MS Security Guy Wants Vista Bugs Rated Down

jcatcw writes "Gregg Keizer reports that Michael Howard, an MS senior security program manager, says that the Microsoft Security Response Center (MSRC) is being too conservative in its Vista vulnerability rating plans. Microsoft's own bug hunters should cut Windows Vista some slack and rate its vulnerabilities differently because of the operating system's new, baked-in defenses."

Hmmmm. . .

[bplipschitz]

Sounds a little like Michael Howard might be "baked in". . .

More like "half-baked"...

[Anonymous Coward]

"Built in defenses".

Yeah, right. He's been reading too much William Gibson...

Re:

[Raven42rac]

And I want a pony and a dodge viper.

Isn't that .....

[edwardpickman]

rate its vulnerabilities differently because of the operating system's new, baked-in defenses."

...half baked?

Re:Isn't that .....

[Anonymous Coward]

No, I believe Michael Howard is totally and utterly baked. He clearly needs to stop hitting that bong.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Isn't that .....

[numbski]

You'd have to be smoking some pretty good weed to go along with this. :P

Let's say on *nix there's a vulnerability that allows for remote ssh access. You can only get in as an unprivileged user, heck, you may even get /dev/null as your shell, but it lets you in. Do you rate down the remote access flaw because of *nix's "baked in " defenses? No! You fix the bug and update.

Just because your system is overall more secure doesn't mean that you don't blow the whistle on the flaws just as hard. It's called VIGILANCE.

Re:Isn't that .....

[ericlondaits]

Just because your system is overall more secure doesn't mean that you don't blow the whistle on the flaws just as hard. It's called VIGILANCE.

Mmmm... while it's true that the price of freedom is eternal VIGILANCE, remember that you can get Vista Ultimate for as little as $399.95.

Re:

[ozbird]

remember that you can get Vista Ultimate for as little as $399.95.

"You keep using that word. I do not think it means what you think it means."

Re:

[lanzz]

while it's true that the price of freedom is eternal VIGILANCE, remember that you can get Vista Ultimate for as little as $399.95.

perhaps they should release a new edition, Vista Vigilante?

Re:

[LifesABeach]

I can not help but think that,"Vista Ultimate", should be viewed as a "Warning Label".

"...And I should know..." - Doritos Advertisement

Re:

[greginnj]

...while it's true that the price of freedom is eternal VIGILANCE, remember that you can get Vista Ultimate for as little as $399.95.

Underscoring the point that Vista and Freedom have very little to do with each other...

Re:

[Gnavpot]

Do you rate down the remote access flaw because of *nix's "baked in " defenses? No! You fix the bug and update.

Did you intend those two scenarios to be mutally exclusive?

Rating a bug low does not necessarily mean that it is fixed slower.

Re:Isn't that .....

[tdelaney]

There's a difference between severity and priority.

A bug may be high severity (e.g. remote access) but low priority (e.g. because it's believed that other factors mitigate the remote access).

Another bug may be low severity (e.g. a user interface quirk) but high priority (e.g. because reviewers have seen it and are talking down your product because of it).

Severities should be based on how much damage may be caused to the *users* of the program. Priorities are usually determined by how much damage the bug causes to the *developers* of the program ...

Re:

[Hierarch]

Let's say on *nix there's a vulnerability that allows for remote ssh access. You can only get in as an unprivileged user, heck, you may even get /dev/null as your shell, but it lets you in. Do you rate down the remote access flaw because of *nix's "baked in " defenses? No! You fix the bug and update.

Well, actually, you do rate it down. This is basic risk assessment, and if it comes to a prioritization of resources — which bug should we fix next? — I want that priority set according to the impac

Re:Isn't that .....

[VertigoAce]

Either way, it shouldn't be driven by an outsider, although he can and should make the suggestion to them that certain criteria should be revisited.

To give some context to who Michael Howard is, he is one of the head security guys at Microsoft. One of his roles is to improve the development process across Microsoft to improve security. So the MSRC responds to actual security vulnerabilities, while Michael looks at why the development team missed the bug and how to avoid it in future products.

If you read what Michael actually said the issue becomes more apparent. A security bug that affect Vista and XP will usually be given the same rating, even if Vista has defense mechanisms that it make it extremely unlikely that it can be exploited. In the security alert they will list any defense mechanisms that make it harder to exploit the bug, but they don't change the rating.

