58% of the binaries used in the Symantec Vista test performed a successful execution

Mar 2, 2007 14:14 GMT

Symantec has bombarded Windows Vista with no less than 2,000 instances of malicious code in order to determine the operating system's immunity to legacy and current threats. The Cupertino-based security company revealed that an overwhelming 58% of the binaries used in the test performed a successful execution.

"The term Successful Execution simply means the binary was mapped into memory by the Windows loader and began executing instructions at the derived entry point. It does not, however, indicate the malicious code successfully compromised the system's integrity," revealed Orlando Padilla of Symantec Advanced Threat Research.

If Symantec proved anything, it is that Windows Vista is nearly immaculate when confronted with legacy and current threats. Across every category of sample, only a small fraction of the binaries managed to survive a reboot:

- Backdoors: 6 of 197 (3%)
- Keyloggers: 5 of 118 (4%)
- Rootkits: 0 of 17 (0%)
- Mass mailers: 4 of 113 (4%)
- Trojan horses: 4 of 210 (2%)
- Spyware: 4 of 260 (2%)
- Adware: 2 of 118 (2%)
- Unsorted binaries: 34 of 728 (5%)

However, Symantec did point out the attack vectors that remain in Windows Vista. "From the results, we were able to identify which security components of Vista may be subverted to perform operations specifically disallowed. One example is Vista's firewall; by default, it is configured to disallow all third party and untrusted network communications unless the user clicks the unblock button. This feature, if slightly enhanced, poses a great limitation for malicious code looking to backdoor a host. Unfortunately, the unblock button may be accessed with the same privilege level as a standard user. This configuration of privileges creates a point of vulnerability that undermines the effectiveness of the firewall's policy in Windows Vista," Padilla added.

The firewall's pop-up dialog box can be sent a malformed message via the SendMessage API call, causing it to unblock a malicious process. Additionally, UAC is susceptible to attack because of the SetWindowsHookEx and GetAsyncKeyState functions.
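The weakness Padilla describes only exists while the firewall's unblock prompt is shown to the interactive user. The following PowerShell audit is an added example, not code from the article or from Symantec: it parses the output of `netsh advfirewall show allprofiles`, reports per profile whether the inbound prompt (the real `InboundUserNotification` setting) is enabled, and names the `netsh` command that turns the prompt off so that inbound blocks become silent and cannot be overridden from the dialog. The sample output embedded below is constructed for offline demonstration; on a live host, call the function with no arguments.

```powershell
# Added example (not from the Symantec report or the article): audit whether the
# Windows Firewall inbound "unblock" prompt is still enabled for each profile.
function Get-FirewallPromptStatus {
    param(
        # Lines of `netsh advfirewall show allprofiles`; defaults to a live query.
        [string[]]$NetshOutput = (netsh advfirewall show allprofiles)
    )
    $profile = $null
    foreach ($line in $NetshOutput) {
        # Section headers look like "Domain Profile Settings:"
        if ($line -match '^\s*(\w+) Profile Settings:') {
            $profile = $Matches[1]
            continue
        }
        # Setting lines look like "InboundUserNotification               Enable"
        if ($profile -and $line -match '^\s*InboundUserNotification\s+(\w+)') {
            $enabled = ($Matches[1] -eq 'Enable')
            # While the prompt is enabled, any standard user can approve an inbound
            # listener; disabling the notification keeps the block policy in force.
            $remediation = if ($enabled) {
                "netsh advfirewall set $($profile.ToLower())profile settings inboundusernotification disable"
            } else { 'none' }
            [pscustomobject]@{
                Profile       = $profile
                PromptEnabled = $enabled
                Remediation   = $remediation
            }
        }
    }
}

# Constructed sample output (not a real machine): one weak and one hardened profile.
$sample = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
InboundUserNotification               Enable

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
InboundUserNotification               Disable
'@ -split "`r?`n"

Get-FirewallPromptStatus -NetshOutput $sample | Format-Table -AutoSize
```

The report lists the Domain profile as still prompting and the Private profile as already hardened; applying the listed `netsh` command (or the equivalent Group Policy setting) removes the user-clickable unblock path on the affected profile.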