The Active Network
ActiveMac Anonymous | Create a User | Reviews | News | Forums | Advertise  
 

  *  

  Is Vista Really Bug-Plagued as the NY Times Claims?
Time: 08:10 EST/13:10 GMT | News Source: BetaNews | Posted By: John Quigley

Last week's discovery of a non-critical bug affecting the old 32-bit Windows API, which BetaNews reported on at the time, was picked up by The New York Times this morning, although its severity was substantially elevated in the process. Under the headline "Flaws Are Detected in Microsoft's Vista," the message box problem was touted as triggering "an early crisis of confidence in the quality of its Windows Vista operating system." Yet tests of the flaw conducted by BetaNews suggest that, while the bug can crash Windows XP, its roots in the Win32 API dating back to Windows 3.1, coupled with the fact that the source code for the proof-of-concept appears to be straight ANSI C, directly contradict the Times' implication that the bug somehow afflicts Internet Explorer 7.0.

Write Comment
Return to News

  Displaying 1 through 25 of 352
Last | Next
  The time now is 2:52:51 PM ET.
Any comment problems? E-mail us
#1 By 7711 (71.168.203.4) at 12/27/2006 8:47:59 AM
"picked up by The New York Times this morning, although its severity was substantially elevated in the process."

What a surprise.....

All the news that's fit to distort......

#2 By 8556 (12.207.97.148) at 12/27/2006 9:28:31 AM
A slow news day in NYC.

#3 By 7754 (216.160.8.41) at 12/27/2006 11:28:02 AM
Fact-checking obviously not a priority at NYT. Sells more papers, y'know!

Actually, considering how high the stakes are to be the one to report "the first Vista vulnerability," how insignificant this bug is, that the Vista betas were publicly available for months, and that the RTM version has already been out for awhile, I think it speaks quite highly for Vista's security.

This post was edited by bluvg on Thursday, December 28, 2006 at 11:12.

#4 By 13759 (71.196.228.57) at 12/27/2006 6:09:19 PM
The Time spied and soldiers died.

I see more truth out of the National Enquirer than the NYT.

#5 By 23275 (68.17.42.38) at 12/27/2006 7:22:42 PM
Well said, MR2!!!!

#6 By 15406 (74.104.251.89) at 12/27/2006 10:20:56 PM
#3: If I was a bad guy and found a major hole in Vista, would I announce it to the world or would I sit on it until people are actually using the OS so that there were systems to exploit? Just because you don't see something doesn't mean it isn't there.

#7 By 7754 (75.72.148.247) at 12/28/2006 12:21:51 AM
#6: you would announce it to the world to gain the distinction of being the first--particularly if you are a security research firm. If it were that easy, certainly you could find more later to exploit for the money, right?

#8 By 21203 (71.237.195.76) at 12/28/2006 4:14:41 AM
Latch: In a phrase - "Just because I'm paranoid doesn't mean they aren't out to get me."

If you want to believe there are holes, fine. The hardest part of hacking Vista isn't Vista itself. It's people like me, and lots of other people who read this board -- not the OS. I'm referring to social engineering. Things are locked down for a reason in Vista, and after following that modus operandi, no malicious program could have the rights to cause damage unless the user basically asked for it.

Does that make it the OS's fault? Well, I tend to think it's like blaming the gun company for shootings. If you put enough safety nets out there, and make it difficult to remove those safety nets (for all of you saying "UAC is eeevil! Don't use it!"), then the responsibility shifts back to the "idiot operator".

Does that mean that there are no holes in Vista? Of course not, but it seriously diminishes the damage of those holes. Noone is claiming perfection with Vista, they're claiming that you should follow the secure principles they started back with the Trusted Computing Initiative: Firewall, Anti-virus, and Auto-updates. Now, they just add on UAC for a "let's protect against accidents" and force internet-centric programs like mail/browser to run forcibly in low-security modes. It's all smart moves, and generally prevents any holes from creating any damage even if found. The most destructive hole is still the user themselves.

This post was edited by mram on Thursday, December 28, 2006 at 04:22.

#9 By 15406 (216.191.227.68) at 12/28/2006 8:07:48 AM
#7: The people looking to actively exploit OS holes are typically not security researchers, they are computer criminals. It's not in their best interests to publicize any vulnerabilities found.

