This entry updated at 8:49 PST on Tuesday 19 December 2006.
On November 30, Sophos issued its monthly report on the top ten threats reported to them in November of 2006. As a part of this, Sophos also studied Windows Vista's vulnerability to these malware threats. I found the information and press discussion confusing, so I thought I would clarify what this really means for customers.
In order to understand what was really going on here, I asked the team to go look at the technical facts behind the story, and that started in the lab. We began by observing first-hand how these various forms of malware affect a Windows Vista system using a machine that was configured with the default settings and without any additional security software. What we found was that if you are using only the software in Windows Vista (e.g., Windows Mail and no add-on security software), then you are immune to all ten of the malware threats that Sophos cited.
If you are using Microsoft Outlook or a third-party email client that blocks execution of known executable formats, then a user running Windows Vista is not vulnerable to eight of the ten malware threats. In the case of the ninth piece of malware, Bagle-Zip, the malware is able to run because it uses the .ZIP file format which some mail programs do not block. In the case of the tenth piece of malware, Mydoom-O, the malware is sometimes able to run because it randomly chooses the file type to which to distribute its payload and sometimes that file type is an executable inside a .ZIP file, which some mail programs do not block. In both cases, this is a function of the e-mail software, not Windows Vista. That said, even when a user receives a mail infected with Bagle-Zip or Mydoom-O in the .ZIP file format, in order for the malware to affect the system, the user must first explicitly open the .ZIP file and then explicitly run the executable file that's contained inside the .ZIP file -- there is no way for this to happen without two steps of user action. If you happen run a third-party email client that does not block known executable formats, then you may also be vulnerable to Netsky-D.
While Windows Mail blocks running executables even when they are included in a .ZIP file, other email clients could as well if they used a technology available (via APIs) in Windows called Attachment Manager (AM), first introduced in Windows XP Service Pack 2. So what should you do if you use a mail client that doesn’t support AM? Well, the most basic thing to do is to train users in your environment not to click on unknown attachments and, even if they do, to make sure that they don’t run executable files included in ZIP files. This may be hard to do -- and frankly, this is why we built AM protection into Windows. That said, if you use an add-on e-mail client, you should also use anti-virus software that can scan attachments prior to opening them to detect and block malware.
One question you may ask is why isn't this kind of malware scanning built into Windows Vista? We do have cleaners that will detect and remove this form of malware that is offered as part of the malicious software removal tool that we distribute each month. However, there is certainly a question about whether we should do even more in the operating system. The recent feedback we received around our decision to continue to include Kernel Patch Protection in the 64-bit versions of Windows Vista (even though we had shipped this protection in 64-bit versions of Windows XP nearly two years ago) was more controversial than we would have expected. It's a complicated world -- that's all I can say.
I should note that we do offer this kind of "on access" anti-virus software as part of Windows Live OneCare (for home users) and offer server based e-mail security in Microsoft Forefront Security for Exchange Server. In addition, we are currently beta testing an enterprise version of the client software called Microsoft Forefront Client Security.
So I know what you are thinking: Does any of this change my position about how I protect my 7-year-old son's PC? The short answer is absolutely not. The longer answer is that today I don't allow him to use e-mail or IM (also remember he is running as a standard user without knowledge of an administrator password, and he has specific Windows Vista parental controls turned on), so I don't worry about these kinds of attacks hitting his machine. And when I do let him start emailing his friends, I will simply set up Windows Mail to ensure he has a safe experience. For example, Windows Mail by default blocks images and other external content in HTML e-mail messages and it also by default prevents opening or saving attachments that could potentially be viruses. But, I could go even further by using Windows Mail rules to block all attachments and delete such email. That said, one day, he will most likely use AV software. But remember, even without the AV software, if he was using Windows Mail in Windows Vista, he was safe from all ten of these malware threats.
So what should you do? As I have said on this blog in the past, I am very proud of the work we have done for security in Windows Vista. However, I have also stated that it is neither foolproof nor perfect; no software from anyone I have seen is. So, if you have a totally locked down environment (including using Parental Controls) like my son, you may be good to go with Windows Vista out of the box. Similarly, if you aren’t in a locked down environment, but you use Windows Mail in a controlled configuration, you may also be ok from malware such as this. If you use an add-on email client and you know not to run executables embedded in email attachments, then you will also be safe from these specific threats. And with all that said, if you are like most users and receive e-mail from unknown people, are not really sure even what executables or ZIP files are, run a lot of software and browse the web downloading programs with abandon, then our best advice remains the same: You should 1) stay current with the latest security updates (and in this case I urge you to use the recommended defaults included in Windows Vista); 2) use a firewall (there's a great two-way firewall built into Windows Vista! Or, use a third-party solution that you can buy); and 3) use anti-malware software. I recommend using the combination of Windows Defender and an add-on anti-virus software program such as Windows Live OneCare or one of the many great products available from third parties, such as Sophos.
jim