Vista (in)security: Hacking into the new OS


A recently released Microsoft report reveals that 52% of admitted Vista security problems have not yet been resolved.

"Safety and security is the overriding feature that most people will want to have Windows Vista for," said Jim Allchin of Microsoft in January. "Even if they are not into home entertainment or in any of the specialty areas, they are just going to feel safer and more secure by using it."

Well, Insecure.org did a point-by-point dissection of a six-months-later Microsoft security review, and they're not alone in debunking Redmond's partisan analysis as being skewed. One BetaNews poster read the above and noted that, with only 48% of Vista's 25 security problems fixed as per the Microsoft report, Red Hat 4 has a far better batting average with an 81% closure rate.

When that critique is added to the latest of three Symantec security reports, plus reports of speech recognition, buffer overflow and 'sticky keys' exploits, and the exclusion of PatchGuard from all but 64-bit systems, it appears Microsoft is not there yet when it comes to Vista security.

Some IT shops are holding off on Vista deployment because their trusted security tools just don't work. Is yours one of them? Do you trust the Microsoft security-by-obscurity model, or do you find comfort in knowing what's wrong will lead to quicker fixes, as per open source advocates? Join the discussion.


42 comments
Fil0403

"Some IT shops are holding off on Vista deployment because their trusted security tools just don't work. Is yours one of them?" No, mine is not one of the very few IT shops that are (ignorantly) holding off on Vista deployment because I don't have an IT shop, but if I had one it certainly wouldn't be one of them, as if I had one I would work to make my security tools work in the latest and best OS, instead of being lazy and blaming the OS. "Do you trust the Microsoft security-by-obscurity model, or do you find comfort in knowing what's wrong will lead to quicker fixes, as per open source advocates?" No, I don't trust the unknown-to-me Microsoft security-by-obscurity model, but I do trust the Microsoft security-by-full-disclosure-and-fix model, which is the only one I know, and yes, I do find comfort in knowing what's wrong will lead to quicker fixes (that's why I don't like Apple's model and like Microsoft's one), which is different from feeling fake comfort in knowing anyone with any kind of experience can (incorrectly) fix the many bugs my incompatible OS has, which is the open-source model.

Deadly Ernest

standard command sets, MS doesn't use them. They use their own, which they change with every version of Windows, thus making it harder for people to write software that's compatible with multiple versions of Windows (that requires multiple command sets to be installed). There's a reason for establishing industry standards, but MS aren't interested in knowing or doing that. As to fixing bugs in MS, why is it the first 80 or so bugs found in the new versions of Windows are the same bugs found in earlier versions, and require the same patches? Now that's really fixing the problem, I don't think. MS is so good that their latest products aren't compatible with their earlier products, and they're the only people who do things that way.

apotheon

"[i]the Microsoft security-by-full-disclosure-and-fix model, which is the only one I know[/i]" What planet do you live on?

