back to article Vista security credentials tarnished in malware survey

Windows Vista is better at protecting against malware than XP but more easily infected than Windows 2000, according to a study by Australian anti-virus firm PC Tools. The survey calls into question Microsoft's oft-cited claims that Vista is its most secure operating system. Recent research based on malware scans of more than …

COMMENTS

This topic is closed for new posts.
  1. M Brown
    Stop

    *listens to the sound of distant rumbles*

    Hmm what could that be? Oh wait, its the stampede of bandwagoners to come and have a go at Vista because they'd rather be seen dead than like a Microsoft product by their like minded peers..... cause you know, Bill Gates is the absolute anti christ, and I often get the impression that he is worse than Hitler to a lot of IT folk round here

  2. Andrew
    Paris Hilton

    Viruses Incompatable With Vista?

    Seems to me that it could be the case. Or just the fact most people are sticking with Windows XP.

    Paris because shes one of them dumb blonds who would get infected with malware.

  3. Ash

    Click to allow...

    "AusLogics Disk Defrag wants to install. Allow?"

    "Yes."

    "ZoneAlarm Free wants to install. Allow?"

    "*sigh* Yes."

    "AVG Antivirus Free wants to install. Allow?"

    "FFS YES."

    "Website wants to install R00tm3 ActiveX control. Allow?"

    "YES YES YES YES YES STOP ASKING ME!"

    Not secure, but certainly deniable.

  4. Anonymous Coward
    Paris Hilton

    Erm...

    Is it just me, but I would have thought the average Joe who buys a cheapo PC in PC World and doesn't know anything about security, who opens every attachment on each email he receives is far more likely to be running XP or Vista than Win2k? I would have thought the majority of users of Win2k are rather more IT savvy (or at least their sysadmins are...). So you would expect win2k machines to have less problems since the users are less likely to expose themselves to possible malware vectors and are more likely to keep them up to date.

    Paris, because she uses Vista...

  5. Svein Skogen
    Flame

    I wonder

    How many of those vista machines in the test pool, that had UAC disabled and administrator-privileges?

    //Svein

  6. Dave K
    Stop

    Usage scenarios?

    Or it could be that 2K is only really used inside some businesses these days that haven't migrated to XP or Vista - hence PCs that are more likely to be sat behind a company firewall and have an up-to-date anti virus app on them?

  7. David
    Happy

    Because Professionals....

    that have to use Windoze know to use win2000... nuff said?

  8. Anonymous Coward
    Anonymous Coward

    PC tools?

    Wouldn't trust any info from them, never mind trust their products. Complete crap is the nicest description I can come up with

  9. Anonymous Coward
    Flame

    Even malware writers hate Vista...

    Even they would rather use and code for XP than Vista, so naturally the preferred OS of the lot gets the most malware!

  10. Anonymous Coward
    Anonymous Coward

    @M Brown

    Good job Godwinning the discussion before it even starts.

    If you re-read the article and think really hard you might start to understand why the poor buggers who have to admin the crap that Mr.Gates has been shoving down the throat of middle managers for the past decade or so get a bit upset.

  11. Sarah Millin
    Gates Halo

    some missing details

    I would like to know if those Vista machines that were badly infected were using Internet Explorer in protected mode and the UAC was on.

    Both these features can be a bit irritating but they do protect against malware.

  12. Richard
    Coat

    Vista vs others

    @M Brown...

    Whilst I agree with you on the bandwagonning comment, surely you would agree that if Microsoft produced a cheaper, more reliable and secure product then it would not be an issue?

    I personally use linux of various flavours but if I did use a Micro$oft product it would be Windows XP, purely because of my bad experiences with compatibility and performance of Vista. Its all flash and no bang...

    I'm getting it because I don't want to start another Microsoft vs Mac vs Linux debate...

  13. Anonymous Coward
    Dead Vulture

    Ubuntu

    No mention of Ubuntu then, quickly becoming more popular than Windows?

  14. Stephen Booth
    Alert

    No story

    No OS can be proof against user stupidity. No matter how secure it is if the owner of the machine is stupid enough to try and install software of unknown origin then the machine is going to get infected.

    Its therefore no wonder that an OS thats shipped by default to home users has a higher infection rate than an OS thats typically only used by IT professionals.

    I'm no great fan of Vista but this seems a bit bogus to me.

