64-bit Windows safer, claims Microsoft

But lower infection rates for 64-bit won't stand, counters researcher

Windows users running 64-bit versions of the operating system are less likely to get infected by attack code, Microsoft's security team said yesterday.

But that doesn't mean they won't, countered an outside security researcher.

"64-bit Windows has some of the lowest reported malware infection rates in the first half of 2009," said Joe Faulhaber of the Microsoft Malware Protection Center in a post to the group's blog yesterday. "64-bit malware is still exceedingly rare in the wild."

Faulhaber cited statistics gleaned from Microsoft's Malicious Software Removal Tool (MSRC), a free malware detection and deletion utility the company updates and pushes to users monthly. According to Microsoft's data, the 64-bit version of Windows XP was 48% less likely to be infected than the 32-bit edition during the first half of 2009; PCs running Vista 64-bit, meanwhile, were 35% less likely to be infected than Vista 32-bit.

Windows 7, which was not included in the data for the first half of this year because it had not been released in final form, also is available in both 32- and 64-bit editions. Faulhaber noted that Windows 7 64-bit is the dominant flavor of that new OS as he touted its security. "Most PCs shipping with Windows 7 come with the 64-bit versions of Windows," he observed.

Windows 64-bit is safer to run, he argued, in large part because malware, which is written for the much more widely used 32-bit versions of Windows, is "confused by 64-bit."

That's not necessarily true, said Alfred Huger, formerly with Symantec and currently vice president of engineering at security start-up Immunet. "There's a lot of 64-bit malware," said Huger. "They can run their code in compatibility mode, or they can compile it for 64-bit. The reason they're not is that there's still not a lot of 64-bit deployment. There's 64-bit malware out there, just like there's Mac OS malware out there. But right now, [64-bit] is just not as opportune a target as 32-bit."

It's relatively simple for criminals to customize their attacks against 64-bit systems, Huger maintained. "We almost never see just one [piece of malware] on a machine. It's almost always eight or ten or a dozen," he said. "Most malware gets on your system because you put it there, and one of the things most attacks do is download a bootstrapper that then downloads other malware. It's easy for attackers to have their bootstrapper check whether the OS is 64-bit, then grab 64-bit malware to download onto the PC."

In the end, said Huger, there just isn't a "compelling reason" for hackers to bother with 64-bit, but there's nothing inherently more secure about a 64-bit operating system. "Malware is just software," he observed. "It can execute on 64-bit just like other software."

Faulhaber argued that 64-bit Windows was safer by design than the less-powerful 32-bit version, ticking off such measures as PatchGuard, which makes it more difficult for malware to tamper with the operating system's kernel. PatchGuard is included in the 64-bit versions of XP, Vista and Windows 7. He also mentioned WOW64 (Windows On Windows 64), the lightweight emulation mode that lets 64-bit versions run 32-bit code. "The additional protections built into 64-bit Windows will make it harder for malware to make the 64-bit jump," Faulhaber said.

While Faulhaber trumpeted 64-bit XP's and Vista's -- and by extension, Windows 7's -- ability to sidestep more malware, the bi-annual Microsoft Security Intelligence Report he cited said that some of the lower infection rates might have nothing to do with the OS, and everything to do with the user.

"Infection rates for the 64-bit versions of Windows XP and Windows Vista are lower than for the corresponding 32-bit versions of those platforms, a difference that might be attributable to a higher level of technical expertise on the part of people who run 64-bit operating systems," the report concluded. "This difference may be expected to decrease as 64-bit computing continues to make inroads among mainstream users."

Nor did Faulhaber go so far as to claim that 64-bit Windows, even Windows 7, was stout enough to do without security software. "64-bit Windows needs 64-bit anti-malware software like Microsoft Security Essentials to protect the whole computer," he acknowledged, touting his company's free security suite, which shipped in late September.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
7 Wi-Fi vulnerabilities beyond weak passwords
Shop Tech Products at Amazon