Vista’s fatal flaw?
Backwards compatibility. It’s something that many vendors strive for, and Microsoft is certainly one that has placed a value on keeping things backwards compatible for third party software. According to this story at Sci-Tech Today, Symantec thinks this eagerness to be backwards compatible may be a big issue for Vista’s security. They expect several “privilege escalation” vulnerabilities to be found, and say that if such vulnerabilities are discovered in the prompt for user consent… well, essentially all of the system’s security precautions could be undermined. The whitepaper on the details talks about several issues that have already been patched at this stage in the Vista development process, but the main question is how many more are out there?
Imagine, in a Linux environment, if the su (switch user) command were found to have a bug whereby throwing a 4567 character username at it would crash it out and hand over root privileges. That would be bad, and hopefully easy to prevent by good coding. In many ways I am concerned about Vista’s security, for several reasons…
Maintain compatibility – translation… in certain areas we need to present the same bugs and flaws that we always have, because other software vendors have come to expect those design flaws and bugs to exist. As you can imagine, this is a bad idea. If there are flaws with a legacy approach, either in the design or the implementation – fix it, break compatibility, just fix the design AND the implementation and let the 3rd party vendors deal with working with a BETTER design. Sell it as an improvement, because IT IS.
Scrap and redesign from the ground up – translation… tear everything down and start over from scratch. This sounds tempting in SO many places, especially if there are design flaws. If it’s just the implementation, though, is it REALLY too hard to fix? Might there not be NEW bugs brought in by doing a complete rewrite? Have the lessons from the prior poor design and implementation actually been learned? I know, these thoughts sound contradictory to the “just fix it and break compatibility” argument expressed above, but in many ways they’re not… it would be possible to write from scratch a program that’s compatible with text files, the same way it’s possible to modify an existing program to deal with text files. The real issue is TESTED CODE versus untested code. Let me put it this way… there are some Unix-based programs whose code has been tried and tested for decades. Yes, many things have been updated, but there is a good deal of legacy code. IF some of those were thrown away and re-started from scratch, how many new bugs do you think would be brought in? Possibly quite a few.
Anyway, I’m sure we haven’t heard the last of Windows security issues. Hopefully they ARE getting better. That would be great; however, today, as the targeting of vulnerabilities gears more towards the software on the client… privilege escalation vulnerabilities become very critical.