backtop

Print E-mail del.icio.us 64 comment(s) - last by Zoomer.. on Nov 28 at 4:46 PM
Fix won't come around until next Vista service pack

Microsoft's Windows Vista operating system is one of the most maligned operating systems Microsoft has ever produced. The operating system has been panned by some users and critics and has become the brunt of jokes in commercials from rival Apple for its Mac computer systems.

One of the key things that many point to with Vista is the amount of hacks and viruses that can take advantage of holes in the design and security of the OS. Despite the fact that Vista isn't alone in having security issues, what was described as a huge hole in open source software including Linux was discovered in May, it still gets more press for issues than the other operating systems available.

The latest significant issue with operating system security again falls on Vista's shoulders with a new kernel vulnerability that has been discovered. The vulnerability was discovered by Thomas Uterleitner from the Austrian security company Phion. Friday Unterleitner announced that he had warned Microsoft about the flaw in October, but a fix would not be offered until the next Vista service pack was launched.

The flaw is in the network input/output subsystem of Vista. Certain requests sent to Vista's iphlpapi.dll API can cause buffer overflow errors that can corrupt Vista's kernel memory leading to a blue-screen-of-death (BSOD) crash.

Unterleitner told ZDNet UK, "[the] exploit can be used to turn off the computer using a (denial-of-service) attack. This buffer overflow could (also) be exploited to inject code, hence compromising client security."

The flaw has been verified in Windows Vista Enterprise and Ultimate editions and it is assumed that all other versions of the operating system will be susceptible to the flaw as well. According to ZDNet UK Microsoft told it that while Microsoft was aware of the issue, it was not aware of any malicious code that can take advantage of the flaw.

Microsoft also didn't confirm that a fix for the flaw would be offered in the next service pack for Vista.

Comments     Threshold


This article is over a month old, voting and posting comments is disabled
Before the discussion gets too out of hand...
By Smilin on 11/25/2008 10:09:12 AM , Rating: 5
"Asked about the severity of the flaw, Unterleitner pointed out that administrative rights were needed to execute a program calling the function that would cause the buffer overflow. "

So essentially you have to:
1. Gain admin rights to a machine.
2. Perform a buffer overflow.
3. Attempt to insert arbitrary code.
4. Hope that your code lands in an executable page so you don't get an instant BSOD.
5. Execute said code before a thread swap because Vista is going to bugcheck the moment it see's the exiting page's header overwritten.
6. Hope that there is a 1/256 chance that Vista's ASLR left your intended culprit in the right place.
7. Hope in the other 255 cases you still have #1 available after the bugcheck to try again.
8. Hope after several of #7 the user hasn't started to notice anything funny.

The vulnerability researcher says it can be used as a DOS attack...of course it's a DOS attack...you keep bugchecking the box nimwit!! The improvements in Vista's kernel is designed to prevent exactly what you are doing and it's going to be hell to get any of your code to run.

Linux, Apple fanboys stand up with me here in a bipartisan fashion in the name of common sense and support this statement: If you need admin access to a box to hack it then your hack is a fail.




By bobsmith1492 on 11/25/2008 12:26:11 PM , Rating: 5
You know what I can do on my Vista box? I can reformat all the hard drives and wipe EVERYTHING. How's THAT for security, eh?

*Admin privileges required


By Smilin on 11/25/2008 12:43:25 PM , Rating: 4
OMG Micro$oft must sux0rs! You can't do that on an Apple*

*without admin privileges


By Zoomer on 11/28/2008 4:46:16 PM , Rating: 2
I don't see why you need admin rights to do that*.

*Physical access required


By therealnickdanger on 11/25/2008 3:48:21 PM , Rating: 2
+937


By ThePooBurner on 11/25/2008 3:52:02 PM , Rating: 2
Give this a 6 and place it at the top of the page please.


RE: Before the discussion gets too out of hand...
By sprockkets on 11/25/2008 4:31:03 PM , Rating: 2
Well, for most machines to get admin rights, simply say yes to the "Windows needs your permission to continue" box.

Nowhere near as bad as it used to be, but again, remember the vast majority of people who use computers.


