
Data Shows Vista More Secure Than XP

November 3, 2008 8:40:23 PM

In XP machines, Microsoft's own software contained 42 percent of the vulnerabilities attacked, while 58 percent were in third party software. For Vista machines, Microsoft's software had 6 percent of the vulnerabilities attacked, with third-party software containing 94 percent of the flaws.
http://www.pcworld.com/article/153193/article.html?tk=n...

They should do a 64-bit focused study. I wonder what that would look like.
November 3, 2008 8:55:34 PM

*shrug* from anecdotal evidence I can say we get MORE Vista machines to remove viruses and spyware from than we get XP.
November 9, 2008 3:36:14 AM

How many of those computers come in with security features disabled? Just out of curiosity....
November 9, 2008 9:13:22 PM

none, the people aren't usually smart enough to turn them off.
November 10, 2008 12:14:45 AM

Then those people literally authorized the virus to install on their computers, since UAC would have prompted them with a warning before the virus could install or run. An otherwise impenetrable fortress is useless if the person manning the front gate is dumb enough to fall for the old "Did someone order a pizza?" bit.

Homer Simpson guarding the gate: "Mmmm, pizza."
November 10, 2008 1:07:39 AM

Yeah, because with Vista people have been conditioned that if the screen goes dark, and there is a button in the middle they should press the "continue" option. Some of the more recent Viruses have been using that little trick by tying into silverlight. Remember, not everyone is as technical as us lot.
November 10, 2008 4:33:43 AM

Well at least they received some sort of warning... would anything have popped up at all under XP? People want security, then do everything in their power to circumvent it. You can't expect greater security when you blindly click "Continue" when your OS is trying to warn you about what's going on. Vista is more secure... it's the users that haven't changed.

I'm tired of laziness and stupidity being blamed on the OS. People seriously need to learn safe computing practices and make sure that knowledge stays with them and is passed on to the family. If they blindly click on Next, Ok or Continue... then no matter how secure the OS is, it will always be open to attack.
November 10, 2008 4:44:41 AM

What they needed to have done is follow the Linux model of installing. Make someone type a password in and they'll think twice. Windows itself wasn't designed from the ground up to be secure in a network environment.

Also, it's not laziness and stupidity. It's just that people don't know any better. I was dealing with a heart surgeon the other day. I wouldn't say he was stupid, he just didn't really understand too much about computers, nor did he want to. He just wanted to get his e-mail.
November 10, 2008 5:10:28 AM

All right... laziness, stupidity and ignorance. That better? People that do these things are lazy... too lazy to take the time to learn about when they should click that button and when they shouldn't. Also, I'm pretty sure that if you put a password on your account, UAC will prompt you to type in that password before it allows you to click continue. Not passwording your account also equates to laziness.

Mind you, if they blindly click a button, they'll soon learn to blindly type in their password... you have to change users' mindsets... not the OS. Most people that use Linux are technically competent in the first place... so they are much more likely to actually read what's on the screen before clicking or typing a password and clicking.

People need to be educated... whether they want to be or not. It will save a lot more time and headaches for the person if they can avoid the problem in the first place rather than deal with a disaster later. People complain constantly about downtime... but do really very little to avoid it. If you're going to use / own a computer, it's your responsibility to learn about safe computing.
November 10, 2008 5:18:43 AM

Zoron said:
If you're going to use / own a computer, it's your responsibility to learn about safe computing.

I think we'll fundamentally disagree here. People should be educated, but most aren't interested. Just like people who own cars and just take them to the garage when they break, and don't learn about basic maintenance, and in some cases don't even know where to fill the water bottle. I think it's desirable for people to know what they are clicking, and know how to fix things when they break. However I'm a realist and know it's not going to happen, and they'll also keep on metaphorically(SP?) turning the key and driving along ignoring the clunks and then the squeaks until bits start falling off.
November 10, 2008 5:40:42 AM

It's still no excuse. I don't care whether or not they have the desire. If I had the power, I'd take their computer away and tell them to learn how to use it before they can get it back. My latest frustration is this whole Win Antivirus / Antispyware 2008 / 2009. It's a pain in the ass to remove, and there is no way that anyone paying attention should get it in the first place.

