC infrastructure off.

Microsoft itself believes that the problem can be overcome by making consumers more aware of the difference. “We really need to improve user education,” IT pro evangelist Michael Kleef told APC in a recent interview on the topic. Our five cents’ worth? Telling people that they need to adjust their behaviour is never going to be as effective as writing software that remains secure without nagging them every time they try and fix their WiFi connection.