The software giant broke with its monthly patch cycle Tuesday to fix a bug that cybercrooks had been using since last week to attack Windows PCs, including those running Vista.
"As far as software vulnerabilities go, Vista's cover is blown," said Nand Mulchandani, a vice president at Determina, the company that discovered the latest security bug. "It is not Superman; it is just a human being. It is just software. Vista is going to be very similar to the other operating systems Microsoft has delivered in terms of bugs."
Microsoft officially launched Vista for consumers in January, promoting the operating system as the most secure version of Windows yet. It is the first client version of Windows built with security in mind, meaning that it should have fewer coding errors that might be exploited in attacks, Microsoft has said.
Yet the "critical" hole that affected much older Windows versions also hit Vista. The vulnerability lies in the way Windows handles animated cursors and could let an attacker commandeer a PC when the user views a malicious Web site or e-mail message.
The cursor flaw lies in the operating system code. This means that any application that relies on the operating system to handle animated cursor files could be an attack vector. This includes alternative browsers, such as Firefox.
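Because every application that hands .ani files to the operating system shares the same parser, a defender's first line is to reject malformed cursor files at the mail gateway or proxy before they reach a client. The structural check below is an added example, not code from the article, Microsoft or Determina; it assumes only the documented ANI layout (a RIFF container of form type "ACON" whose "anih" chunk carries a fixed 36-byte ANIHEADER) and treats any chunk whose declared size disagrees with the container or with that fixed header as malformed.

```python
"""
Structural validator for animated-cursor (.ani) files, intended as a
defender-side filter for a mail gateway or web proxy.  Added example, not
code from the article.  Assumption: ANI files are RIFF/"ACON" containers
and the "anih" chunk holds a 36-byte ANIHEADER whose first DWORD repeats
that size; anything else is rejected rather than passed to a client parser.
"""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine 32-bit fields


def _iter_chunks(data, start, end):
    """Yield (fourcc, payload_offset, size) for each chunk in data[start:end].
    Raise ValueError when a declared size runs past the enclosing region."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = pos + 8
        if size > end - payload:
            raise ValueError(f"chunk {fourcc!r} declares {size} bytes, only {end - payload} remain")
        yield fourcc, payload, size
        pos = payload + size + (size & 1)  # RIFF chunks are word-aligned
    if pos != end:
        raise ValueError("trailing bytes do not form a complete chunk header")


def validate_ani(data):
    """Return (ok, reason); ok is True only for a structurally consistent file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return False, "not a RIFF/ACON container"
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        return False, f"RIFF size {riff_size} exceeds file length {len(data)}"
    saw_anih = False
    try:
        for fourcc, off, size in _iter_chunks(data, 12, riff_size + 8):
            if fourcc == b"anih":
                if size != ANIH_SIZE:
                    return False, f"anih chunk size {size} != {ANIH_SIZE}"
                declared = struct.unpack_from("<I", data, off)[0]
                if declared != ANIH_SIZE:
                    return False, f"anih cbSizeof {declared} != {ANIH_SIZE}"
                saw_anih = True
            elif fourcc == b"LIST":
                # LIST chunks (frames, rate tables) nest more chunks after a 4-byte type
                if size < 4:
                    return False, "LIST chunk shorter than its type field"
                for _ in _iter_chunks(data, off + 4, off + size):
                    pass
    except ValueError as e:
        return False, str(e)
    if not saw_anih:
        return False, "missing anih chunk"
    return True, "ok"


def _chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_sample(anih_len=ANIH_SIZE):
    """Constructed minimal .ani file for testing (not a real cursor); anih_len
    lets a test produce a file whose anih chunk size disagrees with the header."""
    header = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
    anih = _chunk(b"anih", header.ljust(anih_len, b"\0")[:anih_len])
    body = b"ACON" + anih
    return b"RIFF" + struct.pack("<I", len(body)) + body
```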
It is a flaw that should have been caught by Microsoft's code-vetting processes for Vista, called the Security Development Lifecycle, some experts said. The flaw is also evidence that faulty code from previous Windows versions has been copied into Vista, they said.
"It is a little premature to attack the whole effort altogether, but this is something that the Security Development Lifecycle should have caught," said Amol Sarwate, a research manager at vulnerability management company Qualys.
The buffer overflow vulnerability in the cursor function in particular should have already been fixed because a bug in the same Windows component was patched two years ago, said Rohit Dhamankar, manager of security research at TippingPoint, a seller of intrusion prevention products. That should have prompted re-examination of the code, Dhamankar said.
Microsoft disputes that it should have caught the cursor bug before. People who say so don't understand security vulnerabilities because not all bugs are created equal, said Stephen Toulouse, senior product manager in Microsoft's Security Technology Unit.
"In the case of the cursor vulnerability, even though something may look similar to the outside, that doesn't mean the code is anything alike to the previous vulnerability," Toulouse said. "The SDL was never meant to catch every single vulnerability, period."
But Dhamankar argues that Microsoft forgot to recheck all the possibilities that could lead to a buffer overflow after the original bug was found and patched in 2005.
Mulchandani agreed. "The dirty little secret is that Microsoft clearly did not write Vista from scratch. They did not completely build a whole new code base for this operating system. Every version of Windows since Windows NT has had this flaw in it," he said.
Microsoft does acknowledge that Vista will have vulnerabilities. "There are going to be other vulnerabilities. The SDL is not a process by which no vulnerabilities will ever occur. There is no process on this planet that can do that," Toulouse said.
The cursor flaw is a signpost for bug hunters: attackers will now look for bugs in similar Windows components to find ways to attack Vista.
"This has been a very significant break and it definitely gives a big pointer," Dhamankar said. "If more such errors are found later, Vista is not going to be able to offer the great protection that's claimed."
Still, Microsoft's Vista security promise doesn't fall apart because of this single vulnerability. Vista is more secure than XP or any other Microsoft client operating system, Sarwate said. "If you consider Windows 2000, XP, 2003, I would still say that Vista is more secure than all the other operating systems," he said.
Mulchandani also said that, while Microsoft has overreached with its security message, Vista is more secure than its predecessors because of features such as User Account Control and others that limit privileges on the operating system.
And that's just the goal Microsoft was aiming for, Toulouse said.
"You have to look at Vista versus XP. A lot of people are holding Vista up and saying in a vacuum it will reach some nirvana of security," Toulouse said. "Our whole goal with Windows Vista was to create a fundamentally more secure operating system than we have ever created previously."
Does that mean it does not have its flaws? NO...
No software in the world is 100% secure...even if the Linux and Mac heads tell you otherwise..
Grow up...
times better, than most PCs do either through virtualization or via Boot Camp? You do your Windows stuff offline and then switch back to your Mac OS X environment when done and enjoy a modern operating system. As for issues with Vista, I would expect this one to be the first and unfortunately not the last, given Microsoft's track record on the matter; for the last 30 years they have been selling the next version with the pretext that the upcoming version would be more secure than the last... it seems they have not yet given up the practice). And it would have as a company very little reason to ever do so in terms of revenues.
And since Microsoft is pushing Vista with a vengeance, I would expect them not to accept exchanging copies of Vista against old XP (contrary to Apple, which kept 10.3.9 alive while 10.4 was still in its infancy and had a few problems (none of these security related but mostly functionality related)).
Hilarious.
What it boils down to here is building a new revenue stream at any cost including overlooking blatant security holes.
I would like to hear from Microsoft when they plan on releasing Service Pack 3 for Windows XP if they are so concerned with security.
It's a laugh because it will never happen. Microsoft is going to leave XP users in the cold and that doesn't say much for their products when you can count on them doing it.
So why repeat a mistake when you know you are going to get left out in the cold unless you fork over hundreds of dollars to M$ after you have already done so?
SuSE Linux Enterprise Desktop version 10 for existing PCs and Macs for new systems is looking more attractive to many people now that M$ is neglecting their existing customer base.
Actually, according to the above link from Microsoft's website, they are releasing Service Pack 3 for XP in the first half of 2008. Maybe you should do research before posting an ill-informed comment.
Everyone knew that something would eventually be discovered. No OS from any company has ever been perfect. I think security and news orgs were hoping for something more catastrophic but didn't get it. Biased stories like this are the reaction to that disappointment. Blow it out of proportion and make it sensational!
Case closed.
This is only a secret if you've been living under a rock for the last 5 years. Seems like everyone knows the embarrassing story of how Microsoft *tried* to write Vista from scratch, failed, and had to "reboot" the project, starting over with Windows Server 2003 as the codebase.
It was not, is not and never has been true.
No modern OS is ever rewritten entirely from scratch. Not OSX, Not Linux. MS never intended to rewrite everything. You've been clearly living under a slightly different rock.
I am sure many did not know this and there is nothing wrong with updating it.
What's more is CNET News linked to the ZERT patch, which was never going to be picked up by the majority of Microsoft consumers of vulnerable machines, making the availability of the patch counterproductive and giving aid to international hackers rather than the international network worldwide of vulnerable Microsoft machines.
something needs to be done so these third party patches can't reach the bad guys, and third party patches shouldn't be publicly available in order to make sure of this.
if eEye and ZERT etc insist on building third party patches, they should only allow trusted official security sources to have the availability, in order to make sure the bad guys can't use them to patch their bot nets.
trusted official security sources should have to register to be part of a third party patch service and those registered should be verified by ZERT, eEye etc before any third party patch is made available.
moreover, Microsoft could offer an early patch service for trusted registered users, who can be trusted not to push out a patch before the official public launch.
i think for corporate, trusted private researchers and official security sources there is a market for third party or early Microsoft patches, but offering them to the public at large only guarantees the bad guys can patch their bot nets and make legitimate rogue and malicious patches pretending to be a third party patch, so the bad guys can install trojan horses and keylogging software onto a victim's system.
something needs to be done before the next 0-day comes along to stop the availability of third party patches to the bad guys...
the situation is a disgrace and a shambles allowing just any tom, dick and harry to download third party patches before an official patch is available.
n3td3v
Did UAC prevent the machine from being rooted? Yes
So the security improvements in Vista took what would have been a completely compromised machine and made it into something that a reboot would clear.
That is a black eye?
At a time when education is so highly acclaimed and the genius minds at MS having so many years of experience to add, as well as the overall intelligent development of society as a whole, why are we encouraged to accept the less than mediocre, to accept whatever is offered and make allowances for the ever growing number of flaws, failures and faux pas?
The ms social engineers and marketeers would like us to forget and minimize all the negatives, the expectations for a solid product, and decide things are just way too complicated for our simple minds to possibly grasp.
symantec is on record as having their own concerns about the vista product. The beta, pre-, and release having been nothing but plagued with bs and problems,.... So we had to wait forever for a new o/s, that does not mean we have to accept it nor that it is an inevitability.
Vetting, which is the new marketing term for Quality Assuring, which was the new term for doing a half decent job without creating a special department or process for it, is the bell ringer of poor education and development. A huge erosion of the quality of work and effort and society's bleating lamb acceptance of it as an "inevitability" ("what can I do").
If there is a whole department, branch, group, name for checking to make sure everything is ok and they can not complete this task are you going to listen to half azd excuses?
This is what you call spinning your wheels. A whole lot of something amounting to nothing. So the i/f is a lil more confounding to the typical yahoo and their casual attempts to bypass the o/s, this definitely does not make it a more secure version of the winduhs o/s.
No I am sorry but I have been advertising these facts for 9 months now and it seems that at every turn am proven well founded in my concerns.
The roots are the typical business model and education system confined to thinking structure is the same as regimentation and that there are precise, specific orders to ALL things that can be managed. That is confinement in a box and it seems as though there are no air holes.
I challenge my children all the time making them vicious guardians of the common sense and social rights to real unfettered expectations from businesses, as well as in their outlook of the world. Who is challenging ms to think outside their stale little environment.
You wait so long for an overburdened hunk of s/w and will wait just as long for it to be safe and stable, if ever.
My version of XP, from what I could tell, wasn't vulnerable to this new attack because the previous patch worked like it was supposed to. Last night, I received the new patch anyway, with a disclaimer saying it could break the HD audio control center... sheesh, what knuckleheads. They should be glad it didn't break mine; it's vitally important that my audio cards and software work.
I think you are living in your own naive world.
Why not?
[QUOTE]Who created the problem to begin with??[/QUOTE]
Um the folks who told the public about the vulnerabilty and exploit code before Microsoft was ready to release a patch?
[QUOTE] Let ME, the consumer, decide whose patch I apply. [/QUOTE]
Microsoft's patch is always the best patch, they have the source code to the operating system.
[QUOTE]Do you think I would automatically trust Microsoft??[/QUOTE]
If you don't trust Microsoft or their patches then why on earth do you run their operating system to begin with?
[QUOTE]I think you are living in your own naive world.[/QUOTE]
yeah right. i'm a security professional, what are you? i monitor this stuff 24 hours a day, i know the issues.
you clearly don't understand the broader issue of hackers using third party patch trends to their advantage, and the lack of international availability of those third party patches to the larger scope of microsoft consumers.
ZERT etc just don't have the ability to reach every microsoft operating system.
what's the point in releasing a third party patch where 1% or less of operating systems are going to be patched by it?
they are opening up the door to hackers to have the ability to spawn fake patches and use third party patches to patch compromised systems.
now hackers are going say if ZERT can do it, we can too.
except the hackers' patches won't patch the system, they'll exploit it.
if ZERT, eEye get their way, consumers will start trusting patches from just anyone, leading to further uncertainty that the patch is real or fake!
let's see, phishing with fake patches... i can see the headlines to come.
wait, it's already happening.
thanks ZERT etc!
people are going to start realizing this as more and more of these vulnerabilities emerge which just doesn't affect vista but affects other versions as well. i wonder when microsoft will quit lying to customers? is this their version of "trustworthy computing?"
@#%?!!!
I have upgraded 5 clients, and 2 of my boxes to it, and I am done with it. For me now, it's XP, Linux, and Mac.
Done with Vista.
The Pig Lives.
The problem will come with Microsoft's partners. Apple controls the hardware and software, so a transition to a new OS was much simpler without having to deal with all of the possible configurations. Of course, MS could pull a 'Zune' -- build its own hardware and software, while alienating partners (online purchased music can only come from the Zune store, not any of the other partners like Napster, Rhapsody, et cetera -- of course you can still load music from CDs). Otherwise, Windows will continue to bloat, have more exploitable code, et cetera.
I wonder how long it will take to develop the next version of Windows (insert service pack number here _____)? Five years? Ten?
You'll note some of their bug fixes are related to that.
That wouldn't be of much use, but, hey, how many hackHeads are going to target such "simple" systems? You know those "types" like a "challenge".
Also, think of how blazingly fast those older OS's would be when installed on a system with today's advanced hardware!
Duke Nukem, here I come!!!
:-)
End.
Some companies might "push" their products harder than other companies, but it still comes down to CHOICE.
People need to understand that business is about making M-O-N-E-Y. Companies will get your money anyway they can; even if it means embellishing on the "truth" a little!
No one seriously expects a Burger King Whopper to look like it does in the commercial, but, yet, people still eat at Burger King. Burger King knows that if they showed a commercial with some pimply faced teenager, wiping his/her nose WHILE they are making YOUR food, they would be out of business. It's called MARKETING; or make money first, fix the problems later.
I'm in IT and I don't plan on using Vista any time soon, unless I have to or I can get a free eval copy. Not to mention that I don't want to shell out the bucks, just yet, for an OS that JUST came out. Heck, I don't even own a computer that is capable of running the hog!
For now I will stick with what works.
All in all, it comes down to choice. Stick with what works or go with something that is still, basically, in the testing phase.
End.
The reason Ford, GM, et al were hating life in the 1970's and on began during the 1974 OPEC oil embargo.
Suddenly, it wasn't so cool (and comfortable) to have a huge V-8 engine and a land-barge sized 6,000 lb vehicle anymore. Then, here come the Japanese cars - with efficient gas-sipping engines and no-frills designs that basically just worked.
Now fast-forward a little to the late '70's when inflation made everyone feel the fiscal pinch. You're now stuck with choosing between buying an expensive ol' bloated vehicle that wasn't much (if any) improvement over earlier models (you know, like Vista), vs. a less expensive, efficient, flexible, and while not luxurious, it was a still highly useful vehicle (like, say, Linux...)
Nowadays, the Honda or Toyota are king, and everyone finds them comfy, useable, and (e.g. the "ricer" crowd) very customizable.
Detailed history puts things into real perspective, no? :)
You are right about car companies adapting, however. The domestic muscle cars and the oil-tanker-sized cars practically evaporated come the early '80s, as they all did their level best to chase the memes that captured hearts, minds, and --most importantly-- wallets. The results were often damned ugly (Dodge K-Car, anyone?), with few successes.
The SUV sprung from a combination of the minivan and the Jeep. The minivan itself and the SUV are the only real innovations to have come from US car companies since the 70's, IMHO... and both came from one player which had wasted away on the fringes for years - Chrysler (which serves as a wonderful corollary to Apple, no?).
As far as car companies, I'd put it this way:
MSFT = Ford or GM: Stuck with chasing trends and institutionally unable to do more than copy the work of others and rely on brand loyalty to keep them alive.
Apple = Daimler-Chrysler: Able to come up with innovations and improvements (SUV, Minivan, Viper, etc), and a somewhat familiar brand, though not as agile as...
Linux = Toyota, Honda, Hyundai, etc: Agile, able to adapt, places a premium on functionality over form, but still manages to look pretty slick, though nowhere near as liable to spin up the word "luxury" in most minds offhand... at least not yet.
/P
If you run an insecure browser like Firefox then you are still potentially screwed...
Possibly UAC will then protect you.
The computer hardware vendors know this, and they build systems for every level of computing. If "Joe Sixpack" wants to surf the web and chat, and e-mail, all he needs is a pentium 3 machine and a barebones OS with really good networking. If "Mr.Big Business" wants all the bells and whistles, give him a dual or quad core with Server as his OS. And if "The bleary-eyed Gamer" wants a jillion gigahertz box with 20 jillion meg of video with 10 processors, give him a megabuck OS to go along with his mega buck box. But please don't try and convince the world that your ONE new OS is the Do-All Be-All OS for everyone.
If you want the major market share, give the people what they want. Microsoft has 2000 Pro, XP and Vista. The first two more than meet the needs of millions of people, so keep on selling it. If the customer liked his first pickup truck, you can pretty well bet he'll be back to buy his next one from the same place too. But don't try to convince him that your new sooper dooper "mini-suv" is gonna be just what he needs. He liked his pickup, so sell him a new one with all the new features. He knew when he bought it, the warranty would eventually expire, and he'd have to buy another one. Give the consumer a little credit here. They are not all techno-geeks, but they're not stupid either. Charge a fair price, support it for a specified length of time and if the product is good, they will return to buy another.
People become comfortable with everything they possess, and when they are told that one of their beloved possessions is obsolete and must be "put down" on the word of some outsider, it will not sit well with them at all. If you can offer them a replacement that looks and feels about the same, they will at least give it a look. But DO NOT force them into hundreds of dollars of hardware upgrades or completely new systems BEFORE they're required to pay hundreds more dollars just so they can have the same thing they had, but with a really pretty front window. Trust me on this one, they aren't gonna take very kindly to the idea.
Microsoft should continue to offer its existing "stable" product line and offer major updates, even for a fee, as well as adding new products to the line. No matter how many "flavors" of Cadillac you sell, some people still want their 1 ton pickup trucks!
MS did get ONE thing right
by techbiz April 4, 2007 3:37 PM PDT
We continue to test Vista before any upgrade recommendation.
I found a website this morning that tried to pass on the Exploit:Win32/Anicmoo.A as identified on the Microsoft Live OneCare Site. This is an exploit of Windows improperly handling animated cursor (.ani) files.
Windows Live OneCare did identify and delete the threat without incident.