April 4, 2007 4:00 AM PDT

Cursor flaw gives Vista security a black eye

Microsoft's release of a "critical" patch on Tuesday poked holes in Vista's security promises, but security experts advise against discounting the new operating system.

The software giant broke with its monthly patch cycle Tuesday to fix a bug that cybercrooks had been using since last week to attack Windows PCs, including those running Vista.

"As far as software vulnerabilities go, Vista's cover is blown," said Nand Mulchandani, a vice president at Determina, the company that discovered the latest security bug. "It is not Superman; it is just a human being. It is just software. Vista is going to be very similar to the other operating systems Microsoft has delivered in terms of bugs."

Microsoft officially launched Vista for consumers in January, promoting the operating system as the most secure version of Windows yet. It is the first client version of Windows built with security in mind, meaning that it should have fewer coding errors that might be exploited in attacks, Microsoft has said.

Yet the "critical" hole that affected much older Windows versions also hit Vista. The vulnerability lies in the way Windows handles animated cursors and could let an attacker commandeer a PC when the user views a malicious Web site or e-mail message.

The cursor flaw lies in the operating system code. This means that any application that relies on the operating system to handle animated cursor files could be an attack vector. This includes alternative browsers, such as Firefox.

Video: Hacking a Vista PC
Determina experts explain how to exploit animated-cursor flaw.

It is a flaw that should have been caught by Microsoft's code-vetting processes for Vista, called the Security Development Lifecycle, some experts said. The flaw is also evidence that faulty code from previous Windows versions has been copied into Vista, they said.

"It is a little premature to attack the whole effort altogether, but this is something that the Security Development Lifecycle should have caught," said Amol Sarwate, a research manager at vulnerability management company Qualys.

The buffer overflow vulnerability in the cursor function in particular should have already been fixed because a bug in the same Windows component was patched two years ago, said Rohit Dhamankar, manager of security research at TippingPoint, a seller of intrusion prevention products. That should have prompted re-examination of the code, Dhamankar said.

Microsoft disputes that it should have caught the cursor bug before. People who say so don't understand security vulnerabilities because not all bugs are created equal, said Stephen Toulouse, senior product manager in Microsoft's Security Technology Unit.

"In the case of the cursor vulnerability, even though something may look similar to the outside, that doesn't mean the code is anything alike to the previous vulnerability," Toulouse said. "The SDL was never meant to catch every single vulnerability, period."

But Dhamankar argues that Microsoft forgot to recheck all the possibilities that could lead to a buffer overflow after the original bug was found and patched in 2005.

Mulchandani agreed. "The dirty little secret is that Microsoft clearly did not write Vista from scratch. They did not completely build a whole new code base for this operating system. Every version of Windows since Windows NT has had this flaw in it," he said.

Microsoft does acknowledge that Vista will have vulnerabilities. "There are going to be other vulnerabilities. The SDL is not a process by which no vulnerabilities will ever occur. There is no process on this planet that can do that," Toulouse said.

The cursor flaw is like a sign post for the bug hunters. Hackers will now be looking for bugs in similar Windows components to find ways to attack Vista.

"This has been a very significant break and it definitely gives a big pointer," Dhamankar said. "If more such errors are found later, Vista is not going to be able to offer the great protection that's claimed."

Still, Microsoft's Vista security promise doesn't fall apart because of this single vulnerability. Vista is more secure than XP or any other Microsoft client operating system, Sarwate said. "If you consider Windows 2000, XP, 2003, I would still say that Vista is more secure than all the other operating systems," he said.

Mulchandani also said that, while Microsoft has taken way too big a bite at the security message, Vista is more secure than its predecessors because of features such as User Account Control and others that limit privileges on the operating system.

And that's just the goal Microsoft was aiming for, Toulouse said.

"You have to look at Vista versus XP. A lot of people are holding Vista up and saying in a vacuum it will reach some nirvana of security," Toulouse said. "Our whole goal with Windows Vista was to create a fundamentally more secure operating system than we have ever created previously."