#8: I'm confused. First you start off by mocking me for believing there are unfound holes in Vista. At the end, you're saying that there are likely unfound holes in Vista. Which is it?

#10 By 21203 (71.237.195.76) at 12/28/2006 11:07:46 AM
Latch: You made a comment about sitting on a hole for exploit purposes. The nutshell answer is that all software has holes, and that just because you may or may not know a product has them doesn't mean they are destructive.

My answer in #8 goes into minor detail of how it largely wouldn't matter if you found a hole. The NYT article and Betanews response specifically call the "exploit" instead "nuisance code" instead -- it cannot be launched via Internet Explorer and must be run by the user themselves, and causes no real OS damage, since it never elevates privelage.

You can have your tinfoil-hat conspiracy theories that Vista has holes. That's easy, because everything does. However, you must ground them at least in some reality -- like for example, what contexts the holes would end up being run in if exploited, and where those exploits are largely focused. Internet Explorer / Email is the basis for a significant amount of the vulnerabilities presented in Windows. On Vista, those applications are run in the lowest possible security contexts. It's the technical equivalent of breaking into a prison cell. Why bother? That's why all the Vista so-called security holes have been via social engineering -- trying to convince users that UAC is "evil" and turning it off, etc, etc.

This post was edited by mram on Thursday, December 28, 2006 at 11:27.

#11 By 7754 (216.160.8.41) at 12/28/2006 11:24:36 AM
#9: If you think the security researchers aren't burning the midnight oil and climbing over each other to be able to claim they've "discovered the first Vista vulnerability," you've been living on another planet. And, if you look at the history of OS exploits, the vast majority of threats emerge after exploit details/code samples were published.

If this is the best they've come up with so far, it bodes very well for Vista.

#12 By 15406 (216.191.227.68) at 12/28/2006 1:23:07 PM
#10: History has shown that every MS product has holes, so it is inevitable that Vista will have some. Accept it.

#11: Put your strawman away. I never said that there weren't security guys poring over Vista looking for holes so they can claim the glory. Our positions are not incompatible, so I don't know what you're getting all worked up about. But fear not, exploits will be found eventually. The combination of included legacy code as well as new layers of complexity make it inevitable.

#13 By 7754 (216.160.8.41) at 12/28/2006 1:52:32 PM
every MS product has holes

And that's not true about non-MS products? If not, why the inclusion of "MS" in that statement?

My argument is not a strawman. The vast majority of tactics used by the "bad guys" leverage the fruits of the security researchers' labors.

#14 By 15406 (216.191.227.68) at 12/28/2006 2:21:02 PM
#13: I never said other products don't have holes. Why the inclusion of 'MS'? This is an MS site, no? And in this thread we're talking about Vista, an MS product right? And yes, your argument is a strawman argument by definition. You're attributing a fallible position to me that I never said and then knocking it down:

http://en.wikipedia.org/wiki/Straw_man

Just because I said that Vista will have security holes, it does not mean that other products have no holes. But the status of other products is irrelevant to this discussion about Vista security since we are not doing a comparison between products. You're starting to sound like Parkkker.

To sum it up: Vista has as-yet undiscovered holes since all software products have holes. To claim that Vista will have no security holes is grossly optimistic at best and blindly stupid at worst. MS' claim about Vista being 'our most secure product ever' is technically true but totally irrelevant marketing-speak.

#15 By 7754 (216.160.8.41) at 12/28/2006 2:49:08 PM
I'm well aware what a strawman is, and simply calling the argument one doesn't make it so. You assume that I was "knocking down" your position; I'm not--I'm clarifying and adding to it. What I'm saying is this: the reality is that it's not really the "bad guys" that are finding the flaws--the security researchers are finding them, disclosing them, and the "bad guys" are exploiting them.

As for the inclusion of "MS," it's redundant regardless of whether it's an MS site or not. Those that know your history of posts here would understand why it would be called into question.

#16 By 21203 (71.237.195.76) at 12/28/2006 2:56:09 PM
#13: I have accepted it -- A quote from my other post, please actually read it: "Does that mean that there are no holes in Vista? Of course not..."

Now - are you saying that Vista is somehow inherently worse than every other OS out there? And if so, which one is best, and why? Have you done any comparative analysis and risk assessment, intrusion inspections?

Otherwise, you're just playing with your tinfoil hat. When any OS has reduced most problems to social engineering isses, then the OS is no longer a security factor -- you are.

