Monthly Patch Tuesday gone with Vista says Microsoft

Stan Beer
Friday, 12 May 2006 18:55

Your IT - Home IT

Each month, on a Tuesday, in a bizarre almost tribal ritual, we Microsoft Windows users wait for the word on what new vulnerabilities have been discovered that expose our computers to potential malware hazards so we can download the fixes. With the coming of Windows Vista, however, we may no longer have to do that anymore.

According to a Microsoft security specialist at Microsoft, monthly downloads of security patches to protect against viruses, trojans, worms and other software nasties just itching to take control of our computers will probably be a thing of the past with the coming of Vista. Although there will probably be still the need for the occasional fix, it will not be very often. At least that's the plan.

"I think the frequency of Patch Tuesday will change a great deal. Patch Tuesday occurs on a monthly basis. I think with the delivery of Vista you're likely to see that there won't be a need for that to occur on a monthly basis. It will definitely be a lot less frequent occurrence," says Peter Watson, chief security advisor at Microsoft Australia and New Zealand.

The big difference with Vista, according to Watson, is that the new Windows operating system has finally moved to a permission based security system similar to the environments that have been a feature of Unix and Linux based systems from the outset. The basic gist is that a normal user can't do anything serious do damage the system so neither can a malicious virus. In order to get into the guts of the system and cause trouble, you need to log on as an administrator with a password and viruses don't normally get to do that.

"One of the key elements of Vista is around segmentation. It's about segmenting what level of access users require and what level applications require," says Watson. "This very much allows users to run in a subset of the functionality or virtualisation of the environment. Therefore this limits their ability in terms of do they need all the privileges to access some of the the administrator functions."

But if users are limited to doing only certain things like running the applications that exist on their desktop. What happens when they want to do things that involve changing things on their desktop like say deleting a shortcut? Here is what Windows expert Windows expert Paul Thurrott had to say on his winsupersite about Microsoft's attempt to put Unix like security features in Vista under the name User Account Protection (UAP):

”UAP is a sad, sad joke. It's the most annoying feature that Microsoft has ever added to any software product, and yes, that includes that ridiculous Clippy character from older Office versions. The problem with UAP is that it throws up an unbelievable number of warning dialogs for even the simplest of tasks. That these dialogs pop up repeatedly for the same action would be comical if it weren't so amazingly frustrating. It would be hilarious if it weren't going to affect hundreds of millions of people in a few short months. It is, in fact, almost criminal in its insidiousness.”

Thurrott goes on to describe how he even had to get permission to delete a shortcut from his desktop from an array of never ending permission dialogue boxes.

However, Microsoft’s Watson is unrepentant about forcing users to become more security conscious. “The dialogue box component that you’re talking about really relates to an element that we call consent and credentials,” he says. “What we do recognise is that this is a new evolution on the Windows platform in terms of the fact that we restrict both users and applications in terms of what drivers and system functions they can get access to and change. But we also recognise that there may be some times where users still need some of those capabilities.

“So the consent and credentials basically provide the pop up window that allows a user so that they did want to delete an item off the desktop or change a system setting such as the date and time, we’re not restricting them from doing that. All we’re asking them to do is provide the appropriate credentials. This is in recognition of the fact that most of the time when a user is using the PC, we don’t expect them to be going in and modifying the system settings.”

Maybe so. However, PC users tend to be a fairly diverse and sometimes anarchic lot. It remains to be seen whether they’ll be prepared to suffer endless pop-up dialogue boxes in order to do trivial tasks like deleting shortcuts. Home users, may even be tempted just to simply log in as administrators just to avoid the curtailment of their freedoms – just like many Mac OSX users from what we hear. Then of course that will open the way for viruses to do their dirty work with administrator privileges.

Then again, Microsoft could always think about the fact that deleting a shortcut from a desktop is not exactly what you might call a system security risk. In fact, Microsoft might want to consult with its users and find out for itself. It’s just a thought.