But while Vista is safer than XP, experts expect online thugs to quickly look for ways to circumvent Vista's protections. One increasingly common method is to use social-engineering tactics to target the person, not the PC.
"People will still execute that file to see Paris Hilton's next video," says Thompson of Exploit Prevention Labs. Social-engineering techniques that send malware in the guise of a game or a sexy video exploit people's curiosity or ignorance to get them to click a tainted link or attachment. If someone clicks, the malware has already evaded half of their computer's automated defenses, including the firewall. "Vista is an improvement," says Thompson, "but it's not the end of the malware industry. Not by a long shot."
Another potential end run around Vista's defenses is to attack programs rather than the operating system. Media players such as the Adobe Flash player and Apple's QuickTime have suffered recent attacks as hackers discover and exploit serious software vulnerabilities--with poisoned online movie files, for example. To keep your machine safe, patching your programs has become just as important as fixing the operating system they run on.
"The applications are sitting on every desktop, and they all have known vulnerabilities," says Andrew Jaquith, a security analyst in The Yankee Group's Enabling Technologies Enterprise division.
For PC users, the message is clear: Though Vista may make things more difficult for crooks, it is far from impregnable. You will still need to apply patches to close the inevitable holes.
And finally, you must still use the same type of antivirus protection that you needed with XP. (For our review of antivirus programs available for Vista, see "Virus Stoppers.")
To date, three serious holes have been found--and patched--in Vista, as follows:
- Animated cursors: A flaw in animated cursor code used by Windows 2000 SP4 through Vista. With a poisoned .ani, .cur, or .ico file, remote attackers can create a buffer overflow, overwhelming a program with more data than it can handle and allowing takeover of a victim's PC. Fixed with Microsoft's critical MS07-017 patch.
- Malware Protection Engine: A critical vulnerability in all versions of Windows using the Microsoft Malware Protection Engine, built into Vista's baked-in Windows Defender anti-spyware and the Microsoft OneCare antivirus program. The flaw can force the engine to execute attack code when it scans a maliciously crafted PDF file. Fixed in Microsoft's critical MS07-010 patch.
- CSRSS privilege escalation: A vulnerability in the error handling of the Windows Client/Server Runtime Subsystem (CSRSS) could allow an attacker to make an end run around Vista's UAC (User Account Control) protections. Fixed in Microsoft's critical MS07-021 patch.
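The animated-cursor entry above describes the classic file-format failure: a parser that trusts a size field in the file and copies that many bytes into a fixed-size buffer. The following is an added example, not code from the article and not Microsoft's cursor-loading code, showing how a defensively written reader of the RIFF/ACON animated-cursor format validates the declared chunk size twice (against the bytes actually present and against the fixed destination) before copying anything. The 36-byte, nine-field layout of the 'anih' header is taken from public descriptions of the ANI format, not from the article; the sample files are constructed in the code itself, and the `build_sample_ani` / `check_sample` helpers are hypothetical names used only for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Field order of the 36-byte 'anih' animation header, taken from public
   descriptions of the RIFF/ACON cursor format (an assumption of this example,
   not something stated in the article). */
enum { ANIH_CB, ANIH_FRAMES, ANIH_STEPS, ANIH_WIDTH, ANIH_HEIGHT,
       ANIH_BPP, ANIH_PLANES, ANIH_RATE, ANIH_FLAGS, ANIH_FIELDS };
#define ANIH_EXPECTED_SIZE ((uint32_t)(ANIH_FIELDS * 4))   /* 36 bytes */

typedef struct { uint32_t f[ANIH_FIELDS]; } anih_t;       /* fixed-size destination */

enum { ANI_OK = 0, ANI_ERR_SHORT = -1, ANI_ERR_BAD_MAGIC = -2,
       ANI_ERR_CHUNK_SIZE = -3, ANI_ERR_NO_ANIH = -4 };

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the chunk list of an ACON (animated cursor) file and copy its 'anih'
   chunk into *out. The declared chunk size is checked against both the bytes
   actually left in the buffer and the fixed size of the destination before a
   single byte is copied; a parser that skips either check is the kind of code
   a poisoned .ani file turns into a buffer overflow. */
int parse_anih(const uint8_t *buf, size_t len, anih_t *out) {
    if (len < 12) return ANI_ERR_SHORT;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_ERR_BAD_MAGIC;

    size_t pos = 12;
    while (pos + 8 <= len) {                 /* room for FourCC + size field? */
        const uint8_t *id = buf + pos;
        uint32_t size = read_le32(buf + pos + 4);
        pos += 8;

        /* Check 1: a chunk cannot claim more bytes than remain in the file. */
        if (size > len - pos) return ANI_ERR_CHUNK_SIZE;

        if (memcmp(id, "anih", 4) == 0) {
            /* Check 2: the payload must fit the fixed-size destination exactly. */
            if (size != ANIH_EXPECTED_SIZE) return ANI_ERR_CHUNK_SIZE;
            for (size_t i = 0; i < ANIH_FIELDS; i++)
                out->f[i] = read_le32(buf + pos + 4 * i);
            return ANI_OK;
        }
        pos += size + (size & 1);            /* RIFF pads odd chunks to even length */
    }
    return ANI_ERR_NO_ANIH;
}

/* Constructed sample file (hypothetical helper): RIFF/ACON header plus one
   'anih' chunk whose size field is 'declared' but whose real payload is
   'payload_len' zero bytes, with frame and step counts set to 2.
   Returns the file length, or 0 if the caller's buffer is too small. */
size_t build_sample_ani(uint8_t *out, size_t cap, uint32_t declared, size_t payload_len) {
    if (cap < 20 + payload_len) return 0;
    memcpy(out, "RIFF", 4);
    put_le32(out + 4, (uint32_t)(4 + 8 + payload_len));   /* RIFF form size */
    memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4);
    put_le32(out + 16, declared);                         /* the untrusted size field */
    memset(out + 20, 0, payload_len);
    if (payload_len >= 12) {
        put_le32(out + 20, (uint32_t)payload_len);        /* cbSizeof */
        put_le32(out + 24, 2);                            /* frames   */
        put_le32(out + 28, 2);                            /* steps    */
    }
    return 20 + payload_len;
}

/* Hypothetical helper: build a sample with the given size field and payload
   length, parse it, and return the parser's status code. */
int check_sample(uint32_t declared, size_t payload_len) {
    uint8_t file[128];
    anih_t hdr;
    size_t n = build_sample_ani(file, sizeof file, declared, payload_len);
    return n ? parse_anih(file, n, &hdr) : ANI_ERR_SHORT;
}

int main(void) {
    printf("well-formed  (size 36, payload 36):   %d\n", check_sample(36, 36));    /* 0  */
    printf("size > file  (size 4096, payload 36): %d\n", check_sample(4096, 36));  /* -3 */
    printf("size > struct (size 40, payload 40):  %d\n", check_sample(40, 40));    /* -3 */
    return 0;
}
```

The two rejection cases are the ones that matter in practice: a size field larger than the file is caught by the first check, and a size field that fits the file but not the destination structure is caught by the second. Neither check depends on the file being otherwise sane, which is the property a parser handling untrusted downloads needs.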