Look at Linux. It has many holes. They are constantly patched. The reason that people universally (generally) accepted Linux as being more secure is because most users ran in a low security context. Well guess what? That exists now for Vista. The problem is no longer the OS when it comes to Vista, it has shifted to the software vendors for the most part -- they must code their apps to be more friendly in a low security context, and for the most part, they are by default. It also shifts to the users, since they must adapt to knowing what this low security context is and how it works for them.

How many Windows problems are there reported my Secunia for XP Pro: 169

Now lets break it down. Of those problems....
How many of those problems are IE6: 108
How many of those are Outlook Express 6: 23
Windows Messenger: 1
Windows Media Player 9: 9
Windows Media Player 8: 4
etc etc

I could break it down more and more but the nutshell is that these are all internet facing applications that are all being run in low security contexts in Vista, and are thusly non-issues in Vista. Now that's 85% of all the patches issued for XP in the last four years, leaving only 24 patches that might be some other facet. Well, then you have to break down the other barriers that Vista has for security: Memory randomization, privelage escalation prevention, etc. Some good detail can be found in the following links:

http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp

I'll say it one more time: Even if you could find a hole in Vista, and I'm sure there are many -- there isn't much they could do. Examine the detail. Look at the track record, examine the detail, and don't just assume blindly.

#17 By 15406 (216.191.227.68) at 12/28/2006 3:27:51 PM
#15: Let me refresh your memory: "If you think the security researchers aren't burning the midnight oil and climbing over each other to be able to claim they've "discovered the first Vista vulnerability," you've been living on another planet."

I never said anything about that, but thanks for shooting down my non-opinion.

#16: You're doing the same thing as bluvg -- putting words in my mouth that I never said and then arguing against them. Show me where I said anything about Vista compared to other OSes or products. And you keep bringing up this tinfoil hat reference in some silly effort to label me. XP was hailed as MS' latest 'most secure ever!' product until it was punctured like a cheap balloon. 2 major service packs and many hotfixes later, it could finally stand up but there are new bugs found on almost a monthly basis. With Vista they have added all kinds of doodads to increase security, but it is only a matter of time before something is found that will allow remote code execution.

#18 By 21203 (71.237.195.76) at 12/28/2006 3:31:33 PM
#17: Well, to my defense, you can't blindly poke holes in a singular OS without accepting that as a paradigm for all OS's unless you have some sort of agenda. Since you won't come out and say it, I'll just assume that you hate Microsoft and think they couldn't possiby code an OS more secure than whatever alternate you do prefer.

Maybe that is putting words in your mouth, but at least I'll make a stand and back it up.

As for the "most secure ever" -- every vendor says that, it is in comparison to the version previous. And in every case, they have detail to back it up. It's not just a new coat of paint on an old problem in Microsoft's case. Check my links. XP was Microsoft's "most secure OS ever" too, and in the day, the context was accurate. It doesn't take any vulnerability to diminish that fact.

This post was edited by mram on Thursday, December 28, 2006 at 15:33.

#19 By 15406 (216.191.227.68) at 12/28/2006 3:56:30 PM
#18: You must be new here. I definitely am prejudiced against MS, or more specifically their unethical business practices, their stifling of innovation and competition at consumer's expense, and general hypocrisy. I am not comparing them to anything in this thread. I am not saying they are better/worse than x. I am making statements about Vista as it relates to their long track record of security problems. It could be argued that Vista is the best OS ever made by anyone, but that does not put it above criticism. I take exception to MS' claim about "most secure ever" because it's a nothing statement. The thing hasn't even been released to the public yet outside of a limited beta test. You could argue that XP pre-SP1 out of the box was much less secure than W2K SP4+all hotfixes and that would render their XP "most secure ever" statement as the nonsense it was. Just as their Vista statement is nonsense since the relative security of a product can only be evaluated historically.

#20 By 7754 (216.160.8.41) at 12/28/2006 3:57:01 PM
Clarifying and adding, not shooting down. Did I ever say I was shooting down anything? I can play the "I never said that" game, too.

I'm not trying to pick on you... you like Rush (the band), so you can't be all that bad. ;) But don't think we have no memory here--we know what positions you like to take.

#21 By 32132 (64.180.219.241) at 12/28/2006 6:07:51 PM
#12 "History has shown that every MS product has holes, so it is inevitable that Vista will have some."

