Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Windows Vista Security Update Released

Posted by Zonk on from the pre-release-security-vulnerabilities-are-inspiring dept.

Bard Of Vim writes "Microsoft has issued critical security patches for beta testers running the Windows Vista December CTP (Community Technology Preview) and Windows Vista Beta 1, and warned that the new operating system was vulnerable to a remote code execution flaw in the Graphics Rendering Engine. The Vista patches address the same vulnerability that led to the WMF (Windows Metafile) malware attacks earlier this month. The recent out-of-cycle security update for the WMF vulnerability (see slashdot coverage) makes no mention of Windows Vista being vulnerable, but with the release of this weekend's patches it is clear that the poorly designed 'SetAbortProc,' the function that allows printing jobs to be canceled, was ported over to Vista."

38 of 317 comments (clear)

  1. Cant wait... by XanthusMaximus · · Score: 2, Insightful

    Wonder what exploits there will be when its actually out?

    1. Re:Cant wait... by In+Fraudem+Legis · · Score: 2, Insightful

      Probably the same ones XP and 2k have.

      --
      Per Aspera Ad Astra.
    2. Re:Cant wait... by Anonymous Coward · · Score: 3, Insightful
      Wonder what exploits there will be when its actually out?

      Fixing bugs in a pre-beta OS under development is indicative of this? Then a changelog of Linux or OS/X beta will scare you good.

    3. Re:Cant wait... by ozmanjusri · · Score: 2, Insightful

      Fixing bugs in a pre-beta OS under development is indicative of this?

      This is a bug that was found by a third party. Microsoft, with all the effort it is putting into the Vista release, did not find this major vulnerability. The implication is that it is likely more vulnerabilities will be found by third parties, some of them malicious.

      --
      "I've got more toys than Teruhisa Kitahara."
    4. Re:Cant wait... by Anonymous Coward · · Score: 1, Insightful

      I am wondering what else they are going to import from the old technology. I was a Windows fan up until this WMF dealio. I work in an Information Security office and all of our staff are going to Mac. Ordered them Friday!

      Who ordered them? You did? You make it sound like you personally ordered a whole bunch of computers because of one security hole. How could a single exploit cause you to stop being a Windows fan, considering the hundreds and hundreds that came before this? Stick to Windows, newb.

  2. At least... by ajdlinux · · Score: 5, Insightful

    ...they're fixing bugs before they release. M$ is doing something right and actually attempting to release a more secure Windoze than XP.

  3. Frist patch by sexyrexy · · Score: 5, Insightful

    They ported some functional code to their newest project. I hope they don't get unfairly bashed for this, just because a few bits of said code were discovered to be vulnerable. Every halfway intelligent programmer reuses code - it would be far more stupid not to. This is semi-interesting as a landmark ("frist patch!") but not exactly news because of what it contains.

    --

    Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    1. Re:Frist patch by Libor+Vanek · · Score: 2, Insightful

      You don't get it. Nobody is expecting that MS will not re-use the old code. For that MS is doing the "Singularity OS" project.

      What's wrong with this bug is that clearly Microsoft "software quality control" is failed (we know it for a long time - this is just another prove). All code going to Vista should be checked line by line and not cut-n-pasted function by function.

    2. Re:Frist patch by peragrin · · Score: 3, Insightful

      No MSTF ported flawed buggy code that was rewritten specifically for XP. With earlier 98/me/2k all immune MSFT rewrote buggy code just for XP and then carried that to Visyta.

      Vista by the way should of been a complete ground up rewrite. i would expect no less for taking over 6 years to build. Just look at were KDE, Linux kernel, X where 6 years ago. Hell look at what Apple did with OS X in far less time than MSFT. Every other major OS has under gone massive revisions and upgrades. Hell Apple is working on it's second major change in 6 years. (Mac OS 9 to OS X , PPC to Intel)

      Why can't MSFT with it's billions do that? Oh right because it's not about money spent but about productivity.

      --
      i thought once I was found, but it was only a dream.
    3. Re:Frist patch by IntlHarvester · · Score: 5, Insightful

      > Hell look at what Apple did with OS X in far less time than MSFT

      Apple bought an abandoned OS from the 1980s, that uses kernel with code originally written in the late 1970s. On top of that, they bolted a bunch of Toolbox compatibility code dating from the 80s and 90s, and a bunch of *nix stuff which is also 10-20 years old.

