Microsoft’s own bug hunters should cut Windows Vista some slack and rate its vulnerabilities differently because of the operating system’s new, baked-in defenses, according to the developer who is often the public persona of the company’s Security Development Lifecycle process. Michael Howard, a senior security program manager in Microsoft’s security engineering group, said that the Microsoft Security Response Center is being too conservative in its Vista vulnerability rating plans. Because Vista includes security techniques and technologies that Windows XP lacks, the MSRC should reconsider how it ranks Vista when a vulnerability affects both Microsoft’s new operating system and its predecessor, he said.
I think this quote in the article sums things up.
“Windows Vista will not be treated any differently, and severity ratings for any issues will be based on vulnerability traits and merits, along with technical mitigating factors,”
If a vulnerability is found in Vista, the severity rating should be based on Vista’s own ability to deal with that problem, not on how well XP can deal with it. Who cares if Vista has better security than XP? If the vulnerability is severe, it should be rated as such.
I really wish Microsoft would stop whining. If they put all the time and effort their execs and PR guys spend whining into development and bug fixes, maybe we would see more progress.
Actually, it does make sense to have different rating for Vista.
For example, if a bug is found in IE7 and:
– on XP it may allow remote attacker to take complete control over the system, delete system files, etc,
– on Vista, due to the fact that IE7 runs in protected mode, the same bug can’t be exploited and does no damage at all
Hence, it is not the same... I think.
A remote exploit that gives the attacker the privilege of an ordinary user suffices to install a spambot, steal the attacked person’s credit card numbers (often stored in the browser’s history), delete all the user’s files, and do all other kinds of mischief. It’s true that it’s easier for malware to hide itself if it can be installed with administrator privilege, but it’s good enough for most purposes.
But IE7 on Vista runs in protected mode, which has *fewer* privileges than “ordinary user”. So an IE7 exploit on Vista would not allow the attacker to “delete all the user’s files, and do all other kinds of mischief” because IE7 does not have access to the user’s files. Whereas on XP, the same exploit in IE7 would allow an attacker to muck with the user’s data (if running as ordinary user) or system files (if running as admin). So the IE7 exploit in question could receive “extremely critical” rating on XP but “not critical” rating on Vista.
(I doubt your “credit card numbers are often stored in the browser’s history” scenario; I don’t think browsers store https data in browser history, and even if they did, it’s https data and so would be encrypted.)
Well said.
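The exchange above turns on a checkable claim: Protected Mode IE7 runs below the logged-on user’s own integrity level, so the same exploit that could trash a user’s files on XP cannot write them on Vista. The following is an added example, not code from the original thread or from Microsoft. It relies on two documented Windows Integrity Control behaviours: a new process runs at the lesser of its parent’s integrity level and its image file’s integrity label (so a copy of cmd.exe labelled Low starts a Low-integrity child without CreateProcessAsUser or psexec -l), and the default mandatory policy is No-Write-Up (a Low process cannot write to Medium-labelled objects, which includes everything in the user’s profile that carries no explicit label). The scratch folder and file names are arbitrary choices for the demo, and it assumes Windows PowerShell on Vista or later with ASCII-only paths.

```powershell
# Added example (not from the original thread): demonstrate Windows Integrity
# Control, the mechanism behind IE7 Protected Mode, by launching a Low-integrity
# cmd.exe and checking where it can and cannot write. Run from an ordinary
# (Medium-integrity) Windows PowerShell on Vista or later; no admin rights needed.

$ErrorActionPreference = 'Stop'

# Scratch locations; the names are arbitrary choices for this demo.
$work    = Join-Path $env:TEMP 'mic-demo'
$lowExe  = Join-Path $work 'lowcmd.exe'
$lowDrop = Join-Path $work 'lowdrop'                     # will be labelled Low
$probe   = Join-Path $work 'probe.cmd'
$docs    = [Environment]::GetFolderPath('MyDocuments')   # no explicit label => Medium

New-Item -ItemType Directory -Path $work, $lowDrop -Force | Out-Null

# 1. Copy cmd.exe and label the copy Low. A new process runs at the lesser of its
#    parent's integrity level and its image file's label, so the copy starts at
#    Low even though this shell (its parent) is Medium.
Copy-Item (Join-Path $env:SystemRoot 'System32\cmd.exe') $lowExe -Force
icacls $lowExe /setintegritylevel L | Out-Null

# 2. Label the drop folder Low, inherited by children: the counterpart of the
#    "Temporary Internet Files\Low" folder that Protected Mode IE is allowed to write.
icacls $lowDrop /setintegritylevel '(OI)(CI)L' | Out-Null

# 3. Probe script for the child: print the token's integrity label, then attempt
#    one "write-up" (Documents, Medium) and one write at its own level (lowdrop, Low).
@"
@echo off
whoami /groups | findstr /i "Mandatory Label"
for %%T in ("$docs" "$lowDrop") do (
    echo from low integrity > "%%~T\mic-demo.txt" 2>nul
    if exist "%%~T\mic-demo.txt" (echo WRITE OK      %%~T) else (echo WRITE DENIED  %%~T)
    del /q "%%~T\mic-demo.txt" 2>nul
)
"@ | Set-Content -Path $probe -Encoding ASCII

# 4. Run the probe at Low, then the same probe from this Medium shell for contrast:
#    same user, same SID, same DACLs; only the token's integrity label differs.
'--- Low-integrity child ---';     & $lowExe /c $probe
'--- Medium-integrity parent ---'; & cmd.exe /c $probe

Remove-Item $work -Recurse -Force
```

Under the No-Write-Up policy the Low child should report “Low Mandatory Level”, be denied in Documents and succeed in the Low-labelled folder, while the Medium parent succeeds in both. Two caveats a practitioner should keep in mind: the default policy blocks writes, not reads, so a Low-integrity process can still read the user’s files unless they carry a higher label (Protected Mode alone does not stop data theft, only tampering and persistence in the user’s profile), and the label is a property of the token, so any elevation path out of the sandbox, or a kernel bug, removes the constraint entirely. That is roughly why a mitigation like this lowers exploitability in practice without making the underlying bug less of a bug.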
http://rainrecording.co.uk/vista/performance
Which is the opposite of all other benchmarks so far – and this benchmark is done by some obscure company which is clearly not trustworthy considering the look of contents of the website.
> I really wish Microsoft would stop whining. If they put all the time and effort their execs and PR guys spend whining into development and bug fixes, maybe we would see more progress.
True; Microsoft is trying to play the victim game, the ‘look at us, we’re victims of this grand anti-Microsoft conspiracy!’.
The reality is that the vulnerability is analysed, the seriousness of it is then analysed, and the final rating is a culmination of the bug’s seriousness and possible impact overall – which takes market share into account as well.
The problem with Microsoft is this; they want to rush their products out the door, chock them to the brim with features then hope that they have enough time to work through their bug database issuing bugs before they’re found.
Like I said with the Solaris review, it’s weighing up whether you want a bleeding edge product with the latest and greatest features, or something that is more conservative – Microsoft has decided to go down the track of ‘features, features, features’ whilst at the same time pushing aside prudent code auditing.
Hence my skepticism when Microsoft claimed they had ‘stopped production and sent their programmers back to school’; secure programming can’t be taught once your application has already been established. I don’t doubt that the classes might have improved the quality in some instances, but ultimately what we’re seeing today is the result of stupid decisions made 10 years ago – the old story, you reap what you sow.
> True; Microsoft is trying to play the victim game, the ‘look at us, we’re victims of this grand anti-Microsoft conspiracy!’.
I actually agree with them on this – however, the fact that this is true is only because EVERYONE ELSE has been victim to a “grand anti-Everyone Else conspiracy” on Microsoft’s part. So don’t expect me to have any sympathy for them any time soon. (I know, you weren’t!)
I agree with you on the rest.
In related news, “People in Hell want ice water.”
“My car has a higher ENCAP safety rating, therefore the person who crashes into me won’t be going as fast as with normal cars.”
What a surprise… the release management director whose job depends on how successful his software development process proves to be in reducing the number and severity of bugs wants the QA team to artificially deflate the severity of bugs that occur in software developed with his procedure. Anyone with experience at a large commercial software vendor is familiar with these tactics.
Release management is the art of drafting well-meaning but often counter-productive procedures in the hopes that defect rates will go down, allowing the release management team to take credit for what was mostly the work of the development teams – and also the art of massaging the data to make even problematic development cycles look good. Every once in a while there have to be some emails telling developers to cancel their old bugs if they don’t plan on fixing them anytime soon. Having a bunch of old bugs on the long-term wish list is a good idea for developers but looks bad for management.
Contrast this response to that of the OpenBSD team’s recent vulnerability. No, you couldn’t exploit an OpenBSD machine from just anywhere on the Internet. But despite the limitations, the OpenBSD folks decided that if the attack can come from any other computer, then it is indeed a remote hole.
Having stack overflow protection doesn’t mean that a heap overflow vulnerability is any less severe. Running a static analysis tool on the code doesn’t mean that you’re properly validating userspace data before, say, using it to index an array in the kernel. A bug is a bug, and the only way to classify its severity is based on the probability that a customer would hit it and the potential impact that it would cause.
“””
What a surprise… the release management director whose job depends on how successful his software development process proves to be in reducing the number and severity of bugs wants the QA team to artificially deflate the severity of bugs that occur in software developed with his procedure. Anyone with experience at a large commercial software vendor is familiar with these tactics.
“””
As someone who does not have experience at a large commercial software vendor, I thank you for pointing this out.
It’s all too easy to think of MS as one big Satan, forgetting all the little, competing, Satan wannabes inside.
Or perhaps that’s not the best way to put it. These little “Satans” may just be “doing their jobs”… trying to “feed their families”… or keep making the payments on that sexy red Porsche. 😉
This guy wants security vulnerabilities ranking reduced, therefore, if it is not marked “critical” most people will ignore it.
I will end up with more spam in my inbox.
UAC will only protect as long as everyone does not blindly click OK as they do with XP.
> This guy wants security vulnerabilities ranking reduced, therefore, if it is not marked “critical” most people will ignore it.
> I will end up with more spam in my inbox.
> UAC will only protect as long as everyone does not blindly click OK as they do with XP.
You’re right, and even right now, when you run Internet Explorer 6, you’ll find that people are still asked ‘do you trust this publisher’ and asked whether they would like an ActiveX component installed, along with various other questions, and these very people simply click OK.
Ultimately it’s Microsoft’s fault for making elevation so easy; when the end user puts in the password, warn the end user what *could* possibly happen – that putting in the password will allow the programme to do whatever it wants with the system, and could possibly infect it with a virus or corrupt files.
Not scare tactics, but a warning about the impact of their decision when they make it – and ultimately, I think it’s the end users who have to take responsibility, whilst at the same time software companies need to be able to say, “yes, we’ve done the best we can to inform the customer about the decision they make, but they still continue on.”
With that being said, most of Windows’ problems lie squarely around simply crappy code more than being the result of end users making stupid decisions.
The problem with UAC is that the typical Microsoft kissup is already recommending it be turned off. The problem is you can turn it off.
Once again Windows is Just As Secure as Unix, on paper.
> Once again Windows is Just As Secure as Unix, on paper.
Whew! Glad I don’t get my Unix on paper.
What a stupid comment! How can you compare a server operating system to one used by 90% of the online public to browse and download porn?
Unix isn’t really a server OS. It has generally lived as a workstation OS and at the same time was somewhat popular as a server OS (against what really was a server OS: VMS).
Today it’s even more popular as a server OS, especially Linux on really cheap servers (web servers). And it’s also popular for HPC and gaining on desktops (albeit slowly).
To call Unix a server OS is a bit silly. It’s not even designed as one... The things that make it interesting – a well pipe-able shell plus utilities, X11 – aren’t interesting on the server but on the advanced user’s desktop.
If MS had used more of their time improving the OS, instead of infecting it with DRM/activation/WGA, they would not have to worry about as many bugs.
But that wouldn’t work; then they couldn’t keep claiming they don’t want Windows pirated, which they really really do.
Don’t be surprised if you see a bug that’s, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place.
I find it somewhat disturbing when someone asks us not to be disturbed by something that’s supposed to be naturally expected.
“[Windows] either has the vulnerability or it doesn’t,” said Marc Maiffret
Well said, end of line.
A gun is only safe in anyone’s hands when the safety is on…especially a child’s hands…
A gun isn’t safe in a child’s hands, especially if it’s loaded and it’s so easy to flick the safety off (I won’t be giving my son a 9mm any time soon).
With Vista it’s so easy to turn off UAC, and so irritating that you want to turn it off. My take is it won’t be long before we have Vista spam bots.
I don’t see how UAC is so irritating, it doesn’t ask me for a password any more often than my Kubuntu box. Maybe it’s only irritating if you aren’t used to that sort of behaviour, or if you are looking for something to complain about.
It asks some people more than others. It does depend on your application set.
If you’re using an application that depends on admin rights to work you’ll get prompted every time you start that application. And it’s something application users should be fixing, although I think Microsoft is punching holes in UAC to fix application binaries that get large numbers of complaints.
> cut Windows Vista some slack and rate its vulnerabilities differently
What a complete load of Longhorn cow pies. A security hole is a security hole. Doesn’t matter if it is 1mm wide or 1m wide, damage can still be done.
> For example, if a bug is found in IE7 and:
> – on XP it may allow remote attacker to take complete control over the system, delete system files, etc,
> – on Vista, due to the fact that IE7 runs in protected mode, the same bug can’t be exploited and does no damage at all
> Hence, it is not the same... I think.
OK. I can also run Firefox on Linux inside a virtualization program or a chroot environment and say the same.
I can also run IE6 on Linux using Wine and a fake drive. No Linux damage, but this doesn’t imply that IE is secure.
> OK. I can also run Firefox on Linux inside a virtualization program or a chroot environment and say the same.
> I can also run IE6 on Linux using Wine and a fake drive. No Linux damage, but this doesn’t imply that IE is secure.
I never said you can’t do it on Linux. I was comparing IE7 on XP and Vista.
On the other hand, how many “Joe Sixpack” users would know how to do that on Linux? On Vista, IE7 runs in protected mode by default.
The Computerworld article is putting words into Michael Howard’s mouth. He never said MSRC should reconsider their ratings for Vista. He basically said he personally wasn’t thrilled about it in the context that a vulnerability may have the same rating despite the presence of mitigations that lessens the actual impact on Vista machines, but he accepted the status quo, and did not advise MSRC change its methodology.
There is one thing you will see that I’m not too thrilled about, but it is what it is. The MSRC rarely reduces the severity of a buffer-related security bug because a defense with no security guarantees such as /GS or /SafeSEH is in place. UAC will be a speed bump, but I doubt we would reduce the severity of many bulletins if UAC is the sole mitigation. The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity. So don’t be surprised if you see a bug that’s, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place. As I understand it, the MSRC will call out defenses that come into play.
http://blogs.msdn.com/michael_howard/archive/2007/03/08/how-i-will-…
Edited 2007-03-16 21:39
n4er has a point. Too many people who wish to see Microsoft in a bad light take words from an individual in the company and use it to paint broad strokes about the whole firm. It’s even worse when people cite “news” articles that take these words, add their own interpretations and then brand them as facts. Michael Howard is a Microsoft employee and he has a penchant for talking up Windows security features (and talking down others’ features, particularly Oracle), but he’s not an idiot and I haven’t seen him say anything that’s clearly a lie.
He is actually serious about security and never fails to acknowledge that bugs get out there and need to be fixed regardless of the amount of work that’s done to prevent them. What most above posters are forgetting is that exploiting code flaws is often hard, clever work (I assert that design flaws are less onerous to exploit). Adding more security checks and mitigations makes the puzzle harder and can make the difference between a trivial exploit and a harder, less reliable one.
The reason he’s not happy about the severity ratings game is that it fails to acknowledge that the same bug on Vista will be less reliably exploitable in practice than it is on XP. He never says that the rating should change. Just view this as a few words of marketing for himself and his Security Organization.
Ok, who else thinks that patch Tuesday was purposely “skipped” this month?