Baking up some Vista FUD

news
Dec 21, 2006 | 4 mins

Big batches of Vista FUD. Hot out of the oven.

FUD (that’s Fear, Uncertainty and Doubt) is back in the news this week, as Jim Allchin, Microsoft’s Co-President for Platforms and Services, called “bull s***” on a recent report by antivirus vendor Sophos PLC that Vista is vulnerable to a rogue’s list of malware, much of which has been in circulation for a couple of years now. The Sophos report (available here) claims that three viruses, Stratio-Zip, Netsky-D and MyDoom-O, can bypass Vista’s defenses when accessed via a third-party web email client.

A bold claim and, not surprisingly, Microsoft took umbrage to it. Writing on the Windows Vista blog, Allchin “clarified” those claims, noting that Vista out of the box, without any third-party software, is actually immune to those viruses, and to the rest of the malicious code on Sophos’s Top 10 list.

“On the other hand, Vista users who take advantage of Microsoft Outlook, rather than Windows Mail, or use a third-party email client that blocks execution of known executable formats only stop eight of the top ten. Two worms, variants of MyDoom and Bagle, might slip by depending on what attachment type they use to spread the worm code, and what kinds of attachments you choose to block.

In both cases, this is a function of the e-mail software, not Windows Vista,” Allchin said.

Who’s at fault here? Everybody, really. Sophos is certainly guilty of inflaming a non-debate by suggesting that Vista, the operating system, was vulnerable to XP-era malware, when what we’re really talking about is third-party mail clients letting e-mail with ZIP file attachments through, then Vista users opening the ZIP files, then clicking again to open the worm executables, which then run in the Vista environment.

But get used to it. Vista FUD is flying fast and furious from security vendors of all shapes and sizes, as they prime the pump to get people buying Vista-compatible updates to their own products. As Sophos says in its own release:

“It won’t be long before cyber criminals develop Vista-specific malware or modify current threats to fit the bill.”

Then, earlier in the week, we had reports (this time from Trend Micro) of unconfirmed Vista 0days on auction for $50,000, though nobody who wrote about that was able to confirm whether the code for sale was a real Vista 0day or whether the auctioneer was going to get their minimum bid met. Even the experts from Trend seemed incredulous. As of Wednesday, both the auction and the channel it was posted on had disappeared, according to a Trend spokesman.

Of course, nobody doubts that exploit code is for sale, and I’m inclined to believe Trend researchers when they say that prices are going up up up for undiscovered (0day) exploits on popular platforms.

And, in some sense, Microsoft was asking for this by trumpeting Vista’s security improvements as the best (and only?) reason to invest in its zaftig new OS. Nobody really expected Vista to be a clean slate for Microsoft security-wise. The problem is that so many of the other next-generation features dropped out of the OS that security is the only thing most people could point to as an honest-to-goodness improvement. In areas where Microsoft did move boldly, as with Kernel Patch Protection, it got its ears pinned back by competitors and EU regulators, as Allchin acknowledges:

“The recent feedback we received around our decision to continue to include Kernel Patch Protection in the 64-bit versions of Windows Vista (even though we had shipped this protection in 64-bit versions of Windows XP nearly two years ago) was more controversial than we would have expected. It’s a complicated world — that’s all I can say.”

Depressingly, though, if you read down in Allchin’s post exonerating Vista, you find yourself in a discussion that’s eerily similar to the kinds of talk that we’ve heard about Windows XP for years.

“If you are like most users and receive e-mail from unknown people, are not really sure even what executables or ZIP files are, run a lot of software and browse the web downloading programs with abandon, then our best advice remains the same: You should 1) stay current with the latest security updates (and in this case I urge you to use the recommended defaults included in Windows Vista); 2) use a firewall (there’s a great two-way firewall built into Windows Vista! Or, use a third-party solution that you can buy); and 3) use anti-malware software. I recommend using the combination of Windows Defender and an add-on anti-virus software program such as Windows Live OneCare or one of the many great products available from third parties, such as Sophos.”

Sigh.