Again, though, we're losing sight of the main point... a computer is only as secure as the person using it. Regardless of OS, if you ignore warnings and prompts, you're going to be in trouble. I have very little time some days to look at computers coming through the door... so if I can educate a few people and get them to pay attention now and again, then I've done my job. Your computer's security is your responsibility... not anyone else's. Blaming others for your mistakes does nothing to cure the root problem.

In an ideal world, you wouldn't have to worry about malicious code and could almost click to your heart's content. We all know that this is far from an ideal world. If people can't be interested enough to learn something as simple as safe computing... then they get exactly what they deserve... and they have absolutely no right to complain about anything other than their own laziness / stupidity / ignorance.
November 10, 2008 5:45:36 AM

Zoron said:
My latest frustration is this whole Win Antivirus / Antispyware 2008 / 2009.


AdAware and Counterspy between them should clean it right out. Just did two like that tonight. :D 
November 10, 2008 3:58:12 PM

I've been using AVG to clean it... don't know how it manages to get past every single Antivirus app out there... but it does. Norton or Panda will detect parts of it, but not the entire thing. After installing AVG, I can usually get everything off and then it seems to stay off after that.
November 11, 2008 2:03:36 AM

BeakerUK said:
Yeah, because with Vista people have been conditioned that if the screen goes dark, and there is a button in the middle they should press the "continue" option. Some of the more recent Viruses have been using that little trick by tying into silverlight.

Not successfully, they haven't. There are no successful attacks using Silverlight (yet).

Quote:
What they needed to have done is follow the Linux model of installing. Make someone type a password in and they'll think twice.

Vista already has this, it's called not running as Administrator all the time. If these people aren't savvy enough to know that UAC can be turned-off, they aren't building their own computer or installing operating systems. If the OEM who built the computer delivered it with OOBE Setup that used Administrator as the default account type, or failed to guide the user to create standard user accounts, that's not a Vista problem. You can open Linux to all of the same problems by running as root all the time.

Where Linux distros being shipped on low-cost desktop or notebooks have diverged from Windows is by making it very difficult if not impossible for a user to even run as root unless they have unique knowledge of Linux. If Microsoft did this, it would immediately be attacked for trying to restrict the user's control over their own computer.

In fact, MS is already being attacked for removing "Super Admin" in Vista, requiring users to have unique knowledge in order to enable or unlock Super Admin rights.
November 11, 2008 2:25:46 AM

tcsenter said:
Not successfully, they haven't. There are no successful attacks using Silverlight (yet).

One of the users I was dealing with said something along the lines of "The Screen was dimmed, and there was a box in the middle with buttons saying Continue and Cancel". I was assuming it's Silverlight, because I've not seen the page they got the infection from, however I'm assuming it's Silverlight. Unless of course there is some other way to dim the entire screen from the browser. If it is Silverlight then I'll assume that it is being successfully used.

tcsenter said:
Vista already has this, it's called not running as Administrator all the time. If these people aren't savvy enough to know that UAC can be turned-off, they aren't building their own computer or installing operating systems. If the OEM who built the computer delivered it with OOBE Setup that used Administrator as the default account type, or failed to guide the user to create standard user accounts, that's not a Vista problem. You can open Linux to all of the same problems by running as root all the time.


However not running as an Admin causes a whole new collection of user problems. Most games won't run (And let's not even go into teaching people how to run with alternative credentials, that's a whole new can of worms to try and show people). When it comes down to it there is only so much education you can give someone, and most people just aren't interested. Going back to the car analogy, they'll carry on driving it as it starts to break and slow down. Then when it'll no longer work as they think it should, they'll take it into the garage to get it fixed up, and moan about the price when they do. TBH There is a fine balance here as well. We can't hate the people who treat their computers with disdain and can't be bothered to learn the fine details. If everyone knew as much as the techies then there would be a good number of us out of work.


tcsenter said:
Where Linux distros being shipped on low-cost desktop or notebooks have diverged from Windows is by making it very difficult if not impossible for a user to even run as root unless they have unique knowledge of Linux. If Microsoft did this, it would immediately be attacked for trying to restrict the user's control over their own computer.