      So, it somewhat silly that you would argue that MS performs a "complete ground up rewrite", all while advocating MacOS X, which is a complete slut for legacy code.

      --
      Business. Numbers. Money. People. Computer World.
    4. Re:Frist patch by MikTheUser · · Score: 3, Insightful

      So, it somewhat silly that you would argue that MS performs a "complete ground up rewrite", all while advocating MacOS X, which is a complete slut for legacy code.

      Maybe his argumentation was wrong, but the simple fact is: BSD/Darwin/OS X never needed a rewrite - they work really well to this day, as you can see on Apples all over the globe. Windows' code, however, should have been dumped, printed on toilet paper and nailed to the church door as a bad example at the time Windows ME was released at the very latest.

    5. Re:Frist patch by Tony · · Score: 3, Insightful

      Apple bought an abandoned OS from the 1980s . . .

      Funny you should mention NeXT. It was easy-to-use, powerful, developer-friendly, and by far the best OS for desktop use.

      I use the NeXT to illustrate how Microsoft has set the computer industry back. To this day, MS-Windows still doesn't have the power or ease-of-use of the NeXT. It wasn't until Apple picked up the pieces with OS X that an operating system approached the desktop usability of NeXTStep.

      Microsoft set the computer industry back over a decade. So when you talk about how Apple just stole a bunch of old code to make OS X, at least they had the smarts to steal the good code. Microsoft doesn't have access to good code, so they just steal from themselves.

      Microsoft: it's like corporate masturbation!

      --
      Microsoft is to software what Budweiser is to beer.
    6. Re:Frist patch by drsmithy · · Score: 2, Insightful
      Vista by the way should of been a complete ground up rewrite.

      Completely unnecessary. The guts of NT are (and always have been ) quite solid.

      i would expect no less for taking over 6 years to build.

      It's only been 3 years since the last Windows NT release.

      Just look at were KDE, Linux kernel, X where 6 years ago.

      It's a lot easier to make large gains when large gains actually need to be made.

      Hell look at what Apple did with OS X in far less time than MSFT.

      Apple slapped a new display system and virtual machine compatibility layer onto an OS they bought. Then it took them 3 subsequent major releases to get a good product out of it.

      Every other major OS has under gone massive revisions and upgrades.

      Every other major OS has had a lot more to do.

      Hell Apple is working on it's second major change in 6 years. (Mac OS 9 to OS X , PPC to Intel)

      PPC to intel is not a major change (well, not from the perspective of the OS). OS X is portable, it hardly needs to be changed at all to move from PPC to x86.

  4. Does anyone else get the feeling... by ZackSchil · · Score: 3, Insightful

    that Windows Vista isn't going to be all the fresh, hot goodness that we've been promised? For their own sake, Microsoft should step away from their stale and horribly insecure old code bases. They've had enough time now to rewrite the OS a few times over but it seems they chose instead to shoehorn in their old crap. Now is as good a time as any to cut the Win 9x support cord.

    1. Re:Does anyone else get the feeling... by thefogger · · Score: 5, Insightful

      It is reasonable to carry over old code to a new platform if you want to keep compatibility. Why in the world do you think a rewrite would improve security? It would only cause MORE bugs for years and years to come. Right now, Win32/GDI is quite bug-free, or at least undocumented bug-free. The WMF bug was a design flaw, not a coding error. Also, this has nothing to do with Win9x, for which they HAVE cut the support cord regarding the WMF vulnerability.

      Cheers, Fogger

      --


      Um... I didn't do it!
    2. Re:Does anyone else get the feeling... by IntlHarvester · · Score: 5, Insightful

      Not true! Windows Vista was promised to be nearly completely backward-compatibile with previous Windows!

      And that is exactly what IT customers want. They only way they can keep all those millions of custom programs developed for Windows over the last decades working is by pulling forward legacy code.

      Hey look at Apple -- they just introduced machines that do not run any software from as little as 5 years ago. Apple also has nearly zero corporate desktops. Connect the dots. Maybe consumer users running Firefox and iTunes and MSN Messenger want a "all new Windows", but nobody else does.

