MS Security Guy Wants Vista Bugs Rated Down
jcatcw writes "Gregg Keizer reports that Michael Howard, an MS senior security program manager, says that the Microsoft Security Response Center (MSRC) is being too conservative in its Vista vulnerability rating plans. Microsoft's own bug hunters should cut Windows Vista some slack and rate its vulnerabilities differently because of the operating system's new, baked-in defenses."
Sounds a little like Michael Howard might be "baked in"...
I work at Microsoft, I can get Vista for practically free but I refuse to even touch Vista with a bargepole and don't recommend it to others. They don't need it anyway even if it was "finished" and secure.
"You're making us look bad, can't you lie a little, we do all the time..."
This was a public service translation, for those who have trouble understanding Microspeak...
According to Michael Howard my post has been downgraded to only second post.
"Oh boy"
This guy is IMO a narrow minded fool. Sure, Vista may have extra security features which can limit the extent of damage which a certain bug can do. But does this mean that these features have any impact on the severity of those bugs? Let's "translate" this to Linux:
Say a new local SSH exploit has been found allowing attackers to gain root privileges. Does the fact that you'd need user accounts which are actually usable by people make any difference on the severity of the exploit? "Gee, cut the home user some slack since they won't have any real user accounts to begin with. So stop scaring them and rate the bug as it really is?" But... The bug really is what it says it is. In my example it's a critical issue, in the case of a Vista bug it's Important.
Just because you may benefit from the extra security enhancements doesn't imply everyone else does. So please, cut out the idiocy and the desperate attempts to push Vista forward by focussing on all the good points and ignoring the bad points, and simply keep calling things what they are. I for one now question the professionalism of this guy.
After all, I just baked it.
I do not think that the word "security" means what you think it means.
Or, you're a FUD-peddler whose job it is to convince Gartner that you don't suck... I'm not sure.
I want to delete my account but Slashdot doesn't allow it.
I can't believe someone known as a Microsoft security guru would make a statement like that.
An exploit is still an exploit. It doesn't matter if it's found in a brand new OS or the predecessor.
Thank god there are people who don't agree with him.
Don't challenge the hackers. It's great that Windows Vista has some built in low-level security protections. It's also great to see that Michael is discounting the significance of UAC. And he should - most people will wind up turning it off. But I think that attempting to say that Vista is fire retardant is most likely going to serve as a method to encourage hackers and script kiddies to try and set fire to it. Saying "because it's Vista means the exploit isn't as bad" is a horrible argument. It's an OS, and an exploit is an exploit.
In short I don't think Michael should assume. When you assume, well, you know.
...fix the bugs.
Why is it that MS always misses this point: Secure is relative. Advocating that MS can be more lax in its procedures because Vista is more secure is like saying you don't need to train anymore because you didn't finish last in a race. Microsoft may have better security than its predecessors; however, it remains yet to be seen whether or not it is adequately secure. Given the company's history of boasting about security and then failing to deliver, it would be best if they were conservative when it comes to security. Wasn't there a recent Slashdot article on how OpenBSD had its second security issue in a decade? Compared to that, Microsoft security is a joke.
Well, there's spam egg sausage and spam, that's not got much spam in it.
I'm sure we've all said a few things that were externalized "thought experiment" instead of "well thought out conclusions". And I think I can see how his line of thinking was going, although I disagree with his statement. And I wouldn't be surprised that in hindsight he disagrees with his own statement.
Microsoft has inadvertently set this guy up as a fall guy by anointing him as a semi-official spokesperson. Hopefully he won't find himself on the street due to what is a failure of his management.
You are trying to cover your own ass. Cancel or Allow?
I am officially gone from
...hmmm...what's that smell?
Let's see, Microsoft has been selling crap all these years and now wants to be cut some slack? Yeah, right.
All I think of when I hear 'Program Manager' is the program launcher from the Windows 3.1 days.
Was this naming deliberate??
By this logic, then, shouldn't most of the bugs for Linux and OSX have been rated as "relatively unsafe", while the Windows bugs were almost universally labeled "Über-pWnz0r3d"?
It seems like he wants this just so he can compare turds to turds, boosting the sales of Vista by saying the Windows 98 and 2000/XP bugs of yesteryear were worse because the same bug is arguably less severe under Vista. It may be true, but he should hope that if anyone takes him seriously, they don't start rating severity relative to similar bugs in competing products.
Be careful what you wish for...
True science means that when you re-evaluate the evidence, you re-evaluate your faith.
Microsoft's own bug hunters will not get the extra bonus because Vista sales suck so much, because Vista has bugs which hunters found... Hm...
"Built in defenses".
Yeah, right. He's been reading too much William Gibson...
Vista making microsoft became microsofter...
Since Vista includes security techniques and technologies that Windows XP lacks, the MSRC should reconsider how it ranks Vista when a vulnerability affects both Microsoft's new operating system and its predecessor, Windows XP. Don't be surprised if you see a bug that's, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place. Vista includes a number of new security features that randomize memory, check code for buffer overflows and require user permission for potentially risky operations. On Vista, the vulnerability will be so tagged, Vista-specific security technologies notwithstanding. Analysts and outside Microsoft security professionals took the MSRC's side and blasted Howard's idea. MSRC won...yes!!!
