ZDNET - Cursor flaw gives Vista security a black eye

Terry

On 4/4/2007 8:39 AM On a whim, Richard Urban pounded out on the keyboard

I guess you could take the time to read it before replying, then you
probably wouldn't have made such a half-cocked comment.

Because it offers information many may have not known about, or had a
false impression about the security of Vista.

Don't shoot the messenger MVP.

--
Terry

***Reply Note***
Anti-spam measures are included in my email address.
Delete NOSPAM from the email address after clicking Reply.
 
Dustin Harper

I thought it was interesting to see that the vulnerability affected all
versions of Windows, and that the basic flaw that led to this one was
discovered in 2005. I agree that people will start targeting older flaws
that were half patched to see if they work with Vista.

Vista is more secure than other operating systems, but it didn't show it
with this exploit. Hopefully, there aren't many more of these, or Microsoft
patches some holes before more bad press...

--
Dustin Harper
(e-mail address removed)
http://www.vistarip.com

--
 
Terry

On 4/4/2007 9:08 AM On a whim, Dustin Harper pounded out on the keyboard
I thought it was interesting to see that the vulnerability affected all
versions of Windows, and that the basic flaw that led to this one was
discovered in 2005. I agree that people will start targeting older flaws
that were half patched to see if they work with Vista.

Vista is more secure than other operating systems, but it didn't show it
with this exploit. Hopefully, there aren't many more of these, or Microsoft
patches some holes before more bad press...

That's why I thought posters would like reading it. Not to flame, but
just be a little more knowledgeable.

--
Terry

 
Mellowed

Terry said:
On 4/4/2007 8:39 AM On a whim, Richard Urban pounded out on the keyboard


I guess you could take the time to read it before replying, then you
probably wouldn't have made such a half-cocked comment.

Because it offers information many may have not known about, or had a
false impression about the security of Vista.

Don't shoot the messenger MVP.

Certainly you aren't surprised that there is a problem with ANY software.
Your comments imply that a security fix is a big deal. Get real.
 
Richard Urban

I never had any false impression as to how secure Vista is. I have been
saying for a few years that Microsoft should pull an Apple, dump all their
old code and start 100% fresh.

The hell with backward compatibility. And, until they do there will always
be flaws. You can't have compatibility with old, insecure applications
without compromising the current operating system.

So I do not consider this flaw as giving Vista a black eye. That is why I
said "How So".

--


Regards,

Richard Urban MVP
Microsoft Windows Shell/User
 
Terry

On 4/4/2007 10:09 AM On a whim, Richard Urban pounded out on the keyboard
So I do not consider this flaw as giving Vista a black eye. That is why I
said "How So".

And it really doesn't matter what you "consider", regarding this
article. I didn't write it, nor did I title it. If you have a problem
with it, go complain to Ziff Davis.

--
Terry

 
Terry

On 4/4/2007 9:33 AM On a whim, Mellowed pounded out on the keyboard
Certainly you aren't surprised that there is a problem with ANY software.
Your comments imply that a security fix is a big deal. Get real.

puff, puff...no "Mellowed", I'm not surprised...puff, puff. I am real,
trust me. And so was this security flaw that was dated back to 2005
that found its way into Vista. Any more useless comments?


--
Terry

 
Richard Urban

You posted as if it is a big thing. Therefore YOU have an opinion. I just
rebutted this opinion. I am allowed to do so - rebut YOUR opinion. It is NOT
a big thing.

The problem will be there until the next O/S is released, maybe longer if
backward compatibility is insisted upon.

--


Regards,

Richard Urban MVP
Microsoft Windows Shell/User
 
Terry

On 4/4/2007 10:40 AM On a whim, Richard Urban pounded out on the keyboard
You posted as if it is a big thing. Therefore YOU have an opinion. I just
rebutted this opinion. I am allowed to do so - rebut YOUR opinion. It is NOT
a big thing.

The problem will be there until the next O/S is released, maybe longer if
backward compatibility is insisted upon.

Sorry, there is no opinion in forwarding this link. If people like you
think it's bunk, that's your prerogative. The article is based on facts
so you can rebuff it all you want. If it wasn't an issue, why the rush
for the patch? It wouldn't have been anything if Vista was impervious
to the flaw. But because the "new and secure" OS was included with the
other OS's, it does raise one's interest.

