Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Security Guy Wants Vista Bugs Rated Down

Posted by CmdrTaco on from the grass-is-greener-on-his-side dept.

jcatcw writes "Gregg Keizer reports that Michael Howard, an MS senior security program manager, says that the Microsoft Security Response Center (MSRC) is being too conservative in its Vista vulnerability rating plans. Microsoft's own bug hunters should cut Windows Vista some slack and rate its vulnerabilities differently because of the operating system's new, baked-in defenses."

25 of 167 comments (clear)

  1. Hmmmm. . . by bplipschitz · · Score: 4, Funny

    Sounds a little like Michael Howard might be "baked in". . .

  2. Isn't that ..... by edwardpickman · · Score: 5, Funny
    rate its vulnerabilities differently because of the operating system's new, baked-in defenses."

    ...half baked?

    1. Re:Isn't that ..... by Anonymous Coward · · Score: 4, Funny

      No, I believe Michael Howard is totally and utterly baked. He clearly needs to stop hitting that bong.

    2. Re:Isn't that ..... by numbski · · Score: 5, Insightful

      You'd have to be smoking some pretty good weed to go along with this. :P

      Let's say on *nix there's a vulnerability that allows for remote ssh access. You can only get in as an unprivileged user, heck, you may even get /dev/null as your shell, but it lets you in. Do you rate down the remote access flaw because of *nix's "baked in " defenses? No! You fix the bug and update.

      Just because your system is overall more secure doesn't mean that you don't blow the whistle on the flaws just as hard. It's called VIGILANCE.

      --

      Karma: Chameleon (mostly due to the fact that you come and go).

    3. Re:Isn't that ..... by ericlondaits · · Score: 4, Funny

      Just because your system is overall more secure doesn't mean that you don't blow the whistle on the flaws just as hard. It's called VIGILANCE.


      Mmmm... while it's true that the price of freedom is eternal VIGILANCE, remember that you can get Vista Ultimate for as little as $399.95.
      --
      As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
    4. Re:Isn't that ..... by UncleTogie · · Score: 5, Insightful

      whereas Windows users tend to gain at least a basic appreciation for proper security practices.
      Don't take this personally, but:

      What frickin' planet are YOU on? Most Windows users expect Windows to take care of all that FOR them....and boy, are they surprised to find that clicking that "You're infected! Click here to pretend to fix your computer whilst actually infecting it!" actually DOESN'T fix a darn thing. I'm not talking ALL Windows users, but it's a frighteningly large group.

      What MOST Windows users want is a system that doesn't make them THINK.
      --
      Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
    5. Re:Isn't that ..... by Miseph · · Score: 5, Funny

      "That doesn't seem like a very vigilant attitude to me... whereas Windows users tend to gain at least a basic appreciation for proper security practices."

      While the first part is true, Windows users (myself included), by definition, are ignoring one fundamental security practice... they aren't using a secure system in the first place. It's like making sure your front door is bolted shut and you've got bars over all your windows, but your house only has three walls (and it's not triangular).

      --
      Try not to take me more seriously than I take myself.
    6. Re:Isn't that ..... by tdelaney · · Score: 4, Insightful

      There's a difference between severity and priority.

      A bug may be high severity (e.g. remote access) but low priority (e.g. because it's believed that other factors mitigate the remote access).

      Another bug may be low severity (e.g. a user interface quirk) but high priority (e.g. because reviewers have seen it and are talking down your product because of it).

      Severities should be based on how much damage may be caused to the *users* of the program. Priorities are usually determined by how much damage the bug causes to the *developers* of the program ...

    7. Re:Isn't that ..... by VertigoAce · · Score: 4, Informative

      Either way, it shouldn't be driven by an outsider, although he can and should make the suggestion to them that certain criteria should be revisited.



      To give some context to who Michael Howard is, he is one of the head security guys at Microsoft. One of his roles is to improve the development process across Microsoft to improve security. So the MSRC responds to actual security vulnerabilities, while Michael looks at why the development team missed the bug and how to avoid it in future products.

      If you read what Michael actually said the issue becomes more apparent. A security bug that affect Vista and XP will usually be given the same rating, even if Vista has defense mechanisms that it make it extremely unlikely that it can be exploited. In the security alert they will list any defense mechanisms that make it harder to exploit the bug, but they don't change the rating.
  3. A rough translation to human speech... by dyfet · · Score: 5, Insightful

    "Your making us look bad, cant you lie a little, we do all the time..."

    This was a public service translation, for those who have trouble understanding Microspeak...

