NEW YORK -- Microsoft Corp. took great pains to improve security in its newly released computer operating system, Windows Vista, redesigning it to reduce users' exposure to destructive programs from the Internet. Outside researchers commend the retooled approach -- yet they say the changes won't make online life much safer.
Why not? Partly because of security progress that Microsoft already had made in its last operating system, Windows XP. Also because a complex product like Vista is bound to have holes yet to be discovered. And mainly because of the rapidly changing nature of online threats.
Sure, Microsoft appears to have fixed the glitches that used to make it easy for viruses, worms, and other problems to wreck PCs. But other avenues for attack are always evolving.
"Microsoft has made the core of the operating system more secure, but they've really solved, by and large, yesterday's problems," said Oliver Friedrichs, director of emerging technologies at antivirus vendor Symantec Corp.
That claim would not please Microsoft, which touts Vista's improved security as a big reason why companies and consumers will want to upgrade to the new operating system.
In fact, Microsoft's effort to tighten security in Vista was one reason the software was delayed past the crucial holiday shopping season. It's now available for businesses and will be available to consumers Jan. 30.
"It is an incremental improvement -- it is a reasonably large increment," said Jon Callas, chief technology officer at PGP Corp., a maker of encryption software. "I don't think it's a game-changer."
Some of Vista's security enhancements require computers with the latest microprocessors -- which are known as 64-bit chips, in reference to how much data they process at once. That won't improve things on today's standard 32-bit computers, which will stick around for a long time.
However, most of the improvements are available in all editions of Vista, including a stronger firewall and a built-in program known as Defender that alerts users if Vista believes spyware is being installed.
"Windows is going to talk to you a lot more and make sure you're a lot more aware of what you're doing," said Adrien Robinson, a director in Windows' security technology unit. "It's going to help consumers be more savvy."
One of Vista's biggest changes is more control over computer management. With previous versions of Windows, users were given by default great control over the computer's settings -- a situation that opened the door to nefarious manipulation by outsiders. In Vista, users are prompted to supply a password when they make significant changes -- a security feature long available on Apple Computer Inc.'s Macintosh and computers running the Linux operating system.
At the same time, the software gives corporate PC administrators new security powers, such as the ability to turn off the USB ports that employees might use to remove data or bring in troublesome programs on flash drives. (Some network administrators had told Microsoft they were so desperate to stop that practice that they were filling the PC ports with glue.)
Even with all the changes, Vista does not promise a total cure for security headaches. Microsoft, after all, is also selling security add-ons, competing more directly with antivirus companies than in the past.
"Rather than having all the doors unlocked, you now have locks on the doors. It doesn't mean it's a silver bullet," Robinson said. "If they really wanted to get in, they could get through. They could throw a rock through the window. But it's harder. Our goal is to make it harder, to raise the bar."
Still, when Vista for businesses was launched in New York on Nov. 30, Microsoft CEO Steve Ballmer promised a "dramatic" drop in "the number of vulnerabilities that ever present themselves."
If so, that would spare Microsoft from a repeat of the embarrassing series of "critical" security patches it had to release for the previous operating system.
But it might not mean much against many threats Web surfers face today.
For one thing, the kinds of large-scale, automated worms that Vista purportedly will hinder have been waning anyway, according to security analysts. Symantec's Friedrichs said 2006 hasn't seen any worms as prevalent as the kinds that caused widely publicized PC outages several years ago, with names like Slammer and Blaster.
That's partly because of enhancements Microsoft already made in Service Pack 2, a huge set of patches for Windows XP that were released in 2004.
"If you're looking at two versions, XP Service Pack 2 versus Vista, I'm going to say to the average user they're both going to offer them good security," said Michael Cherry, an analyst at Directions on Microsoft. "Is Vista better? I don't know if it's that substantially better."
Security experts say malicious hackers have largely moved away from outage-causing attacks, motivated by publicity or pride, in favor of more targeted and lucrative thefts of users' data. Those attacks tend to exploit flaws in Web applications or employ "social engineering" -- such as tricking people with phony e-mails into giving up passwords.
"From that perspective, Vista is a non-event," said John McCormack, a senior vice president at security vendor Websense Inc.
To its credit, Microsoft is fighting such "phishing" attacks by configuring its new Internet Explorer 7 Web browser to alert users if they're visiting a dicey-seeming website. Internet Explorer 7 is already available for free download.
But IE7's phish-catching method alone is limited: It is based on a "black list" of sites known to be up to no good. Outside security experts say that will not stop the increasingly savvy attackers who constantly morph their tactics, sometimes every few hours.