Vista’s fatal flaw?



Backwards compatibility. It’s something that many vendors strive for, and Microsoft is certainly one that has placed a high value on keeping things backwards compatible for third-party software. According to this story at Sci-Tech Today, Symantec thinks this eagerness to be backwards compatible may be a big issue for Vista’s security. They expect several “privilege escalation” vulnerabilities to be found, and say that if such vulnerabilities are discovered in the prompt for user consent…. well, essentially all of the system’s security precautions could be undermined. The whitepaper on the details talks about several issues that have been patched at this stage in the Vista development process, but the main question is how many more are out there?


Imagine, in a Linux environment, if the su (switch user) command were found to have a bug whereby throwing a 4567-character username at it would crash it and hand out root privileges. That would be bad, and hopefully easy to prevent by good coding. I am concerned about Vista’s security for several reasons, and Microsoft’s two basic options both have problems…..
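The “easy to prevent by good coding” part of the su hypothetical above deserves to be shown. The following is an added example, not code from the post or from any real su implementation: a small C routine that validates a caller-supplied username before copying it into a fixed-size buffer, so that an oversized or malformed input (such as the 4567-character name imagined above) is rejected rather than overrunning memory in a privileged program. The buffer size MAX_USERNAME_LEN, the function names and the constructed test inputs are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed maximum username length for this example; not a value taken
 * from any real su implementation. */
#define MAX_USERNAME_LEN 32

/* Validate a caller-supplied username and copy it into a fixed-size
 * buffer. Returns 0 on success and -1 on rejection; dst is left
 * untouched when the input is rejected. The length is checked before
 * any byte is copied, so an oversized input can never overrun dst. */
int copy_username_checked(const char *src, char *dst, size_t dst_size)
{
    if (src == NULL || dst == NULL || dst_size == 0)
        return -1;

    /* Scan at most dst_size bytes: stop as soon as the input proves
     * too long instead of walking an untrusted string to its end. */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0') {
        unsigned char c = (unsigned char)src[len];
        /* Reject control characters; a username should be printable. */
        if (c < 0x20 || c == 0x7f)
            return -1;
        len++;
    }
    if (len == 0 || len >= dst_size)
        return -1;      /* empty, or no room left for the terminator */

    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Run the check against one username string using a buffer sized the
 * way a privileged tool might size it. Returns 0 if accepted, -1 if not. */
int username_accepted(const char *name)
{
    char buf[MAX_USERNAME_LEN + 1];
    return copy_username_checked(name, buf, sizeof buf);
}

/* Build a constructed oversized username of n repeated 'A' characters
 * (the kind of input the post imagines being thrown at su) and report
 * whether the check accepts it. Returns -2 if allocation fails. */
int oversized_username_accepted(size_t n)
{
    char *name = malloc(n + 1);
    if (name == NULL)
        return -2;
    memset(name, 'A', n);
    name[n] = '\0';
    int rc = username_accepted(name);
    free(name);
    return rc;
}

int main(void)
{
    printf("alice           -> %d\n", username_accepted("alice"));
    printf("(empty)         -> %d\n", username_accepted(""));
    printf("bob\\n           -> %d\n", username_accepted("bob\n"));
    printf("32 x 'A'        -> %d\n", oversized_username_accepted(32));
    printf("4567 x 'A'      -> %d\n", oversized_username_accepted(4567));
    return 0;
}
```

The design point is that the decision to reject happens before any copy: the code never measures the full untrusted string and never writes past the buffer it was given, which is exactly the discipline a setuid program like su has to keep regardless of how old its surrounding code is.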

Maintain compatibility – translation…. in certain areas we need to present the same bugs and flaws that we always have, because other software vendors have come to expect those design flaws and bugs to exist. As you can imagine, this is a bad idea…. If there are flaws in a legacy approach, whether in the design or the implementation – fix it, break compatibility, fix the design AND the implementation, and let the third-party vendors deal with working against a BETTER design. Sell it as an improvement, because IT IS.

Scrap and redesign from the ground up – translation…. tear everything down and start over from scratch. This sounds tempting in SO many places, especially where there are design flaws. If it’s just the implementation, though, is it REALLY too hard to fix? Might NEW bugs be brought in by doing a complete rewrite? Would the lessons learned from prior poor design and implementation actually be carried over? I know, these thoughts sound contradictory to the “just fix it and break compatibility” argument above, but in many ways they’re not…. it is possible to write from scratch a program that’s compatible with text files, just as it’s possible to modify an existing program to deal with text files. The real issue is TESTED CODE versus untested code. Let me put it this way… there are some Unix-based programs whose code has been tried and tested for decades. Yes, many things have been updated, but there is a good deal of legacy code. IF some of those were thrown away and re-started from scratch, how many new bugs do you think would be brought in? Possibly quite a few.

Anyway, I’m sure we haven’t heard the last of Windows security issues. Hopefully they ARE getting better. That would be great; however, as the targeting of vulnerabilities shifts more towards the software on the client…. privilege escalation vulnerabilities become very critical.