  4. Its about the bug, not the environment by Anonymous Coward · · Score: 5, Insightful

    This guy is IMO a narrow minded fool. Sure, Vista may have extra security features which can limit the extend of damage which a certain bug can do. But does this mean that these features have any impact on the severity of those bugs? Lets "translate" this to Linux:

    Say a new local SSH exploit has been found allowing attackers to gain root privileges. Does the fact that you'd need user accounts which are actually useable by people make any difference on the severity of the exploit? "Gee, cut the homeuser some slack since they won't have any real user accounts to begin with. So stop scaring them and rate the bug as it really is?" ? But... The bug really is what it says to be. In my example its a critical issue, in the case of a Vista bug its Important.

    Just because you may benefit from the extra security enhancements doesn't imply everyone else does. So please; cut out the idiocy and the desperate attempts to push Vista forward by focussing on all good points and ignoring the bad points, and simply keep calling things what they are. I for one now question the professionality of this guy.

    1. Re:Its about the bug, not the environment by NearlyHeadless · · Score: 5, Informative
      If you've read Michael Howard's writings, he's certainly not a "narrow minded fool". On his blog, he talked about security features in the compiler and linker such as /GS and /SafeSEH. With these in place--and OS-based onese, such as Address Space Layout Randomization and Data Execution Prevention-- buffer overflows still exist, but are much harder to effectively exploit. Yes, the process will abort, so you could still have a denial of service attack, but you've greatly reduced the chance of a more serious remote code execution.

      Note that OpenBSD is also adopting similar defense-in-depth strategies, including SSP and N^X. Adoption is much more haphazard on Linux Distros, so you may be at much more risk running an application such as SSH on Linux than on OpenBSD even when it is compiled from the same source code.

    2. Re:Its about the bug, not the environment by OmegaBlac · · Score: 4, Informative

      Adoption is much more haphazard on Linux Distros, so you may be at much more risk running an application such as SSH on Linux than on OpenBSD even when it is compiled from the same source code.
      SSP is included with recent versions of GCC 4.1 and above. If your specific distro is using GCC 4.1 or newer, then they are compiling with SSP already.

      http://gcc.gnu.org/gcc-4.1/changes.html
    3. Re:Its about the bug, not the environment by hxnwix · · Score: 5, Insightful

      Right, and that's why OpenBSD pretends that remote exploits are warm & fuzzy happy ponies. Because of their "baked in defenses." ...
      Errr, NO , this guy promulgating deceptive doublespeek. But perhaps he knows better - perhaps he's just a dishonest jackass and not a retarded jackass. What was your point again?

    4. Re:Its about the bug, not the environment by driftwolf · · Score: 5, Insightful

      If Vista is so much more "secure", then any flaw should be much MORE serious, not less. After all, aren't they supposed to have worked so long and hard to reduce the flaws in this one? If one advertises a secure system, then any breach is, by definition, important. MS Vista is being pushed as a highly secure system to many businesses. Hence, security issues are that much more important, as they were used to sell the system in the first place.

      As we've heard that much (some?) of their vaunted security is actually just optional smoke and mirrors (several of the user security features for instance), I don't think MS Vista should be given any easier ride than any other operating system. Let it be judged independently, on its own merits, and not through re-definition of what is critical or not for political (and of course publicity and monetary) purposes.

      Any system that defines itself as "secure", but isn't, deserves to be ranked accordingly. Microsoft (and it isn't alone by a long shot) has a very long history of selling one thing and delivering another. Changing the criteria based on what they are selling isn't warranted until what they deliver matches that in every respect. So far, they aren't doing that with MS Vista either.

      --
      -- Motto: If it doesn't make sense, always follow the money.
    5. Re:Its about the bug, not the environment by kscguru · · Score: 4, Informative
      His security features are /GS, /SafeSEH, layout randomization and an execute bit? Okay, he really is full of it.