Re:Isn't that .....

[UncleTogie]

whereas Windows users tend to gain at least a basic appreciation for proper security practices.

Don't take this personally, but:

What frickin' planet are YOU on? Most Windows users expect Windows to take care of all that FOR them....and boy, are they surprised to find that clicking that "You're infected! Click here to pretend to fix your computer whilst actually infecting it!" actually DOESN'T fix a darn thing. I'm not talking ALL Windows users, but it's a frighteningly large group.

What MOST Windows users want is a system that doesn't make them THINK.

Re:

[suv4x4]

What MOST Windows users want is a system that doesn't make them THINK.

You're saying that as if it's a bad thing. Do you insist on an OS that makes you think a lot?

While you're thinking on the OS you could be thinking on the next YouTube or something. Why waste so much talent? Anyway, if Microsoft survives Vista (which it'll most likely do), and has success with Vienna, we'll have exactly that: proliferation of managed, secure code and deprecation of binary code (which will run in sandbox) except for a range

Re:

[causality]

While you're thinking on the OS you could be thinking on the next YouTube or something. Why waste so much talent?

You say that as though the amount of thinking a person can do is a finite quantity, and that each time you think you decrease this quantity, so therefore the wise thing to do is conserve it as much as possible.

However, it's really more like a muscle -- the more you use it, the more able it becomes. Linux made me think very much when I first began using it, especially considering that this w

Re:

[suv4x4]

You say that as though the amount of thinking a person can do is a finite quantity, and that each time you think you decrease this quantity, so therefore the wise thing to do is conserve it as much as possible.

However, it's really more like a muscle -- the more you use it, the more able it becomes.

It's separation of concerns - the basics of team work and higher organisations. It's a very basic premise which most open source software folks miss.

You may be learning hella lot, and be great everything, train t

Re:Isn't that .....

[Miseph]

"That doesn't seem like a very vigilant attitude to me... whereas Windows users tend to gain at least a basic appreciation for proper security practices."

While the first part is true, Windows users (myself included), by definition, are ignoring one fundamental security practice... they aren't using a secure system in the first place. It's like making sure your front door is bolted shut and you've got bars over all your windows, but your house only has three walls (and it's not triangular).

Re:

[db32]

You must be new here. Can you restate that analogy in reference to a car? Thank you.

Re:

[mgiuca]

Really? Because that seems to be the rationalle used by all the anti-MS people as a reason to switch from Windows: that the non-Windows OS's are more secure because of their obscurity.

Actually, "security through obscurity" is the term for the security practise of locking up your source code, keeping encryption keys secret, hiding bugs from the public, and hoping nobody finds them.

You know, the Microsoft way?

But I do get what you're saying (that there are more viruses on Windows because it is more popular).

Re:

[Locutus]

It sure sounds like "the most secure Windows ever" has been over cooked.

LoB

Re:

[Seumas]

Nothing says security like naming your flagship product after the part of a house that is made of thin glass and can be broken with a small rock, stick or an elbow and allows everyone outside to see everything going on inside.

Hal Howard

[Anonymous Coward]

I work at Microsoft, I can get Vista for practically free but I refuse to even touch Vista with a bargepole and dont recommend it to others. They dont need it anyway even if it was "finished" and secure.

Re:

[Anonymous Coward]

I work at Microsoft, I can get Vista for practically free but I refuse to even touch Vista with a bargepole and dont recommend it to others. They dont need it anyway even if it was "finished" and secure.

You sound like a contractor that is bitter you didn't get hired on. Those of us are employees of MS want to make certain that we get the remaining bugs fixed. That isn't going to happen if we point fingers and play the blame game.

I work on embedded devices at MS and we won't have Vista support ready for a

Re:

[smash]

The new kernel is modular and agile

If this is really true, then why the hell do you need 1-2gb of ram for acceptable performance?

Sure, it will boot with 512mb, but it's like watching paint dry trying to actually do anything with it.

Re:

[techno-vampire]

Once we strip out the shell, the graphics, and most of the managed code we will have a nice version that will run on a fraction of the resources required on the desktop.

And at that point, you'll have a kernal that's almost half as fast as XP instead of the current one third as fast.

