Slashdot Mirror


Windows Vista still Rife with Insecure Code

osxpetition writes "As noted in a News.com article, Symantec researchers have been testing the latest Microsoft Windows Vista build (Beta 2), and have found that the code is 'complete with new corner cases and defects' in the networking component. Symantec describes how Microsoft scrapped the old networking stack code from Windows XP in favour of newer, rewritten code. 'Microsoft has removed a large body of tried and tested code and replaced it with freshly written code.' Since January 2002, Microsoft has put a stronger emphasis on protecting PCs by attempting to implement stable, secure code in Windows XP and their new operating system. This latest report from Symantec brings attention to Microsoft's Trustworthy Computing campaign, and shows that it has a long way to go before it is ready for the mainstream."

7 of 330 comments

  1. And we... by vwjeff · · Score: 4, Insightful

    have a solution that will "protect" you.

  2. However by also-rr · · Score: 4, Insightful

    This may not be a bad thing.

    I am much happier with well laid out, structured and simple code that has X rate of defects than well polished over the years, old, cruddy and complex code with X rate of defects, because with the former:

    Fixes will be faster.
    Fixes will be easier/cheaper.
    Fixes will be possible!
    Bug fixes will have less chance of introducing new bugs.

    Given time we can then be sure that we will end up with... err well polished over the years, old, cruddy and complex. But it probably won't be as bad as if the process never happened in the first place.

    1. Re:However by Yohimbe · · Score: 5, Insightful

      Actually the old code might be better. And I don't defend blindly.

      It has been my repeated experience that "cruddy and complex" code is that way because the problem space is cruddy and complex, and that's what bugfixes do to code.

      You throw out that complexity and you throw out accumulated knowledge. I have yet to see a second system or third or fourth that managed to keep the bugfixes of the previous system. These issues return and they are accompanied by new ones.

      In this case there might be a reason to throw out this particular baby with this particular bathwater: the only thing that new code gives you is resident experts on the new code. If you have staff turnover (which MS always does), they may have already lost the resident experts on the previous design.

      So that brings up the next point: MS may now be jumping its proverbial code shark: They've not increased in price in 3 years: stock options are worthless, they're losing people, and the hardware vendors are saying "When are you going to get us a decent 64 bit system?". They can't seem to ship secure code and now they throw out working subsystems, possibly because they've got a brain drain. MS owns the office market, but they're starting to really fall behind in shipping modern security at the OS level.

      --
      -- Perl Hack, Web Hack, SQL Hack, Guitar Hack
  3. Conflict of Interest by Ryan+C. · · Score: 5, Insightful

    OK, so Symantec makes money selling products that patch up problems with Windows OSes. Microsoft is trying to put them out of a job. I'm not saying Vista is really achieving this goal, but what sort of report did you expect from Symantec? "Wow, this Vista really makes our products unnecessary"!

    FUD. At least they learned Microsoft's greatest marketing strategy.

    --
    -Ryan C.
  4. Symantec's attempt to reassure stockholders by Bill_the_Engineer · · Score: 5, Insightful

    Isn't it in Symantec's best interest to generate demand for their product by creating uncertainty when it comes to OS security? They did this to Linux too...

    Granted Microsoft may be using new code, but that doesn't necessarily mean it's more insecure than the current network stack.

    Let's see what the non-beta software looks like, and see what an independent lab reports.

    Bill

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  5. Re:Fun-factor by cnettel · · Score: 4, Insightful

    To be fair, the original design of NT networking was focused on IPX and NetBEUI. The bandwidth was 10 Mbit. If you routed in several steps, you didn't expect minimal latencies. You were also supposed to kind of trust the traffic on the network (no SYN attacks or stuff like that). IPv6 on current Windows versions still has "it will kind of work" status. You don't start with MS-DOS and end up with XP. You end up with Me. Rewriting something because the old version is broken is highly unwise. Rewriting something because the old version is inappropriate for what you currently use it for might make sense. I remember the JWZ article, and he talks about all the hidden assumptions you've found through hard work and how those are an essential value in the current codebase. If enough of those assumptions are not true anymore, it can make sense to rewrite something.

  6. Re:beta by kimvette · · Score: 4, Insightful

    "Linux users need to stop comparing their OS' state to that of a five-year-old version of Windows."

    Okay, compare it to the current release of Windows.

    Oh, what's that? The newest release is Windows XP OEM SR2? Essentially a five-year-old OS with a few patches?

    I guess it IS a fair comparison then, after all. Come make that same argument this same time next year if both:

    a) Vista has shipped
    AND
    b) Folks are comparing Linux to XP rather than Vista

    at that point. Until then, XP is the only valid comparison, unless you want to talk servers in which case Windows 2003 would be the logical comparison point.
    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50