
Windows Vista still Rife with Insecure Code

Posted by Zonk
from the rife-i-say dept.
osxpetition writes "As noted in a News.com article, Symantec researchers have been testing the latest Microsoft Windows Vista build (Beta 2), and have found that the code is 'complete with new corner cases and defects' in the networking component. Symantec describes how Microsoft scrapped the old networking stack code from Windows XP in favour of newer, rewritten code. 'Microsoft has removed a large body of tried and tested code and replaced it with freshly written code.' Since January 2002, Microsoft has put a stronger emphasis on protecting PCs by attempting to implement stable, secure code into Windows XP and their new operating system. This latest report from Symantec brings attention to Microsoft's trustworthy computing campaign, and shows how it will be a long way before it is ready for the mainstream."

  • beta (Score:3, Insightful)

    by baldass_newbie (136609) on Tuesday July 18, 2006 @01:26PM (#15737912) Homepage Journal
    It is still beta, right?
    • Re:beta (Score:4, Funny)

      by creimer (824291) on Tuesday July 18, 2006 @01:35PM (#15738007) Homepage
      No, it's the super-alpha-beta-gold-release-candidate build.
    • Re:beta (Score:2, Insightful)

      by Alkrun (960306)
      I wonder... if the same report was written about a 2.[Odd] version of the Linux Kernel that was 6 months away from release would the title of the /. article be quite so harsh? Of course not. But this is /. where penguins rule the skies.
    • Re:beta (Score:3, Funny)

      by jocknerd (29758)
      Yes, but once it's released, then the buggy code from the beta miraculously fixes itself because Microsoft would never let buggy code get shipped.
      • Re:beta (Score:5, Informative)

        by CaymanIslandCarpedie (868408) on Tuesday July 18, 2006 @03:59PM (#15739155) Journal
        FTA: Symantec researchers put the networking technology in Vista under a magnifying glass to determine its exposure to external attacks. The team said it found several flaws in build 5270 of Vista and even more in earlier test versions. However, these were all fixed by Microsoft in build 5384, the version of the operating system that was publicly released in May as Beta 2.

        For those too lazy to read the article, all it really says is: we found a few issues in early releases of Vista. They've already all been fixed by Beta 2, but we are guessing there are probably more.
  • Too secure! (Score:5, Funny)

    by eth00 (612841) on Tuesday July 18, 2006 @01:27PM (#15737927) Homepage
    They figured out that the old network stack was starting to get too secure and not something they could live with! Not wanting to break the trend of security problems they went ahead and rewrote the code from scratch.
    • Fun-factor (Score:3, Funny)

      by Valacosa (863657)
      I'll bet the code got re-written from scratch because it's more fun and sexy to write new code than to fix problems in old code - and this time, dammit, it'll get written right!

      (I can't take credit for the thought. JWZ says it somewhere on his site, though I don't have the time to find it.)
      • Re:Fun-factor (Score:5, Insightful)

        by cnettel (836611) on Tuesday July 18, 2006 @03:00PM (#15738728)
        To be fair, the original design of NT networking was focused on IPX and NetBEUI. The bandwidth was 10 Mbit. If you routed in several steps, you didn't expect minimal latencies. You were also supposed to kind of trust the traffic on the network (no SYN attacks or stuff like that.) IPv6 on current Windows versions still has "it will kind of work" status. You don't start with MS-DOS and end up with XP. You end up with Me. Rewriting something because the old version is broken is highly unwise. Rewriting something because the old version is inappropriate for what you currently use it for might make sense. I remember the JWZ article and he talks about all the hidden assumptions you've found through hard work and how those are an essential value in the current codebase. If enough of those assumptions are not true anymore, it can make sense to rewrite something.
        • Re:Fun-factor (Score:4, Interesting)

          by Foolhardy (664051) <csmith32NO@SPAMgmail.com> on Tuesday July 18, 2006 @04:15PM (#15739275)
          Just to be clear, NT has always supported TCP/IP. In fact, KB article Q12823 [microsoft.com] compares available protocols circa NT 3.1 and 3.51.

          From the October 2000 MSDN magazine, "Windows Sockets 2.0: Write Scalable Winsock Apps Using Completion Ports" [microsoft.com]
          Unlike some other operating systems, the Windows NT and Windows 2000 transport protocols do not have a sockets-style interface which applications can use to talk to them directly. Instead, they implement a much more general API called the Transport Driver Interface (TDI). The generality of this API keeps the subsystems of Windows NT from being tied to a particular flavor-of-the-decade network programming interface. The Winsock kernel mode driver provides the sockets emulation (currently implemented in AFD.SYS). This driver is responsible for the connection and buffer management needed to provide a sockets-style interface to an application. AFD.SYS, in turn, uses TDI to talk to the transport protocol driver.
          Ironically, it's TDI that's being replaced for something more sockets-like.

          I think this is yet another example of Microsoft not understanding code that was previously written by someone no longer available, causing the new developers to misunderstand the original design, who then feel the only option is a rewrite. I've yet to hear any technical comparisons between TDI and "Next Generation TCP/IP", showing how the TDI architecture could never do those things. I bet TDI can support these new features with some new code, but it just wouldn't be as glamorous that way.

          To adapt an old saying about LISP and UNIX, "Those who fail to understand NT are doomed to reimplement it. Poorly"
  • And we... (Score:4, Insightful)

    by vwjeff (709903) on Tuesday July 18, 2006 @01:27PM (#15737930)
    have a solution that will "protect" you.
    • I understand, that is the way 3rd party business creation works.

      Ms will fix its worm problems and as a compensation the antivir guys get a new insecure IP stack.
  • by giorgiofr (887762)
    I would like to know if the so-called shatter attack still works in Vista. If it does, no amount of privilege limitation can help you.
    • by kevin_conaway (585204) on Tuesday July 18, 2006 @01:34PM (#15738002) Homepage
      I would like to know if the so-called shatter attack still works in Vista. If it does, no amount of privilege limitation can help you.

      Since you didn't provide any useful context to your question, allow me. From here [biznix.org]:

      Chris Paget says there is an irreparable hole in Win32. Any application can send a message to any window on the same desktop regardless of whether or not the window is owned by the application, and there is no authentication mechanism to prevent this from happening. Paget has published a white paper describing a "shatter attack" which allows an attacker to gain control of a system by elevating his or her privileges. Microsoft says this does not fit their criteria/definition of a security vulnerability.
      • by A beautiful mind (821714) on Tuesday July 18, 2006 @01:42PM (#15738071)
        Microsoft says this does not fit their criteria/definition of a security vulnerability.
        Technically, it is true, since it is a grave design error. The impact is much worse though, as it is not something that can be easily fixed. They missed the boat again with Vista.
        • Actually, it is not a "grave design error". A properly designed service should have no window handlers in the privileged process, and should communicate with any other process through a shared memory interface. The desktop is the security boundary on Windows for window messages, not the window.
          • Even if running as an unprivileged user, doesn't windows offer a bunch of system notification stuff in the taskbar?
            Are any of those running as privileged, or communicating with the system services in an unsafe manner?
          • Actually, it is not a "grave design error".
            Yes it is [wikipedia.org]. Quoth:
            A shatter attack takes advantage of a design flaw in Windows's message-passing system whereby arbitrary code could be injected into any other running application or service in the same session, that makes use of a message loop.
            • Ah, so a wikipedia article proves that it's a design flaw in Windows?

              In that case, I'm going to post a wikipedia article stating that you're a midget. It's gonna be tough living out the rest of your life as a little person.

              "Design flaw" suggests that they didn't consider this scenario. This is false. They absolutely did consider this scenario and decided it was still a good decision due to the performance implications. The developer documentation clearly warns against displaying high-priv GUI on a low-priv de
              • Ah, so a wikipedia article proves that it's a design flaw in Windows?

                Clever dodge, but can you refute the quoted statement?

                That's OK, we'll wait.

                -jcr
                • It has been fixed (Score:5, Informative)

                  by CalTrumpet (98553) on Tuesday July 18, 2006 @02:39PM (#15738566)
                  Microsoft has put a significant amount of work into creating USER/GDI messaging passing barriers between the new Vista integrity levels. This feature is called UIPI and mostly works in the betas.

                  BTW, almost no Microsoft written applications are still vulnerable to shatter attacks on XP. This is mostly an issue that still hits ISVs because they don't understand the problem.
                  • Re:It has been fixed (Score:3, Interesting)

                    by Compholio (770966)
                    BTW, almost no Microsoft written applications are still vulnerable to shatter attacks on XP.

                    You can exploit a buffer overflow by changing the name of the stupid "Start" button! There are PLENTY of MS applications on XP that are vulnerable to this attack.
              • by kimvette (919543)

                Ah, so a wikipedia article proves that it's a design flaw in Windows?

                The fact that it's on Wikipedia does not automatically mean it is false or quackery. Don't be so quick to write off Wikipedia on every subject - if in doubt, check the sources. Much, if not most, of Wikipedia's content is actually quite good. Just be willing to check the cited works in the footnotes, or verify against other, more authoritative sources. For a free up-to-the-minute encyclopedia, one cannot get anything much better than Wiki

            • by Keeper (56691)
              The reason why it isn't considered a security flaw is that you can only send messages to windows that are in your current desktop session -- ie: you can't gain privileges that that user doesn't already have. Or put another way, whatever you sent via window messages could have been done in the calling process.

        • I don't necessarily agree with you. I have a commercial app out there that relies on this functionality - for good reason.

          The application I do this to does provide an API for remote control, but they left out some obvious things. They are not going to add them in, so I take control of their window. Works a treat.

          Point is, it's not a design flaw. It's damn useful.

          However it should be secured in some way - so as a suggestion, have the OS pop up a window: "app A is trying to send messages to or control app B, is t
      • Hush! Don't wake them, this is my hope against treacherous computing!
    • by NutscrapeSucks (446616) on Tuesday July 18, 2006 @01:38PM (#15738049)
      Shatter attacks are a configuration error, not an OS issue. They are roughly similar to running xterm as root on Unix and then complaining that users can execute root commands.

      But apparently Vista has entirely removed the idea of an "interactive service", so they won't work. Info here: http://blogs.msdn.com/larryosterman/archive/2005/09/14/466175.aspx [msdn.com]
      • How is a shatter attack a configuration error? Any application can send a windowing message to any other. Period. No configuration or security setting can prevent it. The windowing system is most certainly a core component of Windows, making it an OS design flaw.
        • I think what he means is that secure processes shouldn't be accepting windowing messages (i.e., shouldn't be running privileged code in their event handlers).
        • by NutscrapeSucks (446616) on Tuesday July 18, 2006 @02:00PM (#15738225)
          How is a shatter attack a configuration error? Any application can send a windowing message to any other.

          The security model is built on "window stations" -- If you put a privileged window into an unprivileged window station, then you have made a configuration error. Period.

          The author of the paper stated that *nix/X11 is just as vulnerable to these types of attacks, BTW, so *nix is just as irrevocably mis-designed as Windows. The only difference is that *nix programmers are smart enough not to write interactive software that runs as root.
    • Shatter attack (Score:5, Informative)

      by Kadin2048 (468275) <slashdot@kadin.xoxy@net> on Tuesday July 18, 2006 @01:44PM (#15738092) Homepage Journal
      I had never heard of such a thing before (actually, initially I thought you were just punning on Windows + 'shattering', har har).

      It would seem that Vista allegedly fixes the design flaw that allows for the attack, by not running system services in the same session as the user. At least, that seems to be what the Wikipedia article on the topic [wikipedia.org] is suggesting.

      The key to shatter attacks is that Windows allows processes running in the same session to pass messages between each other, the result of which is that via code injection, any process can escalate up to the level of the highest process also running in its session. MS is quoted in the article as saying "[This is not] a flaw in Windows. In reality, the flaw lies in the specific, highly privileged service. By design, all services within the interactive desktop are peers, and can levy requests upon each other. As a result, all services in the interactive desktop effectively have privileges commensurate with the most highly privileged service there." (Which is amusingly doublespeak-ish; they're saying "this isn't a design flaw, we designed it that way!")

      This blog post by a member of the IE7 team [msdn.com] would confirm that they've at least tried to address this in Vista (but of course that's what you'd expect them to say). It says: "User Interface Privilege Isolation (UIPI) blocks lower-integrity from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages or hook or attach to higher priority processes. This helps protect against "shatter attacks." A shatter attack is when one process tries to elevate privileges by injecting code into another process using windows messages."

      Yet another nice legacy "feature" from the single-user-OS days.
    • by ThinkFr33ly (902481) on Tuesday July 18, 2006 @02:16PM (#15738363)
      This "shatter attack" has been known about and acknowledged for MANY YEARS. (Long before the 2002 paper cited in this thread.) Every once in a while people will bring it up as proof that Windows has design flaws.

      This was a design decision with known trade-offs. Attaching security tokens to window messages would result in MAJOR overhead that would, even on today's beefy hardware, kill performance. Having to do a permissions check every time the mouse is moved is not feasible.

      So Microsoft decided that they would rely on "best practices" information as opposed to enforced security in the OS to prevent "shatter attacks". The best practices are pretty simple: If your service/application is running with elevated permissions (such as SYSTEM), do not display a GUI on a desktop owned by a lower privileged user.

      There have been examples of applications, in particular some poorly written anti-virus applications, that liked to display GUIs to the user despite the fact they were running as SYSTEM. For the most part, however, very few major applications exist today that have this issue.

      Applications that run with high privs that need to display a GUI typically launch their GUI with the privs of the user, or display the GUI on a secure desktop. (Like Winlogon.exe.)

      This is really a non-issue and hasn't been for a very long time. Please, ignore the FUD.
      • Please, learn about the Network DDE service. Thanks.
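
Added example, not part of any comment above and not Microsoft code: a small Python model of the two rules argued over in this sub-thread, the desktop as the only window-message boundary (the behaviour Microsoft is quoted describing) versus the UIPI rule quoted from the IE7 team blog. The window inventory, the process name `example_av_ui.exe` and the reduction of UIPI to a single integrity comparison are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):
    """Vista integrity levels, ordered lowest to highest."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    SYSTEM = 4


@dataclass(frozen=True)
class Window:
    process: str          # owning process
    integrity: Integrity  # privilege rank of the owning process
    desktop: str          # window station\desktop the window lives on


def can_send(sender: Window, receiver: Window, uipi: bool) -> bool:
    """Decide whether a window message from sender reaches receiver.

    Without UIPI the desktop is the only boundary: any window on the same
    desktop is a peer. With UIPI (simplified here to one comparison) a
    lower-integrity sender cannot message a higher-integrity receiver.
    """
    if sender.desktop != receiver.desktop:
        return False
    if uipi and sender.integrity < receiver.integrity:
        return False
    return True


def reachable_level(window: Window, inventory, uipi: bool) -> Integrity:
    """Highest integrity level among the windows this window can message.

    This is the "privileges commensurate with the most highly privileged
    service there" statement, computed per window.
    """
    return max(w.integrity for w in inventory if can_send(window, w, uipi))


def upward_paths(inventory, uipi: bool):
    """Audit: list (sender, receiver) pairs where a less privileged window
    can message a more privileged one. Each pair is a place where a
    privileged GUI is exposed to a lower-privileged peer."""
    return sorted(
        (s.process, r.process)
        for s in inventory
        for r in inventory
        if r.integrity > s.integrity and can_send(s, r, uipi)
    )


# Constructed inventory (not taken from a real system).
BROWSER = Window("iexplore.exe", Integrity.LOW, r"WinSta0\Default")
NOTEPAD = Window("notepad.exe", Integrity.MEDIUM, r"WinSta0\Default")
# Hypothetical SYSTEM service that shows its GUI on the user's desktop,
# the practice the comment above says to avoid.
AV_UI = Window("example_av_ui.exe", Integrity.SYSTEM, r"WinSta0\Default")
# SYSTEM GUI kept on its own secure desktop.
LOGON = Window("winlogon.exe", Integrity.SYSTEM, r"WinSta0\Winlogon")

INVENTORY = [BROWSER, NOTEPAD, AV_UI, LOGON]


if __name__ == "__main__":
    for uipi in (False, True):
        label = "UIPI on" if uipi else "desktop-only boundary"
        print(label)
        for sender, receiver in upward_paths(INVENTORY, uipi):
            print(f"  exposed: {sender} -> {receiver}")
        for w in INVENTORY:
            level = reachable_level(w, INVENTORY, uipi).name
            print(f"  {w.process}: reaches up to {level}")
```

In this model `winlogon.exe` is never listed as exposed under either rule, because nothing less privileged shares its desktop.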
  • Windows still buggy? What's next, "Sun has risen again this morning"?
  • by Anonymous Coward
    Symantec products will secure it right up! How convenient!
  • Is this news? (Score:3, Insightful)

    by brennz (715237) on Tuesday July 18, 2006 @01:28PM (#15737941)
    Marketing deadlines always trump everything else, except for OpenBSD and maybe Linux kernels. Curiously, both have dominant but benevolent personalities in charge......
  • However (Score:5, Insightful)

    by also-rr (980579) on Tuesday July 18, 2006 @01:30PM (#15737958) Homepage
    This may not be a bad thing.

    I am much happier with well laid out, structured and simple code that has X rate of defects than well polished over the years, old, cruddy and complex with X rate of defects because with the former:

    Fixes will be faster.
    Fixes will be easier/cheaper.
    Fixes will be possible!
    Bug fixes will have less chance of introducing new bugs.

    Given time we can then be sure that we will end up with... err well polished over the years, old, cruddy and complex. But it probably won't be as bad as if the process never happened in the first place.
    • Re:However (Score:4, Informative)

      by Goalie_Ca (584234) on Tuesday July 18, 2006 @01:33PM (#15737993)
      Because it's much easier to fix a square wheel than a round one!
    • Re:However (Score:5, Insightful)

      by Yohimbe (17439) on Tuesday July 18, 2006 @01:43PM (#15738085) Homepage
      Actually the old code might be better. And I don't defend blindly.

      It has been my repeated experience that "Cruddy and complex" code is that way because the problem space is cruddy and complex and that's what bugfixes do to code.

      You throw out that complexity and you throw out accumulated knowledge. I have yet to see a second system or third or fourth that managed to keep the bugfixes of the previous system. These issues return and they are accompanied by new ones.

      In this case there might be a reason to throw out this particular baby with this particular bathwater: the only thing that new code gives you is resident experts on the new code. If you have staff turnover (Which MS always does), they may have already lost the resident experts on the previous design.

      So that brings up the next point: MS may now be jumping its proverbial code shark: They've not increased in price in 3 years: stock options are worthless, they're losing people, and the hardware vendors are saying "When are you going to get us a decent 64 bit system?". They can't seem to ship secure code and now they throw out working subsystems, possibly because they've got a brain drain. MS owns the office market, but they're starting to really fall behind in shipping modern security at the OS level.
      • Re:However (Score:4, Informative)

        by aneurysm36 (459092) on Tuesday July 18, 2006 @02:43PM (#15738611)
        another supporting opinion on this subject
        http://www.joelonsoftware.com/articles/fog0000000069.html [joelonsoftware.com]
      • Re:However (Score:3, Interesting)

        by Tim (686)
        It has been my repeated experience that "Cruddy and complex" code is that way because the problem space is cruddy and complex and that's what bugfixes do to code.

        Yes, yes. Cruddy and Complex code is cruddy and complex because it needs to be cruddy and complex (not because it was hacked together on an impossibly short schedule, or written by a novice developer using a fundamentally bad design. Or both.) And you should never rewrite code. Ever (except when you should).

        There are no absolute rules in software
  • So (Score:3, Insightful)

    by kevin_conaway (585204) on Tuesday July 18, 2006 @01:31PM (#15737966) Homepage

    So they're saying that beta software still has bugs in it?

    I don't think it's particularly fair to be making these public accusations at this time. I'm sure the developers appreciate the testing, but an article to CNET seems a little too much.

  • "Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects," the researchers wrote in the report, scheduled for publication Tuesday. "This may provide for a more stable networking stack in the long term, but stability will suffer in the short term."

    On the one hand, you can see their point. The XP code has become more mature and has all the latest fixes and is more or less stable, as Windows goes. On the other hand, t

    • Re:Mistake? (Score:3, Interesting)

      by aymanh (892834)
      I was going to moderate but after reading your comment, I decided to reply. Why are you assuming that it's not possible to write secure code from the start? The networking stack is a vital part of an OS's security, can't MS fork enough resources to create a relatively secure networking stack for Vista?

      Crackers will become familiar with Vista's net stack sooner or later, either by reverse-engineering the new not-so-secure stack, or by utilizing their familiarity with the XP stack (in case MS didn't replace it).
      • Why are you assuming that it's not possible to write secure code from the start? The networking stack is a vital part of an OS's security, can't MS fork enough resources to create a relatively secure networking stack for Vista?

        That's not my assumption at all; given Microsoft's track record however, you have to wonder if that will be the case. Symantec is saying it isn't based only on their review of the beta software, but you can't take that as gospel, anymore than you can accept MS's assurances that Vi

  • Outrage! (Score:5, Funny)

    by Kesch (943326) on Tuesday July 18, 2006 @01:31PM (#15737970)
    'Microsoft has removed a large body of tried and tested code and replaced it with freshly written code.'

    How dare they! Just when I know all the exploits in the old code, they make me go and have to discover all new bugs in their new code. Being a hacker is hard some days...
  • by Ryan C. (159039) on Tuesday July 18, 2006 @01:37PM (#15738031)
    OK, so Symantec makes money selling products that patch up problems with Windows OSes. Microsoft is trying to put them out of a job. I'm not saying Vista is really achieving this goal, but what sort of report did you expect from Symantec? "Wow, this Vista really makes our products unnecessary"!

    FUD. At least they learned Microsoft's greatest marketing strategy.

  • and shows how it will be a long way before it is ready for the mainstream
    In other words, wait until at least SP2 is released before even thinking about upgrading. That's how I read it anyway.
    • Another way of saying it
      (Score:0, Troll)
      by Aqua_boy17 (962670) on 07-18-06 10:37 (#15738032)

      and shows how it will be a long way before it is ready for the mainstream

      In other words, wait until at least SP2 is released before even thinking about upgrading. That's how I read it anyway.

      Hey, you're not supposed to mod people "troll" when you don't agree with what they say. It means they don't agree with what they say. And anyone who actually has experience maintaining windows knows that it's not wort

  • by Bill_the_Engineer (772575) on Tuesday July 18, 2006 @01:38PM (#15738046)

    Isn't it in Symantec's best interest to generate demand for their product by creating uncertainty when it comes to OS security? They did this to linux too...

    Granted Microsoft may be using new code, but that doesn't necessarily mean it's more insecure than the current network stack.

    Let's see what the non-beta software looks like, and see what an independent lab reports.

    Bill

  • So, Symantec, let's see the vulnerabilities you claim to have found.

    Oh, you have none? It was just fearmongering to scare people into buying your products? I'm shocked, I tell you. Shocked!

    This would be half as funny if Symantec products didn't open more holes than they close.
  • I'm thinking Symantec is feeling the heat from Windows defender. Once people have that, a large number of people will probably be too unconcerned or too lazy to bother installing a different virus program. Symantec cannot be trusted for a neutral view (NPOV comes to mind).
  • "Friedrichs noted that in the Linux networking stack, vulnerabilities and stability issues continue to surface well over five years after it was first released."

    And about vista's new stack "This may provide for a more stable networking stack in the long term, but stability will suffer in the short term."

    I think the report overall is positive for Vista. ANYONE who expects a new OS to come out bug free is a fool. Unfortunately, on CNET as on Slashdot, a positive microsoft article isn't news, thus the SPIN.
  • We all know that from Windows NT up, they used the BSD TCP/IP stack. And it's usually not the TCP stack that is vulnerable, it's the next layer up that doesn't/can't handle what TCP brings in. So why did they throw it out and re-write it? It was one of the only pieces that made Windows semi-stable on a network and made it server-worthy. It was also pointed out that the MS implementation of the TCP/IP stack was the slowest stack around in the late 90's (I don't know about now). OS/2, Linux and even DOS had a
  • I program professionally and I've looked over some BSD & Linux code and quite frankly it is a lot more involved than what I do. So I guess I shouldn't complain but jumping Jesus H. Christ if the BSD guys can do it with the resources they have, how is it that a company the size of Microsoft can't make this work?
    • As I mentioned elsewhere, if I had a few billion dollars and five years I think I could come up with a decent OS. I would probably go find an orphaned closed-source UNIX os (IRIX?) and graft a windows UI on top and then use virtualization to maintain backwards compatibility. Security problems, memory problems, clustering problems: gone overnight. Then spend the rest of the money getting exchange and active directory running and writing drivers.
    • DARPA paid for the BSD TCP/IP stack waaaay back in the day.
    • Well, no it isn't. (Score:3, Interesting)

      by jd (1658)
      The network stacks that exist for, say, BSD and Linux are rather more convoluted than I would have thought necessary. I believe they could be made a lot simpler and faster, without sacrificing one iota of capability, flexibility or configurability. In fact, there may well be areas where reducing complexity will increase flexibility. That happens.

      It should be very easy to build a networking stack for Windows (or any other OS) that is bullet-proof, compact and fast, because it's not a particularly complex pie

  • Well, the funny part is that, with TCPA and DRM built core-deep into Vista, we can only hope for insecure code...
  • by PurifyYourMind (776223) on Tuesday July 18, 2006 @01:59PM (#15738216) Homepage
    I work as a tester at a large, well-known tech company. I started using Vista back in February of this year, and I've used one of the latest versions, 5474, recently. Here are the changes I've seen:
    • Improved graphics (more complete icon set, fancier installation and login graphics, nicer titlebar look on non-3D capable systems)
    • More stability in general (some blue screen bugs I've reported have gone away with later versions)
    • More gadgets in the sidebar
    • A bit faster for file copies, file searches work a lot better -- file searching wasn't working at all at one point
    So... I'm still skeptical of their early 2007 predicted time frame, but it's definitely been getting more polished over the months.
    • I work as a tester at a large, well-known tech company. I started using Vista back in February of this year, and I've used one of the latest versions, 5474, recently. Here are the changes I've seen:
      [better graphics, crashes a bit less, more widgets, file copying is a bit faster]

      Sounds like it was really worth spending more money than the Apollo programme on then!

      Rich.

    • I think the early 2007 one is going to be some sort of "Vista ME" to business customers they're now saying Q4 2007, which is I guess when the non-beta will be sold to the public.

      Never buy a 1.0 product from Microsoft.
    • Eyecandy. (Score:3, Insightful)

      by jotaeleemeese (303437)
      The discussion is about security kid, we all know that MSV is going to be shiny, have new colorful icons and have a nice wallpaper.
  • by SloppyElvis (450156) on Tuesday July 18, 2006 @02:01PM (#15738235)

    people should understand the ramifications of a virgin network stack

    Oh man! I can't even begin to think of a joke worthy of that setup...
    • people should understand the ramifications of a virgin network stack

      By the time the average person gets a shot at this network stack it will about as "virgin" as Madonna!

      BTW, saw her in concert live in Chicago... kick some major ass she does!
  • "Symantec describes how Microsoft scrapped the old networking stack code from Windows XP in favour of newer, rewritten code."

    Yeah, I imagine it really irked them, having to include that mention of BSD in their credits. Networking code written in-house by Microsoft Software Engineers should be WAY more secure.

    Hmm... I wonder if anyone over there, even for a moment, talked about "extending" TCP/IP? Or maybe IPv6-MS?

    I kid, I kid...

  • by nbannerman (974715) on Tuesday July 18, 2006 @02:03PM (#15738250)
    Ok, I run a network in education, but I can imagine Network Managers banging their heads into walls already. I think I've got my network locked down enough to cover most of the bases, but seriously, can anyone really say they are looking forward to rolling out Vista across an entire network? I understand network / computer security companies have a vested interest in showing there is a need for their product, but they are not the only ones suggesting Vista is going to be a nightmare.
  • Windows Vista still Rife with Insecure Code

    See what happens when you constantly tease it? Now it's got an inferiority complex. You people should be ashamed.
  • Has anyone else noticed that Vista is stripping away some of the old keyboard shortcuts? Maybe it's just a beta thing, but I've noticed, for example... you used to be able to hit CTRL-ALT-DEL and then "T" for Task Manager. Now it seems you have to add at least an extra ALT (ALT-T) to get it. Also tabbing within Explorer windows is bringing up the menus for me instead of tabbing through panes. Especially for people that suffer from RSI--i.e. the mouse is best avoided--this is a real pain.
  • The old stuff had so many holes we stopped counting. Based on BSD stuff that had been around since the early '90s, Microsoft had to change the stacks.

    The new provider modules are a step ahead of what they'd been using. This is what Symantec is mad about: being left out of the anti-virus and spyware game. Look to see that Microsoft also purchased Win/Sysinternals today to see what else motivates Symantec. Their cash cow, a flea-bitten operating system-- might just work for a change.

    But I doubt it.
  • Emphasis (Score:2, Insightful)

    by tonyr1988 (962108)
    Since January 2002, Microsoft has put a stronger emphasis on protecting PCs by attempting to implement stable, secure code into Windows XP and their new operating system.
    Why haven't they been ALWAYS using stable, secure code?

    They've been too busy with cool stuff [softpedia.com].
  • FUD? (Score:3, Insightful)

    by Jugalator (259273) on Tuesday July 18, 2006 @06:11PM (#15739971) Journal
    Windows Vista still Rife with Insecure Code

    So, point me to the place in the article which says something is still rife with insecure code?

    Well, of course, there'll be security holes in Vista too, like most other OS's, but I'm not sure that's what the article means? It seems someone somewhere has come to the conclusion that there are still major problems with it and I just, darned as much as I try, can't find the place in the article.

    It seems to me Symantec only speculates, as Vista will have a new network stack?

    But then, Symantec themselves say:
    "We're not saying that Vista's network stack is going to be inherently insecure when it is released," Oliver Friedrichs, director of emerging technologies at Symantec Security Response, said in an interview Monday.

    So, which is it, and is the article just spun like this on Slashdot because it's Slashdot?