I think with the Linux notebooks people aren't expecting a complicated machine in the 1st place. I've seen old ladies picking them up and learning how to use them. People who have never touched a computer before, but the nice happy, shiny interface that doesn't require you to learn how to set up your desktop and the like.

tcsenter said:
In fact, MS is already being attacked for removing "Super Admin" in Vista, requiring users to have unique knowledge in order to enable or unlock Super Admin rights.

I Agree it was a Very Bad Idea for them to totally disable the "Administrator" account. The number of people I've had to tell there is bugger all we can do for them when they have forgotten their password. In 2K/XP it's usually just a case of boot into safe mode and use that account to change the passwords. It's one of my fav fixes for older machines.
November 11, 2008 6:47:35 AM

BeakerUK said:
One of the users I was dealing with said something along the lines of "The Screen was dimmed, and there was a box in the middle with buttons saying Continue and Cancel". I was assuming it's Silverlight, because I've not seen the page they got the infection from, however I'm assuming it's Silverlight. Unless of course there is some other way to dim the entire screen from the browser. If it is Silverlight then I'll assume that it is being successfully used.

Well you're free to base your assumptions on interpretations and recollections of users whom, according to you, are not even minimally competent in understanding of computers, or you can base your assumptions on the security community who has yet to identify a single exploit or attack that uses Silverlight. But it's a free country, you can base your assumptions on the musings of Donald Duck if you want.
Quote:
However not running as an Admin causes a whole new collection of user problems. Most games won't run (And let's not even go into teaching people how to run with alternative credentials, that's a whole new can of worms to try and show people).

Why would games be less able to run under a standard user account than any other application?
Quote:
I think with the Linux notebooks people aren't expecting a complicated machine in the 1st place. I've seen old ladies picking them up and learning how to use them. People who have never touched a computer before, but the nice happy, shiny interface that doesn't require you to learn how to set up your desktop and the like.

People who have never touched a computer before would not know Linux from Vista from OS X, would not be aware the desktop required any setup, nor the relative difficulty or ease such tasks would be from one OS to the next.

People who aren't computer savvy buy cheap Linux computers for the same reason they buy cheap Windows computers - the price is within their modest budget. People who are computer savvy don't buy computers to avoid the 'complication' of personalized user settings as this would be trivial to them.
Quote:
I Agree it was a Very Bad Idea for them to totally disable the "Administrator" account. The number of people I've had to tell there is bugger all we can do for them when they have forgotten their password.

Which is what you'd be telling them if they forgot their password on Linux. So you must feel Linux has the very wrong idea here as well. At any rate, removing the default Administrator account has nothing to do with removing Super Admin behavior to which I was referring.
Quote:
In 2K/XP it's usually just a case of boot into safe mode and use that account to change the passwords. It's one of my fav fixes for older machines.

Unless the administrator account is password protected, which is more likely on XP Professional since it is not hidden from normal logon as it is on XP Home. The unsecured administrator account is a huge security risk. You can't have it both ways. Either it's bad to have huge security risks or it's not.
November 11, 2008 7:36:14 AM

tcsenter said:
Well you're free to base your assumptions on interpretations and recollections of users whom, according to you, are not even minimally competent in understanding of computers, or you can base your assumptions on the security community who has yet to identify a single exploit or attack that uses Silverlight. But it's a free country, you can base your assumptions on the musings of Donald Duck if you want.


