Experts: Don't buy Vista for the security

New Microsoft operating system is a leap forward in security, but few people familiar with it say the advances justify an upgrade.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
6 min read
Experts: Don't buy Vista for the security Windows Vista is a leap forward in terms of security, but few people who know the operating system say the advances are enough to justify an upgrade.

Microsoft officially launched Vista for consumers Tuesday. The software giant promotes the new operating system as the most secure version of Windows yet. It's a drum Microsoft has been beating for some time.

"Safety and security is the overriding feature that most people will want to have Windows Vista for," Jim Allchin, Microsoft's outgoing Windows chief, told CNET News.com a year ago. "Even if they are not into home entertainment or in any of the specialty areas, they are just going to feel safer and more secure by using it."

Now that Vista is finally here, pundits praise the security work Microsoft has done. However, most say that is no reason to dump a functioning PC running Windows XP with Service Pack 2 and shell out $200 to upgrade to Vista.

"As long as XP users keep their updates current, there's generally no compelling reason to buy into the hype and purchase Vista right away," said David Milman, chief executive of Rescuecom, a computer repair and support company. "We suggest people wait until buying a new machine to get Vista, for economic and practical reasons."

As in the past, Microsoft faces itself as its toughest competitor. SP2 for Windows XP, which was released in August 2004, marked a significant and much-needed boost in PC security. Since then, Microsoft has released Internet Explorer 7 and the Windows Defender antispyware tool for XP. As a result, the older Windows version is simply good enough for many users.

"Upgrading to Vista is pretty expensive, not only the new software but often new hardware as well," said Gartner analyst John Pescatore. "If you put IE 7 on a Windows XP SP2 PC, along with the usual third-party firewall, antiviral and antispyware tools, you can have a perfectly secure PC if you keep up with the patches."

News.com Poll

Vista: Now or never
How soon do you plan to move to Microsoft's latest OS?

I'm standing in line right now to buy it.
Whenever I buy my next PC.
Windows XP is going to last me a good, long time.
I'm sticking with the Mac--or moving there soon.

View results

Vista is the first client version of Windows built with security in mind, according to Microsoft. That means it should have fewer coding errors that might be exploited in attacks. Vista also includes several techniques and features designed to make it harder to attack computers running Vista and easier to thwart attacks if they do happen.

"Vista is light-years ahead of XP from a built-in security perspective," said Pete Lindstrom, a Burton Group analyst. "But the market will decide whether it is important. Note that there haven't really been significant problems with the operating system lately, and our memories are short."

If most consumers think like Brian Lambert, a student at Southern Illinois University, it doesn't bode well for Microsoft. "The added security alone is not worth the money when comparing Vista with Windows XP SP2," said Lambert, a member of CNET News.com's Vista Views panel.

But Chris Swenson, an NPD Group analyst, thinks that many consumers will prefer Vista's built-in security features over adding defenses to their XP machine.

"A lot of customers will prefer to either buy a new machine with Vista or upgrade a recently acquired XP machine with Vista in order to get at this added layer of protection," Swenson said.

If you are in the market for a new Windows PC because your old computer is outdated or otherwise failing on you, Vista is your best bet, all experts agree. That's even if you're considering buying a Mac, said David Litchfield, a noted security bug hunter.

"If you're looking to buy a new computer, the security features built into Vista tip the balance in its favor over other options such as Mac OS X," Litchfield said. "We've moved beyond the days of lots of bugs and worms. Recent history shows that Microsoft can get it right, as they did with XP SP2. With Vista, they will again demonstrate that."

Litchfield and other security researchers are impressed with the work Microsoft has done on Vista, in particular because the operating system has gone through the company's Security Development Lifecycle, a process designed to prevent flaws and vet code before it ships. Also, Microsoft challenged hackers to break Vista before its release.

Key Vista security features

User Account Control: Runs a Vista PC with fewer user privileges, which dictate how software can interact with the PC. UAC asks for permission to lift security barriers whenever software requires it.

Protected Mode for IE 7: Prevents silent installation of malicious software by Web sites by stopping the Web browser from writing data anywhere except in a temporary folder without first seeking permission. IE 7 is also available for Windows XP, but the protected mode is not.

Address Space Layout Randomization: Loads key system files in different memory locations each time the PC starts, making it harder for malicious code to run.

Windows Defender: Detects and removes spyware. Also available for Windows XP.

Windows Firewall: Blocks attacks from the Net and includes limited outbound protection. Also in XP, but improved in Vista.

BitLocker: Encryption for hard drives. Only in Vista Enterprise and Vista Ultimate.

"To be clear, XP SP2 was a massive leap for Windows security. But XP SP2 was not the systemic, top-to-bottom, scrub-everything experience that Vista is," said Dan Kaminsky, an independent security researcher. "XP SP2 secured the surface. Vista security goes much deeper. It's a far bigger leap."

Kaminsky was among about two dozen hackers asked by Microsoft to try to hack Vista. The exercise took about eight months, and Microsoft paid attention to the feedback, he said. "They did what we asked," Kaminsky said. "The security community spent years bashing Microsoft, and (Microsoft) deserved to get bashed. But they listened."

Robert McLaws, a blogger who writes about Microsoft, is particularly gung-ho about Vista. He recommends that everyone buy a copy as soon as possible. "Security is the No. 1 feature in Vista, and everyone with a computer in the house should go out and buy it," he said.

All the praise aside, Vista isn't flawless. In fact, Microsoft has issued security patches for the operating system even before its final release.

"To think there won't be vulnerabilities and there won't be exploits is inappropriate," said Michael Cherry, an analyst with Directions on Microsoft. "At best, we should see the number of them decline and the time in between them increase."

No software is without flaws, and Microsoft will be the last to deny that.

"While we greatly improved the security of Windows Vista and we believe it is the best system available, I have always been clear that the system is neither fool-proof nor unbreakable; no software I have seen from anyone is," Allchin wrote on a Microsoft corporate blog last week.

Some critics, however, say Microsoft has reserved too many of the security features for the high-end editions of Vista. The operating system comes in five different versions (with a sixth, "Starter" edition designed for developing countries), but only Windows Vista Ultimate--the most expensive one--includes the maximum level of protection.

Even more, Vista comes to market in an era in which criminals are taking to the Net and looking for profits by breaking into the PCs of unsuspecting Web surfers. Vista is their next target.

"I don't want people to expect that their computer is never going to be compromised because of Vista; that's simply not the case," McLaws said. "The nature of maliciousness on the Internet is changing rapidly. It used to be that nerdy kids were trying to outdo other nerdy kids. Now it is criminals."