118 comments

Does that mean...
all of us Vista buyers were ripped off by Microsoft? Does the lemon law apply to operating systems also? Could I return Vista for an even trade of Windows XP Professional (There are many other issues with Vista)? I sure would like to know and please, Macs and Linux are NOT an option. I need Microsoft!
Posted by Ted Miller (305 comments )
Reply Link Flag
Come on.....
Why would you ask that question? Vista is more secure than other versions of windows is true...does that mean it won't be attacked...NO...

Does that mean it does not have its flaws NO...

No software in the world is 100% secure...even if the Linux and Mac heads tell you otherwise..

Grow up...
Posted by yardman (16 comments )
Link Flag
As if macs did not run windows as well
Need I remind you that Macs can run Windows as well (if not many times better than most PCs do), either through virtualization or via Boot Camp? You do your Windows stuff offline and then switch back to your Mac OS X environment when done and enjoy a modern operating system. As for issues with Vista, I would expect this one to be the first and unfortunately not the last, given Microsoft's track record on the matter; for the last 30 years they have been selling the next version with the pretext that the upcoming version would be more secure than the last... it seems they have not given up the practice yet. And it would have, as a company, very little reason to ever do so in terms of revenues.

And since Microsoft is pushing Vista with a vengeance, I would expect them not to accept exchanging copies of Vista for old XP (contrary to Apple, which kept 10.3.9 alive while 10.4 was still in its infancy and had a few problems (none of these security related but mostly functionality related)).
Posted by MacHeads (70 comments )
Link Flag
Ridiculous
If you read the article, you would understand that this flaw pertains to previous versions and downgrading to XP or 2000 would only leave you more vulnerable.
Posted by hack311 (10 comments )
Link Flag
Lemon Law not applicable here
If you read the article, you would understand that this flaw pertains to previous versions and downgrading to XP or 2000 would only leave you more vulnerable.
Posted by hack311 (10 comments )
Link Flag
The Most Secure Windows Ever!
Like claiming a Pinto was the most fireproof car ever. . .

Hilarious.
Posted by Sumatra-Bosch (526 comments )
Reply Link Flag
Come on ????? what do you mean
With over 50 million Lines of code, how could it ever be secure.
Posted by Sniche (108 comments )
Link Flag
Consider the source
In the case of claims in the security of Windows, consider the source.
Posted by rcardona2k (318 comments )
Link Flag
That's a relative thing
Windows has security holes big enough to drive a truck through. But in Vista, there are fewer holes, and you have to drive a smaller truck....
Posted by Get_Bent (534 comments )
Link Flag
Why not just fix XP first as an example....
Of what Microsoft can do in the way of security? M$ will say it is too costly and complex but is it really more complex than spending 6 years developing a new OS that seems to follow in XP's footsteps as far as Flaws? No it is not.

What it boils down to here is building a new revenue stream at any cost including overlooking blatant security holes.

I would like to hear from Microsoft when they plan on releasing Service Pack 3 for Windows XP if they are so concerned with security.
It's a laugh because it will never happen. Microsoft is going to leave XP users in the cold and that doesn't say much for their products when you can count on them doing it.

So why repeat a mistake when you know you are going to get left out in the cold unless you fork over hundreds of dollars to M$ after you have already done so?

SuSE Linux Enterprise Desktop version 10 for existing PCs and Macs for new systems is looking more attractive to many people now that M$ is neglecting their existing customer base.
Posted by fred dunn (793 comments )
Reply Link Flag
They are fixing XP...
http://www.microsoft.com/windows/lifecycle/servicepacks.mspx

Actually, according to the above link from Microsoft's website, they are releasing Service Pack 3 for XP in the first half of 2008. Maybe you should do research before posting an ill-informed comment.
Posted by Gock31 (4 comments )
Link Flag
Blown out of proportion
There is no remote exploit for it. It's no blaster that can jump from machine to machine without user assistance. It still comes down to opening an attachment from an unknown source or similar vectors. The update from MS isn't even categorized as critical.

Everyone knew that something would eventually be discovered. No OS from any company has ever been perfect. I think security and news orgs were hoping for something more catastrophic but didn't get it. Biased stories like this are the reaction to that disappointment. Blow it out of proportion and make it sensational!
Posted by smilin:) (889 comments )
Reply Link Flag
No news
This would actually be real news if Microsoft hadn't already patched it. Hmm. Vulnerability found, vulnerability patched.

