Submitted by Microsoft has shipped the first critical security update for Windows Vista, the next version of its flagship operating system. Over the weekend, the company released patches for beta testers running the Windows Vista December CTP and Windows Vista Beta 1, and warned that the new operating system was vulnerable to a remote code execution flaw in the Graphics Rendering Engine.
and we were all expecting the new system to be more secure, and it is hit while still in beta stage ?
hopefully, they get things sorted and locked down before the big release
Place your bets! How long after the full release of Vista until a security hole so HUGE is discovered MS will have to install the fix and reboot your PC without you even knowing!
Sorry, sir, holes found before the release don’t count.
Sigh. Depressing isn’t it? Maybe this will point them to increased security over intergrating all the “cool” features they can find, let’s hope so anyway.
Hey hey, how long after the full release of the next Ubuntu/FC/Mandrake/OS X until a huge security hole is discovered?!
Here’s a friggin’ clue: No OS is perfect, and they all have holes. Screaming bloody murder about one camp, while ignoring the fact that your camp can be just as insecure, is idiocy.
As far as Fedora goes, while there’s no doubt something will turn up, given the wonderful things Red Hat has done with selinux it would be quite far from a huge security hole. An OpenSSH hole is about the only thing I can think of at this point that could potentially do major damage to your Fedora system. Good luck finding a hole in that app.
Edited 2006-01-17 01:08
Here’s a friggin’ clue: No OS is perfect, and they all have holes. Screaming bloody murder about one camp, while ignoring the fact that your camp can be just as insecure, is idiocy. —Linux Is Poo
Agreed. That said at least with Linux I don’t have to worry as much about some backdoor built in to the system suddenly being exposed! Nor do I need to wait while the Soft sits on its ass hoping it can wait until Patch Tuesday to release a fix they had within hours of the backdoor’s exposure. Nor do I have to worry that a background image as part of a website’s border will be used as a way to take over my system without a single click or command from me.
Also before you attempt to make comments about the huge lists of patched vulnerabilities over on Secunia bear in mind that these lists are so huge because they include as part of the distro all the distro’s applications. I’d love to see an honest comaprision done with Windows and various installed applications and see what the results would look like.
In any case I think you should really follow your own advice and remember that people who live in glass hoeses shouldn’t throw stones.
Oh yeah, MS intentionally put a backdoor in Windows. Good one.
Oh yeah, MS intentionally put a backdoor in Windows. Good one. —sappyvcv
I take it you haven’t hear Steve Gibson’s take on the WMF vulnerability then?
http://www.grc.com/sn/SN-022.htm
–bornagainpenguin
I heard it. Steve Gibson is a crock, go read about his history. Even if he wasn’t, why would I believe one guy that makes a claim that it was put in intentionally?
Please, there is no way such a thing would get past so many people at MS.
Not only that, you have to have some sort of proof. Any proof. And there is none, so such a claim is nothing more than speculation and pointless to argue about.
Edited 2006-01-17 03:03
Please, there is no way such a thing would get past so many people at MS.
This presumes that the so-called “backdoor” (I don’t believe it either) wasn’t designed in as part of the OS. Others believe differently about a different, so-called NSA, backdoor.
But if they have the policies, tools and skills in place to detect and prevent a backdoor from being included in their product (without it being put in there by corporate decision) why can’t they detect and prevent the [insert huge but undefined number here] other security issues inhering in the system? To me this looks a whole lot like one of the many of ease of use features that were implemented with no regard to the security consequences.
So arguing that it can’t be there because it couldn’t “get past so many people at MS” is as unsupportable as saying that it may have been done by some rogue programmer. Possibly more unsuppportable since there is more than adequate proof in the form of admissions by MS that providing customers with more choices drove the inclusion of the ease of use bugs.
Based on analysis by others that points out that Gibson’s assertion that only a specific impossible construction in the metafile could have triggered it is wrong and that even correctly formed metafiles could trigger the defect I still don’t believe that it’s a backdoor. But the “many eyes” of MS doesn’t hold any water either.
But if they have the policies, tools and skills in place to detect and prevent a backdoor from being included in their product (without it being put in there by corporate decision) why can’t they detect and prevent the [insert huge but undefined number here] other security issues inhering in the system? To me this looks a whole lot like one of the many of ease of use features that were implemented with no regard to the security consequences.
I would think the answer is obvious, but apparently not. A coding error which ends up as a security vulnerability is a mistake, an oversight. Something small, where someone forget to validate input (usually). A backdoor is explicit. You’re talking about at least 1 engineer and some executives conspiring to put a backdoor in the most widely used desktop operating system. One that has gone unnoticed for a long long long time. If there was a backdoor put there, it would have likely been used and found out way before now. You’re also assuming that no other engineers caught that the backdoor was put there.
It’s simply ridiculous to think this was intentional.
But the “many eyes” of MS doesn’t hold any water either.
In the case of a backdoor, I think it does.
http://www.sysinternals.com/blog/2006/01/inside-wmf-backdoor.html
Now, what were you saying?
