Microsoft blames Vista insecurity on third-party apps

Windows Vista by itself is "immune" to existing Windows malware, but third-party email applications could compromise the operating system's security, Microsoft's co-president for the platform and services division said in a blog posting.

Jim Allchin responded to a study published in November by security vendor Sophos.

The firm tried to infect a system running Vista with the 10 most prevalent viruses of November 2006, and found that three were able to penetrate the operating system's defences.

The study raised eyebrows because Microsoft typically touts Vista's security features as one of the software's top benefits.

Following the publication of the report, Microsoft tried replicating the Sophos study and found that none of the viruses was able to infect a bare system that runs only applications bundled with the operating system, including Microsoft Mail.

Systems running Outlook or another outside email client that supports Microsoft's Attachment Manager feature could fall victim to Mydoom-O, provided that the virus was sent in a .zip archive file. The user would then have to manually extract and execute its contents.

The Attachment Manager API was first introduced as part of Windows XP service pack 2. It offers to scan attachments for email clients and warns users against potentially unsafe file formats such as executables.

Email clients that lack support for the API can still introduce Trojans and other malware to Windows Vista without warning.

Allchin stressed, however, that users should still expect vulnerabilities to pop up in Windows Vista.

"I have ... stated that [Vista] is neither foolproof nor perfect; no software from anyone I have seen is," he wrote.

He warned users not to open suspicious email attachments, and recommended the use of a firewall as well as antivirus software.