As I said, I'm making an assumption. I'm not a coder, but multiple users have repeated the same story. The screen goes dim, and they get a message on the screen looking like a UAC warning. It's something that's tricking them, could be Silverlight, could be Java, could be something else. As it's coming from more than one source I'm inclined to believe what they say. Especially as these users have no contact with each other.

tcsenter said:
Why would games be less able to run under a standard user account than any other application?

A lot of apps need Admin privs to run. In an Ideal world you would be able to run them as a Limited user, but you can't always.

tcsenter said:
People who have never touched a computer before would not know Linux from Vista from OS X, would not be aware the desktop required any setup, nor the relative difficulty or ease such tasks would be from one OS to the next.

Except for the fact loads of folks sit there telling them how easy OSX is to use, how much of a pain Vista can be, and how Linux is too complicated for the average user. It annoys me no end, because nothing in day-to-day use is overly complicated with minimal training.

tcsenter said:
People who aren't computer savvy buy cheap Linux computers for the same reason they buy cheap Windows computers - the price is within their modest budget. People who are computer savvy don't buy computers to avoid the 'complication' of personalized user settings as this would be trivial to them.

Large Numbers of non-techie people buy Windows machines, large numbers of tech savvy people buy the easy to use Linux machines. This particular point of the argument falls on its arse really. I work with about 60 people in the same location, and a fair few have picked up things like the Aspire One because it's a basic machine that suits their purpose. Personally I find the pre-configured Linux machines to be far too restricted for my liking, so I just slap Suse on my machines alongside a Windows version.

tcsenter said:
Which is what you'd be telling them if they forgot their password on Linux. So you must feel Linux has the very wrong idea here as well. At any rate, removing the default Administrator account has nothing to do with removing Super Admin behavior to which I was referring.

I'll talk them through removing their user account, and putting it back in using the recovery console. They'll lose all their docs and settings, but it's one of those things. You still don't have to format the machine to make it usable again. I'm trying to figure out which "Super-Admin" account you're talking about. On an XP machine I would refer to that as the "Administrator" account. That's disabled in Vista, and that is annoying. Also, I would point out that on XP Pro and Home the "Administrator" account is hidden, and you can only log onto it by either booting into safe mode, or by using the Classic style login.

tcsenter said:
Unless the administrator account is password protected, which is more likely on XP Professional since it is not hidden from normal logon as it is on XP Home. The unsecured administrator account is a huge security risk. You can't have it both ways. Either it's bad to have huge security risks or it's not.

Most pre-installed machines don't even give you the option to change the local admin password, so unless you know what you are doing you won't change it. Plus, with preset Linux distros they don't secure your recovery options, so it's a non-issue in most cases. I also don't think that home user machines need to be as secure as a system on a business domain. While I would recoil in horror if someone suggested that I leave Local Admin accounts with blank passwords in a business environment, I honestly can't see a huge problem with home users. With stuff like that I'll advise the customer, but I'll never set it, or force them to.

Basically I have no problem with novice users, and it's really silly to have a grudge against them. I'll bet there is a large percentage of the users on this site that rely on users who aren't clued up to pay their wages. While in an ideal world you would have to do a training course before you bought a computer, it isn't going to happen. It can annoy when the same people come back every few weeks with the same issue you just have to choke it down and get on with it.

Also, by your line of thought. Do you fix your own cars, and I don't just mean swap tyres. I mean every thing including swapping head gaskets, Piston rings, bearing shells etc etc? If you don't you're taking exactly the same attitude to your car that these users take to their computers.
November 11, 2008 9:39:49 PM

Vista does have the option to make a password recovery disc... of course, the user has to actually make one.

The car analogy is a little off. Fixing cars requires mechanical skill and (depending on the job needing to be done) a lot of manual labour. Fixing a computer requires almost no mechanical skill and no real manual labour. I am capable of performing most maintenance tasks myself... but choose not to. Changing a head gasket is a much more daunting task ($1100 to get one changed doesn't exactly point to something simple). Of course, since the vehicle I drive is a company vehicle... I can afford to be somewhat lazy. If it were my own vehicle, I might be inclined to do more myself.