Neon Samurai

Where does this hostility come from? Why do you take so much offense to someone mentioning that shops are holding off on upgrading to Vista? Again you have to call someone you don't know and have never met "ignorant". It sounds like you actually mean "stupid", being that "ignorant" is a lack of choosing to obtain available information rather than an inability to comprehend freely available information. You end by saying that you don't have a computer shop but if you did it wouldn't be holding off on Vista. Whoopee for you. So you don't actually know what you're talking about, though. Stay in school. That's all I can say. Stay in school for all our sakes. Now, to clarify, "shops" would presumably be in reference to IT departments in businesses since consumer stores have already had Vista shoved onto their shelves to keep end users from easily continuing to buy WinXP. "Microsoft security-by-full-disclosure-and-fix model" - What? Really, you honestly wrote that and expected to retain any credibility at all, on a tech site? Really, Microsoft's average of 30 months or more to fix found and disclosed bugs versus Open Source patch turnaround times of (in some cases) minutes between discovery and publicly available patch? I'll say it again; someone took your money. If this is what you're learning in school then you got robbed. The alternative is that you're demonstrating true ignorance and not reading anything required in your classes or freely available from uncountable sources. "(that's why I don't like Apple's model and like Microsoft's one)" Care to explain the differences between the two models? Last I checked, they were both profit driven closed source software companies whose only real motivation (due to corporate law) is providing the shareholders with more money. "which is different from feeling fake comfort in knowing anyone with any kind of experience can (incorrectly) fix the many bugs my incompatible OS has, which is open-source model."
So, in short, you don't have a clue how Open Source development projects work then, do you. Yup, anyone can find and fix a bug. They must then submit the bug to the project leader who confirms that it is a good fix. This is done by a very experienced programmer (read, more than just a student posturing). If a bad fix does get into the distributed software, another of the thousands of highly skilled programmers (you know, that program as a day job) will find it. It's ok that you like Microsoft. You can keep using Microsoft's products and I truly hope they work well for you. But please, please, pleeease.. don't try to tell us these unsubstantiated and flat out incorrect assumptions like it was fact handed down to you by Baud himself. (If you don't get the "Baud" bit then you're such a newbie, and Baud save us all when you graduate and enter the real working world.) Please do this for us in the hopes of making for better conversation. Install more than one OS. Learn to admin more than one OS. Ideally, install at least three or more different OS and learn them until you are equally comfortable with any of them. Then, having an actual basis for opinion, come back and discuss the differences in technical terms. Calling others ignorant in the midst of demonstrating your own lack of information just doesn't cut it there, big guy.

j-mart

a point of view in discussing a topic, if this point is argued in technical terms rather than emotive dribble, they will always be taken much more seriously, even if their viewpoint is different from mine. At least you can then consider them as a valid pro and not a dreamer.

apotheon

I sometimes run across someone else who posts something brief and to the point -- succinct and elegant, as it were -- that exactly conveys what I had previously spent 1500 words trying to express in another comment in the same thread. I don't recall exactly who has done this when, in the past -- I don't tend to keep score so much as I just gradually build an impression of someone's intellectual value in discussions. As such, I know you're someone worth reading but don't always remember exactly why. I do know that I've had that moment of "Crap, I wish I'd thought to put it that way!" as well, though. In any case, thanks much for the compliment. I do try to give an appropriate response from time to time.

Neon Samurai

If everyone had the same opinion, this would be a very boring place to read and post. It's the differences of opinion and knowledge that make it a place for learning and sharing of information. As often happens, Apoth managed to express my own response in an elegant single comment. I often try to provide or correct information when I should instead post a quick response and write the troll off (in such cases as this particular one). (I get so wordy when talking tech; on any other topic but one I have very little to say.)

pcreso

What alternatives are there? Anyone wrestling with Vista & MS only has themselves to blame. In the corporate arena, make some noise & voice your dissatisfaction instead of whining in forums like this. Set up & demo some alternatives, like BSD/Linux based servers (web/file/database/mail/etc). I switched to Linux & Open Source about 6 years ago (desktop/workstation/web & db server) & have never looked back. Security is not an issue, stability is great, compatibility with most common applications is generally fine. My issue is which distro to use, not whether to downgrade to Vista. Currently I'm very pleased with OpenSuse. Novell are working hard on Windows interoperability. It's a shame MS don't see this is the way forward, instead of trying to lock customers in to restrictive (& faulty) proprietary software & reduce their customers' available options.

Fil0403

"Security is not an issue" Yeah, and every security report proves just that, LOL. "stability is great" No wonder, stability is inversely proportional with compatibility. "compatibility with most common applications is generally fine" LOL, that was a good joke. "My issue is which distro to use, not whether to downgrade to Vista." I guess your definition of downgrade is to change from a given OS to a more secure, productive and compatible one. "Novell are working hard on Windows interoperability, It's a shame MS don't see this is the way forward, instead of trying to lock customers in to restrictive (& faulty) proprietary software & reduce their customers' available options." That's an interesting (ignorant) comment, if we have in mind Microsoft was the one who took the initiative of making a deal with Novell to improve interoperability between software from the two companies; it's a shame ignorant people like you don't see this without the usual short-minded anti-Microsoft attitude, instead of trying to push users to incompatible (and insecure) open source software and (greatly) reduce their customers' available options in terms of software compatibility.