      --
      Business. Numbers. Money. People. Computer World.
  5. Re:And it wasn't audited while porting?! by Timesprout · · Score: 2, Insightful

    What a hell is happening on Microsoft? They have a major Windows version upgrade and they don't even audit their portable old code for such things?!

    Eh, they fix a bug in an early beta version and you have a problem with this because?

    --
    Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  6. more like.. by ltwally · · Score: 3, Insightful
    "...it is clear that the poorly designed 'SetAbortProc,' the function that allows printing jobs to be canceled, was ported over to Vista."
    It's more like SetAbortProc was never removed from the common code-base that Vista inherited from XP. Saying it was "ported" would lead one to believe that MS actually re-writes the entire OS with every major release. They do not. They simply tack on some new stuff.
    --



    /dev/random
  7. Re:Vista is Yesterday's News by ajdlinux · · Score: 4, Insightful

    > Unpriveleged access will be the default, and it'll be damn near impossible to breach Yes, because of the hardware-level DRM chips it will be impossible. The next few Windoze OSes will be much more secure, not only from the outside, but from the user.

  8. Let's be fair by inkswamp · · Score: 2, Insightful
    I despise Microsoft and think their products are generally crappy, but what is it about patching or refining beta software that makes this newsworthy? Because it's MS?

    --
    --Rick "If it isn't broken, take it apart and find out why."
    1. Re:Let's be fair by DECS · · Score: 2, Insightful

      I'd say it's newsworthy because Vista is being sold to the public as being a whole new OS with an improved security model.

      The fact that they've imported decades of legacy Windows code, written for a period of time when security was designed for LAN environments rather than open access to public networks, seems a bit shocking even to people like me who already KNEW THIS.

      Sometimes things you already know are newsworthy/shocking after you see them in print or hear them out loud.

  9. Bad code, bad port, bad system by jeremiahbell · · Score: 2, Insightful

    All operating system updates must of necessity borrow from their predecessors. My question is: Are the security problems in Windows so bad that Microsoft should dump it; are the problems bad enough not even microsoft can go through and patch it all?

    I believe it is very likely so. It is time to dump this code and go to a new platform. Whether this is done my microsoft itself or by the many alternatives out there to the Windows operating system.

    --
    "Where have all the good people gone?" - Jack Johnson
  10. does it really count if it's still in beta? by artifex2004 · · Score: 2, Insightful

    doesn't this type of thing happen in a lot of betas?

  11. There's an old saying... by RoffleTheWaffle · · Score: 2, Insightful

    ... in the computing world that applies not only to many aspects of the evolution of technology, especially software.

    "Garbage in, garbage out."

    I wonder how much of Vista is actually based on new code. Is Vista going to be Windows XP in Mac OSX's clothing? And is it going to inherit the same piss-poor security it's predecessor had? I certainly hope not.

  12. Re:I find such lack of security... by undeadly · · Score: 3, Insightful
    I agree. I've yet to remember a critical fedora patch for a not yet released Redhat FC distribution.

    This says more about Redhat FC than Microsoft, in this case. Just about weekly there is discovered a new local root vulnerability in the Linux kernel, and having dozens of those in the last year or so does not speak well of Linux security.

  13. Re:And it wasn't audited while porting?! by Pecisk · · Score: 2, Insightful

    I have problem that they fixed this problem only because someone discovered this ugly hack and they should do that. They didn't discovered by themselves, as some of other posters pointed out, in two major version upgrades - Windows 2000 and Windows XP. And they claimed that Vista will be secure. Can you say Vista will be secure if they don't check out and don't catch such obious old design bugs like this one?

    It is not how the biggest and "greatest" software company in the world should do their homework.

    --
    user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
  14. Out of perportion by Bizzeh · · Score: 1, Insightful

    hmmn, vista uses the same core as xp, and is expected to NOT have the bugs that no one knew about... some people have all the brains

    --
    portfolio
  15. I find such a lack of consistency . . . by EraserMouseMan · · Score: 5, Insightful

    entertaining. Google "beta" products that are used by millions have huge security bugs that let malicious persons read anyone's email and nobody says much and it is swept under the rug. Microsoft's "beta" products that are only in use by testers/developers have a security issue and everybody's shaking their head and talking about how horrible MS is. It's just amusing to me.