By InternetGeek on 11/25/2008 5:03:30 PM , Rating: 3
Wrong. By default programs are not executed with admin rights anymore. To do that now you need to right click, run as and then tell, by checking, the os you want to give this program unlimited rights to the system.


By omnicronx on 11/26/2008 11:30:11 AM , Rating: 2
quote:
Linux, Apple fanboys stand up with me here in a bipartisan fashion in the name of common sense and support this statement: If you need admin access to a box to hack it then your hack is a fail.
Haha you could not be more correct. This is only an internal security flaw, and if you have admin rights, you don't need to do not need to take advantage of this flaw anyways. I can do a lot more damage than injecting code and turning off a computer with admin rights.


*sigh*
By therealnickdanger on 11/25/2008 9:38:50 AM , Rating: 5
For every version of Windows, I see all these "warnings" and "prophets of doom" telling me how unsafe Windows is. But guess what? I've never had a virus, never had my identity stolen, never lost anything of value...

I'm of the opinion that outside of a targeted, dedicated, brute force attack by a skilled hacker, every security flaw in Windows is user-created.




RE: *sigh*
By arazok on 11/25/2008 9:44:16 AM , Rating: 5
Do what all my friends seem to do. Install limewire and download every .exe file related to porn or music you can get your hands on.


RE: *sigh*
By AnnihilatorX on 11/25/08, Rating: 0
RE: *sigh*
By Flunk on 11/25/2008 3:26:00 PM , Rating: 2
Then how are you going to execute applications? If the default action for .exe files is set to anything but execute you would boot up your system and be left sitting at a blank desktop because the Explorer would not have executed, try to get out and taskmgr.exe won't run.

Yes, your solution makes a lot of sense.


RE: *sigh*
By PhoenixKnight on 11/25/2008 8:27:55 PM , Rating: 3
That's his entire point. It's called sarcasm, perhaps you've heard of it before.


RE: *sigh*
By afkrotch on 11/25/2008 10:06:13 AM , Rating: 5
User stupidity is a bigger threat than OS vulnerabilities.


RE: *sigh*
By PhoenixKnight on 11/25/2008 8:30:07 PM , Rating: 2
Don't forget liquor. A friend of mine once accidentally formatted his hard drive while drunk.


RE: *sigh*
By Darkk on 11/26/2008 12:02:06 AM , Rating: 2
quote:
Don't forget liquor. A friend of mine once accidentally formatted his hard drive while drunk.


I've been drunk alot of times and never did that. Simply because it requires several steps in the proper order to simply format a hard drive.

Of course you can accidentally delete huge sum of files and no backup. Probably just as screwed as formatting a hard drive.


UAC
By Elementalism on 11/25/2008 12:32:14 PM , Rating: 2
I am curious what the UAC does with this. I suspect since they havent confirmed they can raise the privledges it will prompt you to install something. If the UAC shows up out of the blue asking for permission to install something you should be smart enough to hit no or cancel.

Secondly they talk about dhcp packets. That would require the would be attacker to get on your local network. This doesnt sound as bad as the article makes it sound.




RE: UAC
By Gzus666 on 11/25/2008 12:35:01 PM , Rating: 2
quote:
Secondly they talk about dhcp packets. That would require the would be attacker to get on your local network. This doesnt sound as bad as the article makes it sound.


Well, with the recent cracking of WPA and the rampant amount of poorly secured WAPs out there, I could see that happening though.


RE: UAC
By Elementalism on 11/25/2008 6:08:43 PM , Rating: 2
I didnt know WPA was cracked? When and how? I understand TKIP WPA is capable of being hacked given enough time. But you are making it sound like it is cracked like WEP?


RE: UAC
By Elementalism on 11/25/2008 6:13:32 PM , Rating: 2
NM I found an article on it. Interesting, I was always under the impression TKIP was crackable where AES was still secure.


RE: UAC
By Smilin on 11/25/2008 1:39:19 PM , Rating: 4
You're right. It's not as bad as the article makes it sound.

The "vulnerability" requires admin privlidges. In other words UAC would indeed have to pop a prompt. If you can trick a user into giving you admin there are far worse things you can do than a simple DOS attack.