I have no problem with novice users either... at least the ones that are willing to learn to help themselves. The ones that bother me are the ones that refuse to listen to any advice or learn anything from their mistakes. In other words (like most people) I hate trying to help people that refuse to help themselves.
November 11, 2008 9:47:46 PM

Oh and concerning Silverlight... almost any ActiveX control that asks to be installed within IE will also dim the screen and present users with the option to allow it or refuse it. I have Silverlight... and I certainly haven't seen anything trying to use it as an exploit.
November 12, 2008 3:32:04 PM

Quote:
However not running as an Admin causes a whole new collection of user problems. Most games won't run (And let's not even go into teaching people how to run with alternative credentials, that's a whole new can of worms to try and show people).




Complete And Utter Bollox
November 12, 2008 3:41:48 PM

Zoron you wouldn't last two minutes in the job I do, here's an example of some of the things I've gone through:


I receive a laptop with an error that says "Adobe Reader can not load please start another adobe product first", I get told that they don't know what to do and that their computer is crap and they want a new one, I think to myself "just **** read the message it tells you what to do" instead I'm nice and calm and walk the user through the process of what to do in this situation.

Another favourite question I get, "I can't access my drive, why not?", I ask is your light on to signal that the wireless is working? "yes", ok can you access the internet? "no" hmm, I go down meet them press the wireless switch and leave with everything back to normal.

Scotteq, that statement you quoted is correct, here's a recent game you can't run without admin "Mass Effect".
November 12, 2008 4:11:56 PM

Scotteq said:
Complete And Utter Bollox

You'll find that quite a few games support docs specifically state that they won't properly, or won't run at all without being given Admin privs.

Don't take my word for it, just take a look at MS's (a bit outdated now, but still relevant) TechNet article. Modern games still have the same problems.

http://support.microsoft.com/kb/307091

http://support.microsoft.com/kb/893677/en-us

Facts, Check them before calling someone on what you think is **** :) 
November 13, 2008 2:28:26 AM

Flakes, you're probably right... I deal with enough stressful situations that I really don't need complete idiots riding my ass all day because they can't be bothered to read and comprehend what they're reading. It would be fine if I had time to sit in the office all day and work on the computers that come in... but unfortunately, there are more critical things that have to be done. Having one more person to help with the workload would be wonderful.
November 13, 2008 12:49:32 PM

BeakerUK said:
You'll find that quite a few games support docs specifically state that they won't properly, or won't run at all without being given Admin privs.

Don't take my word for it, just take a look at MS's (a bit outdated now, but still relevant) TechNet article. Modern games still have the same problems.

http://support.microsoft.com/kb/307091

http://support.microsoft.com/kb/893677/en-us

Facts, Check them before calling someone on what you think is **** :) 



Point taken on Admin Mode for certain games... Mea Culpa on the knee jerk reaction. < bow >


But you *do* understand that the difference is because XP runs in "Admin Mode" by default? And further understand the change (from Admin to User/Protected) was made because running an (XP) box in this manner leaves it exposed to Malware/Hacks, correct? Therefore this change alone makes Vista more secure because the standard settings prevent trojans and the like from running. Whereas the same code will successfully execute on an XP box. That is also a fact.


What happened is the application vendors failed to account for the change.
November 13, 2008 3:38:36 PM

Scotteq said:
Point taken on Admin Mode for certain games... Mea Culpa on the knee jerk reaction. < bow >


But you *do* understand that the difference is because XP runs in "Admin Mode" by default? And further understand the change (from Admin to User/Protected) was made because running an (XP) box in this manner leaves it exposed to Malware/Hacks, correct? Therefore this change alone makes Vista more secure because the standard settings prevent trojans and the like from running. Whereas the same code will successfully execute on an XP box. That is also a fact.


What happened is the application vendors failed to account for the change.



