Vista and XP are equally at peril to malware… wait, what?
mb
Harry Waldron pointed out on his blog an article from the CRN Test Center that claims that XP and Vista are equally at peril when it comes to security.
There are many problems with this CRN review, the most obvious being that they appeared to be testing Vista as a virus-detection platform, which it isn’t. In Windows Vista, like every other OS, virus scanning is not part of the OS and requires additional software. Vista does, however, warn you when you do not have any anti-virus software installed.
But that aside, the article does not make it clear exactly what they did in their tests. In fact, it looks as though they did just about everything they could to deliberately get infected. This does test an OS’s ability to detect malicious software, but it does not take into account that common sense is really the main defense, no matter what OS you run.
Yes, if you deliberately want to infect Windows Vista you can.
Another point the article isn’t clear on is how much effort it took to track down these malicious web sites, add them to their Trusted Sites zone, and manually download and install infected software. How many prompts did they have to dismiss to get to the point of infection? You really can’t do anything important on a Vista machine without a UAC prompt.
Yet another point they fail to make is how many of these exploits were actually successful. Just because the OS didn’t warn the user doesn’t mean the exploit succeeded. Downloading a virus isn’t an infection; you still have to run it. Furthermore, you can run an old exploit all you want against a patched machine but it just won’t work.
To clarify Vista security, the bulk of the improvements aren’t in detecting malware, but in making the user aware, mostly through prompts, of barriers between trusted and untrusted content. Nevertheless, the article does show that there is room for improvement in the defense-in-depth strategy.
So anyway, I e-mailed the author to let him comment before I published this post and he responded that part of the hype was added in his article through the editing process. The details and charts do show that Vista performs as well as or better than XP. That’s fair enough; plenty of editors have changed the emphasis of my articles as well. Let me go back and edit out some of the rude comments I made above. There.
I guess the title they chose is a lot more interesting than “Vista is More Secure than XP.” FUD is definitely a problem in the security industry and as we can see, it can come in at any point of the editorial process.

June 1st, 2007 at 7:46 am
Why should viruses even infect systems? On purpose or not, the system shouldn’t let normal users do stuff they shouldn’t be doing. I’m just trying out Ubuntu Linux and I think that having the user/groups permission system in the lowest layer possible (the file system) is just genius.
If Microsoft started using file systems like ext3, surely they would have a really strong OS without having to add tons of security software.
BTW: there are three mail verification fields, and when I submit the comment it just says “Thanks but dont fill out that field. :)”.
Which field?
June 1st, 2007 at 8:32 am
Thanks for pointing out the e-mail field problem.
–mark