The other day someone asked me a question about Vista that I honestly wasn't prepared to answer. I thought it bears repeating and discussing here, because it cuts to the heart of a lot of what has been surrounding the reasons for upgrading to Vista in the first place:
"If Vista is inherently more secure than older versions of Windows, why do I need to bother with products like Windows Defender -- or for that matter, any third-party antivirus or antispyware product?"
I thought about that one for a minute. The fellow asking was someone I would call a moderately experienced user, someone who doesn't always follow the absolute latest trends in everything, but that made the question all the more intriguing. Think about Mac OS X, for instance -- viruses and spyware as we know them in Windows are essentially nonexistent in OS X. So if Windows is (theoretically) headed in the same direction, isn't stuff like Windows Defender -- and, presumably, future iterations of third-party products like that -- a waste?
The one answer I came up with doesn't seem entirely satisfactory. For one, it's possible to turn off some of Vista's protections against privilege escalation, so someone might want to spend the money (or invest the time) in obtaining something that grants them an extra level of protection in case they make a mistake. (It's fortunately not a trivial action to turn those things off, nor is it recommended.) Also, these changes may not protect against things like buffer overflow attacks (which Unix-derived OSes are also vulnerable to). The sum total of my counter-argument was that it's not possible to always foresee every possible attack. Vista does a good deal of "minimizing the attack surface" of the OS -- to use a phrase I personally can't stand -- but it can't take everything into account. I still felt like I was ducking the issue in some way, though -- if only because I was downplaying the importance of personal responsibility. You cannot make a thoughtless user any less thoughtless by habitually protecting them from the consequences of their ignorance.
This connects with the recent controversies involving McAfee and Symantec's demands that Vista's innards be opened up to third-party security developers in the same way XP was. The street-level comebacks about this whole row (from places like Digg) are mostly in the vein of snarking at McAfee and Symantec for writing such lousy programs in the first place: Now that Microsoft is actually making a secure OS, the other guys are whining that they're being put out of a job. Microsoft's stance is that they bent over backwards to allow third-party developers to write their own security products for Vista, and while I'm curious to see how this plays out, I'm tentatively siding with them on this one, as the technical details have been kind of skimpy.
My personal feeling is that good computer practices and safe surfing habits (and a browser that isn't a porous membrane for spyware) will keep you safe from the vast majority of stuff out there. And a firewall never hurts, either, but personal awareness and responsibility are paramount.