They do mention DHCP and suggest that it might be possible to use that but then again it might be theoretically possible to hack Vista with a hunk of cheddar cheese. However, so far both lack any proof whatsoever. The researcher needs to put up or shut up.

Getting access to a local network should be a given though. Although the owners of the network may very well have made it impossible (802.11 auth, physical access etc) you have to assume that the network is insecure for purposes of OS security.

This "vulnerability" is a joke. It's just some tripe to capture headlines.


really dangerous? I don't think so.
By GoodBytes on 11/25/2008 9:36:05 AM , Rating: 2
Since Vista release this is major issue doesn't pile up to reach the number 10.
Windows XP has uncoutable issues since it's release (I have Vista pre-SP1, and installing that dam OS takes a day and half and ~2GB of bandwidth to put it to SP3 fully updated), and even then there is still major issues.

This issue doesn't really affect people with behind any basic routers, as it would require to send a specially hacked message (DHCP), and to make this work, you need to update the firmware of the router. Most router don't support custom firmware. And to top things over, the hacker needs to by-pass UAC if it's tuned on. That is the reason why Microsoft is not in a hurry to fix it.




By jak3676 on 11/25/2008 10:09:01 AM , Rating: 5
The whole point the article seems overly anti-MS. Don't get me wrong, I love to hate on the 800lb gorilla as much as anyone, but this is a pretty small issue.

As someone who does pen testing for a living I can say it much harder to crack Vista than any earlier MS product. It's not that Vista doesn't have it's issues - it does - and probably in about the same relative %'s as any other OS. But they way that MS has segmented everything and isolated every piece means that even if you do find a vulnerability, it about impossible to escalate your prilages on the individual machine or on the network. Even in cases where we vulnerable applications (the bulk of the vulnerabilities nowdays), when we find them on a Vista machine we just mark that as a low priority and move on to easier targets.

I won't comment on Apple's OS as in several years of military/corporate pen testing, I've found exactly 0 Mac's. But Vista is a huge improvement, securty wise, over XP. It's still not OpenBSD, but its not likely that corporate America is going to switch to *nix anytime soon. If anyone is looking for the most secure MS OS - Vista is still lightyears ahead on the rest.


Just to point out....
By foolsgambit11 on 11/25/2008 2:26:44 PM , Rating: 2
Not Mick.




RE: Just to point out....
By therealnickdanger on 11/25/2008 3:54:04 PM , Rating: 4
In the course of writing his 13th green-energy blog of the week, he just didn't have time.

;-)


buffer overflow management template (free of charge)
By menace on 11/25/2008 5:52:10 PM , Rating: 2
CDataClass data; // defined elsewhere
const long imax=BUFFER_SIZE;
long buf[imax];
while (i<imax || data.endofdata)
{
cin >> data;
buf(i)=data.word;
++i;
}
if {data.endofdata)
{
<< do normal stuff here >>
}
else
{
<< do something here to handle full buffer without crashing OS >>
}




By Smilin on 11/26/2008 12:02:32 PM , Rating: 2
That's soooo cute! You tried to write your very own user mode buffer manager thingy to prevent an overrun in kernel mode!

You also wrote a DOS attack into your code. You must be a l33t h4x0r!

It's so genius that I almost missed it. When your code gets indirectly called by an IRQ to handle some data in an IRP it will be running at an IRQL 2. When it pages to grab that 'cin' code it will pop a Stop 0x00000050 . Who knows the page may or may not already be in memory and since you didn't forsee that you might go seconds or even days between bugchecks!

That was downright evil genius making it intermittent like that. App developers writing kernel/driver code is clearly the way to go. PS: I like the way you handled that private data buffer size with an unrelated constant...that's going to work out great over the life of the code. :/


Well that's not good.
By JackBurton on 11/25/2008 8:57:58 AM , Rating: 1
I hope MS plans on releasing SP2 for Vista by the end of the week. :| I can already see the new Mac commercial...




