Vista’s fatal flaw?



Backwards compatibility. It’s something that many vendors strive for and Microsoft is certainly one that has placed a value on making things backwards compatible for third party software. According to this story at Sci-Tech Today, Symantec thinks this eagerness to be backwards compatible may be a big issue for Vista’s security. They expect several “privilige escalation” vulnerabilities to be found and say that if those such vulnerabilities are discovered in the prompt for user consent…. well essentially all of the systems security precautions could be undermined. The whitepaper on the details talks about several issues that have been patched at this stage in the Vista development process, but the main question is how many are out there?


Imagine in a linux environment if the su (switch user) command was found to have a bug where by throwing a 4567 character username would crash it out to give root priviliges that would be bad and hopefully easy to prevent by good coding. In many ways I am concerned about Vista’s security for several reasons…..

Maintain compatibility – translation…. in certain areas we need to present the same bugs and flaws that we always have because other software vendors have come to expect those design flaws and bugs to exist. As you can imagine this is a bad idea…. If there are flaws with a legacy approach either in the design or implementation – fix it, break compatibility, just fix the design AND implementation and let the 3rd party vendors deal with working with a BETTER design. Sell it as an improvement because IT IS.

Scrap and redesign from the ground up – translation…. tear everything down and start over from scratch. This sounds tempting in SO many places. Especially if there are design flaws. If it’s just the immplementation though is it REALLY too hard to fix? Might there not be NEW bugs brought in by doing a complete rewrite? Are the lessons learned from prior poor design and implementation? I know, these thoughts sound contradictory to the idea expressed above – “just fix it and break compatibility” argument, but in many ways it’s not…. it would be possible to write from scratch a program that’s compatible with text files the same way it’s possible to modify an existing program to deal with text files. The real issue relates to TESTED CODE versus untested code. Let me put it this way… there are some unix-based programs that have code that’s tried and tested for decades. Yes, many things have been updated, but there is a good deal of legacy code. IF some of those were thrown away and re-started from scratch, how many new bugs do you think would be brought in? Possibly quite a few.

Anyway, I’m sure we haven’t heard the last of Windows security issues. Hopefully they ARE getting better. That would be great, however, today as the targetting of vulnerabilities gears more towards the software on the client…. privilige escalation vulnerabilities become very critical.

Related Posts

Blog Traffic Exchange Related Posts
  • The security of remote tech support (ultravnc sc or x11vnc with wrapper script) Well, I've got a nice way of doing "easy" one click (or one cut and paste) light desktop support for windows or linux, one uses ultravnc sc, the other uses x11vnc with a special wrapper script. So, what security flaws are there in this process? Well, for starters, I see......
  • Microsoft Update day for September.... AND Flash... AND Apple Yesterday, of course, Microsoft released it's monthly patches. I found the Windows update site to be painfully slow (and in some cases unresponsive.) It wasn't quite a huge update day by recent standards, but here's the summary.... Incidents.org has a nice chart showing the two re-released patches (one is actually......
  • MS06-040 update MS06-040 is one of last weeks Windows updates and is the one that was probably the biggest target for "wormable" activity. There's a good deal of news from over the weekend with regards to this. First: Snort signatures, the MS06-040 exploit was spotted actively "in the wild", and of course,......
Blog Traffic Exchange Related Websites
  • 10 Basic Tips for Securing Your Computer Today, most people have personal information, including financial information and family photos on their personal computer. All it takes is one virus or worm to destroy all of your information, making it vital to protect your computer. Protecting your computer is the best way to ensure all of your personal......
  • Stained Glass Windows Antiques -> Architectural and Garden -> Stained Glass Windows-> Pre-1900 Stained glass windows are more than just functional windows, they are works of art that can express exalted meanings or simply beautify a room. When you are shopping for antique stained glass, it’s important to understand the amount of time......
  • Security Innovation Introduces Software Security Summer Series WILMINGTON, Mass. – July 12, 2011 -- Security Innovation today introduced its inaugural Software Security Summer Series, where the company will offer six free eLearning courses from its industry-leading curriculum over the next six weeks. The courses are part of TeamProfessorTM, the company’s computer-based training library with an emphasis on......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site