  15. Rob

    Win2k

    Win2k was my favourite, it never mucked about like the others have, xp was alright but vista is just horrible I don't know why i ever bothered installing it, You do a dual boot with xp and all you end up with is an awful awful mess of access rights, great, so straight after a clean install I don't have priviledges to write a file to my own desktop?!? or to change ID3 tags of files in my music folder?!?!? when I only have a single, admin account ?! what a f**king state

  16. Wibble
    Coat

    Different conclusion

    "Most malware infections rely on tricking users into doing something stupid"

    So isn't it really telling us that there's a higher proportion of morons using Vista and XP and the smart people are still using Win2000?

  17. frymaster

    @Richard

    Ubuntu is quickly becoming more popular than it was, but I don't think you can say it's becoming more popular than windows, really.

    In my house there are 4 windows installations to 3 linux ones, and that's only if you include the wrt54g. I suspect the average business has a higher windows-to-linux ratio than that, and I bet the average house certainly does

  18. Bob Bobson
    Gates Halo

    Who cares about 2k?

    2K's market share is tiny now, and much of it's alleged security will be down to demographics, as hinted at by other correspondents, and the fact that there's no money to be made in attacking such a minor OS.

    Also, IT pros run server 2k8 as a desktop OS.

  19. Neil
    Gates Halo

    What a pointless investigation

    So lets compare an OS used mainly by companies and likely behind corporate firewalls, and have up-to-date antivirus as set up by a qualified network team, vs an OS whose primary users to date are home users, probably their only security is the built in windows firewall and the Windows Defender. Seems like a fair comparison?

    I mean, by all accounts take 3 PCs, stick them in the same conditions, visit the same sites and click the same buttons and see which comes out on top. Taking a sample of 1000 PCs running each OS, each with clearly different purposes really proves nothing.

    And lets face it, if Vista was more secure you could bet my left butt cheek that Norton and all the other security companies out there would start mounting their anti-competive lawsuits straight away...............

  20. Slaine

    Irish Virus (no offense)

    Congratulations, you have just been infected with a computer virus.

    It's too late to save your data.

    Please open a "run..." command window and type, 'format c:/u/s', 'Y'

    Thank you.

  21. Richard

    @Frymaster

    "Ubuntu is quickly becoming more popular than it was, but I don't think you can say it's becoming more popular than windows, really"

    I never said that! (Though Ubunutu is my preferred 'flavour' of Linux)

  22. Chris
    Boffin

    Still worryingly high

    By simple averaging, even the win2k sample works out as every other machine being infected. Clearly, this won't be the case as it's more likely that once a machine is compromised it's going to have a lot of malware, so per 1000 machines you may have 50 machines with about 10 pieces of malware each and 950 machines with none.

    A much better figure would be to see what proportion machines have at least one infection, broken down by OS.

    Simply counting the number of infections is scaremongering and an anti-virus company wouldn't want to do that, now would they?

  23. DM
    Stop

    Three out of four people make up 75% of the population.

    This is meaningless,

    Number of infections is not a useable metric to define security. Move along nothing to see here.

  24. Thomas

    Much the same comment as many others, different phrasing

    "It's worth bearing in mind that PCs infected with malware are likely to harbour multiple infections, so PC Tools' stats don't shed much light on the percentage of infected machines."

    So either some PCs are more likely to have malware than others, or malware now comes in bundles? If you mean to imply the former, then it presumably follows that there is no reason that any differences in infection rates over the different OSs couldn't be down to demographics?

    I should probably fess up as a Windows 2000er, but that's only because I switched to Mac quite a few years ago and 2000 is the most recent copy I have, hence the only one I've bothered to install as a VM. I don't use it very often. To be honest, I'm more concerned about some of the third-party tools that come with OS X (Perl, PHP, etc) and even then the firewall in my router makes me feel secure.

  25. Anonymous Coward
    Joke

    An English Virus pop-up

    "Right you French ponce, I've infected your Word documents, which are being forwarded to those German goosesteppers in your contacts list just to remind them who won the war.

    Then I'm off down the pub to slag off that Scottish git Gordon Brown, and whinge about taxes/the weather."

  26. Steven Knox
    Dead Vulture

    Missing/incorrect information

    "... 586 for 1,000 machines running Windows 2000. Servers running Win 2003 had ... 586 unique threats per thousand machines. "

    So, same results for 2k and 2k3, or wrong number copied? And what version of Windows 2000 are we talking about?If they're including 2000 Server and Advanced Server in their results, that would likely skew the 2000 rates down significantly.

