MS Security Guy Wants Vista Bugs Rated Down
jcatcw writes "Gregg Keizer reports that Michael Howard, an MS senior security program manager, says that the Microsoft Security Response Center (MSRC) is being too conservative in its Vista vulnerability rating plans. Microsoft's own bug hunters should cut Windows Vista some slack and rate its vulnerabilities differently because of the operating system's new, baked-in defenses."
Re:It's about the bug, not the environment (Score:5, Informative)
Note that OpenBSD is also adopting similar defense-in-depth strategies, including SSP and N^X. Adoption is much more haphazard on Linux Distros, so you may be at much more risk running an application such as SSH on Linux than on OpenBSD even when it is compiled from the same source code.
Re:It's about the bug, not the environment (Score:4, Informative)
http://gcc.gnu.org/gcc-4.1/changes.html
Re:Isn't that ..... (Score:3, Informative)
Did you intend those two scenarios to be mutually exclusive?
Rating a bug low does not necessarily mean that it is fixed slower.
Re:It's about the bug, not the environment (Score:5, Informative)
I'm glad open-source is adopting some of these measures. But let's be realistic - all any of these technologies do is make a sieve less leaky by putting a second sieve underneath. Something is nice, but we would be fools to treat any of these security "features" as more than a speed bump.
They want to do something about security? (Score:3, Informative)
That means getting rid of "Security zones". All documents displayed by the HTML control must be considered "untrusted".
To do this, start by getting rid of the ability for documents viewed in the HTML control to request the use of ActiveX objects; since no documents are considered trusted, ActiveX can't be used anyway.
At the same time, provide a mechanism like IO Slaves for applications to install controls... a mechanism that can not be requested by a document.
Modify Windows Explorer and Software Update to use this application-controlled mechanism to install components into the HTML control.
Create an IE shell that installs an "ActiveX IO Slave" to restore the existing behaviour. This shell will display windows with some visual indication that they are untrustable and dangerous. Users who actually require this functionality during the transition can run the "Insecure IE" shell.
In the next major release of Windows, remove that component.
Re:stop whining and just.... (Score:3, Informative)
P.S.: Note that OpenSource programs with few developers interested in the code run into this same problem. Good peer review takes lots of eyes in multiple environments over an extended period of time. A structured code walkthrough just isn't the same thing. It helps, but it's not the same.
Re:Isn't that ..... (Score:5, Informative)
To give some context to who Michael Howard is, he is one of the head security guys at Microsoft. One of his roles is to improve the development process across Microsoft to improve security. So the MSRC responds to actual security vulnerabilities, while Michael looks at why the development team missed the bug and how to avoid it in future products.
If you read what Michael actually said, the issue becomes more apparent. A security bug that affects Vista and XP will usually be given the same rating, even if Vista has defense mechanisms that make it extremely unlikely that it can be exploited. In the security alert they will list any defense mechanisms that make it harder to exploit the bug, but they don't change the rating.