Re:

[PastaLover]

When anybody asks me whether they should run Vista I tell them to at least wait till SP1 and preferrably SP2. And that is the only sane advice you can give them. Heck, I personally find XP to be the best windows so far and even that took till SP2 to be halfway usable (and secure). Running Vista now is like running linux 2.6.21. It might be cool, but it will probably just blow up in your face and you get to keep the pieces.

Re:

[smash]

How about this: I *don't* work for microsoft. I have a copy of Vista's Ultimate Edition ISO and a timer-stop crack. I have a PC that will run it quite happily (2gig, p4-d 3.0, nvidia 7600, ~ 0.7tb of disk with about 300gb free).

I haven't installed it, and don't plan on it any time soon, because there is no incentive for me to do so.

Re:

[hotdiggitydawg]

3) Profit
4) CowboyNeal

Oops, wrong thread...

Re:

[rts008]

You are living in the present....shame on you!

A bargepole is anochronistic...get with the Winblows pogram!

A rough translation to human speech...

[dyfet]

"Your making us look bad, cant you lie a little, we do all the time..."

This was a public service translation, for those who have trouble understanding Microspeak...

Its about the bug, not the environment

[Anonymous Coward]

This guy is IMO a narrow minded fool. Sure, Vista may have extra security features which can limit the extend of damage which a certain bug can do. But does this mean that these features have any impact on the severity of those bugs? Lets "translate" this to Linux:

Say a new local SSH exploit has been found allowing attackers to gain root privileges. Does the fact that you'd need user accounts which are actually useable by people make any difference on the severity of the exploit? "Gee, cut the homeuser some slack since they won't have any real user accounts to begin with. So stop scaring them and rate the bug as it really is?" ? But... The bug really is what it says to be. In my example its a critical issue, in the case of a Vista bug its Important.

Just because you may benefit from the extra security enhancements doesn't imply everyone else does. So please; cut out the idiocy and the desperate attempts to push Vista forward by focussing on all good points and ignoring the bad points, and simply keep calling things what they are. I for one now question the professionality of this guy.

Re:Its about the bug, not the environment

[NearlyHeadless]

If you've read Michael Howard's writings, he's certainly not a "narrow minded fool". On his blog, he talked about security features in the compiler and linker such as /GS and /SafeSEH. With these in place--and OS-based onese, such as Address Space Layout Randomization and Data Execution Prevention-- buffer overflows still exist, but are much harder to effectively exploit. Yes, the process will abort, so you could still have a denial of service attack, but you've greatly reduced the chance of a more serious remote code execution.

Note that OpenBSD is also adopting similar defense-in-depth strategies, including SSP and N^X. Adoption is much more haphazard on Linux Distros, so you may be at much more risk running an application such as SSH on Linux than on OpenBSD even when it is compiled from the same source code.

Re:Its about the bug, not the environment

[OmegaBlac]

Adoption is much more haphazard on Linux Distros, so you may be at much more risk running an application such as SSH on Linux than on OpenBSD even when it is compiled from the same source code.

SSP is included with recent versions of GCC 4.1 and above. If your specific distro is using GCC 4.1 or newer, then they are compiling with SSP already.

http://gcc.gnu.org/gcc-4.1/changes.html [gnu.org]

Re:

[strider44]

Add to this that the memory randomisation and data NX support has been in the linux kernel for years...

Yes the point still remains. The bug severity must be in some way comparable to other operating systems and Vista's security features are no better than Linux's

Re:Its about the bug, not the environment

[hxnwix]

Right, and that's why OpenBSD pretends that remote exploits are warm & fuzzy happy ponies. Because of their "baked in defenses." ...
Errr, NO , this guy promulgating deceptive doublespeek. But perhaps he knows better - perhaps he's just a dishonest jackass and not a retarded jackass. What was your point again?

Re:Its about the bug, not the environment

[driftwolf]

If Vista is so much more "secure", then any flaw should be much MORE serious, not less. After all, aren't they supposed to have worked so long and hard to reduce the flaws in this one? If one advertises a secure system, then any breach is, by definition, important. MS Vista is being pushed as a highly secure system to many businesses. Hence, security issues are that much more important, as they were used to sell the system in the first place.

As we've heard that much (some?) of their vaunted security is actually just optional smoke and mirrors (several of the user security features for instance), I don't think MS Vista should be given any easier ride than any other operating system. Let it be judged independently, on its own merits, and not through re-definition of what is critical or not for political (and of course publicity and monetary) purposes.