Case closed.
Posted by Vegaman_Dan (6683 comments )
Link Flag
What dirty little secret?
"The dirty little secret is that Microsoft clearly did not write Vista from scratch."

This is only a secret if you've been living under a rock for the last 5 years. Seems like everyone knows the embarrassing story of how Microsoft *tried* to write Vista from scratch, failed, and had to "reboot" the project, starting over with Windows Server 2003 as the codebase.
Posted by xeroply (4 comments )
Reply Link Flag
Mulchandani is an idiot
MS *NEVER* said Vista was a rewrite from scratch nor did MS even attempt such a rewrite. The dirty little secret is that some fool started spreading that as a rumor and a pack of other fools picked it up.

It was not, is not and never has been true.
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
That's not accurate either
It's a module by module thing. The network stack for instance *was* completely rewritten from scratch. Notepad wasn't.

No modern OS is ever rewritten entirely from scratch. Not OSX, Not Linux. MS never intended to rewrite everything. You've been clearly living under a slightly different rock.
Posted by smilin:) (889 comments )
Link Flag
Sounds bashing
The purpose of it being brought forward here is to help remind the potential customer what garbage he is getting into if he decides to buy it.

I am sure many did not know this and there is nothing wrong with updating it.
Posted by Dragon Forge (96 comments )
Link Flag
Since XP Windows has been a treat
XP has been stable as a rock for me and these vulnerabilities only pertain to those surfing websites with potential exploits, which is something most tech savvy people will not encounter and if you practice safe surfing and wear your "net trojan"(i.e. Security Software)you'll find yourself a happy camper. I'll upgrade to Vista when the program compatibility is fixed.
Posted by hack311 (10 comments )
Reply Link Flag
Vista has a lot of flaws
and I suspect we shall find more. Just the driver issues are enough that I won't switch over to it unless I buy a system with it preinstalled.
Posted by Orion Blastar (590 comments )
Reply Link Flag
But far less than any other desktop OS.
Vista is still by far the most secure desktop Operating System ever if you look at the vulnerability count since launch.
Posted by richto (895 comments )
Link Flag
actually
preinstalled systems are the worst as someone that works with it every day, simply buy a full package and clean install it... Vista has about 31,000 drivers in it so driver issues are not a big deal.. I'm using Ultimate fine on my 7 year old HP!!
Posted by ITprosupport (30 comments )
Link Flag
I'm calling BS
Did the flaw affect Vista? Yes.
Did UAC prevent the machine from being rooted? Yes

So the security improvements in Vista took what would have been a completely compromised machine and made it into something that a reboot would clear.

That is a black eye?
Posted by catch23 (436 comments )
Reply Link Flag
WHAT A LOT OF HOOWIE! ! !
Security experts!?!? What security experts?!?!

At a time when education is so highly acclaimed and the genius minds at ms having so many years of experience to add, as well as the over all intelligent development of society as a whole, why are we encouraged to accept the less than mediocre, to accept whatever is offered and make allowances for the ever growing number of flaws, failures and faux pas.

The ms social engineers and marketeers would like us to forget and minimize all the negatives, the expectations for a solid product, and decide things are just way too complicated for our simple minds to possibly grasp.

symantec is on record as having their own concerns about the vista product. The beta, pre-, and release having been nothing but plagued with bs and problems,.... So we had to wait forever for a new o/s, that does not mean we have to accept it nor that it is an inevitability.

Vetting, which is the new marketing term for Quality Assuring, which was the new term for doing a half decent job without creating a special department or process for it is the bell ringer of poor education and development. A huge erosion of the quality of work and effort and society's bleating lamb acceptance of it as an "inevitability" ("what can I do").

If there is a whole department, branch, group, name for checking to make sure everything is ok and they can not complete this task are you going to listen to half azd excuses?

This is what you call spinning your wheels. A whole lot of something amounting to nothing. So the i/f is a lil more confounding to the typical yahoo and their casual attempts to bypass the o/s, this definitely does not make it a more secure version of the winduhs o/s.

No I am sorry but I have been advertising these facts for 9 months now and it seems that at every turn am proven well founded in my concerns.