    This article raises more questions than it answers. I'd like to read the full report; perhaps someone could post a link to it?

  27. Chris C

    Useless stats

    How many of those Win2000 systems were servers? I find it difficult to believe that servers are infected with malware, unless you consider "malware files stored on servers" as infections. And if you do that, you can even claim that Samba servers are infected with Windows-based malware and viruses.

    I haven't used Vista much. It came on my notebook and I replaced it with XP. I didn't like how it was so slow, I didn't like the look and feel, and I didn't like that most software (at least when I purchased it) had problems with it. I also didn't like how the Automatic Updates did not give any meaningful progress indicator. However, as much as I dislike Vista, I do so, and will continue to do so, on the merits. I will not bash Vista because of people's stupidity.

    I've said it before, and I'll say it again -- a computer cannot protect people from themselves. In the end, it is the user who instructs the computer what to do. As an anecdote, I had a client a number of years ago (2001 or 2002, I think) who had infected her computer with a virus, and I was called out to remove it. She had antivirus software on her computer, and it was an older virus, so I didn't understand how she got infected. When I asked what happened, she said she received an email and the antivirus software warned her that the email attachment was infected, but she selected to ignore it and run the attachment anyway. When I asked her why she ran a file she knew was infected, her answer was "Well, I had to see what it was".

    If you build a foolproof system, they will build a better fool. When you have users who click "OK" and "Yes" buttons without even reading the messages they are responding to, you cannot blame the OS. There are those of you who will say you can blame Microsoft because you feel they conditioned people to click on things, but in the end, it's the users performing the actions. As such, it is the users' fault for not reading what they are responding to. This goes for pop-up windows as well as license agreements and contracts.

  28. Dustin
    Stop

    Sigh

    So, it appears to me that the data proves one thing, it's the user's fault. Vista is based off of the Server 2k3 platform, just like XP x64. The users of said 2k3 systems are less likely to behave in a way to put the system at risk. What is not started in this 'Research' is what the operational environments were and how the systems were being used. Blah blah blah, point being, I do not operate my system with AV or anti spyware. I do install said software and run system scans from time to time to confirm that........My system doesn't get infected because I don't do stupid things online, I'm at risk but very careful. Don't blame the OS, blame the jerks behind the keyboard.

  29. Quirkafleeg

    @Bob Bobson

    “Also, IT pros run server 2k8 as a desktop OS.”

    2k8 = 2800…

  30. Anonymous Coward
    Thumb Down

    @ dustin ?

    Don't blame the OS, blame the jerks behind the keyboard. ????

    Dustin question for you How much command line utilities does Windoze give you when you do have major issues ?

    Can you goto CLI mode and do a recovery of GUI in windows without having to fiddle with it ? or even change your windows manager for kde to gnome or whatever ?

    Can you actually debug and fix install anything useful from CLI ?

    When the jerks sitting behind the keyboard click yes and yes and more yes do they get prompted for a root password ?

    Can they get as part of the OS tools FREE tools provided by OS to find cure issues caused by a badly written OS ?

    the answer is NO so back to the jerks who design this shite.. and the jerks who support it like YOU keep jerking behind windows dude you will get to see the light one day and it wont BE MS lol

  31. DZ-Jay

    85% of all statistics are made up.

    67.8% of tests prove this conclusively. The remaining 52.95% prove the opposite is false.

    -dZ.

  32. Nexox Enigma

    Easy to infect?

    Seems as though I remember plugging a fully patched 2k box into the Internet with no firewall and having it owned within 20 seconds. Then again that was a while ago, but they haven't released any new service since then. XP stays connected to the internet with minimal firewalling and no magic infections. Until the users click those damned links in spam...

  33. James O'Brien
    Flame

    @Click to allow...

    Couldnt have said it better myself. Hats off to you and I will also throw a shout out to you at the pub here tonight.

    As for the Ubuntu comment and it becoming more popular, are you insane? :ets do the math here, 99000000000* Windows boxes (average users) and probably 10000000 Ubuntu and thats if we are lucky. Its gonna be a while bro

    *yes I know horribly inflated but probably close to the truth as well.

    /mines the one on fire

  34. James Pickett
    Thumb Up

    What about Win 98?

    Any figures for that? Mine's still going strong...

