Black Hat have set browser security back 10 years



bigbrovar
August 11th, 2008, 03:42 PM
So much for the over-hyped Vista security .. http://blogs.zdnet.com/hardware/?p=2387&tag=nl.e539


So, in a stroke, two security researchers (Mark Dowd of IBM and Alexander Sotirov of VMware) at Black Hat have set browser security back 10 years and rendered Vista's security useless (PDF of paper here - site currently Slashdotted ...).

Some random thoughts in no particular order …

* First off, I’m surprised that it took this long for the walls to come tumbling down, but I have to admit I didn’t expect all of them to come down at once like that! After boasting about Vista’s heightened security, Microsoft is now left with a serious amount of egg on its face.
* While there’s a lot of cool stuff discussed in the paper, many of the vulnerabilities come down to running insecure applications. Not only does Microsoft need to up its game, it needs to get developers who are pumping out applications to do the same.
* The sky isn’t falling in, but this does make things a lot easier for the bad guys.
* You can’t trust software to protect itself, and we need to combine hardware and software. One example - under Vista DEP (Data Execution Prevention) isn’t enforced well enough. It’s only partially enabled and if switched fully on too many applications fail. This is unacceptable. I’m sure that DEP isn’t perfect either, but it’s another layer that hackers have to get through.
* It’ll be interesting to see how Microsoft spins this. The paper has huge implications and fixing these issues is going to be tricky. Given how long we can expect Vista to be around I expect that Microsoft will try to fix things in a future service pack. These issues are going to haunt Windows for years.
* Where does this leave Windows 7? I would have expected Microsoft to have ported the security features from Vista into 7, but this paper kinda makes that obsolete. If Microsoft is going to make a stab at fixing these issues then this could very well delay Windows 7.
* Now that Vista’s defenses have been crippled, we’re back to relying on third-party security applications to detect malicious code … some things don’t change.
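The quoted article's point about DEP being "only partially enabled" refers to the system-wide DEP policy, which on client editions defaults to OptIn (DEP is enforced for Windows binaries and programs that opt in, and off for everything else). The following is an added example, not code from the thread or the ZDNet post, showing how an administrator can check that policy from PowerShell using the documented Win32_OperatingSystem WMI properties; the policy-value decoding follows Microsoft's documentation for DataExecutionPrevention_SupportPolicy, and the bcdedit command it suggests is the standard way to change the policy (OptOut is an assumed middle ground that keeps DEP on by default while still allowing per-program exceptions for the applications that fail under full enforcement).

```powershell
# Added example (not from the thread or the ZDNet article): inspect the system-wide DEP
# policy that the quoted article describes as only partially enabled on Vista.
# Uses the documented Win32_OperatingSystem WMI class (Get-WmiObject exists in PS 2.0,
# which shipped for Vista). Run in an elevated prompt if you also want the bcdedit check.

$os = Get-WmiObject -Class Win32_OperatingSystem

# Decoding table for DataExecutionPrevention_SupportPolicy, per Microsoft's documentation.
$policyNames = @{
    0 = 'AlwaysOff - DEP disabled for every process'
    1 = 'AlwaysOn  - DEP enforced for every process, no opt-out possible'
    2 = 'OptIn     - only Windows binaries and programs that opt in (client default)'
    3 = 'OptOut    - enforced for everything except an explicit exception list'
}

$policy = [int]$os.DataExecutionPrevention_SupportPolicy

"DEP hardware (NX/XD) available : {0}" -f $os.DataExecutionPrevention_Available
"DEP applied to 32-bit apps     : {0}" -f $os.DataExecutionPrevention_32BitApplications
"DEP applied to drivers         : {0}" -f $os.DataExecutionPrevention_Drivers
"System DEP policy              : {0} ({1})" -f $policy, $policyNames[$policy]

# The boot configuration store holds the same setting under the 'nx' element.
# bcdedit needs an elevated prompt; ignore the error if run unprivileged.
bcdedit /enum '{current}' 2>$null | Select-String -Pattern '^nx'

if ($policy -eq 2) {
    Write-Warning 'OptIn: a third-party browser plug-in or any other process that does not opt in runs with DEP off.'
    Write-Warning 'To enforce DEP by default while keeping an exception list for applications that break under it,'
    Write-Warning 'run from an elevated prompt:  bcdedit /set {current} nx OptOut   and reboot.'
}
```

Under OptIn, which is what the article complains about, a process such as a browser hosting a plug-in that was not linked with DEP support gets no NX protection at all, so the check above is the first thing to run before assuming DEP is "another layer" on a given machine. After switching to OptOut, applications that crash under DEP can be excluded individually through System Properties > Performance > Data Execution Prevention rather than disabling the policy system-wide.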

FlyingIsFun1217
August 11th, 2008, 06:28 PM
Hey, what's new?

FlyingIsFun1217 :P