The roots are the typical business model and education system confined to thinking structure is the same as regimentation and that there are precise, specific orders to ALL things that can be managed. That is confinement in a box and it seems as though there are no air holes.

I challenge my children all the time making them vicious guardians of the common sense and social rights to real unfettered expectations from businesses, as well as in their outlook of the world. Who is challenging ms to think outside their stale little environment.

You wait so long for an overburdened hunk of s/w and will wait just as long for it to be safe and stable, if ever.
Posted by Dragon Forge (96 comments )
Reply Link Flag
Thank You
You have spoken well!
Posted by Ted Miller (305 comments )
Link Flag
symantec should..
symantec should have enough shame to not comment on ms or any of their operating systems...good lord has anyone seen or used the uninstall norton tool published on symantec's website..I mean what kind of crap product has to publish their own removal tool? symantec has gone down the drain in antivirus protection because their programmers are perhaps the worst in the world!!
Posted by ITprosupport (30 comments )
Link Flag
Just like I thought...
We'll have to wait for vista to be patched over and over again before it's worth it. Lack of drivers, OS not built from scratch, code copied from previous versions. Bleeeeech!

My version of XP, from what I could tell, wasn't vulnerable to this new attack because the previous patch worked like it was supposed to. Last night, I received the new patch anyway, with a disclaimer saying it could break the HD audio control center... sheesh, what knuckleheads. They should be glad it didn't break mine, it's vitally important that my audio cards and software work.
Posted by mattumanu (599 comments )
Reply Link Flag
You're blaming the messenger
Don't blame third-parties for producing patches ahead of Microsoft! Who created the problem to begin with?? I, for one, want patches that will protect my systems from compromise. Let ME, the consumer, decide whose patch I apply. Do you think I would automatically trust Microsoft??

I think you are living in your own naive world.
Posted by rcardona2k (318 comments )
Reply Link Flag
Vista was rewritten, with old NT code...
for years people have said that windows needs to be re-written from the ground up to fix all of its security problems. so, microsoft, after years and years of development on longhorn, comes back and says "it's re-written". yah right, and this latest exploit shows that they're still using old code in the OS.

people are going to start realizing this as more and more of these vulnerabilities emerge which just doesn't affect vista but affects other versions as well. i wonder when microsoft will quit lying to customers? is this their version of "trustworthy computing?"
Posted by SparXXXie (16 comments )
Reply Link Flag
It's still Windows
You can dress up a pig with fancy special effects and visuals, but it's still a pig.
Posted by Xenu7-214951314497503184010868 (153 comments )
Reply Link Flag
No kidding
I bought a new Gateway Media Center PC in February with Window Vista Premium Edition installed. I was excited to finally have a new ground up version of Windows to use, and I couldn't wait to boot it up. Needless to say, I was dismayed to catch a glimpse of the MS DOS boot sequence window upon start up.

@#%?!!!
Posted by kingofgrills (16 comments )
Link Flag
Exactly My Experience
Yes, that has been exactly my experience with Vista.

I have upgraded 5 clients, and 2 of my boxes to it, and I am done
with it. For me now, it's XP, Linux, and Mac.

Done with Vista.

The Pig Lives.
Posted by dansterpower (2511 comments )
Link Flag
Start from Scratch, MS!
If Microsoft really wants to make a better product, they will need to start from scratch. Apple did this with OSX, and as far as I am concerned, it went pretty smoothly (I started using OSX when it was beta -- 10.0).

The problem will come with Microsoft's partners. Apple controls the hardware and software, so a transition to a new OS was much simpler without having to deal with all of the possible configurations. Of course, MS could pull a 'Zune' -- build its own hardware and software, while alienating partners (online purchased music can only come from the Zune store, not any of the other partners like Napster, Rhapsody, et cetera -- of course you can still load music from CDs). Otherwise, Windows will continue to bloat, have more exploitable code, et cetera.

