Microsoft appears to be in denial over the Vista animated-cursor vulnerability for which it just released a critical update yesterday.
"It is a little premature to attack the whole effort altogether, but this is something that the Security Development Lifecycle should have caught," said Amol Sarwate, a research manager at vulnerability management company Qualys.
The root of the controversy is that this vulnerability, or one externally indistinguishable from it, has affected every version of Windows since NT. Detractors say that the animated cursor code should have been examined more carefully before re-using it in Vista, at the very least, since Vista is supposed to be so much more secure.
The buffer overflow vulnerability in the cursor function in particular should have already been fixed because a bug in the same Windows component was patched two years ago, said Rohit Dhamankar, manager of security research at TippingPoint, a seller of intrusion prevention products. That should have prompted re-examination of the code, Dhamankar said.
Microsoft basically says that doesn't count, that this may look similar, but it's a completely new — if externally indistinguishable — vulnerability. Wait, this is supposed to make it better? They're saying that they re-implemented code previously known to have buffer overflow vulnerabilities, with a stricter code auditing regimen and security process in place, and still managed to let a functionally identical bug slip through? And we're supposed to be reassured by this?
[...] Dhamankar argues that Microsoft forgot to recheck all the possibilities that could lead to a buffer overflow after the original bug was found and patched in 2005.
Mulchandani agreed. "The dirty little secret is that Microsoft clearly did not write Vista from scratch. They did not completely build a whole new code base for this operating system. Every version of Windows since Windows NT has had this flaw in it," he said.
Qualys' Sarwate says Vista is still more secure than previous Windows versions. But this episode seems to show that just because Microsoft knows about a vulnerability in older Windows versions doesn't mean it went to any special pains to make sure the same bug was fixed in Vista. Perhaps this represents too much faith in Vista's new security mechanisms. Either way, even if Microsoft isn't examining its codebase now to make sure older vulnerabilities haven't been replicated, you can bet crackers will be re-probing all the old holes to see if any more of them have been re-opened.
"Ha, ha, I pwn3d your mouse cursor."