Neon Samurai

You sound like you've a great deal to learn still. Please include OS architecture and a smidgen of reality in your reading. Try, with an open mind, to read and consider information not published by Microsoft's marketing department. You were good enough to cherry pick word combinations and present them completely out of context, so let's have another go at that comment you replied to, shall we? "Security is not an issue" - if you read the previous comment you'll see that this is in reference to *nix based OS which, due to architectural design, are much more robust than other more closed source OS. Security is always something to keep in mind but for Unix like OS, not an *issue*. "stability is great" - again, in reference to Unix like OS. Go home and set up two machines, one with Windows and one with FreeBSD. Put them under a workload (nope, you don't get to just leave your Windows machine untouched). Come back and tell us which one got flaky and crashed first. But please, explain how the heck stability is related to compatibility? You completely lost me at that bit. Please explain the issues of compatibility. Should you be referring to hardware compatibility issues, please show where and how this is not due to lack of support from the hardware manufacturer rather than the fault of Microsoft (who produced very few drivers) and any *nix distribution distributor. I think you'll find the issues are not due to either OS but rather a lack of provided drivers or driver specs. "compatibility with most common applications is generally fine" - you dropped a great seagull turd on that one but failed to provide any further explanation. "most common applications" would be referring to the saved file formats. Please further your education by looking into proprietary closed formats and their use in unfair competition by monopoly business possessions. "My issue is which distro to use, not whether to downgrade to Vista." -
again a comment referring to the *choice* that a user gains by looking outside of a single brand of OS based on a closed system designed to lock customers into a profit generating cycle. But your own comment; "I guess your definition of downgrade is to change from a given OS to a more secure, productive and compatible one." Please. Tell me you're not honestly hinting that Vista or any of its predecessors are more secure, productive and "compatible" (which you still need to clarify) than *nix based systems. Oh, that's rich. That really just shows how much you need to learn. Stay a student as long as you can and again, do some reading from a source other than a marketing department. (The "Get the FUD" marketing campaign doesn't count.) In response to your last comment; don't assume bad faith and go calling someone else "ignorant" for having a difference of opinion or not having all the information unless you're going to provide *supporting information* of your own. Microsoft took the initiative to extend a patent protection racket offer to Novell which it took for reasons of its own; presumably in part; to improve interoperability between OS. You know, keep *choice* and *competition* in the market place. You demonstrate your own true ignorance: "instead of trying to push users to incompatible (and insecure) open source software and (greatly) reduce their customers' available options in terms of software compatibility" - who's pushing users to an incompatible format? Far as I can see someone is only mentioning that there is more than one very viable choice in software, though others don't have the same marketing budget that some do. - Insecure open source? Please, explain that opinion in detail. If you mean it's more insecure because the source is freely available to be audited by any developer, security researcher or potential client with a vested interest in security then you're completely wrong.
- Last time I checked, pointing out other potential options did not reduce a user's choice. (See what I did there? I quoted you but retained the entire bit, less your shallow insults, to maintain the context of your opinion, which is sadly lacking education.) If this is what you're learning in school then someone is taking your money. If you'd like further information on security through visibility, the Open Source development model or similar readings that would benefit your education and broaden your understanding, I'd be happy to provide a few starting links. My fear though is that you're going to troll along reading your own blather in the hope of somehow feeling better about yourself. In that regard, this is more for the other readers who may be misled by your misinformation.