I wonder how long it will take to develop the next version of Windows (insert service pack number here _____)? Five years? Ten?
Posted by jypeterson (181 comments )
Reply Link Flag
Apple did not do that with OSX
Apple is so skilled at writing an OS that they threw it out and did a cut and paste job from FreeBSD.
You'll note some of their bug fixes are related to that.
Posted by catch23 (436 comments )
Link Flag
The world wouldn't mind another 5 years
I figure the OS will truly be irrelevant by then.
Posted by rcardona2k (318 comments )
Link Flag
MS Can't Start from Scratch
The reason for Microsoft's OS market share is the fact that they are backward compatible to Windows 95 and Win32 API software. There is a huge amount of legacy software in existence that relies on this backward compatibility. The cost of rewriting this software is what prevents many corporations from moving to better platforms like Linux or OSS. If Microsoft wants to really improve its operating system, it will need break this backward compatibility. This will mean that all companies will be faced with the choice of rewriting their legacy software for Linux, OSX, or the new Microsoft OS. All things being equal, most corporations would prefer to move to a non-proprietary vendor-independent platform.
Posted by fcekuahd (244 comments )
Link Flag
or maybe not
apple osx is so great that they have managed to capture maybe 10% of the market so your strategy would have ms capture 10% and drop the other 80% ...brilliant..lmao
Posted by ITprosupport (30 comments )
Link Flag
Simple Solution...
For all who complain about the "modern" operating systems: Go back to using DOS or Windows 3.x.

That wouldn't be of much use, but, hey, how many hackHeads are going to target such "simple" systems? You know those "types" like a "challenge".

Also, think of how blazingly fast those older OS's would be when installed on a system with today's advanced hardware!

Duke Nukem, here I come!!!

:-)

End.
Posted by DemePoole (33 comments )
Reply Link Flag
The Bottom Line
Let's face it, Microsoft has to answer to its investors like any other business in the world. The problem they are facing is the same one that Ford, GM, Chrysler and all the other major corporations face. It's called market saturation. The big red line has been climbing off the chart for well over 2 decades, but suddenly (Oh My!) the line is starting to drop. Big surprise there eh? Of course it is, everyone who wants a computer, has a computer, and it has a functioning OS as well. The automobile manufacturers faced this same problem in the 70's and 80's and they figured out that 85% of the market, already owned a vehicle. So, they decided to adapt, and began to sell a "second vehicle". This went both directions, a second more luxurious vehicle, or a second more economical vehicle. They didn't try to convince the world that every car owner should have their engine replaced and a new paint job. They actually designed vehicles for purposes other than basic transportation.
Posted by Wiz Wildstar (15 comments )
Reply Link Flag
Good point, Wiz Wildstar
Also, as I am sure everyone knows, that, at least in America, citizens have (some) freedom of choice.

Some companies might "push" their products harder than other companies, but it still comes down to CHOICE.

People need to understand that business is about making M-O-N-E-Y. Companies will get your money anyway they can; even if it means embellishing on the "truth" a little!

No one seriously expects a Burger King Whopper to look like it does in the commercial, but, yet, people still eat at Burger King. Burger King knows that if they showed a commercial with some pimply faced teenager, wiping his/her nose WHILE they are making YOUR food, that they would be out of business. Its called MARKETING; or make money first, fix the problems later.

I'm in IT and I don't plan on using Vista any time soon, unless I have to or I can get a free eval copy. Not to mention that I don't want to shell out the bucks, just yet, for an OS that JUST came out. Heck, I don't even own a computer that is capable of running the hog!

For now I will stick with what works.

All in all, it comes down to choice. Stick with what works or go with something that is still, basically, in the testing phase.

End.
Posted by DemePoole (33 comments )
Link Flag
Actually...
The car analogy was a touch off, but here's what happened:

The reason Ford, GM, et al were hating life in the 1970's and on began during the 1974 OPEC oil embargo.

Suddenly, it wasn't so cool (and comfortable) to have a huge V-8 engine and a land-barge sized 6,000 lb vehicle anymore. Then, here come the Japanese cars - with efficient gas-sipping engines and no-frills designs that basically just worked.

Now fast-forward a little to the late '70's when inflation made everyone feel the fiscal pinch. You're now stuck with choosing between buying an expensive ol' bloated vehicle that wasn't much (if any) improvement over earlier models (you know, like Vista), vs. a less expensive, efficient, flexible, and while not luxurious, it was a still highly useful vehicle (like, say, Linux...)

