Cnet claims that Windows Vista “has the potential to demote spyware from a security priority to an afterthought.” Color me skeptical.
To be sure, Microsoft appears to be doing many of the right things. Users will no longer run as the administrative user by default, and Internet Explorer is getting an overhaul. When combined with a multitude of bug-fixes and a good firewall and anti-virus software, this will certainly cut down on the spyware problem.
But the article misses the point that spyware is fundamentally a problem of social engineering, not technology. Much of the time, spyware gets onto a user’s computer by deceiving the user about its origins or contents. All the technological improvements in the world won’t help the user who thinks she’s downloading, say, a new screen saver, without realizing that it has spyware attached. The user will now have to enter a password before the spyware will be installed, but if she was trying to install the software anyway, that’s not likely to protect her.
Moreover, the task of plugging all the holes in a previously insecure operating system is much harder than designing it to be secure in the first place. For example, a common vector of virii are ActiveX controls, a Windows-based browser plug-in that allows web pages to have interactive content. Because it’s tightly integrated with Windows, ActiveX is full of bugs that threaten the operating system’s security. Yet Microsoft cannot simply remove ActiveX because thousands of web pages use the technology. So they’re doing their best to patch up an inherently insecure technology.
So I think it’s great that Microsoft is taking security more seriously, and I hope they’re successful. But I don’t think spyware on Windows will be an afterthought any time soon.
Comments on this entry are closed.