Hold off on upgrading from XP until Vista is glitch-free

Q: My four-year-old laptop has Windows XP Professional and I'd like to know whether there would be any advantage to my upgrading to Windows Vista. I don't play games nor download music. My use is pretty much restricted to e-mails, banking and Internet searching.

— Canfield Smith

A: First things first: I wouldn't recommend anyone upgrade to Vista on a machine they care about until the new operating system starts shipping, and maybe even for a while after that.

I've been using Vista on a test machine for several months and there are still a number of glitches.

Once Vista ships, you may want to consider upgrading, especially if you're using your computer for such things as online banking. Fact is, while Vista offers a new slick look to the operating system, the more significant improvements are in security.

Indeed, Microsoft has put a lot of effort into securing this release of Windows, though it will be some time before we learn how effective it has been. Hackers and virus writers will be searching for vulnerabilities to exploit. No doubt they will find some. But Microsoft seems to be making many of the right moves.

A lot of the changes are hidden from users. Vista's architecture, for example, makes it easier to integrate third-party authentication technologies, such as smart cards. Vista offers Authentication Manager applets on the client. That feature, along with Vista's support for eXtensible Rights Markup Language, means that developers will be able to fine-tune user access to digital content. Also, Vista employs a new TCP/IP stack more secure than the stack in earlier Windows versions. Routing compartments and tables will be more difficult to crack and corrupt, according to Microsoft officials.

Vista also provides enhanced policy enforcement tools for enterprise users and detailed audit categories for tracking user access to systems and services. Another new feature lets system administrators control the use of removable storage devices, such as USB flash devices, via Group Policy settings.

For consumers, Microsoft has gone a long way toward plugging one of the most common vulnerabilities simply by employing context-sensitive user roles. Using previous versions of Windows, many of us simply log on as a user with administrative privileges. If we didn't do that, we would have to back out and log on again repeatedly simply to run a few programs, install software or use certain utilities. But logging on with administrative privileges is a dangerous practice. If anyone hacks into the computer, or if you acquire a Trojan horse while you're logged on as an administrator, you've given the hacker a free pass to all of your computer's resources.

Vista partly solves that problem with user account control. You can be logged on as an administrator, but until you need administrator privileges, Vista will treat you as a regular user. If you try to access anything that requires administrator privileges, Vista will prompt you for permission. It's a simple but effective measure. The downside, of course, is that you have to deal with those system prompts.

Vista's built-in firewall tools are also improved, though they don't match the configurability of most high-end hardware firewalls. Vista also sports an anti-spyware tool: Windows Defender.

Again, however, don't expect Vista to eliminate the dangers of viruses. You'll still need antivirus software and you'll still need to guard against hackers.

Q: Once, when I was running Windows 98, I had a Trojan horse that I could not eliminate through spyware, Msconfig or eliminating the files. It kept re-creating and reinstalling itself. I fooled it by eliminating the file, then creating a dummy file in its place. The dummy file was an empty .exe file of the same name that I created in Notepad.

— Maurice Robson

A: Cool.

The problem, of course, is that each Trojan horse uses different techniques. What works against one may be totally ineffective against another. That's why antivirus programs have to be constantly updated.

Questions for Patrick Marshall may be sent by e-mail to pmarshall@seattletimes.com or pgmarshall@pgmarshall.net, or by mail at Q&A/Technology, The Seattle Times, P.O. Box 70, Seattle, WA 98111. More columns at www.seattletimes.com/columnists.