Nowadays, the Honda or Toyota are king, and everyone finds them comfy, useable, and (e.g. the "ricer" crowd) very customizable.

Detailed history puts things into real perspective, no? :)

You are right about car companies adapting, however. The domestic muscle cars and the oil-tanker-sized cars practically evaporated come the early '80s, as they all did their level best to chase the memes that captured hearts, minds, and --most importantly-- wallets. The results were often damned ugly (Dodge K-Car, anyone?), with few successes.

The SUV sprung from a combination of the minivan and the Jeep. The minivan itself and the SUV are the only real innovations to have come from US car companies since the 70's, IMHO... and both came from one player which had wasted away on the fringes for years - Chrysler (which serves as a wonderful corollary to Apple, no?).

As far as car companies, I'd put it this way:

MSFT = Ford or GM: Stuck with chasing trends and institutionally unable to do more than copy the work of others and rely on brand loyalty to keep them alive.

Apple = Daimler-Chrysler: Able to come up with innovations and improvements (SUV, Minivan, Viper, etc), and a somewhat familiar brand, though not as agile as...

Linux = Toyota, Honda, Hyundai, etc: Agile, able to adapt, places a premium on functionality over form, but still manages to look pretty slick, though nowhere near as liable to spin up the word "luxury" in most minds offhand... at least not yet.

/P
Posted by Penguinisto (5042 comments )
Link Flag
Not quite.
Actually Internet Explorer Protected Mode prevents an exploit.

If you run an insecure browser like Firefox then you are still potentially screwed...

Possibly UAC will then protect you.
Posted by richto (895 comments )
Reply Link Flag
The Bottom Line
Let's face it, Microsoft has to answer to its investors like any other business in the world. The problem they are facing is the same one that Ford, GM, Chrysler and all the other major corporations face. It's called market saturation. The big red profit line has been climbing off the chart for well over 2 decades, but suddenly (Oh My!) the line is starting to drop. Big surprise there eh? Of course it is, everyone who wants a computer, has a computer, and it has a functioning OS as well. The automobile manufacturers faced this same problem in the 70's and 80's and they figured out that 85% of the market, already owned a vehicle. So, they decided to adapt, and began to sell a "second vehicle". This went both directions, a second more luxurious vehicle, or a second more economical vehicle. They didn't try to convince the world that every car owner should have their engine replaced and a new paint job. They actually designed vehicles for purposes other than basic transportation.
The computer hardware vendors know this, and they build systems for every level of computing. If "Joe Sixpack" wants to surf the web and chat, and e-mail, all he needs is a pentium 3 machine and a barebones OS with really good networking. If "Mr.Big Business" wants all the bells and whistles, give him a dual or quad core with Server as his OS. And if "The bleary-eyed Gamer" wants a jillion gigahertz box with 20 jillion meg of video with 10 processors, give him a megabuck OS to go along with his mega buck box. But please don't try and convince the world that your ONE new OS is the Do-All Be-All OS for everyone.
If you want the major market share, give the people what they want. Microsoft has 2000 Pro, XP and Vista. The first two more than meet the needs of millions of people, so keep on selling it. If the customer liked his first pickup truck, you can pretty well bet he'll be back to buy his next one from the same place too. But don't try to convince him that your new sooper dooper "mini-suv" is gonna be just what he needs. He liked his pickup, so sell him a new one with all the new features. He knew when he bought it, the warranty would eventually expire, and he'd have to buy another one. Give the consumer a little credit here. They are not all techno-geeks, but they're not stupid either. Charge a fair price, support it for a specified length of time and if the product is good, they will return to buy another.
People become comfortable with everything they possess, and when they are told that one of their beloved possessions is obsolete and must be "put down" on the word of some outsider, it will not sit well with them at all. If you can offer them a replacement that looks and feels about the same, they will at least give it a look. But DO NOT force them into hundreds of dollars of hardware upgrades or completely new systems BEFORE they're required to pay hundreds more dollars just so they can have the same thing they had, but with a really pretty front window. Trust me on this one, they aren't gonna take very kindly to the idea.
Microsoft should continue to offer its existing "stable" product line and offer major updates, even for a fee, as well as adding new products to the line. No matter how many "flavors" of Cadillac you sell, some people still want their 1 ton pickup trucks!
Posted by Wiz Wildstar (15 comments )
MS did get ONE thing right
We continue to test Vista before any upgrade recommendation.