Any system that defines itself as "secure", but isn't, deserves to be ranked accordingly. Microsoft (and it isn't alone by a long shot) has a very long history of selling one thing and delivering another. Changing the criteria based on what they are selling isn't warranted until what they deliver matches that in every respect. So far, they aren't doing that with MS Vista either.

Re:Its about the bug, not the environment

[kscguru]

His security features are /GS, /SafeSEH, layout randomization and an execute bit? Okay, he really is full of it.

• /GS. In theory works fine. In practice, you MUST (1) get the software publisher to compile with the switch, (2) cannot use inline assembly (/GS bails out on such code), and (3) must be willing to sacrifice a small bit of performance. In other words, a fair amount of real-world code can't use this. And oh by the way, this doesn't protect against all buffer overflows - it only protects against the easiest category. It's still quite possible to corrupt data with a buffer overflow, and maybe use that data to gain control.
• /SafeSEH. Right ... how many common languages don't have good exception handling? You said C only, right? And how often do you use Windows exceptions in C? Not much, you say? When I've seen SEH code, it's almost always very narrowly scoped and thus easy to get right - in real code, Windows SEH is just a trampoline to get into another exception mechanism. Making it "safer" adds no value.
• ASLR. This one makes generating a sucessful exploit a little more difficult - moves it from medium-easy to medium, because it's harder to hit a "target buffer". Of course, for compatibility reasons, a fair number of apps turn this off (they have assumptions about where code lives, and/or need the wasted address space). It helps - statistically. But a lucky guess is still going to succeed, and I don't trust luck for security.
• DEP. A two-pronged technology, which (1) uses the NX bit and (2) disallows syscalls from data segments. Oh but wait, (1) requires having a fairly recent processor and (2) is fine for some apps, but breaks for anything that does dynamic code (e.g. a Java runtime), so it's also disallowed for many, if not most, apps.

So what do we find out from this list? You get defense-in-depth - IF you are running the latest hardware, IF you use only software built with MSFT's favorite options (some of which are opt-in), and IF you only run apps that embrace all these strategies. How many Joe Consumers fit into those ifs? Datacenters might be closer, but I'll bet even they can't generally say all these hold true.

I'm glad open-source is adopting some of these measures. But let's be realistic - all any of these technologies do is make a sieve less leaky by putting a second sieve underneath. Something is nice, but we would be fools to treat any of these security "features" as more than a speed bump.

Re:

[LO0G]

Has he EVER refered to those as "security features"? I'd be surprised, Michael Howard doesn't usually make those kinds of mistakes.

Usually those are described as mitigations, since there are no security guarantees associated with them (since they can be bypassed, they're not security features.

Re:

[kripkenstein]

Err, what? It's pretty easy to get in Linux and has been for years, but not everyone uses it because it is only found in packages for more recent versions (however, SSP has been available for about eight years, n^x for about seven).

I have heard some Linux distros have been using SSP for a while now, but am not sure of details; Ubuntu, in any case, uses SSP as of Edgy Eft [launchpad.net], that is, since late 2006.

Re:N^X a big deal? Those that don't understand Uni

[Kalriath]

Actually, Windows XP x64, and it's Vista successor, are quite good. They put the 32-bit versions of themselves to shame in terms of performance (with native mode applications, i.e. 64-bit compiled) and security (don't ask how, I don't know. But Windows does leverage the processor's built in anti-buffer overrun protection).

You, clearly, are an idiot.

Obligatory mention: Linux, BSD and Unix have all been 64-bit for some time as well, and I believe most would pick Linux or BSD over Solaris.

Re:

[Hewligan]

You do realise that in 1995 most of that sort of stuff was done on 64-bit computers like SGIs or Suns, right? Well, either that or a Mac.

Still, I'm sure both of Corel Draw's users thank you for announcing they're the only ones living in the real world.

Re:

[donaldm]

I can got back to 1982 and SUN, SGI and Apollo Domain (it's OS was sort of Unix like) were using high res graphics in the order of better than 1024x1024. They did cost though but when you consider MS-DOS was still tty with just floppy disks and had very few applications these Graphincal Workstations did have their uses especially in areas such as CAD/CAM and visualization.

Re:

[penix1]

Because the Microsoft security people are totally conservative when it comes to measuring risk, they assume that every one of these mitigations has been bypassed (or disabled), and measure vulnerabilities accordingly.

