Cursor points to Vista flaw
Written by Daniel   
Wednesday, 04 April 2007 06:33

Cursor flaw gives Vista security a black eye
By Joris Evers
Staff Writer, CNET
Published: April 4, 2007, 4:00 AM PDT

Microsoft's release of a "critical" patch on Tuesday poked holes in Vista's security promises, but security experts advise against discounting the new operating system.

The software giant broke with its monthly patch cycle Tuesday to fix a bug that cybercrooks had been using since last week to attack Windows PCs, including those running Vista.

Microsoft breaks its patch cycle to release a fix for a "critical" flaw that has been used to attack Windows PCs, including those running Vista.
Bottom line: The release casts a shadow over the software giant's promises that Vista would be the most secure version of Windows yet.

"As far as software vulnerabilities go, Vista's cover is blown," said Nand Mulchandani, a vice president at Determina, the company that discovered the latest security bug. "It is not Superman; it is just a human being. It is just software. Vista is going to be very similar to the other operating systems Microsoft has delivered in terms of bugs."

Microsoft officially launched Vista for consumers in January, promoting the operating system as the most secure version of Windows yet. It is the first client version of Windows built with security in mind, meaning that it should have fewer coding errors that might be exploited in attacks, Microsoft has said.

Yet the "critical" hole that affected much older Windows versions also hit Vista. The vulnerability lies in the way Windows handles animated cursors and could let an attacker commandeer a PC when the user views a malicious Web site or e-mail message.

It is a flaw that should have been caught by Microsoft's code-vetting processes for Vista, called the Security Development Lifecycle, some experts said. The flaw is also evidence that faulty code from previous Windows versions has been copied into Vista, they said.

"It is a little premature to attack the whole effort altogether, but this is something that the Security Development Lifecycle should have caught," said Amol Sarwate, a research manager at vulnerability management company Qualys.

The buffer overflow vulnerability in the cursor function in particular should have already been fixed because a bug in the same Windows component was patched two years ago, said Rohit Dhamankar, manager of security research at TippingPoint, a seller of intrusion prevention products. That should have prompted re-examination of the code, Dhamankar said.

Microsoft disputes that it should have caught the cursor bug before. People who say so don't understand security vulnerabilities because not all bugs are created equal, said Stephen Toulouse, senior product manager in Microsoft's Security Technology Unit.

"In the case of the cursor vulnerability, even though something may look similar to the outside, that doesn't mean the code is anything alike to the previous vulnerability," Toulouse said. "The SDL was never meant to catch every single vulnerability, period."

But Dhamankar argues that Microsoft forgot to recheck all the possibilities that could lead to a buffer overflow after the original bug was found and patched in 2005.