I found a website this morning that tried to pass on the Exploit:Win32/Anicmoo.A as identified on the Microsoft Live OneCare Site. This is an exploit of Windows improperly handling animated cursor (.ani) files.

Windows Live OneCare did identify and delete the threat without incident.
Posted by techbiz (1 comment )
Eh?
Calling Firefox insecure is just plain ignorant. As the video pointed out, Firefox was only vulnerable because it was using a component straight from Microsoft. The real question here is why Microsoft has Vista restricting permissions of IE (so they can claim security) while giving another browser, Firefox, full write capabilities to the entire operating system. They're holding Firefox to a higher standard than their own Internet Explorer, and when Firefox has a vulnerability, they're able to say "See, it had a problem that could screw your whole computer". If Internet Explorer has the same vulnerability, Microsoft can say "Well, it was run in a sandbox and didn't have access to your system, so it's ok". That's the real question. If Vista is so secure, why can a third party app access the entire hard drive that easily? Why don't they restrict all browsers at the same security level they restrict IE at?
Posted by Netrilix (7 comments )
Oops
Meant to reply to richto.
Posted by Netrilix (7 comments )
because..
the people behind firefox demanded it that way honey...next question?
Posted by ITprosupport (30 comments )
I *don't* trust Microsoft
That's why I run Windows in a snapshot-backed virtualization jail
--where it belongs.

Any "security professional" should do the same...

Windows doesn't belong on the hardware, period.
Posted by rcardona2k (318 comments )
Microsoft shouldn't make promises
Microsoft are shooting themselves in the foot if they want to claim that Vista will be the most *secure* OS yet. Windows is a hacker's candy bag. Exploits will be found and patches will be applied time and time again. I hope Vista has fewer security holes found than XP.
Posted by pentium4forever (192 comments )
Read the promise before you say they broke it
The actual quote from the article is "most secure version of Windows yet". You left out "version of Windows" which is a much smaller claim than most secure OS.

Here's another claim: if I spray some perfume on some dog poo, it might well be "the most pleasant smelling dog poo yet", but it will still not be very pleasant smelling.
Posted by refusalspam (3 comments )
It ALWAYS amazes me...
how Windows users try to rationalize and justify the security (or
lack thereof) of Windows.

And the worst part is, they try to drag every other OS down with
'em.

Windows has more glory holes than a German bathhouse :-)
Posted by kentonr (25 comments )
The Most Fireproof Pinto - EVER!
Who else in the universe could develop an operating system with a dangerously exploitable cursor but Microsoft?

At least Ford can make a car that isn't plagued by its tires spontaneously bursting into flames.
Posted by Sumatra-Bosch (526 comments )
lmao
Dangerously exploitable cursor!!?? You sound like someone that would actually buy a Pinto!! What the hell would you want an animated cursor for?? Get serious and grow up!!
Posted by ITprosupport (30 comments )
Disgusted with Vista
I have put three of my clients on Vista boxes in the past 10 days
-- two migrated from Win 2000 and one from XP. All run
businesses on their PCs.

All three of them have called me to tell me how frustrated they
are with the migration, with incompatibilities in older apps,
especially one business critical app with some older visual basic
code.

All three of them have lost in my recommendation.

Apart from Vista's handling of 10bit graphics for future HD
applications in Dental Imaging (an industry I service) I must say
that Vista is a HUGE disappointment to me: I don't like the
interface, I think Microsoft has totally botched the security, UAC
is a Complete and Annoying Joke, and so many old Microsoft
annoyances and GUI flaws still exist.
Posted by dansterpower (2511 comments )
Can You Say Vistapocalypse?
Almost everyone who boots Vista regrets it.

Can you tear it out and go back to NT and XP?
Posted by Sumatra-Bosch (526 comments )
You blame Vista and MS
IT'S YOUR FAULT! I specialize in SBS support, I will move customers to Vista...only when I have tested it for them.

Crazy what you did.
Posted by Lindy01 (443 comments )