...that's not the Michael Howard who Paxman asked 12 times whether he threatened to overrule Derek Lewis... Thank goodness it's not the same person.
Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
That Mr. Howard has yet to come to the sad realization that the rest of the Vista-using world has...
Are you sure it wasn't a PR guy?
I'm certain when he said "and rate its vulnerabilities differently because of the operating system's new, baked-in defenses." what he really meant was "and rate its vulnerabilities differently because of the operating system's new, half-baked-in defenses."
My karma is not a Chameleon.
are condemned to reinvent it.
How's that 64-bit architecture coming in the Windows world, fanboy? Solaris has been 64-bit since when, 1995?
They're hurting your feelings, come here and rest on my man boobs. There there, that's better isn't it Mr. Security Person. What, they're not as soft and comfortable as your mom's boobs? Excuse me, I'd like you to rate my boobs better than that, after all, I am a MAN!
Task Mangler
At least this will let bears retake their proper spot at #1.
For some reason, this guy reminds me of one of the "Three Stooges".
;-)
"Calling Dr Howard, Dr Fine, Dr Howard"...
Maybe it's because he needs a brain transplant.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
That's like buying a new model car and the dealer saying, "Sorry it just keeps stalling on you, but it's a newer model and we're still working out all the bugs. In the meantime, here's a coupon for a free oil change, just don't complain too loudly."
Obviously any Vista security bugs should be rated less severe... I mean, nobody's running that OS, right? Minimal impact!
The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
Allow or Deny?
From a Red Hat hacker
--
Given enough personal experience, all stereotypes are shallow.
in Linux and Unix and Mac's BSD, what's higher than root?
in Microsoft Vista, what's higher than administrator?
root
superroot
supersuperroot
that's right, there are three privilege layers above administrator in Vista.
users cannot access those, but software can.
"Oh, you're a process, here's the keys!"
"Oh you're a user? You want to access your computer, confirm or deny?"
They're using their grammar skills there.
If Microsoft were to have a flaw, it would be that they are too modest and grade their own security issues too harshly.
wake-n-bake lets all take
a look at microsoft half-baked
hit the bong and sing this song
windows got security wrong
Around we go with disclosure fud
Michael Howard please pass the bud
boycott slashdot February 10th - 17th check out: altSlashdot.org
Simple: send each and every person who works for the company in any way to a lawyer and tell them to obey the first rule.
SHUT THE FUCK UP
Just stop talking, do NOT say anything, remain silent.
MS just can't do that and keeps blurting out things that make it seem extremely silly indeed.
This latest claim is like saying that a grease fire in your kitchen isn't dangerous if you live near a fire station. That getting shot through the chest isn't as much of a hassle and shouldn't count as an attempt on your life because you happen to be in an emergency room.
A bug is a bug, a security hole is a security hole. That they are even rated is already bad enough. They should have just one variable "fixed" which is a boolean.
Claiming that a so called critical bug isn't as severe because the unproven untested OS it runs on has some safety measures, which by the way have been programmed by the same people who programmed the bug, is not exactly raising my opinion of MS.
Had they simply listened to the lawyer they would have kept their mouth shut and not dropped another notch in my estimation.
Perhaps it is all part of a cunning plan with them hoping that humans like computers suffer from wrap around and if they lower my opinion far enough it would wrap around to positive again.
or they are stupid.
But I liked the end, unless Vista picks up it will receive the same non-attention as OS X, now that's gotta smart.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
The Security is really baked-in
I lost my sig...
The first thing Microsoft needs to do to get ANY credibility at all where security is involved is to take immediate and rapid steps to eliminate the role of the HTML control as an element of the security system.
That means getting rid of "Security zones". All documents displayed by the HTML control must be considered "untrusted".
To do this, start by getting rid of the ability for documents viewed in the HTML control to request the use of ActiveX objects, since no documents are considered trusted, ActiveX can't be used anyway.
At the same time, provide a mechanism like IO Slaves for applications to install controls... a mechanism that can not be requested by a document.
Modify Windows Explorer and Software Update to use this application-controlled mechanism to install components into the HTML control.
Create an IE shell that installs an "ActiveX IO Slave" to restore the existing behaviour. This shell will display windows with some visual indication that they are untrustable and dangerous. Users who actually require this functionality during the transition can run the "Insecure IE" shell.
In the next major release of Windows, remove that component.
This was actually intended as a joke. I suppose I should have added a smiley face or something.
then there should be exploits reported as attacking XP but not working on Vista.
------------------
Steve Stites
BTW, this is the guy who lectures MS devs on security and likes to point out how insecure Linux is compared to W2K3. He's living in a bubble, which is fine by him as long as he gets a paycheck. To be fair, most of what I heard him say was sound advice, if overly verbose. I wish he wouldn't degrade himself to a bullshit robot when talking about Linux and Vista, though.