What is not a big thing to you may be enlightening to others.

--
Terry

 
Dustin Harper

Backward compatibility?! Listen to all the complaints that their software
doesn't work as it is. If you drop that, they might as well go to Apple or
Linux. The major reason people stay with Windows is because it's a familiar
& compatible OS.

Best way for them to do backward compatibility is to take a cue from the
XBox 360 & PS3: emulation (or VM). I think that would solve a lot of
problems, as the basic OS is needed without a lot of fluff to run the
application. Problem solved on that front.

No backwards compatibility needed for the core OS. Total rewrite would take
10+ years, though, I'm guessing. Unless they put all their resources
together and bang it out in 5-7. But, I doubt that it would be feasible at
this time.

I don't disagree with you, Richard, just saying that it would be a long
stretch to get it working. But you are very correct in that Windows
vulnerabilities will be common among different versions of Windows due to the
backward compatibility. A total rewrite would get rid of most, if not all,
of them. But, it would introduce new ones, as well.

--
Dustin Harper
(e-mail address removed)
http://www.vistarip.com

--
 
Richard Urban

If it was posted through a Windows machine I may have given more credence to
it. As it were, you are trolling.

--


Regards,

Richard Urban MVP
Microsoft Windows Shell/User
 
Terry

On 4/4/2007 11:08 AM On a whim, Richard Urban pounded out on the keyboard
If it was posted through a Windows machine I may have given more credence to
it. As it were, you are trolling.

So, as a last resort, you're name calling now. Are you saying I'm not
using Windows? Why don't you check the "User Agent"?

"Better to stay quiet..."

--
Terry

 
Kerry Brown

Actually the article says nothing about the security of Vista. It says that
Vista suffers from a buffer overflow bug related to animated cursors. It
doesn't have any facts about how or even if this bug could be used to
compromise a Vista computer. To date I've seen no articles that offer any
proof that this bug can compromise the system on a computer running Vista
with the default security enabled.

If anyone can show me an article where Vista has been compromised by this
bug I'd like to see it. I've actually tried by surfing to some sites known
to be using exploits based on this bug and didn't get infected. An unpatched
XP system was infected almost immediately.
 
norm

Kerry said:
Actually the article says nothing about the security of Vista. It says
that Vista suffers from a buffer overflow bug related to animated
cursors. It doesn't have any facts about how or even if this bug could
be used to compromise a Vista computer. To date I've seen no articles
that offer any proof that this bug can compromise the system on a
computer running Vista with the default security enabled.

If anyone can show me an article where Vista has been compromised by
this bug I'd like to see it. I've actually tried by surfing to some
sites known to be using exploits based on this bug and didn't get
infected. An unpatched XP system was infected almost immediately.

I cannot show you an article, and I understand that your vista system
was uninfected in your test. But why, then, did ms even bother to
release a fix for vista? The language on the security update site seems
to indicate that compromise is possible, if not probable.
http://www.microsoft.com/downloads/...5C-5B41-46EB-92DF-0B062CFCDEEC&displaylang=en
Security Update for Windows Vista (KB925902)
Brief Description
A security issue has been identified that could allow an attacker to
compromise your Windows-based system and gain control over it.
Overview
A security issue has been identified that could allow an attacker to
compromise your Windows-based system and gain control over it. You can
help protect your computer by installing this update from Microsoft.
After you install this item, you may have to restart your computer.
 
Kerry Brown

norm said:
I cannot show you an article, and I understand that your vista system was
uninfected in your test. But why, then, did ms even bother to release a
fix for vista? The language on the security update site seems to indicate
that compromise is possible, if not probable.
http://www.microsoft.com/downloads/...5C-5B41-46EB-92DF-0B062CFCDEEC&displaylang=en
Security Update for Windows Vista (KB925902)
Brief Description
A security issue has been identified that could allow an attacker to
compromise your Windows-based system and gain control over it.
Overview
A security issue has been identified that could allow an attacker to
compromise your Windows-based system and gain control over it. You can
help protect your computer by installing this update from Microsoft. After
you install this item, you may have to restart your computer.


