Vista’s fatal flaw?



Backwards compatibility. It’s something that many vendors strive for and Microsoft is certainly one that has placed a value on making things backwards compatible for third party software. According to this story at Sci-Tech Today, Symantec thinks this eagerness to be backwards compatible may be a big issue for Vista’s security. They expect several “privilige escalation” vulnerabilities to be found and say that if those such vulnerabilities are discovered in the prompt for user consent…. well essentially all of the systems security precautions could be undermined. The whitepaper on the details talks about several issues that have been patched at this stage in the Vista development process, but the main question is how many are out there?


Imagine in a linux environment if the su (switch user) command was found to have a bug where by throwing a 4567 character username would crash it out to give root priviliges that would be bad and hopefully easy to prevent by good coding. In many ways I am concerned about Vista’s security for several reasons…..

Maintain compatibility – translation…. in certain areas we need to present the same bugs and flaws that we always have because other software vendors have come to expect those design flaws and bugs to exist. As you can imagine this is a bad idea…. If there are flaws with a legacy approach either in the design or implementation – fix it, break compatibility, just fix the design AND implementation and let the 3rd party vendors deal with working with a BETTER design. Sell it as an improvement because IT IS.

Scrap and redesign from the ground up – translation…. tear everything down and start over from scratch. This sounds tempting in SO many places. Especially if there are design flaws. If it’s just the immplementation though is it REALLY too hard to fix? Might there not be NEW bugs brought in by doing a complete rewrite? Are the lessons learned from prior poor design and implementation? I know, these thoughts sound contradictory to the idea expressed above – “just fix it and break compatibility” argument, but in many ways it’s not…. it would be possible to write from scratch a program that’s compatible with text files the same way it’s possible to modify an existing program to deal with text files. The real issue relates to TESTED CODE versus untested code. Let me put it this way… there are some unix-based programs that have code that’s tried and tested for decades. Yes, many things have been updated, but there is a good deal of legacy code. IF some of those were thrown away and re-started from scratch, how many new bugs do you think would be brought in? Possibly quite a few.

Anyway, I’m sure we haven’t heard the last of Windows security issues. Hopefully they ARE getting better. That would be great, however, today as the targetting of vulnerabilities gears more towards the software on the client…. privilige escalation vulnerabilities become very critical.

Related Posts

Blog Traffic Exchange Related Posts
  • Microsoft releases official VML patch!! The big news this afternoon is that Microsoft HAS gone out of the routine patch cycle to release a security fix for the VML vulnerability that's been actively exploited in recent days for everything from sneak keylogger installs to massive spyware installs. Sans has a few links, if you de-registered......
  • Adobe Acrobat reader update On the heels of yesterdays massive update day from Microsoft, Adobe has released an update for the free Adobe Reader. The Adobe reader is one of those ALMOST essential applications that MOST everyone has installed. So, this will be of particular interest to MOST computer users. A SERIOUS security flaw......
  • MS06-040 update MS06-040 is one of last weeks Windows updates and is the one that was probably the biggest target for "wormable" activity. There's a good deal of news from over the weekend with regards to this. First: Snort signatures, the MS06-040 exploit was spotted actively "in the wild", and of course,......
Blog Traffic Exchange Related Websites
  • Browser History Hijacking Flaw Browser history hijacking is a flaw in a web browser that allows certain websites access to all the sites a user has ever visited.  This is a techniques used by sporting, news, movie, financial and porn websites to better place ads and check to see if you have visited any......
  • How to Install Window Boxes Window boxes add charm to any home and they are so easy to install that anyone can do it. You're going to need to get a few things together before you get started. Your tools will include: window box brackets a level that is longer than the window box you......
  • Stained Glass Windows Antiques -> Architectural and Garden -> Stained Glass Windows-> Pre-1900 Stained glass windows are more than just functional windows, they are works of art that can express exalted meanings or simply beautify a room. When you are shopping for antique stained glass, it’s important to understand the amount of time......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site