Microsoft has added numerous other features to Windows Vista besides UAC (see 'Vista security: the truth, part I'), many of which are intended to increase the overall security of the OS. But, upon closer examination, these add-ons are only marginal improvements over previous versions of Windows.

Windows Firewall has been enabled by default on all new Windows installs since the introduction of Windows XP SP2. With Vista, Windows Firewall gains the capability of blocking outgoing connections as well as incoming ones – a marked improvement, when you consider the growing threats of spyware, phishing and DDoS (distributed denial of service) attacks.

Unfortunately, the filtering of outgoing packets is not enabled by default. In other words, without manual configuration Vista's firewall won't provide much more protection than the one included in XP SP2.

Furthermore, while Windows Defender adds antimalware capabilities, the primarily consumer-focused application doesn't seem to be in the same league as the major third-party options already available to XP users.
According to Webroot security software, Windows Defender misses the vast majority of spyware. Worse, in February, Windows Defender was shown to actually be an avenue for attack on Vista, with the disclosure of an exploitable bug in Microsoft's malware-detection engine.

And while Vista includes a hard-drive-encryption feature called BitLocker, it's only available on the Ultimate and Enterprise versions and not the consumer-focused Windows Vista Home Basic and Windows Vista Home Premium. It's not even enabled by default on the business versions, and whether it offers any real protection against advanced computer forensics techniques is questionable.

Worst of all, some features added to Vista have even proven detrimental to overall security. In January, hackers discovered that Vista's speech-recognition feature could be used to gain limited access to a remote system, including the ability to delete arbitrary files. Such annoyances sound almost cute – until they result in real data loss.


Enemy at the gates

The Vista speech-recognition exploit underscores an important point. As with previous versions of Windows, by far the majority of attacks on systems running Vista will come not in the form of exploits of the OS itself but of applications running on top of Vista.

Microsoft has made significant improvements to Vista that are designed to mitigate some of the most common types of application vulnerabilities. A group of technologies makes it more difficult for hackers to exploit commonplace bugs by obscuring the memory addressing space and protecting access to the OS kernel.

Preliminary research by Symantec suggests that Vista may still be vulnerable to some forms of attacks, but the company concludes that "the implementation of these protections achieves many of the security goals that Microsoft had envisioned".

Patches to widely used commercial applications will no doubt continue to surface during the next few months. However, until the older applications are upgraded to take advantage of Microsoft's latest security technologies, they will gain little benefit when running under Vista beyond what's provided by UAC. Although Microsoft has made significant advances, Vista is no panacea for a secure Windows-based environment.

The road to security

"We remain confident that Windows Vista is the most secure version of Windows to date," says Russ Humphries, senior program manager for Vista security in the US. "However, it is important to note that no OS is ever going to be 100 percent secure – there are no silver bullets."

The bottom line: Windows Vista is not immune to attack, nor would it be fair to expect it to be. Technological advances within the OS bring real security benefits, but Microsoft acknowledges that Vista users will benefit from aftermarket security and antimalware products as they have for previous versions of Windows.

As is often the case with Microsoft operating systems, Vista's biggest weakness lies in the desire for backward compatibility. The vulnerabilities discovered so far exploit legacy applications that don't take advantage of Vista's security model. And UAC itself is a capitulation to outdated practices. In the meantime, the watchword is caution. The overall message is that security under Vista still requires a combination of user oversight, adherence to security policies, plus third-party antimalware and security-management tools. So, business as usual. Vista does represent a significant security improvement over Windows XP, but it's still Windows.