Windows 7 is less secure out-of-the box than Vista, despite Redmond's protestations to the contrary, a top security firm has claimed.
Trend Micro said that the default configurations of Windows 7 are less secure than Vista. Raimund Genes, CTO of Trend Micro, said that Windows 7 had sacrificed security for useability - at least for default configurations.
"I'm not saying Windows 7 is insecure, but out of the box Vista is better," Genes told El Reg.
The User Account Control (UAC) feature that debuted with Vista was a security safeguard that asked users for permission before allowing applications to run. The nagware technology irked users and was blamed for producing numerous largely meaningless pop-ups that users blithely clicked past.
Even senior Microsoft execs, for example UK security advisor Ed Gibson, have taken to describing the technology disparagingly as "User Annoyance Control" over recent months. A toned down version of UAC has been developed for Windows 7, but Genes regards this and other changes as a step backwards.
"I was disappointed when I first used a Windows 7 machine that there was no warning that I had no anti-virus, unlike Vista," Genes said. "There are no file extension hidden warnings either. Even when you do install anti-virus, warnings that it has not been updated are almost invisible."
Genes said the security of Windows 7 for consumers might be improved by offering virtual XP, a sandboxed version of the older OS, with Windows 7 home editions. The virtualisation technology (criticised by other security firms, most notable Sophos, as a security risk in its own right because it needs separate patching and security protection) was only released in enterprise versions of the operating system.
Trend's unfavorable default security comparison between Vista and Windows 7 was released alongside its Trend Micro 2010 Future Threat Report. The main focus of the report places the security implication of the wider IT industry shift towards cloud computing and virtualisation under the spotlight.
While offering significant benefits and cost-savings, the architectural shift means cybercrooks are likely to turn their sights towards manipulating the connection to the cloud, or attacking the data center and cloud itself, instead of trying to infect desktop or server systems.
"The focus for security firms has been protecting desktops or servers, but this needs to shift to providing security for the cloud, where sensitive information such as credit card records will be held. Using encryption to establish shielded containers for sensitive data and improving the security and back-up of cloud computing systems needs to be improved so that we can have safe cloud computing," Genes explained. ®