Zero-Day Malware Attacks You Can't Block
Zero-Day Defense in Microsoft's New Operating System
How well will the much-touted new security features in Windows Vista protect you from a zero-day attack? Better than you might think.
The key new feature may be User Account Control, which changes user account permissions in Vista. As a matter of convenience--since administrator privileges are required for many common system tasks--almost every home user runs Windows XP under the administrator setting. But attackers can take advantage of the setting's carte-blanche rights to make major modifications to a system, such as by installing malware-hiding rootkits.
In contrast, the default Vista user account occupies a middle ground between an anything-goes administrator account and a hands-tied guest pass. Microsoft has tried to make the change more palatable by authorizing standard account holders to perform some routine system tasks such as printer driver installation, but power users are already complaining about having to click through too many User Account Control prompts that demand an administrator password.
Also, Internet Explorer by default runs in a protected mode with the fewest permissions possible. This arrangement limits the havoc that a zero-day exploit capable of hijacking IE (such as the WMF or VML exploit) could wreak on your PC.
Finally, Vista ships with Windows Defender, which provides baseline antispyware protection and can block attempts by malware to add entries to the startup folder. The operating system also shuffles the locations at which libraries and programs load into memory, so malware that attempts to find and change the system's most important processes will have to hit moving targets.
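The defenses described above can be audited from the administrator's side. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the documented registry values for User Account Control (EnableLUA) and for Internet Explorer's Protected Mode in the Internet zone (zone 3, value 2500), reports whether the current session already holds a full administrator token, and lists what sits in the per-user and all-users Startup folders that Defender watches. It makes no changes; it assumes the standard registry and folder locations of Vista and later and reports "unknown" where a value is absent.

```powershell
# Added example (not from the article): read-only audit of the Vista-era
# defenses discussed above. Registry locations are the documented ones;
# a value missing on a given build is reported as "unknown".

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null
    }
}

function Test-UacEnabled {
    # EnableLUA = 1 means User Account Control is switched on.
    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
    if ($null -eq $v) { return 'unknown' }
    return ($v -eq 1)
}

function Test-IsElevated {
    # True when this PowerShell session runs with a full administrator token,
    # i.e. the "anything-goes" situation the article warns about.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IEProtectedMode {
    # Zone 3 is the Internet zone; value 2500 = 0 means Protected Mode on, 3 means off.
    $v = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' '2500'
    if ($null -eq $v) { return 'unknown' }
    return ($v -eq 0)
}

function Get-StartupFolderEntries {
    # Per-user and all-users Startup folders: anything here runs at logon,
    # so unexpected entries deserve a look.
    $folders = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    foreach ($f in $folders) {
        if (Test-Path $f) {
            Get-ChildItem -Path $f -Force | Select-Object FullName, LastWriteTime
        }
    }
}

"UAC enabled:          $(Test-UacEnabled)"
"Session is elevated:  $(Test-IsElevated)"
"IE Protected Mode on: $(Test-IEProtectedMode)"
"Startup folder entries:"
Get-StartupFolderEntries | Format-Table -AutoSize
```

Run it from an ordinary (non-elevated) PowerShell prompt; that is the configuration the article recommends, and the "Session is elevated" line should then read False. The memory-layout shuffling mentioned above has no per-machine switch that the script can read on Vista, so it is deliberately not reported here.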
December 28, 2005: In this precursor to the similar VML attack, a flaw in Microsoft's little-used WMF image type permits drive-by downloads to occur if a user views a page containing a poisoned image. Microsoft releases an early patch on January 5, but in July a malicious banner ad infects millions of as-yet-unpatched PCs visiting MySpace, Webshots, and other sites.