Wednesday, February 14, 2007

The 6 Million Dollar OS: Or A New Prey in Town

I can just hear it: "We can rebuild it better, faster, more secure... the 6 million dollar OS."

Is it really better, or just a new meal for the predators of the Internet?

Microsoft Vista is the new desktop version of Microsoft's flagship Windows OS, with large parts (the network stack among them) rewritten. It is touted as the most secure, stable and advanced Windows yet. What is the reality behind the hype?

Anecdotally:
  • No major company is showing much interest in deploying it yet
  • XP is a more stable platform for multimedia
  • XP is a more stable platform for First Person Shooter (FPS) games
Factual:

  • Where the rubber hits the road on the Information Superhighway: The network stack is the main interface to the outside world, where web pages, e-mail and IM (http://en.wikipedia.org/wiki/Instant_message) flow between computers. Vista's TCP/IP stack was rewritten from scratch to be more secure, but instead of learning from the past, history repeated itself: flaws that had long since been fixed in XP's stack reappeared in the new code, which does not bode well. In security the old "tried and true" adage holds: nothing is perfect, but code that has been exposed to the Internet for years has had time for its flaws to surface and, hopefully, be fixed, while brand-new code starts that clock over. The Security Now "Vista's Virgin Stack" podcast (http://grc.com/securitynow.htm) has additional information.
  • Microsoft challenges the hackers: Microsoft touted the security of Vista and invited the hackers at Black Hat 2006 to breach it. So security researcher Joanna Rutkowska showed a room full of attendees how to get around Vista's kernel driver-signing check and install a rootkit (http://www.technewsworld.com/story/52254.html).
  • The ultimate Vista malware is... Setup.exe: Joanna Rutkowska has found a bigger hole in the User Account Control (UAC) design (http://blogs.zdnet.com/security/?p=29&tag=nl.e589). When UAC's heuristics decide that a program is an installer, you get exactly two choices: grant it full administrative rights, or don't install it at all. There is no option to run it with your ordinary standard-user token. That is a complete violation of the principle of least privilege: a game should not need the rights to install a rootkit, err... I mean a kernel driver. Microsoft's Mark Russinovich replied on his blog (http://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx) that UAC elevation is not a security boundary and that "...potential avenues of attack, regardless of ease or scope, are not security bugs." Excuse me?
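To see which of your own downloads would be caught by the installer-detection behavior described above, here is an added example (my own script, not code from the original post, from Rutkowska or from Microsoft). It approximates Microsoft's documented heuristic: a 32-bit executable with no requestedExecutionLevel in an embedded manifest whose file name or version-resource strings contain "install", "setup" or "update" is treated as an installer and can only be run elevated. The manifest check is a byte-level text search rather than a full walk of the PE resource directory, which is an assumption that holds because the RT_MANIFEST resource is stored as plain XML; the function name and output fields are my own.

```powershell
# Added example, not from the original post or from Microsoft.
# Estimates whether Vista's UAC "installer detection" would force an
# elevation prompt for an executable, using a simplified form of the
# documented rule: 32-bit image, no requestedExecutionLevel in an
# embedded manifest, and install/setup/update in the name or version info.
function Test-InstallerDetection {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # --- PE header: is this a 32-bit (i386) image? ---
    $is32Bit = $false
    if ($bytes.Length -gt 0x40 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {   # "MZ"
        $peOffset = [BitConverter]::ToUInt32($bytes, 0x3C)                             # e_lfanew
        if ($peOffset + 6 -lt $bytes.Length -and
            $bytes[$peOffset] -eq 0x50 -and $bytes[$peOffset + 1] -eq 0x45) {          # "PE"
            $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)                 # IMAGE_FILE_HEADER.Machine
            $is32Bit = ($machine -eq 0x014C)                                           # IMAGE_FILE_MACHINE_I386
        }
    }

    # --- Embedded manifest: look for requestedExecutionLevel in the raw bytes ---
    # Heuristic (assumption): the RT_MANIFEST resource is plain XML, so a text
    # search stands in for parsing the resource directory.
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $level = $null
    if ($text -match '<requestedExecutionLevel[^>]*\blevel\s*=\s*"([^"]+)"') {
        $level = $Matches[1]
    }

    # --- Installer keywords in the file name and the version resource ---
    $keywords = 'install|setup|update'
    $name     = [System.IO.Path]::GetFileName($Path)
    $ver      = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $nameHit  = $name -match $keywords
    $verHit   = (($ver.CompanyName, $ver.ProductName, $ver.FileDescription, $ver.OriginalFilename) -join ' ') -match $keywords

    $detected = $is32Bit -and (-not $level) -and ($nameHit -or $verHit)

    [pscustomobject]@{
        File                    = $name
        Is32Bit                 = $is32Bit
        RequestedExecutionLevel = $level
        NameKeyword             = [bool]$nameHit
        VersionKeyword          = [bool]$verHit
        InstallerDetected       = $detected
        Note = if ($detected)  { 'UAC offers only "run as administrator" or cancel' }
               elseif ($level) { "manifest declares level=$level; heuristic not applied" }
               else            { 'not detected: runs with the standard-user token' }
    }
}

# Usage: scan everything in a download folder (path is an assumption).
Get-ChildItem 'C:\Downloads\*.exe' | ForEach-Object { Test-InstallerDetection $_.FullName } | Format-Table -AutoSize
```

A hit in the InstallerDetected column is exactly the least-privilege problem the post complains about: the only way to run that file is with a full administrator token. An installer that carries a manifest with level="asInvoker" runs as you, and the elevation question disappears.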
