In Sophos' annual mid-year Security Threat Report, released Tuesday, the vendor notes that malware distributors are eagerly poking at the security barriers of Windows and OS X 10.6 "Snow Leopard" in search of weaknesses to exploit, with the implicit message that it's just a matter of time before they succeed.
Sophos does give Microsoft credit for making Windows 7 more resistant to threats than Windows XP. "When the first few versions of Windows XP came out, there were [so] much more serious issues than those seen with Windows 7 -- and many were fixed with Service Pack 2," according to the report.
However. Sophos also asserts that Microsoft still has "room for improvement" when it comes to making Windows 7 more secure. The fake antivirus scam has been particularly effective in propagating malware on Windows XP systems, and Sophos says attackers are now actively trying to get it to work on Windows 7 machines.
"We are actually seeing proof-of-concepts for malware on Windows 7, and fake antivirus is what they're targeting," said Beth Jones, senior security researcher at Sophos, in an interview. "Depending on how the malware is written, the malware could allow for the installation of a back door that would pave the way for additional malware to be installed."
On the OS X side, Sophos gives Apple a backhanded compliment for including "rudimentary anti-malware protection" in OS X 10.6. However, Sophos then declares that Mac users need to keep the OS fully patched due to a rising tide of malware,
including the backdoor Trojan Apple patched in June that could have allowed remote attackers to gain control over users' machines.
"All of these security issues hammer home the message to Mac users that they cannot afford to depend on their operating system’s reputation for safety," Sophos says in the report. "Anyone can be tricked by subtle scams, and running quality, up-to-date anti-malware software is by far the safest option."
In the report, Sophos doesn't call out Apple for issuing the Trojan patch without informing customers, but the security vendor loudly called attention to the issue back in June when it accused Apple of trying to hide the fix to protect its security reputation.
Sophos has also seen fit to challenge Microsoft in the past. Last November, a Sophos researcher warned that Windows 7 PCs were vulnerable to malware when running without antivirus and with default User Account Control settings, and Microsoft accused Sophos of "sensationalizing" its findings.
In the security business, vendors that raise the alarm on issues that their products can solve are viewed with cynicism. But most security experts would agree that any false sense of security is dangerous, and Apple does take the position that Mac users won't have to deal with the flood of Windows malware.
In Microsoft's case, however, it's hard to see where the "room for improvement" exists in Windows 7 beyond patching vulnerabilities when they arise.
