Promised Vista security falls flat in betas

[unixronin]

We've been yearing for years now about Windows Vista, formerly called Longhorn, and how it's going to be so much more secure than previous versions of Windows and will prevent the kind of trivially-executed machine compromises that have plagued existing versions, leading to the creation by crackers of zombie botnets of tens of thousands of compromised PCs.

Symantec calls bullshit.

And no-one will be surprised to know that all the usual suspects are responsible:

"We discovered a number of implementation flaws that continued to allow a full machine compromise to occur," Matthew Conover, principal security researcher at Symantec, wrote in the report titled "Attacks against Windows Vista's Security Model."  The report was made available to Symantec customers last week and is scheduled for public release sometime before Vista ships, a Symantec representative said Monday.

Conover looked at the February preview release of Vista.  The report describes how an attacker could commandeer a Vista PC with Internet Explorer 7, the reinforced version of Microsoft's Web browser.  The final version of Vista is not expected to be broadly available until January.

The attack starts out by planting a malicious file on a Vista PC when a rigged Web site is visited.  The placing of the file involves using a specially crafted Web program called an ActiveX control, which exploits a security hole.  The report then describes how the malicious program could gain privileges and ultimately give an attacker full control of the PC.

Microsoft claims to have addressed the issues raised by Symantec.  But they've claimed a lot of things about Windows security before that have turned out to be false.

The biggest single thing Microsoft could do to improve the security of Windows is perfectly simple:  Decouple Internet Explorer from the operating system and rip the inherently insecure ActiveX out of it.  But Microsoft will never do it, because they're afraid of losing browser market share -- for a browser that they don't actually sell as a distinct product or make any money from anyway.

Comments

[ithildae.livejournal.com]

I agree. How has that impacted Micro$loth's bottom line? What is the impetus for change? I don't see anything significant for either answer.

Government should be the final guarantor of protections from identity theft. (Is this really me saying that?) Corporations are not properly concerned about it. However, government seems to be beholden to the major players in this fight. (Witness the stupidity in MA and the ODF "fight".)

I really feel a bit helpless in this conflict. But I absolutely do not expect Micro$loth to change it's proven behavior or tactics. They have a monopoly to lose. They will do anything to protect that. Even if that means leaving end users to the wolves.

"If you make yourselves into sheep, the wolves will eat you." -- B. Franklin

[unixronin.livejournal.com]

All sad, but true. Microsoft has gotten rich on peddling an OS that never saw a virus it didn't like.