Old malware can affect Vista, admits Microsoft

Microsoft has confirmed Vista can be affected by malware from 2004 but argues this is not a flaw in the operating system.

Security vendor Sophos reported last week that Microsoft's Vista is vulnerable to at least three pieces of widespread malware, two of which date back to 2004. At least three well-known internet worms - labelled Stratio-Zip, Netsky-D and MyDoom-O by Sophos - are able to execute on the operating system, according to Sophos.

However, because these attacks rely on user interaction to execute the code, Microsoft has denied this is a flaw. Microsoft said these attacks rely on social-engineering techniques to be successful.

The software behemoth said in a statement: "Microsoft is aware of a report by Sophos that claims variants of existing malware may affect users running Windows Vista. Based on our initial investigation, Microsoft can confirm that these variants do not take advantage of a security vulnerability, rather they rely on social engineering to infect a user's system."

Social engineering relies on tricking users into executing malicious code themselves - a user has to open an infected attachment on an email for these worms to infect the system. Windows Mail Client - the Vista replacement to Outlook - will block the worms but businesses running third-party email clients such as Lotus Notes, or webmail such as GoogleMail or Yahoo!, could be vulnerable to social-engineering attacks.

Microsoft stopped short of blaming third-party email clients for the problem but said that User Account Control (UAC) - which limits users' ability to install applications unless they have administrator privileges - can "help to provide better protections". IT managers can run Vista end-user accounts with limited "standard user" privileges, rather than administrator privileges. Users are also given security prompts when attempting to run executable code.

Microsoft's statement said: "In those cases where other email clients may not have made the same aggressive security design decisions as Microsoft did with Windows Mail Client, other protections such as UAC can apply still to help provide better protections against email-based social-engineering attacks."

It added that currently, once malware has breached the outer defences of a computing system through user interaction, it is no surprise that the operating system obeys user commands to run the code. Stephen Toulouse, a senior product manager at Microsoft's security technology unit, said: "If a user clicks through various security warnings and protections, it's of little surprise that malware (even malware from long ago), can still run. It is not through a flaw that this occurs."

Toulouse said currently operating systems by themselves have little way of knowing when the user has chosen to run a piece of software that is "bad" until after it is installed and running, and even then that capability is often provided by an application such as antivirus.

He said: "This is why we strongly recommend to run antivirus on all versions of Windows, even Windows Vista. The very problem you have noted is one that is not actually unique to Windows."

Tom Espiner writes for ZDNet UK