By Master Kenobi (blog) on 11/25/2008 9:19:31 AM , Rating: 1
Typical. I'm under the firm belief that these so called security experts intentionally announce attack vectors like this and then offer a product from their company that will "protect them". The smart thing to do would be to report it and then shut up about it. You don't tell the world you have a hole the size of the titanic on your left flank. You tell em its bulletproof to discourage them from trying.

Perhaps bringing these so called "experts" up on charges for assisting virus makers everywhere.


The only real problem with Vista...
By nah on 11/25/2008 9:44:08 AM , Rating: 2
is that it follows up on something which is basically OK for everyday work and play--the same was not the case with XP--which replaced ME (consumer) and 2000 (Pro) Oses--hence the much higher rate of adoption of XP within a year of its release compared to Vista




WinNuke
By tjr508 on 11/25/2008 11:09:40 AM , Rating: 2
Does this mean we finally get a new version? It's been 10 long years since a push of a button could crash most systems.




By AnijoAnan on 11/25/2008 3:35:36 PM , Rating: 2
It's really not that interesting if you can BSOD a computer when you're running as Administrator. You don't need to add an invalid Route to DOS the computer at that point, you could just as easily call Shutdown now or format c: or something else equally destructive.

Also... this article is full of lies. I could've sworn Vista has had fewer security flaws than any OS before it by a pretty significant factor.




MS's days as a monopoly are numbered
By wordsworm on 11/25/08, Rating: -1
By MonkeyPaw on 11/25/2008 10:24:22 AM , Rating: 2
Congratulations for posting a comment longer than the original article.


By afkrotch on 11/25/2008 10:32:02 AM , Rating: 1
quote:
One of the biggest reasons I can think of that has made MS so popular is the ease in which it could be pirated.


WTF kind of arguement is that? So explain why Linux isn't the most popular when it's free?

quote:
Apple's beloved logo would be there, and people would buy it in droves and line up for blocks to buy it. Despite all that, they are gobbling up market share at an exponential rate, and are becoming serious competitors to that $1,200+ PC market.


They went from 8% (2007) to 10% (2008). Now comes the problem. With the recession, will they be able to maintain their marketshare.

quote:
It's the dark horse that's coming up that I see as the one that has the potential to dethrone the king: Linux, under the Ubuntu flag. While American readers will scoff at the case I'm about to put forth (ie, what does the rest of the world really matter anyways?) That is to say that many schools throughout third world countries are beginning to adopt the technology. I'm not talking about African nations, though they may be in the fray as well, I'm talking about highly intellectual countries such as China and India, and Russia. There is also Argentina, Brazil, France, and a number of other countries whose entire governments and educational systems seem to be on the move to Linux based computers. To me, that spells the greatest threat to MS dominance.


lol, that's why some of those countries have the highest piracy rate for Windows. As soon as Microsoft force black desktop backgrounds, how many in China started complaining?

quote:
However, I am extremely dissatisfied with their customer service. It's bloody expensive, and probably not worth it.


Buy Linux customer support. It's also bloody expensive.

quote:
Now here's Vista - and with Vista it's been a struggle to get things right. When I was in Korea, it wasn't much of a hassle to download 1+ GB of updates in order to get it working right. But now, here in Indonesia, getting 1GB in updates is nearly impossible due to the slowness and unreliability of the service here. Without those updates, it's a broken OS from the get-go. Unlike ME, the updates fix the issue, but getting the updates is just so much of a hassle that I've finally decided to forgo the Windows nightmare. Though, the two laptops that my wife and I have are both on XP, I will no longer waste my time with Vista, and I will just pray to the powers that be that Adobe will one day make a Creative Suite for Linux. Until that blessed day arrives, I'll have to make due with using a pirated version of XP on the machine that I paid for Vista Premium (twice, because of the wrecked board/CPU that I replaced). But, for everything else, I'm going with Ubuntu.


Enterprise updates. Download once, store on DVD-RW. Why waste more than once downloading the update. But, download Linux updates. Guess what? They can also stack up 1+ gigs. So exactly why are you complaining about one, but not the other?

quote:
The comment was made that Linux had a vulnerability that was pointed out recently, but that it didn't make headlines like MS's did. What it failed to point out is that it was the only major flaw to come out of the OS that I can think of in the history of the OS. MS certainly cannot come out and say that this is the first time that its product has had a significant security issue. It is the company that is famous for coming out with one every 6 months or so.