And that is a correct assumption to make. If a security "feature" can be bypassed or disabled, you can't make any other assumption. I firmly believe the biggest threat to Microsoft security is Microsoft itself. Policy from one section of Microsoft is fighting policy from another section. The se

You keep using that word

[Gothmolly]

I do not think that the word "security" means what you think it means.

Or, you're a FUD-peddler whose job it is to convince Gartner that you don't suck... I'm not sure.

New rating for new system?

[Jimbitz]

I can't believe someone known as microsoft security guru would make a statement like that.
An exploit is still an exploit. It doesn't matter if it's found in a brand new OS or the predecessor.

Thank god there are people who doesn't agree with him.

Re:

[GIL_Dude]

Well, I think the point would be something more like this:

A buffer overflow is found in lsasrv.exe. It's remotely exploitable on Win2k3 server and Windows XP and can run arbitrary code and doesn't require an account on the system (remote wormable). It's only locally exploitable on Vista, requires a local (even if low privileged) account to be logged on an run the code (possibly via social engineering - click here for SomeStarNaked.exe).

He's talking about the rating - a rating should be in relation to so

Re:

[shutdown -p now]

As I understand, what he's really talking about are all the new memory protection features Vista boasts which do indeed reduce the possibility of successfully exploiting something like a buffer overflow. So. in theory, a buffer overflow in IIS on Vista is potentially less dangerous than a buffer overflow in Apache on Linux.

Re:

[julesh]

Well, I think the point would be something more like this:

A buffer overflow is found in lsasrv.exe. It's remotely exploitable on Win2k3 server and Windows XP and can run arbitrary code and doesn't require an account on the system (remote wormable). It's only locally exploitable on Vista, requires a local (even if low privileged) account to be logged on an run the code (possibly via social engineering - click here for SomeStarNaked.exe).

To be fair, that's not the point. That would currently be rated Critica

Re:

[cnettel]

As quite a lot of organizations decide what patches to install, and when, depending on the ratings, it's not like they are pointless. By giving proper ratings, MS might get less of a crying wolf mentality for patch Tuesdays, and hopefully get the "right" patches widely deployed quickly.

Re:New rating for new system?

[rbochan]

Yeah, threat rating: "waaah... security is hard!"

Re:

[rbochan]

So is it safe if we relate him to a politician then?

No, because someone who does marketing is incapable of telling the truth, a politician can at least try.

This is not wise

[EXMSFT]

Don't challenge the hackers. It's great that Windows Vista has some built in low-level security protections. It's also great to see that Michael is discounting the significance of UAC. And he should - most people will wind up turning it off. But I think that attempting to say that Vista is fire retardant is most likely going to serve as a method to encourage hackers and script kiddies to try and set fire to it. Saying "because it's Vista means the exploit isn't as bad" is a horrible argument. It's an OS, and an exploit is an exploit.

In short I don't think Michael should assume. When you assume, well, you know.

Re:

[cerberusss]

In short I don't think Michael should assume. When you assume, well, you know.

Yes, we know. Assumption is the mother of all fuck-ups.

Re:

[earthbound kid]

Don't challenge the hackers.

Yeah, like how Apple made those "Get a Mac" ads about how OS X has less malware in the wild than Windows, but then when hackers heard about it...

*Crickets chirping*

Well, now the crickets are loud as hell. I assume we can blame this on the hackers somehow.

Re:

[nuzak]

Most viruses are exploited by organized crime nowadays, but someone has to discover the exploits in the first place. The motivations still remain for the various eccentric lone hacker genius types -- who are often well-paid by the organized crime types.

Who it really motivates are the white/grey-hat crowd who love to publicize a new exploit, and despite all the grumbling about disclosure, this sort of thing helps security in the long run.

I still have to remind people that the term "rootkit" didn't originate

Re:

[nuzak]

You've got a point. AV researchers have a lot of methodological research techniques, so I guess I shouldn't be surprised that the same amount of rigor goes into the opposition force. My thinking comes from an era where rigorous technical analysis is still something of a novelty in programming, so it's the leaps of insight or just single insanely-productive people that tend to come up with the best solutions (and attacks). I still think it's like that to a big degree, but you're right, malware creators ce

Re:

[Jesus_666]

Successful attacks on poorly secured systems are easy and thus cheap. Attacks on brand-new, supposed-to-be-secure systems are harder (= less common) and more actual, thus you can sell them for more, thus there is a higher incentive. Also, when users hear about how their system is so secure that its mere existence causes bugs to be rated down, they might become less vigilant in securing and patching their systems.