  35. George Johnson
    Coat

    Right lets get this over with....

    ...blah, blah, blah...Linux is great...blah, blah, blah...Mac is great...blah, blah, blah...BSD is great...blah, blah, blah...Linux/MAC/BSD never get hit...blah, blah, blah...perfectly safe...blah, blah, blah...thumb nose as M$ plebs...blah, blah, blah...

  36. Pierre

    Vista more secure than XP?

    Might it be because Vista is still far less used, as no one wants it?

    give it a couple of month, and I bet there will be 37 % MORE malware on Vista machines Than on XP ones.

    The number of unique malware per 1000 machines is relevant here, the keyword being "unique". Stop trying to look stupid.

    Also, the fact that tech-savvy users don't want to be anywhere near a Vista machine whereas Joe Bloggs will take whatever PC Worlds sells might bias the numbers. But isn't that very fact a clue about the crappiness of Vista, in the first place?

  37. vahid
    Thumb Down

    Problem is now fixed get XP and SP3 now !

    yep install XP and make sure you have SP3 now this will fix all your issues, since you will be constantly rebooting your hacker wont get a chance to run anything

    All fixed

    get a proper OS you windows bible bashers.

  38. tempemeaty

    Malware x 2

    Vista is malware. It collects user data then sends it off to people you don't know for them to do what they want with it. MS did say it does that...

  39. Dai Kiwi

    Where's a link? We need more info

    A quick search turned up the original (?) article on InformationWeek. Can't find anything in PC Tools' press releases.

    I agree with some other's comments here - while the report is interesting there is more information wanted, and a better breakdown of threats/OS. I see the correct figure for Windows 2003 is 478:1000.

    I also see that Threatfire is 32 bit only, which will definitely skew the figures for Win2003, & possibly Vista too. I'd like to know if there was a noticeable difference between XP Home & XP Pro? And likewise, do the report rates vary across the different flavours of Vista? My first instinct is to say that the home systems would have significantly higher rates than business ones. This would support the infection through ignorance thesis. If the levels are substantially the same that would put things in the favour of the 'Vista is pants' camp.

    Maybe one of the Reg writers could see if they can turn up that information for us as a follow up?

  40. Chris

    I'd like to know a bit more

    You see, it occurs to me that the figures are roughly what I'd expect, given the sort of user of the respective operating systems and the age of the systems.

    Think about it. Who's likely to be running 2k these days? 2003 Server? Probably people who have a clue...

    Both have low vulnerability ratings... Could it possibly be that the users have set them up rather better than the XP/Vista users? Despite the fact that a 2k system has almost certainly been around longer than any of the others. And 2003 isn't exactly new, is it?

    As for the Vista/XP difference. Could it possibly be that copies of XP will tend to have been running longer, with less than savvy users? Accumulating more vulnerabilities? I'm not popping at XP YOU, as an XP user either - I'm one too - but just look at the competence of your average XP user!

    And copies of Vista simply not having been around as long, regardless of the competence of their users, simply not been running long enough to accumulate vulnerabilities?

    And how about the vulnerabilities as a fresh install with default settings?

    Or the level of security patch application?

    OK, let's do a 'survey'. Comparing Apricots, Sardines, Fish fingers and Belt buckles... Comparing them measuring the same parameters. Taking no account of their use, age.... Um, get the idea?

    99% of statistics a useless. 98% of statistics might as well be made up. The other 1% are lies.

  41. suc
    Alien

    this news is the best FUD I've ever heard!

    this news is the best FUD I've ever heard!

  42. Chris C

    re: AC @dustin

    "How much command line utilities does Windoze give you when you do have major issues ? ... Can you goto CLI mode and do a recovery of GUI in windows without having to fiddle with it ? or even change your windows manager for kde to gnome or whatever ? ... Can you actually debug and fix install anything useful from CLI ? ... When the jerks sitting behind the keyboard click yes and yes and more yes do they get prompted for a root password ? ... Can they get as part of the OS tools FREE tools provided by OS to find cure issues caused by a badly written OS ? ... the answer is NO so back to the jerks who design this shite.. and the jerks who support it like YOU keep jerking behind windows dude you will get to see the light one day and it wont BE MS lol"

    Sadly, it is this type of person who has the loudest voice in the FOSS world. And let's be honest, when you hear/read something like this, what's your first reaction? Mine is to walk away. This is the kind of attitude that will keep the average person (and many businesses) away from FOSS. Mindless, foaming-at-the-mouth babbling like the above does nothing to help your cause. If you really want people to understand that your choice of OS is better than Windows (whatever your choice is), then be polite and give clear, concise information and reasons why you think that way. Then again, from my experience, the type of person who writes such drivel as the above, and constantly bashes people for using Windows, is the same person who says they don't want the average person using their choice of OS (obviously because they somehow feel superior or "leet"). In the past, I've defended the IT workers and have said the stereotype is wrong. Perhaps the stereotype is more correct than I thought, and I'm just different.