Neon Samurai

The irony being that I had more variation in computer education in high school than in University. In Uni, the Comp Sci folk got to use Unix every other OS. Regular students used a bit of Unix but really only to set up their email forwarding preferences. In classes it was all Microsoft and SAP. SAP for "Enterprise Solutions" and MS for everything else. Novell was gone by my University time so we got stuffed with Active Directory as a "training aid" (student branding tool) for network management courses. I don't slam Fil for being taught on only MS products as workstation software; you use what the teacher designs their course around. I slam him for the misinformation above and beyond the software he may be forced to use as a training platform. That and announcing it like it was holy scripture while, at the same time, calling everyone else ignorant for not being as undereducated as him/her.

j-mart

Some of the rubbish that this student has come up with is commonly taught. Many courses only teach Microsoft and not "Computers", and thus many a student has to step out of the box to learn, for a given purpose, that there is sometimes a better solution than the Microsoft supplied one.

poflynn

I would like to know why machines are getting faster but are actually running increasingly slower because of an operating system. (I'm just pointing out the Irony) Further I don't think that the security measures are really well thought out. It seems to rely more and more on making a user do more to ensure their authenticity and forcing manufacturers to cough up the $$ to certify MS compliance (last I heard this was in the order of tens of thousands of dollars).

FightingSpirit1

I received one of the first beta copies of Windows 1.0 from my brother who worked at "Ma Bell" back in 1986. Since that first copy, I have yet to see any version put out by Microsoft work properly out of the gate. I still have a bitter taste from 3.0, the original crasher, when Microsoft was telling users they'd have to purchase the new and improved 3.1. Back then, we didn't have the internet for patches and fixes... just new versions. I still to this day recommend clients wait at least 1 year before buying or upgrading. I'd like to know when Microsoft will start paying us to fix their problems. Where's the lemon law for faulty software? If I had this type of track record, I'd be out of business. My Mac sure looks better every day!

ramnet

I find Vista a huge disappointment on all levels. I especially loathe the fact that things that were intuitive and easy to do in XP are now either impossible or buried layers deep in the operating system and require special tricks or fudges to get them working. Inexcusable design, incredibly slow performance, a complete ignorance of what users want from an operating system are at the forefront. Who cares about security when you cannot connect to a network printer, cannot repair/restore after a motherboard failure or disk crash, cannot run anything when IE7 is downloaded via updates and then crashes the system, or other updates curtail usability or induce new faults. Concentrate on giving us the basics properly first. Gloss and pretty icons are a poor substitute for an already proven working operating system like XP. Already the market here in Australia is costing me money as I cannot sell notebooks with Vista on them and I cannot get notebooks with XP. So the market is cutting its own throat and deserves to die through its own arrogance, ignorance and gross stupidity. Ken

Deadly Ernest

some now have a very Windows look and feel, simply to make getting the swap over market easier to grab.

mypl8s4u2

MS has forced all vendors to sell only Vista, you don't have a choice. And they wonder why people pirate their software. For a couple of reasons, the main being it's so easy to crack. Security, to this day MS still doesn't have a clue. But it's ok, they got tons of money to screw whoever they wish, and the consumer is the whore in this case.

laitiatemo

How can I utilize the static IP address provided by the ISP to set up a web server connected via a wireless router? Please detail the steps to configure the ADSL router and wireless router. I am a bit confused with the configurations provided by some of the guides available online. I would like to know the LAN side of the configuration on the ADSL router, the IP addresses to be used, DHCP configuration etc. And, on the wireless router side, how would I configure it to talk to the ADSL router and where would I use the static IP provided by the ISP?

K7AAY

Do you feel your Vista deployment is delayed because of security concerns?

Sharps2010

At the end of the day MS programs are always going to be inadequate for some people. We can moan all we want about their faults, but at the end of the day if their software and applications worked perfectly out of the box then myself and, I'm fairly certain, a fair few others on here would be out of a job overnight. Just a thought??