In any case, saying "Vista is so secure that we should care less about those bugs" sends all t

Re:

[Jesus_666]

s/actual/relevant/

A good sign of being tired is when you do click Preview but still only spot obvious errors after posting.

stop whinning and just....

[3seas]

...fix the bugs.

Re:stop whinning and just....

[rucs_hack]

They can't

Not because of anything so simple as crap coders or Microsoft being shit (lame reasons when there are so many others that can be justified with examples) . They can't because it's too complex, subject to too many attack vectors, and closed from peer review of code.

Time was this refusal to allow external entities to search for and fix bugs in their code was acceptable as normal business practice. Since Linux got more popular, people have started to see that peer review of code is superior when it comes to finding and fixing errors.

I'd be willing to bet that if Linux was closed source it would be as defective as Windows is. That it isn't testifies to the usefulness of open source/bsd style approaches.

Re:

[tuzzer]

I'd be willing to bet that if Linux was closed source it would be as defective as Windows is. That it isn't testifies to the usefulness of open source/bsd style approaches.

Something being closed source doesn't mean it can't be peer reviewed. We use peer reviews at my job all the time. The rule is you don't check your own code, others do. It helps. A lot.

Re:

[HiThere]

It does, however, meean that those who review it will be few in number, and will have a similar perspective. These are both strong indications that the peer-review is weak.

P.S.: Note that OpenSource programs with few developers interested in the code run into this same problem. Good peer review takes lots of eyes in multiple environments over an extended period of time. A structured code walkthrough just isn't the same thing. It helps, but it's not the same.

Re:

[rucs_hack]

Oh I agree. However I mean Microsoft don't put the code out there for others outside of Microsoft to review. Well they can't, it's 'proprietary', so this is kind of obvious.
That's their business model, it can't be helped.

Re:

[chef_raekwon]

We use peer reviews at my job all the time

yes, typically all development shops do. the difference, i believe, is 20 eyes vs 20,000 eyes. which would you prefer to make sure your code is bug free?

Re:

[Kalriath]

What are you talking about? Other companies than Microsoft DO have access to Windows source code. Most governments, as an example. Just because YOU can't get at the code, you can't claim that it can't be peer reviewed. With that attitude, the Windows users should feel fortunate that you don't have access to their source code.

Re:

[rucs_hack]

Other people who pay lots and lots of money or are required by law get access, but it is not for peer review and assistance with bug hunting, it's for customising aspects to work with their own applications, or tailoring applications to work with the existing code base.

Availability of code under these conditions is not comparable to an open peer review process.

Re:

[rucs_hack]

I'm not an OSS zealot (although I know the type of person you mean), I have four open and one closed source project (a game), and that isn't what I meant by open. I mean an open process where there is a free flow of information, not open source.

I dispute that what you describe amounts to a proper peer review process. In windows a bug may only become apparent when a piece of apparently bug free code accesses code from another portion of the windows tree. Vendors and so on mainly wouldn't have the entire tree

Re:

[Kalriath]

Indeed. But then, can we even say that such a process does not occur? There may well be something like what you describe, after all "Peer Review" does not necessarily entail outside peer review - nor even by your definition does "open peer review" entail outside organisation - but we just don't know what they do internally.

Re:

[Orion Blastar]

What? Do you know how much money it costs to fix the bugs? Wait until next year when they release the Vista SP1 update. The bugs are a low priority because they still have Vista Server to bring out.

Missing the point

[UnknowingFool]

Why is it that MS always misses this point: Secure is relative. Advocating that MS can be more lax in its procedures because Vista is more secure is like saying you don't need to train anymore because you didn't finish last in a race. Microsoft may have better security than its predecessors; however, that remains yet to be seen whether or not it is adedquately secure. Given the companies history of boasting about security and then failing to deliver, it would be best if they were conservative when it comes to security. Wasn't there a recent slashdot article on how OpenBSD had an its second security issue in a decade? Compared to that, Microsoft security is a joke.

Tired article on a stupid statement.