  43. Anonymous Coward
    Anonymous Coward

    @ Chris C

    "the user who instructs the computer what to do"

    ok, so how do I conclusively prove that I haven't done something stupid and that my machine is owned by me.

    absent of proof, I think I'll keep away from the totally secure on line banking experience.

  44. Elrond Hubbard
    Linux

    hoho

    is you win-OS insecure? unstable? expensive? simply shite?!

    try linux - be free!!

  45. Anonymous Coward
    Alert

    Simple Reason

    The uneducated use Vasta cos they were told to.

    The Pros use 2000 2003 XP etc.

    Hence it is obvious which machines are better cared for and which will be riddled

    (Vasta because it needs vast amounts of everything! time to throw another kitten into the ms Furnace)

  46. John

    @Bob Bobson

    good god man, you run a server with a head on it???? IT pro ???

    Users are the main security issue and this PC Tools (never heard of them) is desperate for some business.

  47. arbeyu

    I've said it before...

    If a computer is going to be usable, then the operating system must allow the installation of OS patches and applications. That's the problem right there, and it means that it is impossible to fully secure an OS. There has to be SOME mechanism to allow users to install software, and that mechanism will equally well let them install malware.

    If non-technical users are to use a computer, the mechanism to allow the installation of OS patches and applications must be easy to use and as unobtrusive as possible. Ergo, the installation of malware is also made very easy.

    The problem isn't the OS - it's the users. Letting non-tech users use computers is a bad idea for security. Unfortunately, it's also the only way that we can afford to have home computers in the first place... Without the non-tech users there wouldn't be the mass market driving down the unit cost.

    Ubuntu could suffer just as much - if it ever reaches an installed user base large enough to be worth the attention of malware writers. Windows may have a special problem in that the line between OS and Application is more blurred than it is in Linux, but exactly the same logic applies to both: If you have to let a non-technical user install software or patches then you've immediately allowed a route in for malware.

    The only solution is to start selling computers as "appliances" with no user-modifiable parts or software. It's a radical departure from what tech users think of as being a general-purpose computer, but I bet it's what 95%+ of users think of the wee box sitting in the corner of their room.

  48. alistair millington
    Thumb Up

    @M Brown

    Well bandwagons and vista just happen along so often you gotta jump on board for the ride.

    M$ have given so much ammunition to be angry, annoyed and upset since it's release you can't blame people for agreeing when something like this comes out.

    Everything Vista was hailed for has been proven wrong or incorrect, from the amount of support it had by third parties to the features working on a base spec machine that is "Vista ready".

    That being said I think the numbers reflect people trying to hack it based on how many people actually own a copy. Why try and corrupt a tiny % of machines out there when XP is still the main use OS.

  49. James
    Dead Vulture

    @ Richard

    "Whilst I agree with you on the bandwagonning comment, surely you would agree that if Microsoft produced a cheaper, more reliable and secure product then it would not be an issue?"

    They do - Windows Mobile aka CE.

    It's cheap, secure and reliable enough to go into high availability applications like phones.

    It's also about as useful as Ubuntu et al for the average PC user, but I bet it would fly on a Core 2.

    Back to the article - perhaps a more useful survey would be a comparison between user-created risk ("click this link for FREE PRON!") and genuine technical risk due to OS vulns.

  50. Anonymous Coward
    Anonymous Coward

    Most used win

    The number of infection per OS seem to be directly related to the number of people actually using the OS.

    1. Of course Windows XP will have the most

    2. Of Course Win2k/2003 will have the less, because there is a lot less in use

    3, Of Course There is almost none for Linux/MacOS (very fews peoples are using them)

    4. Of course most attack rely on user action and since now these day everyone have a computer and 90% of know as much about computer then they used to know how to program a VCR.

This topic is closed for new posts.