Neon Samurai

Currently we have a Windows bolstered Support industry. My theory is that we'd instead have a very healthy Service industry if MS quality improved. The difference is subtle, but rather than spending all our time fixing borked Windows installs, we'd be providing services like design, installation and ongoing maintenance. The IT industry would become smaller than it is due to not requiring so much overhead to simply keep a machine booting from day to day. Like an old boss used to say; "Bless Microsoft. Without them we'd set up a business's systems then would be able to visit them weekly on billable time." - I'm curious to see the other side of that scale.

stanley.king

We will be upgraded within the next 2 months. It will be interesting to see how well Vista will work.

jc2it

...to security issues. We are fed up with the cost of Microsoft's upgrades. The OS has become so bloated that its hardware requirements are astronomical. We do not need to have all of that hardware to provide quality customer service to our customers. We are currently evaluating Red Hat as an alternative on the desktop, and for 85% of our users it will be a no-brainer. Where we are having a sticky problem is in our design departments (Graphics has been using Macs for years). Holdouts like AutoCAD and SolidWorks tend to gum up a switch like that. Accounting wants to have Excel as well, although 99% of what they use it for can be done in OpenOffice. I say all of this to make the point we are on the cusp of switching 85% of our user base to non-Microsoft operating systems. We save money at so many levels it is amazing. No cost for Office software. No cost for AV software. No cost for generating a PDF document. Cheaper administration costs. It quickly becomes an issue of economics.

j-mart

Most of the top applications being only available on the Windows platform is something we are unfortunately stuck with. The same thing seems to apply with financial software commonly used in the work place. I like the idea of using industrial strength Linux such as Red Hat for the servers etc., with Windows running the required applications on desktops well protected by the Linux based LAN. Vista will of course eventually filter through to the workplace if Microsoft wants it to, as they will eventually give us no choice.

j-mart

Once there were UNIX versions of much of this CAD-CAM software. AutoCAD 11 was the last with a UNIX version from Autodesk; Pro Engineer started with UNIX versions. Some of the players in CAD software only had PC versions available when 486 PCs came out, as these were the first PCs powerful enough. I remember an article in a CAD magazine looking at the UNIX version of AutoCAD 11 and getting excited at superior performance to the PC version. You could even have two dwg's open at the same time.

Neon Samurai

Each tool for its own job, as they say. If you have to use an application which only runs on the Win32/Win64 platform then Windows is your only choice. Now, is that because you're an AutoCAD shop or does Windows retain a deathgrip on most CAD/CAM setups?

rvermaak

Testing Vista on my laptop, P4 Centrino 1.73 GHz, 1 gig RAM (HP nc6120), found the following.
1. DHCP / TCP/IP is screwy at best; doesn't reconnect after standby using DHCP or static address.
2. UAC is easy to turn off.
3. Accessing network printers is not that easy to use (access is denied).
4. Unbelievably slow with Aero and visual features turned on.
5. Cool Task Manager/Resource Monitor.
6. Cool/nice looking Solitaire.
7. Most non-Microsoft apps stop working or start crashing.
8. TrendMicro OfficeScan edition doesn't work, see no. 7.
9. IE7 is stable; can open it 7 times with about 5 pages per instance before it crashes.
Security is almost the least of my worries.

marka

And beyond what others have stated, which all apply to me, 3rd party software which we are mandated to run doesn't work on Vista. At this point, I am likely skipping this entire generation. Previous managers have used us as beta testers, which created a massive workload. I think I am going to take this generation off to watch others beta test. Time for more interesting projects than simple OS issues.

Locrian_Lyric

be the first one with the new tech and edge out your competitors. Anyone who tries to do that is a fool. All you will end up doing is providing beta-testing to the vendors and a better product for your competitors who wait 6 months to 1 year for the bugs to get worked out. Delayed because Vista is yet another product that proves the new rule.

mhbowman

are just as important, like:
1. Vista requires a minimum of 1 gig of RAM. Upgrades of nearly 9000 end-user PCs for a hospital wide conversion is expensive.
2. Being the early bird gets you nothing but bugs, incompatibilities, and waiting for patches.
3. I fail to see any REAL substance to the new OS to warrant a change at this point.
4. What used to take a few clicks to configure in XP now takes many more steps, answering questions, confirmations etc. with Vista.
5. Finally... I got into IT because I liked working with new technologies and learning new things, not learning the NEW method of doing the same thing every 3 years.

boguscomputer

"... I got into IT because I liked working with new technologies and learning new things, not learning the NEW method of doing the same thing every 3 years." AMEN!

