First Windows Vista Security Update Released

Bard Of Vim writes "Microsoft has issued critical security patches for beta testers running the Windows Vista December CTP (Community Technology Preview) and Windows Vista Beta 1, and warned that the new operating system was vulnerable to a remote code execution flaw in the Graphics Rendering Engine. The Vista patches address the same vulnerability that led to the WMF (Windows Metafile) malware attacks earlier this month. The recent out-of-cycle security update for the WMF vulnerability (see slashdot coverage) makes no mention of Windows Vista being vulnerable, but with the release of this weekend's patches it is clear that the poorly designed 'SetAbortProc,' the function that allows printing jobs to be canceled, was ported over to Vista."

And it wasn't audited while porting?!

[Pecisk]

What a hell is happening on Microsoft? They have a major Windows version upgrade and they don't even audit their portable old code for such things?! I would get a someone responsible about security in Windows Vista fired ASAP.

How they think will be migration from old versions of Windows if such things will countinue to happen? Yeah, I know, OEM will have Vista and that's all. But with Web applications my pick is that lot of enterprises will stick with their Windows 2000/XP.

No doubt that Microsoft will have hard time to make Vista as smash hit as they would like it to be.

Re:And it wasn't audited while porting?!

[giorgiofr]

Well, Vista does look like it's seriously going to be a helluva flop, but because of a very simple reason: users don't need it! No, they don't care about security, they don't want to know about WinFS (which isn't there anyway), they certainly don't care about .NET 2.
What matters is that they don't want to buy a new Dell in order to use... what exactly? Actually, were it not for some games and a slicker GUI, I'd probably stick with 2k, which is still the best Windows made to date. Yeah, holes in RPC and whatnot, but still better than all the other Windowses.

Gibson is such an Alarmist! Now patch your code!

[kupci]

Get ready for all the Slashdotters and Microsoft fanboys to rip on Gibson being such an alarmist, as they quietly get ready to patch their boxes.

The issue here is I think, that Microsoft continues to this day, to be rather sloppy and secretive about fixing their stuff. So if Gibson makes a big flap, so be it. Better that than a back door that MSFT doesn't bother to fix, because they don't consider it a "critical vulnerability" or some other excuse. As Gibson points out, no question this is highlighting one of the main benefits of open source - the source is there for all to see, no dickering about whether it was intentional or not, it gets fixed. Period.

About Windows Vista

[mshiltonj]

From: http://msdn.microsoft.com/windowsvista/about/

Security Advances

Windows Vista introduces an improved security model that reduces a system's vulnerability to attack while still empowering applications. In particular, it makes the new User Account Protection (UAP) the default user account, and provides an easy-to-use temporary-privilege elevation model. As a result, malware installations are reduced and more OS functionality is made safely available to non-administrators. Security is further strengthened with a trust-based validation system through Mandatory Integrity Control, and Windows Resource Protection (the follow-on to Windows File Protection) guarantees a stable, read-only view of a running operating system.

Uh-huh.

Re:About Windows Vista

[jimicus]

In particular, it makes the new User Account Protection (UAP) the default user account, and provides an easy-to-use temporary-privilege elevation model.

If a user can temporarily escalate privileges, so can a program.

As a result, malware installations are reduced and more OS functionality is made safely available to non-administrators.

Translation: The reason so many of your programs must run as administrator right now is a large chunk of the functionality we currently provide demands this.

Security is further strengthened with a trust-based validation system through Mandatory Integrity Control,

Translation: Here's Trusted Computing, you don't have any choice in the matter, take it or leave it.

Windows Resource Protection (the follow-on to Windows File Protection) guarantees a stable, read-only view of a running operating system.

Translation: A lot of your existing applications won't run. You either turn off the security we provide (thus negating any point in upgrading) or you ditch those applications. Sure hope none of them were vital to your business.

I find it amusing...

[ConceptJunkie]

I find it completely amusing not that this is a security bug that lets someone compromise your computer, but that it's the "Graphics Rendering Engine". I wonder how good it is for doing things like, you know, rendering graphics.

Like I said once years ago, if edlin were written today, it would have direct access to kernel-level functions through scripting and be a vector for both viruses and remote exploits.

Re:Gibson is such an Alarmist! Now patch your code

[scdeimos]

Yes, and Gibson is well known for *not* being an open source advocate, quite the opposite. So for him to start swinging towards open source is really a big thing.

Re:Cant wait...

[Overly+Critical+Guy]

With regards to Vista, it's a valid question. Remember that Microsoft is introducing all sorts of brand new version 1.0 APIs. They had to cancel Vista Beta 2 in favor of CTPs due to their rushed schedule, and they missed their Feature Complete deadline of December and are now aiming for the end of the month. Vista will suffer from reduced testing unless it is delayed to early 2007 (something I believe is likely to happen later this year).

Contrary to popular belief, Vista isn't some big rewrite. It's the same Windows as before with some architectural changes and new API layers. But the old Win32 stuff is still in there.

Wait 'til you guys see the fun way Vista gets older apps to run that expect admin privileges--it emulates a virtual filesystem and all sorts of other crazy things. My impression of Vista is that instead of a clean redesign, it's more layers of updates and APIs on the creaky building. As for WinFX, none of the major apps are going to rewrite their big applications just to go to the slow .NET framework. Photoshop, Dreamweaver, Maya, etc. will be Win32 forever.

I believe there are plenty of reasons to be concerned about Vista. OS X had the advantage of totally starting over and just porting over the old toolbox APIs and calling it Carbon to get older apps to come along. Vista is a weird blend of old cruft and new less-tested code, complete with suspiciously high system requirements. But hey, at least they got shadows on their windows now--I've only been seeing that for five years from Apple.

Re:Frist patch

[j3rryh]

There will still be pearpc & basiliskII or vmac. Legacy schmegacy, any modern processor emulates any 7 yr old processor just fine. -j3rry

Re:Cant wait...

[blast3r]

Yes, I did order Macs for all of our staff (except for one that already has a Mac) so that means we will have 4 Macs in the office.

I have used Microsoft since Dos 4.0 as well as other operating systems. This is the first time I got nervous just surfing the web. There have always been some kind of workaround. In this case there wasn't a good workaround for the zero day exploits that were all over the place. The crappy workaround M$ recommended wasn't a good workaround at all. If you disabled the crappy dll they suggested it is still possible for you to get compromised. There has been talk that some other programs would re-registere the crappy dll and any images you had stored in memory would be executed. Microsoft downplayed this just a bit too much for me. We have over 35,000 computers and we had students coming back the Friday before patch-tuesday. So, this was pretty bad. They did end up releasing the patch that Friday. Okay, I can live with that. *whew*

Now, the fact that this same vulnerability was found in the new and secure Windows Vista just did it for me. That was the point I stopped being a Microsoft advocate.

Yours truly,

blast3r the newb