Fuzzy Logic: Vista 'vulns' maybe not so critical, but missing drivers are

Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.



Microsoft security expert Michael Howard believes Vista’s ‘critical’ vulnerabilities are less serious than those on XP, but that Vista’s biggest vulnerability is the slow pace of driver updates.

Michael Howard, who calls himself ‘a simple security software guy at Microsoft’, has written in his blog that Vista’s security vulnerabilities should receive a different rating to the critical vulnerabilities found in Windows XP due to Vista’s much more hardened security layers and core.

While you should read Howard’s blog entry to see everything that he says, which includes a prediction that the next couple of years will see up to 50% fewer critical vulnerabilities compared with Windows XP, a couple of interesting passages are as follows: “There is one thing you will see that I’m not too thrilled about, but it is what it is. The MSRC rarely reduces the severity of a buffer-related security bug because a defense with no security guarantees such as /GS or /SafeSEH is in place. UAC will be a speed bump, but I doubt we would reduce the severity of many bulletins if UAC is the sole mitigation”.

Howard continues that “The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity. So don’t be surprised if you see a bug that’s, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place. As I understand it, the MSRC will call out defenses that come into play.”

Howard then tells us why he thinks this is the case. He says: “Why am I making these claims? I know the SDL [Security Development Lifecycle] works, and we will continue to evolve SDL over time as we learn of new vulnerability types and new defenses, but Windows Vista is the first Windows to go through SDL from start to finish. We know that when you focus on something intensely, you can make a big difference”.

Of course, not everyone agrees. Plenty of analysts believe the rating system should stay as it currently stands, and that just because Microsoft (or at least Michael Howard) might believe Vista is more secure doesn’t mean that hackers won’t be just as clever at finding new ways through Microsoft’s admittedly greatly improved defenses.

But what’s the real vulnerability that Vista has to deal with? Please continue on to page 2 for the conclusion...


Alex Zaharov-Reutt


One of Australia’s best-known technology journalists and consumer tech experts, Alex has appeared in his capacity as technology expert on all of Australia’s free-to-air and pay TV networks, including stints as presenter of Ch 10’s Internet Bright Ideas, Ch 7’s Room for Improvement and tech expert on Ch 9’s Today Show, among many other news and current affairs programs.