Spoken like an AC dickhead. When it was '95 I was all content with my 486 DX2 66. I'd love for you to point me to the x86 CPU that was around then.
"The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity"
Err, right. So if they're so conservative, how come they'll rate a remote code execution bug as "moderate" if the code is run in a restricted context (see, e.g. http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx - particularly the DHTML bug)?
When it was '95 I was all content with my 486 DX2 66. I'd love for you to point me to the x86 CPU that was around then.
1. You seem very easy to make "all content". Get out of the toy-computer, x86 kiddie playground some time.
2. By your own words, your own 486 DX2 66 was an x86 CPU around in 1995.
Then you wouldn't need to spam it here. Must be low on ad revenue for that site of yours, you fucking spammer.
Actually, Windows XP x64, and its Vista successor, are quite good. They put the 32-bit versions of themselves to shame in terms of performance (with native mode applications, i.e. 64-bit compiled) and security (don't ask how, I don't know. But Windows does leverage the processor's built in anti-buffer overrun protection).
You, clearly, are an idiot.
Obligatory mention: Linux, BSD and Unix have all been 64-bit for some time as well, and I believe most would pick Linux or BSD over Solaris.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
you no longer get a good grade for trying.
RESULTS are all that matters in the real world. I don't care how hard you're trying to make my fries, if you still burn them, you SUCK.
I work for the Department of Redundancy Department.
Vista is going nowhere, so now they trot out some bozo to say that Vista security problems won't be as bad as XP's.
Then they also had some Microsoft bozo post on his blog that he was going to compare vulnerabilities - actually, not even vulnerabilities but FIXES - between OS's - using the same discredited methodologies they've been using since forever. Naturally Windows came out ahead. He even tried to head off criticism by admitting he was a Microsoft bozo. Naturally, that didn't work.
In other words, Microsoft is trying to spin Vista's failure to be a "Windows security cureall" - especially since OneCare has been a PR nightmare by failing antivirus checks and then deleting users' Outlook email files.
It's just another pathetic Microsoft pack of lies.
Remember, folks: ANYBODY authorized by Microsoft to talk to the public is a LIAR.
Microsoft does NOT sell software. It sells LIES.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Did anyone bother to read the guy's blog that this article is sourced from? I'll quote the relevant section: "We will also see some bugs that are unique to Windows Vista. But I believe this number will be reasonably small. There is one thing you will see that I'm not too thrilled about, but it is what it is. The MSRC rarely reduces the severity of a buffer-related security bug because a defense with no security guarantees such as /GS or /SafeSEH is in place. UAC will be a speed bump, but I doubt we would reduce the severity of many bulletins if UAC is the sole mitigation. The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity. So don't be surprised if you see a bug that's, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place. As I understand it, the MSRC will call out defenses that come into play."
He's splitting hairs over SECURITY UPDATE CLASSIFICATIONS that aren't (at time of patching) exploitable on Vista but are on XP, being rated with the same level of severity. Imho, that's pretty fair. Look at the BSD guys recently, it wasn't escalated from a bug to a vulnerability until it was proven it was exploitable.
This bothers him because it is going to make Vista look bad when it comes time to compare Vista's first couple of years to XP's first couple of years, if all you go on is the patches' vulnerability ratings...
Ok, so there's a buffer overrun in MS_arbitary.exe that causes a crash in Vista, but can result
"No, you don't need to count that remotely-exploitable vulnerability that can take over your computer. Our Trusted Advanced Security (TAS) will Stop It Cold (patent pending on phrase)!"
That's one reason why I use GNU/Linux.
lker@cmosnetworks.com
"The limited pickup of Vista installs [means that] until Vista is more popular, it will enjoy the same limited attention from hackers as OS X"
He should know by now that it's not the install base of OS X, it's that the hacker bullies only pick on those that cry.
I think you underestimate just how much I just don't care.
On one level, this makes sense. A vulnerability should be judged by the risk it poses to the system, and security tools and settings can, in some cases, mitigate the risk and should be factored in. So on the surface, rating cross-Microsoft-platform vulnerabilities differently for Vista than XP makes sense, if Vista's security measures in their default or most common configuration are a truly effective mitigation for the vulnerability.
The crux of the matter is determining if the security measure is effective. Who decides? At work, I use MS's ratings as the barest of indicators as to the vulnerability's severity. I look elsewhere, like here on Slashdot, on the Internet Storm Center, the Vulnwatch mailing list, to get a better idea of how much attention is being paid to the vulnerability. I look to see if any exploits are in the wild. And I look at our environment, and determine our own risk exposure. A home user might not have the time/ability/resources to do this sort of checking for themselves, and in that case, they should probably follow MS's advice. But for a business, knee-jerk reactions are rarely the best course.
"UberWormz0r.exe has been terminated due to the system being too stoned to understand what an 'msvcrt.dll' is or where to find one. Sorry, dude."
Hey, at least you can't say it's not innovative.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
- Michael Howard