1dennis3

I agree, I also work for a hospital and our company owns 180 hospitals around the country. We will not buy a PC with Vista. It is incompatible with so many things and would cost a large fortune to bring everything into compliance with Microsoft. I've been working with PCs well before Windows came around and have worked with every version they have come out with. Vista has to be close to the top of the list of worst. (ME still holds the top position.)

j-mart

rolling out Vista in the workplace just yet. Security concerns will only be a small part of this. If your present system is working there is no point in changing. Why go to all that bother, disruption or expense for no gain?

Fil0403

rolling out Vista in the workplace already. According to a recent inquiry, security concerns are actually the biggest "part of this". If your present system is working, there is a huge point in changing, namely more security, reliability/stability and productivity, if not for the fact that most software is already being optimized for Vista and sooner or later will be exclusive to it. Your last sentence is just the perfect proof of how little you know about what you're talking about (Vista) and certainly gives a good laugh to anyone who uses Vista or at least had the trouble of actually learning something about it.

j-mart

This was the last Microsoft OS I really liked. When I look back at the amount of work, and how fast we used to complete projects with AutoCAD 12 on a good 486 on DOS 6.2, I'm sure the work was often done faster than it is now done with SolidWorks and the P4 machines that are used today. I tell the younger staff at work that the biggest productivity improvement I have seen in my career was HP DesignJet plotters replacing the old pen plotters.

Deadly Ernest

By the time of DOS 6, many of the security issues in DOS had been fixed. It's very interesting that DOS 6 with Win 3.11 was a lot more secure than Win 95 which replaced it. That difference was due to Microsoft designing back doors into Win 95 (and every version of Windows since) to enable them to get better performance out of the other MS software by giving them quicker and easier access to the operating system and the kernel. The majority of security issues since then have resulted from others taking advantage of these extra access points.

Neon Samurai

CP/M or MS-DOS (er.. whichever CP/M clone it was anyhow) was meant to be a stand alone OS. The idea of it being on a network was inconceivable when originally designed, so consequently all security was provided by the key in the computer chassis or the office's locked door. MS continued to build on their initial purchase through DOS 6.22, Win95 and onward. Even today, DOS is hidden away in the layers of onion skins that make Windows. (Supporting DOS viruses est. 1980s.) The result of all this is that security has always been a distant afterthought when finally considered at all. It's also done a great deal to bolster the security software industry (or antivirus parasites as some would call Norton/McAfee). You're bang on the money though; security is a part of OS architecture, not a third-party aftermarket add-on like better windshield wipers on your car. The more robust OS look at viruses and such as indications of a programming bug to be corrected with the next version release rather than something to address by adding on yet another piece of software. That is, however, my humble understanding, having grown up with MS systems and more recently anything else I can get my hands on.

j-mart

Microsoft products have always had security as an add-on, almost an afterthought. The best security comes from basic architecture and is best designed into a system at the start.

apotheon

Support for your arguments becomes even more important when you're telling someone he doesn't know anything. The fact that, as far as I recall, I have [b]never[/b] seen you provide some supporting evidence for [b]anything[/b] you've said doesn't help your case much. Please cite your sources.

Neon Samurai

Good for you, you like Vista. Your last sentence is the perfect proof that you're just trolling against anyone who doesn't blindly fall in love with the newest Redmond marketing tool. That's not to say I don't want to explore Vista when I can get hold of a legal Ultimate license. That's just to say that your fanboy droppings through the forums over the last few weeks or so haven't gone unnoticed.

seanryan52

There are no gains to using Vista in the workplace or corporate environment. Vista is a candy shell for the home user, basically. It has mild upgrades from XP, but not enough to justify a complete corporate rollout.