Nice BS there. If this so called OS only had this one major flaw, exactly why aren't you telling us what OS this was/is? Why? There has been zero. I repeat, ZERO OSs that have only had one major flaw.

quote:
With the growing Linux community - a community that will soon become a vast number of adept Indians, Russians, Chinese, French, and even American (some American schools are trying to save money by going Linux - and finding that they're not just saving money on the OS but also on support since Linux is such a rock solid OS). How many billions of tax payer dollars could be saved should governments all around the world choose to switch to Linux? How many billions of dollars out of MS's pocket will this mean?


Not billions I can tell you that much. Linux might be free to download, but it's the hidden costs of swapping to it and also support. Implementing Linux into a Windows environment is a tough chore. Usually most companies end up with a flawed Windows/Linux network. They can't fully swap to Linux right away, unless they can deal with a few days of total downtime.

Then there's the $$ for Linux support or have a qualified Unix/Linux admin, which aren't quite as common as a Windows admin.

Link 1 - More netbooks are showing up with Windows XP, as Linux blows and the customers are wanting Windows. Actually, think all of them have Windows now.

Link 2 - the exact same crap as Link 1, but diff site.

Link 3 - French military swapping to Linux. Uh huh. 70,000 computers. Not exactly a whole lot.


By sweetsauce on 11/25/2008 10:39:45 AM , Rating: 5
Nice rant, but you forgot several important points.

- Linux users are not your typical everyday computer illiterate consumer, they are way more computer savvy.

- Exploits take advantage of people's stupidity. What is the point of wasting time creating exploits that will reach a small audience. More importantly, whats the point of creating exploits that will reach a computer savvy audience.

- No computer OS will ever be free of exploits. In ms's case, no OS they ever make will be free of idiots dedicating their free time to creating exploits. If you think becoming "free" of ms's monopoly will end all hackers trying to get in to people's computers, then you aren't just delusional, you're stupid.

Please open your eyes and see beyond your hatred for ms.


Why the publiciity
By crystal clear on 11/25/08, Rating: -1
RE: Why the publiciity
By arazok on 11/25/2008 9:30:23 AM , Rating: 5
quote:
The very fact he & the press publicize this flaw is itself dangerous,as it invites the attention of people who would exploit this flaw to their advantage or misuse it.


I think making these things public is better in the long term. It forces Microsoft to pay attention, and work to get a fix out faster. If these things were always kept quiet, there would be less pressure on MS to get fixed out quickly, or even at all.


RE: Why the publiciity
By Gzus666 on 11/25/2008 9:32:07 AM , Rating: 2
Was about to say the same thing. Granted I would prefer they tell the vendor first for any software bug, then if they don't do anything within a reasonable time, move it to the press to speed things up.


RE: Why the publiciity
By foolsgambit11 on 11/25/2008 2:15:47 PM , Rating: 2
And this guy told MS in October, so they've had up to a month and a half to do something about it. Instead, they said they'd wait until the next SP. Which probably means it wasn't an easy thing to fix, and requires some work to get done. That, or everybody's so busy with 7, they don't have people to keep Vista up to date.


RE: Why the publiciity
By Master Kenobi (blog) on 11/25/2008 9:47:03 AM , Rating: 1
Thats an open source argument. In the closed source world, security relies as much on unknowns as it does real security measures.


RE: Why the publiciity
By rmlarsen on 11/25/2008 7:56:48 PM , Rating: 2
That doesn't invalidate the argument, though. I agree that security through obscurity is often a Good Thing. But once a third party discovers and reports the flaw, I would also prefer to see Microsoft get of their behind and patch it ASAP, whether they were aware of the problem to begin with or not.


RE: Why the publiciity
By crystal clear on 11/25/08, Rating: -1
RE: Why the publiciity
By Gzus666 on 11/25/2008 10:06:09 AM , Rating: 5
Right, but they didn't really have heavy news articles about the flaw back then. Pointing out flaws in news heavily and blogs is a somewhat new phenomenon.


