[pchelpers] Flaws areDetected in Microsoft's Vista

• From: Gerald Gollinger <gerald3nyc@xxxxxxxxx>
• To: pchelpers@xxxxxxxxxxxxx
• Date: Mon, 25 Dec 2006 09:59:30 -0800 (PST)

From today's The New York Times.  Since the Internet edition of this newspaer 
is by free subscription I gave a copy and paste of the article on Microsoft 
Vista flaws. - Gerald
   
   
   
   
  December 25, 2006
  
  Flaws Are Detected in Microsoft?s Vista   By JOHN MARKOFF
    SAN FRANCISCO, Dec. 24 ? Microsoft is facing an early crisis of confidence 
in the quality of its Windows Vista operating system as computer security 
researchers and hackers have begun to find potentially serious flaws in the 
system that was released to corporate customers late last month.
  On Dec. 15, a Russian programmer posted a description of a flaw that makes it 
possible to increase a user?s privileges on all of the company?s recent 
operating systems, including Vista. And over the weekend a Silicon Valley 
computer security firm said it had notified Microsoft that it had also found 
that flaw, as well as five other vulnerabilities, including one serious error 
in the software code underlying the company?s new Internet Explorer 7 browser. 
  The browser flaw is particularly troubling because it potentially means that 
Web users could become infected with malicious software simply by visiting a 
booby-trapped site. That would make it possible for an attacker to inject rogue 
software into the Vista-based computer, according to executives at Determina, a 
company based in Redwood City, Calif., that sells software intended to protect 
against operating system and other vulnerabilities.
  Determina is part of a small industry of companies that routinely pore over 
the technical details of software applications and operating systems looking 
for flaws. When flaws in Microsoft products are found they are reported to the 
software maker, which then produces fixes called patches. Microsoft has built 
technology into its recent operating systems that makes it possible for the 
company to fix its software automatically via the Internet. 
  Despite Microsoft assertions about the improved reliability of Vista, many in 
the industry are taking a wait-and-see approach. Microsoft?s previous operating 
system, Windows XP, required two ?service packs? issued over a number of years 
to substantially improve security, and new flaws are still routinely discovered 
by outside researchers.
  On Friday, a Microsoft executive posted a comment on a company security 
information Web site stating the company was ?closely monitoring? the 
vulnerability described by the Russian Web site. It permits the privileges of a 
standard user account in Vista and other versions of Windows to be increased, 
permitting control of all of the operations of the computer. In Unix and modern 
Windows systems, users are restricted in the functions they can perform, and 
complete power is restricted to certain administrative accounts.
  ?Currently we have not observed any public exploitation or attack activity 
regarding this issue,? wrote Mike Reavey, operations manager of the Microsoft 
Security Response Center. ?While I know this is a vulnerability that impacts 
Windows Vista, I still have every confidence that Windows Vista is our most 
secure platform to date.?
  On Saturday, Nicole Miller, a Microsoft spokeswoman, said the company was 
also investigating the reported browser flaw and that it was not aware of any 
attacks attempting to use the vulnerability.
  Microsoft has spent millions branding the Vista operating system as the most 
secure product it has produced, and it is counting on Vista to help turn the 
tide against a wave of software attacks now plaguing Windows-based computers. 
  Vista is critical to Microsoft?s reputation. Despite an almost 
four-and-half-year campaign on the part of the company, and the best efforts of 
the computer security industry, the threat from harmful computer software 
continues to grow. Criminal attacks now range from programs that steal 
information from home and corporate PCs to growing armies of slave computers 
that are wreaking havoc on the commercial Internet.
  Although Vista, which will be available on consumer PCs early next year, has 
been extensively tested, it is only now being exposed to the challenges of the 
open Internet.
  ?I don?t think people should become complacent,? said Nand Mulchandani, a 
vice president at Determina. ?When vendors say a program has been completely 
rewritten, it doesn?t mean that it?s more secure from the get-go. My 
expectation is we will see a whole rash of Vista bugs show up in six months or 
a year.?
  The Determina executives said that by itself, the browser flaw that was 
reported to Microsoft could permit damage like the theft of password 
information and the attack of other computers. 
  However, one of the principal security advances of Internet Explorer 7 is a 
software ?sandbox? that is intended to limit damage even if a malicious program 
is able to subvert the operation of the browser. That should limit the ability 
of any attacker to reach other parts of the Vista operating system, or to 
overwrite files. 
  However, when coupled with the ability of the first flaw that permits the 
change in account privileges, it might then be possible to circumvent the 
sandbox controls, said Alexander Sotirov, a Determina security researcher. In 
that case it would make it possible to alter files and potentially permanently 
infect a target computer. This kind of attack has yet to be proved, he 
acknowledged.
  The Determina researchers said they had notified Microsoft of four other 
flaws they had discovered, including a bug that would make it possible for an 
attacker to repeatedly disable a Microsoft Exchange mail server simply by 
sending the program an infected e-mail message.
  Last week, the chief technology officer of Trend Micro, a computer security 
firm in Tokyo, told several computer news Web sites that he had discovered an 
offer on an underground computer discussion forum to sell information about a 
security flaw in Windows Vista for $50,000. Over the weekend a spokesman for 
Trend Micro said that the company had not obtained the information, and as a 
result could not confirm the authenticity of the offer. 
  Many computer security companies say that there is a lively underground 
market for information that would permit attackers to break in to systems via 
the Internet.

 __________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



-- 
-------list-services-below-----------
Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at http://www.freelists.org/cgi-bin/lsg2.cgi
List archives at http://www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Latest news live feeds at http://modecideas.com/indexhomenews.htm?sig
Good advice is like good paint- it only works if applied.

• » [pchelpers] Re: Flaws areDetected in Microsoft's Vista
• » [pchelpers] Re: Flaws areDetected in Microsoft's Vista
• » [pchelpers] Re: Flaws areDetected in Microsoft's Vista
• » [pchelpers] Re: Flaws areDetected in Microsoft's Vista
• » [pchelpers] Re: Flaws areDetected in Microsoft's Vista
• » [pchelpers] Re: Flaws areDetected in Microsoft's Vista
• » [pchelpers] Re: Flaws areDetected in Microsoft's Vista
• » [pchelpers] Re: Flaws areDetected in Microsoft's Vista
• » [pchelpers] Re: Flaws areDetected in Microsoft's Vista
• » [pchelpers] Re: Flaws areDetected in Microsoft's Vista
• » [pchelpers] Re: Flaws areDetected in Microsoft's Vista
• » [pchelpers] Flaws areDetected in Microsoft's Vista

• » Related posts
• » Previous by Date
• » Next by Date
• » This Month's Archive
• » Main Archive Page

• » View list details
• » Manage your subscription