[lancejjj]

Microsoft's own bug hunters should cut Windows Vista some slack and rate its vulnerabilities differently because of the operating system's new, baked-in defenses, according to [Michael Howard, a senior security program manager in Microsoft's security engineering group] who is often the public persona of the company's Security Development Lifecycle (SDL) process.

Microsoft shouldn't have this guy as the "public persona" of security if he isn't 100% within both the security & public communications loops at Microsoft. "Vista" is supposed to be all about security. Why are they having this guy "chat" about it when he isn't a communications expert and when he isn't representing Microsoft's corporate opinion?

I'm sure we've all said a few things that were externalized "thought experiment" instead of "well thought out conclusions". And I think I can see how his line of thinking was going, although I disagree with his statement. And I wouldn't be surprised that in hindsight he disagrees with his own statement.

Microsoft has inadvertently set this guy up as a fall guy by anointing him as a semi-official spokesperson. Hopefully he won't find himself on the street due to what is a failure of his management.

Obligatory

[dkleinsc]

You are trying to cover your own ass. Cancel or Allow?

That's a hard one.

[pilsner.urquell]

Lets see, Microsoft has been selling crap all these years and now wants to be cut some slack? Yea, right.

A little late for that...

[Jasin Natael]

By this logic, then, shouldn't most of the bugs for Linux and OSX have been rated as "relatively unsafe", while the Windows bugs were almost universally labeled "Über-pWnz0r3d"?

It seems like he wants this just so he can compare turds to turds, boosting the sales of Vista by saying the Windows 98 and 2000/XP bugs of yesteryear were worse because the same bug is arguably less severe under Vista. It may be true, but he should hope that if anyone takes him seriously, they don't start rating severity relative to similar bugs in competing products.

Be careful what you wish for...

softer...

[beando]

Vista making microsoft became microsofter...

It would seem..

[ChePibe]

That Mr. Howard has yet to come to the sad realization [apple.com] that the rest of the Vista-using world has...

In my defense...

[ChePibe]

This was actually intended as a joke. I suppose I should have added a smiley face or something.

Re:

[account_deleted]

Comment removed based on user account deletion

Awww

[Centurix]

They're hurting your feelings, come here and rest on my man boobs. There there, that's better isn't it mr security person. What, they're not as soft and comfortable as your moms boobs? Excuse me, I'd like you to rate my boobs better than that, after all, I am a MAN!

Threat Down: Vista?

[voice_of_all_reason]

At least this will let bears retake their proper spot at #1.

Calling Dr. Howard

[Locutus]

For some reason, this guy reminds me of one of the "Three Stooges".

"Calling Dr Howard, Dr Fine, Dr Howard"...

Maybe it's because he needs a brain transplant. ;-)

LoB

A new car

[Ec|ipse]

That's like buying a new model car and the dealer saying, "Sorry it just keeps stalling on you, but it's a newer model and were still working out all the bugs. In the mean time, here's a coupon for a free oil change, just don't complain to loudly."

Of course!

[RMingin]

Obviously any Vista security bugs should be rated less severe... I mean, nobody's running that OS, right? Minimal impact!

An interesting response

[Trelane]

From a Red Hat hacker [awe.com]

baked in?

[DragonTHC]

in Linux and Unix and Mac's BSD, what's higher than root?

in Microsoft Vista, what's higher than administrator?
    root
          superroot
                supersuperroot

that's right, there are three privilege layers above administrator in Vista.

users cannot access those, but software can.
"Oh, you're a process, here's the keys!"
"Oh you're a user? You want to access your computer, confirm or deny?"

Re:baked in?

[pallmall1]

that's right, there are three privilege layers above administrator in Vista.

Do they have to press a button to get to ludicrous root?

OS bakers poem

[bl8n8r]

wake-n-bake lets all take
a look at microsoft half-baked
hit the bong and sing this song
windows got security wrong
Around we go with disclosure fud
Michael Howard please pass the bud

I think MS needs to talk to a lawyer

[SmallFurryCreature]

Simple send each and every person who works for the company in anyway to a lawyer and tell the obey the first rule.

SHUT THE FUCK UP

Just stop talking, do NOT say anything, remain silent.

MS just can't do that and keeps blurting out things that make it seem extremely silly indeed.

This latest claim is like saying that a grease fire in your kitchen isn't dangerous if you live near a firestation. That getting shot through the chest isn't as much a of a hassle and shouldn't count as an attempt on your life because you happen to be in a emergency room.