History has also shown that IIS 6 has had only 3 minor holes which is a huge improvement over IIS5. Apache 2.x, the competing product has had 36 security holes.

History has also shown that SQL 2000 SP4+ and SQL 2005 have had very few security issues (SQL 2005 has had none). Oracle and DB2, competing products, have had a huge number of security holes.

History has shown that IE6 has had way fewer critical holes in 2006 than its prime competitor Firefox.

"I am not saying they are better/worse than x."

Of coure not. You would prefer to compare it to a mythical product that has zero security holes. In the real world, IIS6 and SQL 2005 has shown that Microsoft can produce a product with a trivial amount of security issues. And Firefox has proven that a major browser can have significantly more security vulnerabilities that IE6 ... and prove that some companies never learn.

Microsoft has proven that it can learn.


This post was edited by NotParker on Thursday, December 28, 2006 at 18:08.

#22 By 21203 (71.237.195.76) at 12/28/2006 8:59:01 PM
NotParker, don't use logic. Trends mean nothing to Latch. His stance was simply: Just because you don't see something doesn't mean it isn't there. So using that logic, every OS is insanely bug and vulnerability ridden.

Latch, have you looked at Linux's "long track record of security problems"? Thought not. Definite hypocrisy here.

This post was edited by mram on Thursday, December 28, 2006 at 22:08.

#23 By 15406 (216.191.227.68) at 12/29/2006 8:11:01 AM
#20,21,22: You guys just don't get it. While it's interesting to know that various MS products have fewer holes than some of their competitors, what does that have to do with likelihood that Vista will have a remote code exploit discovered in the future? That's what this thread started with, but somehow you've turned into a comparison of everything BUT Vista as compared to other products. It's irrelevant. It's like me saying, "I don't like yogurt" and having all of you yell back at me "Yogurt has less calories than butter!". While fascinating, it's irrelevant to the fact that I don't like yogurt. It is inevitable that Vista will have at least one remote code execution bug, and claims that Vista is MS' "Most secure ever" product are nonsense. It would be more correct to say the Vista was "designed to be our most secure product ever", but the proof of the pudding is in the eating and we won't know if it's their "most secure ever" OS for at least a couple of years.

#24 By 13030 (198.22.121.110) at 12/29/2006 9:08:31 AM
#23: I know you're trying to keep this thread on track, but I have to add that I like Rush too. They're my favorite rock band. Thinking man's rock...

#25 By 23275 (68.17.42.38) at 12/29/2006 10:40:19 AM
Abject ignorance. It isn't Latch's position that offends many here - that is well known and he often presents good challenges to those of us building some of our solutions using Microsoft software. Clearly, he's not an advocate - never has been and likely never will be.

The thing that was guaranteed to generate so many threads under this post was the abject ignorance reflected in the articles opposite Vista's security model - arguably the best example of a defense in depth strategy surrounding an operating system with components that face the public networks, including the Internet.

Feeding from this one article, I have heard long standing and well respected tech pundits espouse some real garbage - blatantly false information about Vista that reveals just how little they actually know about the new OS. That is what I hope, in any case - otherwise they do know and they simply have an agenda set against anything Microsoft. They are of course, the same "non-response" crowd opposite Islamic Theocrats and our efforts to secure ourselves in that regard - a posture I do not find ironic at all.

All, feeding off this one article... some have said, "Well... in Vista, it still, by default, has one run as ROOT.." Uh..WRONG. The root level account is in fact, disabled by default. A user level administrative account is used to create standard users - the recommended daily use role.

The same dorks stated, "Well... in Vista, it doesn't prompt for a password as is required in OS X..." WRONG again. We all know it does each time a UAC event threshold is crossed where the user is logged in as a standard user.

They of course didn't even begin to look into the protected desktop, or how to check if a system had the zero execution bit enabled in the BIOS by default, and thus enabling memory randomization by default - they addressed none of what they should have - as tech experts.

They held out as fact, that which is not fact - either according to a set agenda, or as I will give them, out of abject ignorance and that is as kind as one may be opposite this article and the pundits celebrating what it appears to suggest.

Write Comment
Return to News
  Displaying 1 through 25 of 352
Last | Next
  The time now is 2:52:51 PM ET.
Any comment problems? E-mail us
User name and password:

 

  *  
  *   *