      • /GS. In theory works fine. In practice, you MUST (1) get the software publisher to compile with the switch, (2) cannot use inline assembly (/GS bails out on such code), and (3) must be willing to sacrifice a small bit of performance. In other words, a fair amount of real-world code can't use this. And oh by the way, this doesn't protect against all buffer overflows - it only protects against the easiest category. It's still quite possible to corrupt data with a buffer overflow, and maybe use that data to gain control.
      • /SafeSEH. Right ... how many common languages don't have good exception handling? You said C only, right? And how often do you use Windows exceptions in C? Not much, you say? When I've seen SEH code, it's almost always very narrowly scoped and thus easy to get right - in real code, Windows SEH is just a trampoline to get into another exception mechanism. Making it "safer" adds no value.
      • ASLR. This one makes generating a sucessful exploit a little more difficult - moves it from medium-easy to medium, because it's harder to hit a "target buffer". Of course, for compatibility reasons, a fair number of apps turn this off (they have assumptions about where code lives, and/or need the wasted address space). It helps - statistically. But a lucky guess is still going to succeed, and I don't trust luck for security.
      • DEP. A two-pronged technology, which (1) uses the NX bit and (2) disallows syscalls from data segments. Oh but wait, (1) requires having a fairly recent processor and (2) is fine for some apps, but breaks for anything that does dynamic code (e.g. a Java runtime), so it's also disallowed for many, if not most, apps.
      So what do we find out from this list? You get defense-in-depth - IF you are running the latest hardware, IF you use only software built with MSFT's favorite options (some of which are opt-in), and IF you only run apps that embrace all these strategies. How many Joe Consumers fit into those ifs? Datacenters might be closer, but I'll bet even they can't generally say all these hold true.

      I'm glad open-source is adopting some of these measures. But let's be realistic - all any of these technologies do is make a sieve less leaky by putting a second sieve underneath. Something is nice, but we would be fools to treat any of these security "features" as more than a speed bump.

      --

      A witty [sig] proves nothing. --Voltaire

  5. New rating for new system? by Jimbitz · · Score: 4, Insightful

    I can't believe someone known as microsoft security guru would make a statement like that.
    An exploit is still an exploit. It doesn't matter if it's found in a brand new OS or the predecessor.

    Thank god there are people who doesn't agree with him.

    --
    IT074931
    1. Re:New rating for new system? by rbochan · · Score: 4, Funny

      Yeah, threat rating: "waaah... security is hard!"

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  6. This is not wise by EXMSFT · · Score: 4, Insightful

    Don't challenge the hackers. It's great that Windows Vista has some built in low-level security protections. It's also great to see that Michael is discounting the significance of UAC. And he should - most people will wind up turning it off. But I think that attempting to say that Vista is fire retardant is most likely going to serve as a method to encourage hackers and script kiddies to try and set fire to it. Saying "because it's Vista means the exploit isn't as bad" is a horrible argument. It's an OS, and an exploit is an exploit.

    In short I don't think Michael should assume. When you assume, well, you know.

  7. Re:stop whinning and just.... by rucs_hack · · Score: 4, Insightful

    They can't

    Not because of anything so simple as crap coders or Microsoft being shit (lame reasons when there are so many others that can be justified with examples) . They can't because it's too complex, subject to too many attack vectors, and closed from peer review of code.

    Time was this refusal to allow external entities to search for and fix bugs in their code was acceptable as normal business practice. Since Linux got more popular, people have started to see that peer review of code is superior when it comes to finding and fixing errors.

    I'd be willing to bet that if Linux was closed source it would be as defective as Windows is. That it isn't testifies to the usefulness of open source/bsd style approaches.

  8. Obligatory by dkleinsc · · Score: 5, Funny

    You are trying to cover your own ass. Cancel or Allow?

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  9. A little late for that... by Jasin+Natael · · Score: 4, Insightful

    By this logic, then, shouldn't most of the bugs for Linux and OSX have been rated as "relatively unsafe", while the Windows bugs were almost universally labeled "Über-pWnz0r3d"?

    It seems like he wants this just so he can compare turds to turds, boosting the sales of Vista by saying the Windows 98 and 2000/XP bugs of yesteryear were worse because the same bug is arguably less severe under Vista. It may be true, but he should hope that if anyone takes him seriously, they don't start rating severity relative to similar bugs in competing products.

    Be careful what you wish for...

    --
    True science means that when you re-evaluate the evidence, you re-evaluate your faith.
  10. Of course! by RMingin · · Score: 4, Funny

    Obviously any Vista security bugs should be rated less severe... I mean, nobody's running that OS, right? Minimal impact!

    --
    The preceding comment is my own, and in no way construes an opinon of the Emperor of Mankind.
  11. An interesting response by Trelane · · Score: 4, Interesting

    From a Red Hat hacker

    --

    --
    Given enough personal experience, all stereotypes are shallow.
  12. baked in? by DragonTHC · · Score: 5, Interesting

    in Linux and Unix and Mac's BSD, what's higher than root?

    in Microsoft Vista, what's higher than administrator?
        root
              superroot
                    supersuperroot

    that's right, there are three privilege layers above administrator in Vista.

    users cannot access those, but software can.
    "Oh, you're a process, here's the keys!"
    "Oh you're a user? You want to access your computer, confirm or deny?"

    --
    They're using their grammar skills there.