Yeah, I understand the difference. Personally I run all my own machines in full admin mode, and my Vista boot has UAC turned off because it annoys me personally. The issue with admin prompts on limited user accounts is easy enough to configure, if you have plenty of access to the machine. I built my mother-in-law's machine up a few weeks back, and she's only set to a limited user because her old machine was INFESTED with viruses and spyware. However certain apps she plays have been set up by me to run with full admin access (Just set up the Start With Alternative Credentials).

The only real issue I have with Vista is that it has conditioned a certain subset of users to assume that if something dims the screen at all, and there is a box in the middle of the screen then they should click "Continue". It doesn't click that they should actually read what it says, and they don't notice that it's not actually a UAC prompt (Which pops up directly afterwards anyway). These are the same users who would blithely install anything that IE told them to anyway. MS themselves are still producing some games that need Admin access to run, which is dumb. Something tied into the security settings should allow you to just put a list of trusted apps into the Control Panel or similar, and then it'll never prompt you about them again.

As for me, I take my own risks. Security center is turned off, as is the firewall (I'm behind a Watchguard SOHO, so no need for a software firewall). I've got Windows Home Server (I tried my MSDN 2k3 and 2k8, and they are overkill for a home network) running my workgroup computer backups, and I have full subs to Sophos as an AV for all of my machines. I also have "clean" images stored on a removable USB drive for each machine so they can be restored back to a fresh point whenever I feel the urge. I may be paranoid, but that's what I consider a minimum of security. I even change my Wireless password each month.
November 13, 2008 11:05:14 PM

BeakerUK said:
You'll find that quite a few games support docs specifically state that they won't properly, or won't run at all without being given Admin privs.

So do a lot of other applications, games aren't unique here. It is trivial to right-click on the game executable or shortcut and perform any of the following:

Select "Run as administrator" from the context menu

Select Properties > General Tab > Advanced > check "Run as administrator"

Select Properties > Compatibility Tab > Select "Show Settings for all users" > check "Run as administrator"

Ideally, this should be done prior to installing the application, by elevating the application installer executable, but the post-install application launch executable or shortcut will suffice for beginners.

This they can learn to do just as well as they can learn to configure their game settings and options. It's a bit retarded to think "run as administrator" is a prohibitively complicated thing to learn but a game with two dozen or more configurable game play, graphics, audio, character, and culture settings is light work for the computer novice.
November 14, 2008 5:59:19 AM

tcsenter said:
So do a lot of other applications, games aren't unique here. It is trivial to right-click on the game executable or shortcut and perform any of the following:

Select "Run as administrator" from the context menu

Select Properties > General Tab > Advanced > check "Run as administrator"

Select Properties > Compatibility Tab > Select "Show Settings for all users" > check "Run as administrator"

Ideally, this should be done prior to installing the application, by elevating the application installer executable, but the post-install application launch executable or shortcut will suffice for beginners.

This they can learn to do just as well as they can learn to configure their game settings and options. It's a bit retarded to think "run as administrator" is a prohibitively complicated thing to learn but a game with two dozen or more configurable game play, graphics, audio, character, and culture settings is light work for the computer novice.


It's almost like you think you're telling someone who doesn't know. I mean, it's not like I've been doing stuff with that since the days of NT and 2k. You'll find many users CAN'T work that out. We're not talking novice users, we're talking users who can just about get to their shopping sites and do their e-mails. I've actually sat there and spent about 15 mins trying to explain how to do this to someone.

Seriously, the things we think are trivial aren't to someone who has no interest in learning stuff like this. You may think they are stupid for not learning, but they aren't. They are just disinterested and if they are paying someone to fix their computer then they will just call them up. I used to do wireless setups for an ISP, and many of these people ran into problems doing something as simple as logging into their router using a browser.
November 14, 2008 1:15:36 PM

I agree with BeakerUK, I used to think like you guys but ever since I became an ICT Technician my views have changed, no matter how simple and easy something appears to me, it will undoubtedly be extremely difficult for someone else.

Those cases I've posted above are just the tip of the iceberg, I've been asked by people to create folders 'cause they don't know how, I've even been asked how to create a table in MS Word.