Conventional wisdom calls for IT managers to wait for the first service pack before installing a new Windows operating system. But since Windows 7 builds on all the security improvements Vista made over Windows XP, there may be a temptation to ignore the rule.
That could be a problem because Windows 7 is far from secure, security firm Sophos says. In a company blog, Chester Wisniewski wrote that Windows 7 is highly vulnerable to the latest viruses.
"We grabbed the next 10 unique (virus) samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC [User Control Account] held up. Unfortunately, despite Microsoft's claims, Windows 7 disappointed just like earlier versions of Windows," Wisniewski wrote.
"The good news is that, of the freshest 10 samples that arrived, two would not operate correctly under Windows 7," he added.
Antivirus Still Required
Not surprisingly, Sophos' recommendation includes purchasing antivirus software. "Lesson learned? You still need to run antivirus on Windows 7 ... Windows 7 is no cure for the virus blues, so be sure to bring your protection when you boot up," Wisniewski wrote.
Microsoft was not amused by this. While agreeing that all computer users, including Windows 7 users, should run antivirus software, Paul Cooke, Microsoft's director of Windows Enterprise Client Security, wrote in a blog post, "I'm not a fan of companies sensationalizing findings about Windows 7 in order to sell more of their own software."
Cooke emphasized that viruses don't come from the ether. They enter systems via the web and e-mail. Thus, Internet Explorer features like SmartScreen Filter "will notify you when you attempt to download software that is unsafe -- which the SophosLabs methodology totally bypassed in doing their test."
And of course, Microsoft offers its own free antivirus software, Microsoft Security Essentials.
Seat Belts Still Advised
Cooke took the opportunity to further promote the security features in Windows 7. "Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware," he wrote. Among those features: UAC, Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP).
"Windows 7 retains and refines the development processes, including going through the security development life cycle, and technologies that made Windows Vista the most secure Windows operating system ever released," he boasted.
The question of whether Windows 7 users still need antivirus software is basically a straw man, Andrew Storms, director of security operations for nCircle Security, wrote in an e-mail. "Despite all the safety innovations in cars, the auto industry doesn't advise persons to stop wearing a seat belt. Microsoft hasn't done the same when it comes to AV. In fact, they are now giving it away for free."
"It would seem obvious that given a piece of known malware and a user selects to run it, then bad things will happen -- even on Windows 7," Storms said. "The Sophos test should better be classified as a test of the Windows 7 UAC feature. Despite the user actively selecting to run malware, how many of the times did Windows 7 UAC still intervene to help protect the user?"