RE: Why the publiciity
By crystal clear on 11/25/2008 10:32:30 AM , Rating: 2
Right but a little bit of restraint/self censorship/ethics/
responsible behaviour by people in the profession is generally expected.

Just a thought...could it be bias against Vista - a possible motivating factor ?

One more item added to the list....to descredit Vista ?


RE: Why the publiciity
By Gzus666 on 11/25/2008 10:35:53 AM , Rating: 2
I doubt it, the OpenSSL vulnerability saw plenty of news, I saw it all over, including here as you can see by the link in the article. Mac vulnerabilities have been hit pretty heavy as well, including heavy coverage of that hack competition and did you easily forget the whole DNS fiasco they didn't patch for months?

You sound like someone who thinks everyone is conspiring against Vista.


RE: Why the publiciity
By mindless1 on 11/25/2008 2:09:00 PM , Rating: 2
The key thing to remember is people seeking exploits are wanting to find out before everyone else, they're not waiting to read about it on Yahoo rather than their preferred channels of info (or just buying ready-made tools from those who did so). If you wanted to find security flaws, wouldn't you google for security related topics at the very least or would you come to a general computer/tech news site?


RE: Why the publiciity
By Gzus666 on 11/25/2008 2:32:47 PM , Rating: 2
What does this have to do with my post? He was complaining about them focusing on Vista in the news to undermine them and "get" them. I said that is not what is happening, they are just covering what they call news.


RE: Why the publiciity
By Yames on 11/25/2008 3:20:19 PM , Rating: 2
DNS is still vulnerable. It has only been patched to the extent which make the vulnerability less likely to achieve.


RE: Why the publiciity
By Gzus666 on 11/25/2008 4:37:17 PM , Rating: 2
That can be said about anything of that nature. Anything with keys or timers, etc. etc. The problem was it was overwhelmingly likely to get it right with that exploit without much effort.


RE: Why the publiciity
By BikeDude on 11/25/2008 12:49:52 PM , Rating: 3
quote:
I gave an example-


But a bad example, with very selective quoting.

MS' reason was that a fix would have broken many third-party network appliances at the time. Further more, the hole was not all that useful to black hat hackers.

When it comes to maintaining compatibility with third-party application and devices, MS have an impressive track record.

I think you have MS confused with Apple. Apple can sit on open security holes for months. Holes that do not affect third-party applications or devices. _That_ I agree would be bad, had MS chosen to do the same thing. (http://www.theregister.co.uk/2008/08/01/apple_dns_...


RE: Why the publiciity
By MrBlastman on 11/25/2008 10:54:54 AM , Rating: 2
All I have to say is... Winnuke is back! (at least it sounds like it)

Perhaps this will open the doors to the next generation of Jolt and Teardrop of the 21st century.

It is understood that as you increase the complexity of a program, you equally increase the number of bugs (actually it is almost an exponential relationship) and potential bugs. So, in reality, as much effort as they spend to secure and OS and make it less vulnerable to exploitation, they open the doors to increased bugs and flaws. What ever happened to KISS (keep it simple stupid)?

Exploits will always exist - at least with our current computing model. It is only a matter of time before someone finds a flaw and figures out how they can use it against the operating system. This doesn't mean developers should give up, it means they should wise up and get smarter. It also means that PR and the company creating the piece of software needs to eat some humble pie and not tout it as the greatest, most secure piece of software on the planet.

No operating system, no matter what it is - Unix, Linux, BSD, AIX, Posix, DOS, Windows, Mac OS etc. - is free of exploitation, no matter the version.


RE: Why the publiciity
By Smilin on 11/25/2008 12:00:21 PM , Rating: 5
You need admin access for this to work Tard.

If you weren't the kind of script kiddie that used "winnuke" and instead actually understanding what it did you would maybe understand this.

BTW, KISS still exists...you just can't do anything useful with it. I guarantee the Commodore VIC-20 sitting in my attic is far more secure than Windows. Who gives a crap though?


