Compartilhar via

My Take on Windows Vista Security “Vulnerabilities”

  • Artigo

I love looking at and analyzing security bugs, but I also enjoy observing how people react to knowledge of security bugs. Over the last few weeks, I’ve seen a number of interesting articles about Windows Vista security that made me smile. So I thought I would paraphrase the articles and re-write them with an opposing and cynical view! Here goes.

If there was no new TCP/IP stack in Windows Vista.

In Windows Vista, Microsoft rewrote retained the entire TCP/IP networking stack that is built on the existing networking stack found in Windows NT 3.51, some of which dates to the original TCP/IP add-on for MS-DOS. While this is probably a good thing long-term, improvements have certainly been made to this code, the shaky security foundations of this code ensure because this is new code, we can continue to expect a host of new vulnerabilities as the code is tested.

If we had never done UAC

In Windows Vista, Microsoft has not done anything introduced User Account Control (UAC) that helps users recognize when they’re taking administrative actions on their system. Because of this, While this is a step in the right direction in fostering limited privileges, UAC doesn’t work because it raises too many prompts: users will just get used to clicking OK and malicious code will continue to be loaded on user’s systems.

 

A little more context about the Sticky Keys ‘vulnerability’ article

In Windows Vista, it’s possible for a user with administrator privileges to replace the executable for “Sticky Keys” sethc.exe with another file and call it at the logon screen when they’re at the system’s console. Vista’s Trusted Installer makes this more difficult, but you can get around this by running commands on the system as a user with administrator privileges and change the permissions on the file. However, Aa user with administrator privileges who is at the system’s console could also log on and could use this to add a new user to the system and add them to the local administrators group.

Perhaps I’m just getting old and grumpy!

Comments

  • Anonymous
    March 16, 2007
    PingBack from http://winblogs.security-feed.com/2007/03/16/my-take-on-windows-vista-security-%e2%80%9cvulnerabilities%e2%80%9d/

  • Anonymous
    March 16, 2007
    Hah, yeah I think we're all getting a bit old and grumpy.

  • Anonymous
    March 17, 2007
    The comment has been removed

  • Anonymous
    March 17, 2007
    The comment has been removed

  • Anonymous
    March 17, 2007
    I don't usually do this on weekends, but I found a lot going on in the past few days, so here's a special

  • Anonymous
    March 17, 2007
    I don't usually do this on weekends, but I found a lot going on in the past few days, so here's a special

  • Anonymous
    March 18, 2007
    Michael, do you have pointers to the original articles?

  • Anonymous
    March 18, 2007
    The comment has been removed

  • Anonymous
    March 18, 2007
    Whatever MSFT does, some will complain it is the wrong thing. What's more annoying is that with every new operating system, we are told to wait a year or more to upgrade.  If we followed the advice of the major PC magazines, we'd be running DOS 6.0. UAC is not a panacea.  It really does little good when most uneducated users will click on Yes because they know and learn clicking No means nothing will happen.  They'd rather something happens, so they'll allow the malware to install. But there are many of us out there who WILl raise an eyebrow when an unexpected administrative privilege was being asked for.  It's like when a software firewall suddenly shouts at you about some process you've never seen... ever... asking about some port you know you don't care about.  You can't help but say "What the heck is on my system?"

  • Anonymous
    March 18, 2007
    A lot more fine-tunning is definitely needed. Just go and create a folder called "Blah" under "Program Files." I agree that a warning message is needed, but you get exactly 4! Please don't tell me this is ok!

  • Anonymous
    March 19, 2007
    paperino, this isn't meant to call out one specific story or report, but more to reflect a tone that we see in some stories on Vista security.  

  • Anonymous
    March 19, 2007
    Mihai, this is on the radar for fixing :)

  • Anonymous
    March 20, 2007
    I really get tired of the headline grabbing and have "complained" about it several times recently.  I am beginning to think that some journalists get paid per view.  Thus, by including Vista or IE7 in the headline, they get more attention. Recent complaints: http://securitygarden.blogspot.com/2007/02/rant-re-microsoft-probes-ie-7-vista-bug.html http://securitygarden.blogspot.com/2007/01/sensationalism-irresponsible-journalism.html http://securitygarden.blogspot.com/2007/02/issue-regarding-windows-vista-speech.html  

  • Anonymous
    March 20, 2007
    @Peter Ritchie: "It's not productive.  Rather than these people simply complaining about things like UAC they should be offering what they think are solutions." Peter, that is another world. It's called Linux, where people CAN offer solutions to be taken honest, and CAN make things better. Nat

  • Anonymous
    March 21, 2007
    The comment has been removed

  • Anonymous
    March 21, 2007
    Nathalie, so how do you rate Linux security, and what metric are you using? I'm just curious.