It is a bug that has possible security implications and needs to be patched.
That wasn't my point. Every OS has bugs that could possibly be used to
compromise the system. The more secure OS' limit the damage that can be done
when a bug is exploited. As far as I have been able to determine the default
security in Vista stops the current exploits designed to use this bug. That
doesn't mean that an exploit couldn't be found for Vista. It means it's much
harder and probably wouldn't do as much damage or be able to affect system
wide settings. If you turn UAC off and change the default NTFS permissions
for the Program Files or Windows folders as many advocate these same
exploits would compromise Vista. ZDNet is in the business of selling
magazines and getting traffic for the ads on their web site. The article had
a headline designed to generate traffic "Cursor flaw gives Vista security a
black eye". The actual article never once mentioned how or if this bug could
or had been used to compromise Vista. They are saying that because a
security update was released it's a black eye for Vista. If that's the case
then every current OS has been pummeled black and blue.
 
norm

Kerry said:
It is a bug that has possible security implications and needs to be
patched. That wasn't my point. Every OS has bugs that could possibly be
used to compromise the system. The more secure OS' limit the damage that
can be done when a bug is exploited. As far as I have been able to
determine the default security in Vista stops the current exploits
designed to use this bug. That doesn't mean that an exploit couldn't be
found for Vista. It means it's much harder and probably wouldn't do as
much damage or be able to affect system wide settings. If you turn UAC
off and change the default NTFS permissions for the Program Files or
Windows folders as many advocate these same exploits would compromise
Vista. ZDNet is in the business of selling magazines and getting traffic
for the ads on their web site. The article had a headline designed to
generate traffic "Cursor flaw gives Vista security a black eye". The
actual article never once mentioned how or if this bug could or had been
used to compromise Vista. They are saying that because a security update
was released it's a black eye for Vista. If that's the case then every
current OS has been pummeled black and blue.

The real issue then could lie in the fact that this particular "bug" has
been around a while, known about from xp, and still found its way into
vista. Just maybe (and hindsight is always 20/20) ms didn't give the bug
its due attention back then. I don't disagree that zdnet wants eyeballs,
but by the same token, ms should not want eyeballs in the manner it
continually attracts. Ms, in the manner it has touted vista security,
has raised expectations. When those expectations are not met, one should
not find it unusual that someone will take them to task, regardless of
the motivations they might have for doing so.
 
Nina DiBoy

Richard said:
I never had any false impression as to how secure Vista is. I have been
saying for a few years that Microsoft should pull an Apple, dump all
their old code and start 100% fresh.

The hell with backward compatibility. And, until they do there will
always be flaws. You can't have compatibility with old, insecure
applications without compromising the current operating system.

So I do not consider this flaw as giving Vista a black eye. That is why
I said "How So".

Well said, Dick. This flaw doesn't give Vista a black eye, because
Vista already had one. Vista has been the physically abused red headed
stepchild of OSes since it's been out.

--
Priceless quotes in m.p.w.vista.general group:
http://protectfreedom.tripod.com/kick.html

Most recent idiotic quote added to KICK (Klassic Idiotic Caption Kooks):
"You can get dog shi* for free also!"

"Good poets borrow; great poets steal."
- T. S. Eliot
 
Kerry Brown

norm said:
The real issue then could lie in the fact that this particular "bug" has
been around a while, known about from xp, and still found its way into
vista. Just maybe (and hindsight is always 20/20) ms didn't give the bug
its due attention back then. I don't disagree that zdnet wants eyeballs,
but by the same token, ms should not want eyeballs in the manner it
continually attracts. Ms, in the manner it has touted vista security, has
raised expectations. When those expectations are not met, one should not
find it unusual that someone will take them to task, regardless of the
motivations they might have for doing so.


I agree that the bug never should have made it into Vista. I have no problem
with people pointing out bugs and taking Microsoft to task for them. In this
case though the fact that a bug was found and it didn't compromise Vista is
actually a point in favour of Vista's security. I may be barking up the
wrong tree anyway. I heard this morning from a reputable security consultant
that there is an exploit for Vista using this bug. So far it's hearsay but
the people doing the saying usually know what they're talking about. What
isn't clear is the extent of the exploit and if it compromises the system or
just the user. If it's just the user then Vista security is working as
designed. If it's the system itself then this is the first exploit for Vista
that can bypass the security with no user input. That would surprise me a
little bit but not too much :)
 
