by Bill Brenner, Senior Editor

FUD Watch | Vista Less Secure Than Windows 2000?

Opinion
May 28, 2008 | 4 mins
Access Control, Application Security, Cybercrime

CSOs are holding back on Windows Vista deployments for plenty of valid reasons. But a vendor "study" indicating Vista is more vulnerable to malware than Windows 2000 seems like a stretch.

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD – overhyped security threats that ultimately have little impact on a CSO’s daily routine. The goal: help security decision makers separate the hot air from genuine action items. Those who wish to share their own examples of FUD can send them to bbrenner@cxo.com.

IT security execs continue to shun Windows Vista deployments in their organizations, even though Microsoft released it a year and a half ago. They base their uneasiness on a variety of legitimate issues.

Despite such new security features as encryption and Network Access Protection (NAP), many who have tested the operating system ran into a host of compatibility problems. Some complain that Vista doesn’t play well with their home-grown applications and infrastructure supplied by third-party vendors. Others dismiss Vista’s User Account Control (UAC) feature as more of a nuisance than the security warning system Microsoft billed it as; UAC generates a steady stream of pop-up boxes most users simply ignore.

Along the way, however, some vendors have tried to exploit users’ Vista discomfort in ways that stretch reality.

Exhibit A is some “research” San Francisco-based security vendor PC Tools released earlier this month. The company said its research, conducted over a 6-month period using anonymous statistics from its ThreatFire user base, revealed that Vista is in fact more vulnerable to attack than Windows 2000, a relic of an OS that has fallen victim to countless exploits over the years.

According to stats gathered by the ThreatFire service, Vista failed to block 639 threats per thousand computers, compared with 586 for Windows 2000, 478 for Windows 2003, and 1,021 for Windows XP.

“Ironically, the new operating system has been hailed by Microsoft as the most secure version of Windows to date,” PC Tools CEO Simon Clausen said in a press release. “However, recent research conducted with statistics from over 1.4 million computers within the ThreatFire community has shown that Windows Vista is more susceptible to malware than the eight-year-old Windows 2000 operating system, and only 37 percent more secure than Windows XP.”

PC Tools recommends users never run Vista without additional antivirus and antispyware protection. In other words, the protection PC Tools sells.

To be fair, many security vendors have painted Microsoft as a poster boy for insecurity in an effort to promote their products. It’s hard to fault them, since those vendors live and die by their sales figures. And Microsoft has given them plenty of ammo along the way.

But these research items rarely paint the full picture. ThreatFire may have uncovered more holes in Vista than in Windows 2000, but it’s far from certain the same picture would emerge if the research involved a much larger base of Vista machines fitted with a greater variety of security software than the one offered by PC Tools.

CISSP Tony Bradley recently blogged about the PC Tools research, writing that the vendor’s claims may be the very definition of FUD. “The study reports the number of malware threats that ‘got through’ and not the number of malware threats that successfully compromised or infected the system,” Bradley wrote. “Based on the PC Tools Software results, one would expect to find 64 percent of all Vista PCs infected with some type of malware.” By comparison, he noted, data from Microsoft’s Malicious Software Removal Tool for the second half of 2007 show that the number is actually less than 3 percent, compared with 5 percent for Windows 2000 SP4.

That those numbers come from Microsoft is reason for skepticism, too. But it shows that there are plenty of ways to spin the numbers.

“It seems to me that the results could be interpreted to say that ThreatFire is 61 percent more likely to let threats get to the Vista operating system, but thankfully only 3 percent result in a compromise of some sort,” Bradley concluded.

The lesson here is that IT security pros shouldn’t base their Vista deployment plans on one study alone, especially a study that seems to exaggerate the danger. Getting an accurate picture of how many flaws a product has requires careful study of lots of different reports from a variety of security vendors. Even then, it’s impossible to get at the absolute truth.

Of course, the only research that matters for most IT security pros in the end is the research they do in their own test beds. That testing is the reason Vista sales have fallen well below expectations in the business world.