So I guess those 130-something-odd updates FC4 wants me to install after I boot it for the first time are just for new features?
Please.
The point is Windows is still the same old Windows, loads of Kludges to make it safe to surf the good ‘ol InterWeb. They’ve had what, 6 years? Spent How much on research, and what have we got? NT7? And some fancy transparent windows.
BTW please LiP don’t call me a Linux fan, cuz I’m not. My OS of choice has terrible security, but it’s just so insignificant no one cares about it..
The point is Windows is still the same old Windows, loads of Kludges to make it safe to surf the good ‘ol InterWeb. They’ve had what, 6 years? Spent How much on research, and what have we got? NT7? And some fancy transparent windows.
If that’s all you think Vista amounts to, you haven’t done much research.
I’ve read quite a bit on it thanks, I really can’t see anything that’s:
a) Worth the Hardware upgrade
b) worth upgrading over Windows 2000, never mind XP
c) worth the alleged 6 Billion, BILLION!!, USD that MS spend on research each year, for how many years have they been working on this?
But I can see lots they’ve borrowed off MacOS.
But heck, I’ve never used it, maybe it would be worth giving more money to Microsoft.
Two steps to Windows safety:
1. Don’t use IE.
2. Don’t run as Administrator if you have a habit of running any EXE file that pops up in front of you.
And Microsoft does more than just develop operating systems. If you want to see what they’ve been up to in terms of research — http://research.microsoft.com/
Has anyone tested the vuln on IE7 in Vista?
Also, does IE7 run under protected mode on Vista yet?
Microsoft only chance to survive in the future is to drop compatibilty and start redesigning windows to be secure. Every 5 years I don’t demand my software to be compatible with future OS. It’s like automobile industry, if the manufacturer finds that a part in the car causing much trouble he will stop producing it and build a new one.
Anyway even with top compatibility MS is promising, you still have to change the firewall, antivirus, disk utilities, and other software when upgrading to Vista. So there is no execuse for MS if I drop Windows Platform and start looking for alternatives.
I posted before in the forums that I was able to infect vista 5270 after visiting some bad web sites(as for testing purposes only) and that windows explorer is horribly crashable every 2 minutes. More bueatiful features are not important to me and to alot of other users, stability & Security are.
So the only way out of this misery is to drop compatability from MS future products and code from scratch alot of their OS if not all.
Realistically I would agree with you. The old windows architecture is over 15 years old. It needs a total revision and a total rewrite.
However not many companies would like to reinvest in technology that works and has worked for a long time. Companies invest in current software that has to run on new and existing platforms.
Software companies don’t help much either. Microsoft is the biggest offender by not changing.
I think changing things and dropping compatibility is a far greater flaw in the software industry than maintaining compatibility. Why, for instance, is everyone changing from the old big iron OSes like z/OS and VMS to UNIX when these older OSes have so many problems already solved? It’s mostly because there were hardware tie-ins and the commodity hardware is just so much cheaper.
The software industry seems to just constantly reinvent the wheel just for the sake of selling new software, for whatever reason. Microsoft does this too, but their backwards compatibility story at least makes this less painful for their customers. Still, though, there is no reason corporate types should upgrade from Win2K if their environment just works. It’s not like the new systems will offer them anything. But that alternative would be bad for MSFTs revenue stream.
Wow, flaws in unfinished beta software. Would you believe it.
Also note that vista is based on the W2K3 kernal which is very, very secure. I’m sure the first flaws to be found after launch will be application level faults, i.e. IE
The only thing I’m surprised about is that Microsoft had to publically release a patch, rather than just update it internally and have it fixed with the next build.
How many people are using the Vista Betas that aren’t beta testers of some kind, anyway?
If you’re at a major university with MSDN-AA you can be a beta tester too!
(My 5-year-old hardware isn’t strong enough to handle Vista, unfortunately.)
Wow, your really put Linux security holes on the scale of Windows!. People say Linux is more secure because it don’t have market share like Windows, so which is it?
WMF STILL affects Vista and the fact is they didn’t even see it coming, this shows that they simply don’t take security seriously even in beta. Same old story, same old crap and you talk as though Microsoft have never had this issue before. Get you facts straight because your comments are going down hill under the bridge, where all the trolls are.
WMF STILL affects Vista and the fact is they didn’t even see it coming, this shows that they simply don’t take security seriously even in beta. Same old story, same old crap and you talk as though Microsoft have never had this issue before. Get you facts straight because your comments are going down hill under the bridge, where all the trolls are.
This shows you have little understanding of the situation. Vista is not all new code. Much of the Win32 and lower-level code is based off the most current released Windows code, and would have the same issues as released code unless some changes in the beta broke behavior that the exploit was dependent upon.
Releasing a patch for the currently released betas is standard operating procedure, and has been done in past betas. MS also fixes issues they find while working on beta code and backports any applicable fixes downlevel to released products. Beta 1 and 5270 were released before the WMF issue was known. No new build is going to be released until February, so releasing a patch is the most expediant way of fixing the issue until a new build is released. It also covers cases where everyone isn’t going to install the latest build.