I’ve recently returned from the annual get-together of security vendors with Microsoft. A lot of what was discussed is under non-disclosure agreement so I can’t discuss specifics, but it was interesting to hear first hand the efforts Microsoft have put into making Vista more secure. The whole development process is now focussed on security and there were a number of sessions describing that process. The success of this approach seems to be backed up by the relatively small number of vulnerabilities found in the first 90 days.
However, all the security best practices in the world won’t solve the user vulnerability; our own tests showed that three of the top ten email threats will still work on Vista. Whilst it’s true that they will only run if the user opens the attachment and allows it to run, users will: the promise of ‘interesting content’ of one sort or another will lure users into downloading content, running attachments and all the other risky activities regardless of how many warnings you give them. Warning boxes, regardless of their colour, will be ignored and malware will work; users get message-box fatigue and simply click whatever button makes it go away.
To answer my own question, Vista is more secure than previous versions and, whilst Microsoft should be applauded for the efforts made in Vista, there is always a balance between usability and security. Vista will be targeted, vulnerabilities will be found and exploited, but most of all, users will be exploited and there will be a need for additional security products and services.