MS Security Guy Wants Vista Bugs Rated Down
jcatcw writes "Gregg Keizer reports that Michael Howard, an MS senior security program manager, says that the Microsoft Security Response Center (MSRC) is being too conservative in its Vista vulnerability rating plans. Microsoft's own bug hunters should cut Windows Vista some slack and rate its vulnerabilities differently because of the operating system's new, baked-in defenses."
"You're making us look bad, can't you lie a little, we do all the time..."
This was a public service translation, for those who have trouble understanding Microspeak...
This guy is IMO a narrow-minded fool. Sure, Vista may have extra security features which can limit the extent of damage which a certain bug can do. But does this mean that these features have any impact on the severity of those bugs? Let's "translate" this to Linux:
Say a new local SSH exploit has been found allowing attackers to gain root privileges. Does the fact that you'd need user accounts which are actually usable by people make any difference on the severity of the exploit? "Gee, cut the homeuser some slack since they won't have any real user accounts to begin with. So stop scaring them and rate the bug as it really is?" ? But... The bug really is what it says to be. In my example it's a critical issue, in the case of a Vista bug it's Important.
Just because you may benefit from the extra security enhancements doesn't imply everyone else does. So please; cut out the idiocy and the desperate attempts to push Vista forward by focussing on all good points and ignoring the bad points, and simply keep calling things what they are. I for one now question the professionalism of this guy.
You'd have to be smoking some pretty good weed to go along with this. :P
Let's say on *nix there's a vulnerability that allows for remote ssh access. You can only get in as an unprivileged user, heck, you may even get /dev/null as your shell, but it lets you in. Do you rate down the remote access flaw because of *nix's "baked in" defenses? No! You fix the bug and update.
Just because your system is overall more secure doesn't mean that you don't blow the whistle on the flaws just as hard. It's called VIGILANCE.
Karma: Chameleon (mostly due to the fact that you come and go).
Don't take this personally, but:
What frickin' planet are YOU on? Most Windows users expect Windows to take care of all that FOR them....and boy, are they surprised to find that clicking that "You're infected! Click here to pretend to fix your computer whilst actually infecting it!" actually DOESN'T fix a darn thing. I'm not talking ALL Windows users, but it's a frighteningly large group.
What MOST Windows users want is a system that doesn't make them THINK.
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!