According to this article, Microsoft co-president Jim Allchin told a reporter that Vista's...
"new lockdown features are so capable and thorough that he was comfortable with his own seven-year-old son using Vista without antivirus software installed."
That is a pretty bold statement! At first I thought it was crazy, but now that I know about the "lockdown features," I'm very impressed with how Vista deals with viruses.
When you hear about security issues, more often than not the issue is related to a buffer overflow exploit. Basically, this means that software was designed to handle a maximum number of characters, but the exploit sends more than expected. Once the character buffer is filled, the extra characters start to overwrite areas of memory that were not meant to change. The trick to this exploit is to tell the running program to start executing the data in the newly compromised areas of memory. This is how a malicious web page can take control of your system.
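The overwrite described above, as an added example that is not part of the original post: a hypothetical `struct account` holds an 8-byte name buffer followed by a flag, an unchecked copy lets a ninth character land in the flag, and a length-checked copy rejects the same input. All names and the sample input are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record: an 8-byte name buffer directly followed by a flag. */
struct account {
    char name[8];
    char is_admin;      /* 0 = ordinary user */
    char pad[23];       /* keeps this demo's stray writes inside the struct */
};

/* Vulnerable: copies until NUL and never checks sizeof(name).
   The demo only passes inputs shorter than sizeof(struct account). */
static void set_name_unchecked(struct account *a, const char *src)
{
    char *dst = (char *)a;          /* name sits at offset 0 */
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Hardened: rejects input that does not fit, terminator included. */
static int set_name_checked(struct account *a, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof a->name)
        return -1;                  /* too long: nothing is written */
    memcpy(a->name, src, n + 1);
    return 0;
}

/* Returns the flag after feeding src through the chosen copy routine. */
int flag_after_copy(const char *src, int checked)
{
    struct account a;
    memset(&a, 0, sizeof a);
    if (checked)
        (void)set_name_checked(&a, src);
    else
        set_name_unchecked(&a, src);
    return a.is_admin;
}

int main(void)
{
    const char *input = "AAAAAAAAA";   /* constructed: 9 chars, one too many */
    printf("unchecked: is_admin=%d\n", flag_after_copy(input, 0));
    printf("checked:   is_admin=%d\n", flag_after_copy(input, 1));
    return 0;
}
```

The unchecked path changes a field the caller never named, which is the memory corruption the paragraph describes; the checked path leaves the record untouched.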
This article explains how to use the exploit. I would recommend that anybody doing software development read this to better understand the problem. I find that most people really don't understand how this works, and just continue making software that can be exploited. This problem is *everywhere*...hence the reason we have security updates on such a regular basis.
Vista has a new feature that could very well eliminate buffer overflow attacks. Using a technique called "Address Space Layout Randomization" (ASLR), Vista shuffles how software is loaded in memory. A buffer overflow exploit depends on specific software being loaded at a specific location, so that it can jump to an area of memory that gives it the ability to run other programs or commands. With ASLR, it is highly unlikely that an exploit will be able to find these locations.
I think this is an amazingly clever solution to a *really* bad problem. I don't have any real-world data on how effective it is, but the theory is sound. If ASLR works as advertised, it won't eliminate all security issues, but it will significantly reduce the number we deal with today.
I still believe *ALL* computers should run anti-virus software, even if they have ASLR. How else will you know if your system is under attack unless it is checked against a continuously updated list?
I am planning on moving to Vista as soon as it is released (Jan 30th). There is a lot to like in this new release. Vista's ASLR alone may be worth the price of admission.
An interesting side note: Microsoft is constantly bashed for the security of their operating systems. As of this writing, Apple Macintosh and mainstream Linux distributions do not include ASLR. This means that Vista is more secure against buffer overflow exploits than OS X or Linux.