A bug, is a bug, a security hole is a security hole. That they are even rated is already bad enough. They should have just one variable "fixed" wich is a boolean.

Claiming that a so called critical bug isn't as severe because the unproven untested OS it runs on has some safety measures, which by the way have been programmed by the same people who programmed the bug, is not exactly raising my opinion of MS.

Had they simply listened to the lawyer they would have kept their mouth shut and not dropped another notch in my estimation.

Perhaps it is all part of a cunning plan with them hoping that humans like computers suffer from wrap around and if they lower my opinion far enough it would wrap around to positive again.

or they are stupid.

But I liked the end, unless Vista picks up it will receive the same non-attention as OS-X, now that gotta smart.

They want to do something about security?

[argent]

The first thing Microsoft needs to do to get ANY credibility at all where security is involved is to take immediate and rapid steps to eliminate the role of the HTML control as an element of the security system.

That means getting rid of "Security zones". All documents displayed by the HTML control must be considered "untrusted".

To do this, start by getting rid of the ability for documents viewed in the HTML control to request the use of ActiveX objects, since no documents are considered trusted, ActiveX can't be used anyway.

At the same time, provide a mechanism like IO Slaves for applications to install controls... a mechanism that can not be requested by a document.

Modify Windows Explorer and Software Update to use this application-controlled mechanism to install components into the HTML control.

Create an IE shell that installs an "ActiveX IO Slave" to restore the existing behaviour. This shell will display windows with some visual indication that they are untrustable and dangerous. Users who acually require this functionality during the transition can run the "Insecure IE" shell.

In the next major release of Windows, remove that component.

BTW, this is the guy who lectures MS devs on secur

[melted]

BTW, this is the guy who lectures MS devs on security and likes to point out how insecure Linux is compared to W2K3. He's living in a bubble, which is fine by him as long as he gets a paycheck. To be fair, most of what I heard him say was sound advice, if overly verbose. I wish he wouldn't degrade himself to a bullshit robot when talking about Linux and Vista, though.

Conservative?

[julesh]

"The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity"

Err, right. So if they're so conservative, how come they'll rate a remote code execution bug as "moderate" if the code is run in a restricted context (see, e.g. http://www.microsoft.com/technet/security/Bulletin /MS06-013.mspx [microsoft.com] - particularly the DHTML bug)?

we're not in seond grade anymore

[v1]

you no longer get a good grade for trying.

RESULTS are all that matters in the real world. I don't care how hard you're trying to make my fries, if you stil burn them, you SUCK.

It's Simple - This is the "new" Microsoft spin

[Master of Transhuman]

Vista is going nowhere, so now they trot out some bozo to say that Vista security problems won't be as bad as XP's.

Then they also had some Microsoft bozo post on his blog that he was going to compare vulnerabilities - actually, not even vulnerabilities but FIXES - between OS's - using the same discredited methodologies they've been using since forever. Naturally Windows came out ahead. He even tried to head off criticism by admitting he was a Microsoft bozo. Naturally, that didn't work.

In other words, Microsoft is trying to spin Vista's failure to be a "Windows security cureall" - especially since OneCare has been a PR nightmare by failing antivirus checks and then deleting users Outlook email files.

It's just another pathetic Microsoft pack of lies.

Remember, folks: ANYBODY authorized by Microsoft to talk to the public is a LIAR.

Microsoft does NOT sell software. It sells LIES.

Vista as secure is OS X?

[dilvish_the_damned]

"The limited pickup of Vista installs [means that] until Vista is more popular, it will enjoy the same limited attention from hackers as OS X"

He should know by now that its not the install base of OS X, its that the hacker bullies only pick on those that cry.

Agree, kinda

[bobdehnhardt]

On one level, this makes sense. A vulnerability should be judged by the risk it poses to the system, and security tools and settings can, in some cases, mitigate the risk and should be factored in. So on the surface, rating cross-Microsoft-platform vulnerabilities differently for Vista than XP makes sense, if Vista's security measures in their default or most common configuration are a truly effective mitigation for the vulnerability.

The crux of the matter is determining if the security measure is effective

Half-baked defenses

[Jesus_666]

"UberWormz0r.exe has been terminated due to the system being too stoned to understand what an 'msvcrt.dll' is or where to find one. Sorry, dude."

Hey, at least you can't say it's not innovative.