Vista’s fatal flaw?



Backwards compatibility. It’s something that many vendors strive for and Microsoft is certainly one that has placed a value on making things backwards compatible for third party software. According to this story at Sci-Tech Today, Symantec thinks this eagerness to be backwards compatible may be a big issue for Vista’s security. They expect several “privilige escalation” vulnerabilities to be found and say that if those such vulnerabilities are discovered in the prompt for user consent…. well essentially all of the systems security precautions could be undermined. The whitepaper on the details talks about several issues that have been patched at this stage in the Vista development process, but the main question is how many are out there?


Imagine in a linux environment if the su (switch user) command was found to have a bug where by throwing a 4567 character username would crash it out to give root priviliges that would be bad and hopefully easy to prevent by good coding. In many ways I am concerned about Vista’s security for several reasons…..

Maintain compatibility – translation…. in certain areas we need to present the same bugs and flaws that we always have because other software vendors have come to expect those design flaws and bugs to exist. As you can imagine this is a bad idea…. If there are flaws with a legacy approach either in the design or implementation – fix it, break compatibility, just fix the design AND implementation and let the 3rd party vendors deal with working with a BETTER design. Sell it as an improvement because IT IS.

Scrap and redesign from the ground up – translation…. tear everything down and start over from scratch. This sounds tempting in SO many places. Especially if there are design flaws. If it’s just the immplementation though is it REALLY too hard to fix? Might there not be NEW bugs brought in by doing a complete rewrite? Are the lessons learned from prior poor design and implementation? I know, these thoughts sound contradictory to the idea expressed above – “just fix it and break compatibility” argument, but in many ways it’s not…. it would be possible to write from scratch a program that’s compatible with text files the same way it’s possible to modify an existing program to deal with text files. The real issue relates to TESTED CODE versus untested code. Let me put it this way… there are some unix-based programs that have code that’s tried and tested for decades. Yes, many things have been updated, but there is a good deal of legacy code. IF some of those were thrown away and re-started from scratch, how many new bugs do you think would be brought in? Possibly quite a few.

Anyway, I’m sure we haven’t heard the last of Windows security issues. Hopefully they ARE getting better. That would be great, however, today as the targetting of vulnerabilities gears more towards the software on the client…. privilige escalation vulnerabilities become very critical.

Related Posts

Blog Traffic Exchange Related Posts
  • Powerpoint zero day This has been a rough quarter for Office vulnerabilities... there seems to be a pattern, Microsoft patch day, then.... zero-day exploit within a week for an Office component. First Word, then Excel and now this month our vulnerable app is Powerpoint. The Security Fix has some coverage and notes the......
  • Microsoft's priorities... I didn't really think of this in context, but George Ou points out that Microsoft issued an "out of cycle" patch for their DRM software in response to the FairUse4WM software that stripped DRM protections from Windows Media Files. It took a mere 3 days from being made aware of......
  • Microsoft releases official VML patch!! The big news this afternoon is that Microsoft HAS gone out of the routine patch cycle to release a security fix for the VML vulnerability that's been actively exploited in recent days for everything from sneak keylogger installs to massive spyware installs. Sans has a few links, if you de-registered......
Blog Traffic Exchange Related Websites
  • Steadfast Finances was Hacked, Now Restored. (Thanks HostGator!) Last week, several lines of "seemingly malicious code" found its way into SF's theme. This prompted Google, Firefox, Google Chrome and even Twitter, to quickly label this blog as a "Reported Attack Site". If you happened to visit SF from the RSS feed, the email subscriber list, or basically clicked......
  • KashFlow Software: KashFlow Promotional Code KashFlow accounting software: finally, accounting software designed for small business owners, not accountants! The difference between KashFlow’s multiple award winning software and other accounting software products is simple: KashFlow was designed by small business owners, to be used by small business owners. Everything else seems to be designed by accountants and......
  • Security Innovation Introduces Software Security Summer Series WILMINGTON, Mass. – July 12, 2011 -- Security Innovation today introduced its inaugural Software Security Summer Series, where the company will offer six free eLearning courses from its industry-leading curriculum over the next six weeks. The courses are part of TeamProfessorTM, the company’s computer-based training library with an emphasis on......
en.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site