    1. Re:I find such a lack of consistency . . . by marcello_dl · · Score: 3, Insightful

      hehe come on, wasn't Vista marketed as the next gen secure OS coming from a company who claim they are more secure and offer better ROI of the competition? Then it comes up they are porting code with bugs (if not backdoors) and they release a security update before the official release.

      Sure, linux sometimes has the same kind of updates. But bug disclosement in linux isn't a terrorist activity, kernel versions are named 2.2, 2.4, 2.6 and earns it reputation on the field, not with marketing fluff.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  16. Re:About Windows Vista by springbox · · Score: 2, Insightful

    Don't be mean. If they can pull that off it would be a huge step forward for them in terms of security. This is exactly the same issue with Windows that most people here continually complain about.

  17. You mean the BETA is not production ready?!?! by drsmack1 · · Score: 2, Insightful

    Isn't this just a little too much? Do the people who accept these sort of stories have ANY introspection at all?

    --

    Humor from a Genetically Molested Mind

  18. Re:And it wasn't audited while porting?! by westlake · · Score: 2, Insightful
    Vista does look like it's going to be a helluva flop, because of a very simple reason: users don't need it!

    Vista will appear in the consumer market as the successor to Win MCE, at a time when HDTV, the HTPC and on-line media services are becoming mass-market.

    To me, this looks like money in the bank.

  19. Re:Didn't Microsoft say... by sethadam1 · · Score: 4, Insightful

    You remember right. That was the deal about 4-5 years ago or so. Gates called it a "bet the company" initiative, and they decided to rewrite from scratch.

    Then, a few years later, pretty much nothing worked, so they tossed out all the 4000-era builds, took a clean copy of Windows 2003 SP1, and built on top of that.

    That is Vista. It's built on Server 2003 SP1.

  20. Re:.NET 2 = already available. by giorgiofr · · Score: 3, Insightful

    Well I kinda summed it up a bit too much but my point is that *users* won't care about such technologies. I, as a developer, think they might be nice (but as I'm switching over to Linux I don't care too much); users won't. I was not saying Vista is stupid or limited; I was saying users will not perceive it as worth much more than XP. Then of course if developers force them to use Vista, that's another story...

    --
    Global warming is a cube.
  21. Re:And it wasn't audited while porting?! by imipak · · Score: 2, Insightful
    Well, Vista does look like it's seriously going to be a helluva flop, but because of a very simple reason: users don't need it!

    Son, I've been hearing people say that every time Microsoft finally crimps off another length of code into a shrinkwrapped box and calls it an OS since 1995. It was true then (cos Windows NT 3.51 was out...) and it's been true for every turd they've shipped since. And people still keep buying new PCs, which keep on arriving with the current shipping Microsoft OS for that market. They don't have to sellthe thing to anyone, they just have to 'roll it out'. Even corporates work on the same basis with a 12-24 month lag behind the consumer market.

  22. Re:And it wasn't audited while porting?! by man_of_mr_e · · Score: 1, Insightful

    Dude. Do you HONESTLY think that virtually *ANY* non-trivial piece of software will ever be completely defect free? Ever? Even Donald Knuth paid a good chunk of money in "bounties" on his supposed bug free software, though there hasn't been one found in a while now. And TeX is orders of magnitude less complex than a typical OS distribution, such as Windows, Mac OSX, or any version of Linux.

    It's utterly brain dead to "complain" that flaws are found and fixed, regardless of how seriously security is being taken.

    --
    If you need web hosting, you could do worse than here
  23. Re:And it wasn't audited while porting?! by frankthechicken · · Score: 2, Insightful

    and after letting a bug go through a whole product line unoticed for 10 years is ironic ...

    I think you misspelled iconic.

  24. Re:I find such lack of security... by fimbulvetr · · Score: 2, Insightful

    Now, any good sysadmin knows that he shouldn't be running 2.6 yet, which renders most of the 2.6 vulnerabilities moot for gauging the security of a linux box. When 2.4 was riddled with holes, we used 2.2, and so on.

    Another thing good sysadmins should do to minimize threats is to chroot all of his daemons as well as not provide them with logon shells and huge 100+ character pwgen'd passwords - effectively negating the vulnerability from a server standpoint.

    Those are just two of the things Linux offers us that M$ software does not. To say that local exploits on the newest kernel should be humbling to the linux community because it's no better than Microsoft's latest "stable" OS is ignorance in just about every way.