RE: Why the publiciity
By MrBlastman on 11/25/2008 2:04:11 PM , Rating: 2
You are quite the colorful reply master. May I access your descriptor vocabulary for an upgrade?

The article never mentioned anything about admin access being required. If it is, well, then this exploit is another in the line of - well, gee, it could work, but... Not so much of a big deal.

But, since I am a script kiddie, I better stick to what I know best and provide you a canned response: "lolz!111 ur mom!"

:-\

Look, weather or not winnuke was a script kiddie tool - and back in the day it was, from reading the text of the article one could easily assume this is being implied. I don't follow, nor care about Windows Vista. Perhaps the Author should stop the sensationalism and give us more facts.


RE: Why the publiciity
By Gzus666 on 11/25/2008 2:37:26 PM , Rating: 1
http://dictionary.reference.com/browse/whether
http://dictionary.reference.com/browse/weather

Please learn the difference, it amazes me how many people don't know.


RE: Why the publiciity
By MrBlastman on 11/25/2008 3:26:18 PM , Rating: 2
Thanks. I feel less like the name Smilin gave me every day. :P


RE: Why the publiciity
By Smilin on 11/25/2008 5:37:12 PM , Rating: 2
quote:
The article never mentioned anything about admin access being required.


lolz n00b!!!11one!!1

You're exactly right, the article doesn't say anything about that. But, look man here is how the intarwebs works. See this line from the article? ..

"Friday Unterleitner announced that he had warned Microsoft about the flaw in October , but a fix would not be offered until the next Vista service pack was launched."

.. See how it has that underline in it? If you move your mouse pointer thingy over that and then click the button it takes you to a new place that says this:

"Asked about the severity of the flaw, Unterleitner pointed out that administrative rights were needed to execute a program calling the function that would cause the buffer overflow."

In all seriousness though, you're right. It really is a "Not so much of a big deal."

Here's that link http://news.cnet.com/8301-1009_3-10106173-83.html

If you want to see some seething, pathetic, uneducated Microsoft hatred scroll to the bottom and look at the comment section. It makes you appreciate the dailytech commenters.


RE: Why the publiciity
By Darkk on 11/25/2008 11:52:57 PM , Rating: 2
Actually any computer and operating system can be secure long as it doesn't connect to the internet!

It's one of the reasons I didn't bother installing anti-virus software or updates on my Windows 2003 Server running my DVR applications because it never surfs the internet other than tv guide updates connected to a secure website (it doesn't use IE to get the guide data).

I will have to agree no operating system is 100% secure if it have to surf the net.


RE: Why the publiciity
By croc on 11/25/2008 3:24:52 PM , Rating: 2
So you are an advocate of 'security through obscurity'? If a flaw in your bank's SSL implementation is found, then how would you feel if the bank just never admitted it, didn't patch it, and all of your account's details were compromised?

Think...


RE: Why the publiciity
By Darkk on 11/25/2008 11:55:45 PM , Rating: 2
Then I'd use the mattress to hide money. No patches required unless it got holes in it.


RE: Why the publiciity
By illuvatar81 on 11/25/2008 6:01:01 PM , Rating: 2
Has anyone ever seen the sticker on the box of MS's OS's that says
"We promise you an Operating System Invulnerable to Threats, If you find a threat we'll fix it"

Cause I have been using MS products for quite a few years and i have never seen that advertised. Why does microsoft get so much flak about this? Designing software to be perfect on every single machine it could possibly be loaded on is impossible.

I truly am stunned at why people think if they buy a product they deserve it to be supported for the rest of its life.

Vista and every other MS OS works. Period. They do exactly what they promise. Why so much grief?


RE: Why the publiciity
By Darkk on 11/25/2008 11:57:45 PM , Rating: 1
quote:
Vista and every other MS OS works. Period. They do exactly what they promise. Why so much grief?


You will have some grief if your OS compromised and your bank account is empty from direct result of not properly patched with security updates.


"Paying an extra $500 for a computer in this environment -- same piece of hardware -- paying $500 more to get a logo on it? I think that's a more challenging proposition for the average person than it used to be." -- Steve Ballmer











botimage
Copyright 2009 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki