
MS Security Guy Wants Vista Bugs Rated Down

CmdrTaco posted more than 7 years ago | from the grass-is-greener-on-his-side dept.

Security 167

jcatcw writes "Gregg Keizer reports that Michael Howard, an MS senior security program manager, says that the Microsoft Security Response Center (MSRC) is being too conservative in its Vista vulnerability rating plans. Microsoft's own bug hunters should cut Windows Vista some slack and rate its vulnerabilities differently because of the operating system's new, baked-in defenses."


167 comments


Hmmmm. . . (4, Funny)

bplipschitz (265300) | more than 7 years ago | (#18393653)

Sounds a little like Michael Howard might be "baked in". . .

I want YOU... (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18393849)

... To waste your precious mod points by modding this post OT.

More like "half-baked"... (3, Funny)

Anonymous Coward | more than 7 years ago | (#18393909)

"Built in defenses".

Yeah, right. He's been reading too much William Gibson...

Re:Hmmmm. . . (1)

Raven42rac (448205) | more than 7 years ago | (#18394259)

And I want a pony and a dodge viper.

Re:Hmmmm. . . (0, Redundant)

galenoftheshadows (828940) | more than 7 years ago | (#18394945)

How 'bout just plain baked . . .

Isn't that ..... (5, Funny)

edwardpickman (965122) | more than 7 years ago | (#18393659)

rate its vulnerabilities differently because of the operating system's new, baked-in defenses."

...half baked?

Re:Isn't that ..... (4, Funny)

Anonymous Coward | more than 7 years ago | (#18393705)

No, I believe Michael Howard is totally and utterly baked. He clearly needs to stop hitting that bong.

Re:Isn't that ..... (2, Funny)

liquidpele (663430) | more than 7 years ago | (#18394373)

or he could just pass that shit!

Re:Isn't that ..... (5, Insightful)

numbski (515011) | more than 7 years ago | (#18394067)

You'd have to be smoking some pretty good weed to go along with this. :P

Let's say on *nix there's a vulnerability that allows for remote ssh access. You can only get in as an unprivileged user, heck, you may even get /dev/null as your shell, but it lets you in. Do you rate down the remote access flaw because of *nix's "baked in" defenses? No! You fix the bug and update.

Just because your system is overall more secure doesn't mean that you don't blow the whistle on the flaws just as hard. It's called VIGILANCE.

Re:Isn't that ..... (4, Funny)

ericlondaits (32714) | more than 7 years ago | (#18394261)

Just because your system is overall more secure doesn't mean that you don't blow the whistle on the flaws just as hard. It's called VIGILANCE.

Mmmm... while it's true that the price of freedom is eternal VIGILANCE, remember that you can get Vista Ultimate for as little as $399.95.

Re:Isn't that ..... (2, Informative)

Gnavpot (708731) | more than 7 years ago | (#18394973)

Do you rate down the remote access flaw because of *nix's "baked in " defenses? No! You fix the bug and update.

Did you intend those two scenarios to be mutually exclusive?

Rating a bug low does not necessarily mean that it is fixed slower.

Re:Isn't that ..... (2, Insightful)

Hierarch (466609) | more than 7 years ago | (#18395045)

Let's say on *nix there's a vulnerability that allows for remote ssh access. You can only get in as an unprivileged user, heck, you may even get /dev/null as your shell, but it lets you in. Do you rate down the remote access flaw because of *nix's "baked in" defenses? No! You fix the bug and update.

Well, actually, you do rate it down. This is basic risk assessment, and if it comes to a prioritization of resources — which bug should we fix next? — I want that priority set according to the impact of the problem. Cold, hard, rational assessment, not “ZOMGRemoteAccessExploitWTFBBQOver”.

You seem to assume that reducing the rating of a flaw means you don't fix it.

Now, more importantly, from TFA, we have

[The] rating system is clear-cut. If an Internet worm can spread without user action -- the MSRC's definition of "critical" -- on Vista, the vulnerability will be so tagged, Vista-specific security technologies notwithstanding.

This is different from the case you're outlining, and if the bloke in this article is really trying to change these criteria, I've got a real problem with that. If it's the difference between a buffer overrun that allows remote access versus a buffer overrun that allows an outsider to crash that process, I think it's the MSRC that needs to correct their own criteria. Either way, it shouldn't be driven by an outsider, although he can and should make the suggestion to them that certain criteria should be revisited.

Re:Isn't that ..... (0)

Anonymous Coward | more than 7 years ago | (#18395063)

Just because your system is overall more secure doesn't mean that you don't blow the whistle on the flaws just as hard. It's called VIGILANCE.

Really? Because that seems to be the rationale used by all the anti-MS people as a reason to switch from Windows: that the non-Windows OS's are more secure because of their obscurity.

If I had a dollar for every time I heard some OS X or Linux tool trying to convince someone to "switch" because, and they spew almost the exact same FUD every time, supposedly "Spyware and Virus writers only write them for Windows".

That doesn't seem like a very vigilant attitude to me... whereas Windows users tend to gain at least a basic appreciation for proper security practices.

Re:Isn't that ..... (1)

turing_m (1030530) | more than 7 years ago | (#18394085)

Yes, it looks like those new security defenses could do with another session in the oven.

Re:Isn't that ..... (1)

Locutus (9039) | more than 7 years ago | (#18394175)

It sure sounds like "the most secure Windows ever" has been over cooked.

LoB

Re:Isn't that ..... (2, Funny)

Seumas (6865) | more than 7 years ago | (#18395869)

Nothing says security like naming your flagship product after the part of a house that is made of thin glass and can be broken with a small rock, stick or an elbow and allows everyone outside to see everything going on inside.

Hal Howard (2, Interesting)

Anonymous Coward | more than 7 years ago | (#18393663)

I work at Microsoft, I can get Vista for practically free but I refuse to even touch Vista with a bargepole and don't recommend it to others. They don't need it anyway even if it was "finished" and secure.

sniff sniff.... (0)

Anonymous Coward | more than 7 years ago | (#18393821)

...hmmm...whats that smell?

Re:sniff sniff.... (0)

Anonymous Coward | more than 7 years ago | (#18394283)

1) weed
2) bullshit

Re:Hal Howard (0)

Anonymous Coward | more than 7 years ago | (#18394555)

Same here, except for me it's the lack of mission critical third party support that's killing me.

Re:Hal Howard (0)

Anonymous Coward | more than 7 years ago | (#18395019)

Man, you aren't even *good* at trying to sound like an insider. Regardless of how you view Microsoft's products, their employees are smart people (several friends of mine from college, whom I respect quite a bit, are up there as we speak). You sound like a twelve year old haxor.

Re:Hal Howard (1)

seaturnip (1068078) | more than 7 years ago | (#18395119)

You sound like a twelve year old haxor.

Uhh, he didn't even make any spelling mistakes? I don't see any particular reason to doubt his claim.

(I combed through your post to point out spelling mistakes of your own, but you even managed to use "whom" properly, so this usually reliable form of Slashdot comeback fails for once. Nicely done, sir!)

Re:Hal Howard (2, Interesting)

Anonymous Coward | more than 7 years ago | (#18395571)

I work at Microsoft, I can get Vista for practically free but I refuse to even touch Vista with a bargepole and dont recommend it to others. They dont need it anyway even if it was "finished" and secure.

You sound like a contractor that is bitter you didn't get hired on. Those of us who are employees of MS want to make certain that we get the remaining bugs fixed. That isn't going to happen if we point fingers and play the blame game.

I work on embedded devices at MS and we won't have Vista support ready for a couple more months. Once the Visual Studio GDR is released in Apr/May Windows Embedded 6 will release SP1 and it will then be possible to develop/debug embedded devices from Vista and I will update all of my machines. Until then I have machines running Vista and XP. If you did work at MS you would have been interested enough to take a look at it. You would have grabbed the source code for both Vista and XP so that you could compare them, but since you are obviously just a contractor you don't have that ability. If you could do it you would find that the Vista code base is much cleaner. The 70% rewrite that was done was worth it. The new kernel is modular and agile. There is still room left for some performance tweaks, but from an engineering standpoint it is beautiful. Over the next few years this will become very important. It took years to get the embedded version of XP ready, but thanks to the changes to the Vista kernel we should have Vista Embedded ready in less than a year. Once we strip out the shell, the graphics, and most of the managed code we will have a nice version that will run on a fraction of the resources required on the desktop.

When people ask me whether they should switch to Vista I generally tell them to stick with what their computer came with. If they are ordering a new computer then I ask them what they are ordering and recommend Vista if they are ordering a powerful machine. There are currently a few issues left with some applications, and there are many drivers that are not yet available for Vista. However, that situation is changing rapidly, and when Vista SP1 is released many of those problems will be fixed. A large part of the problem is that in order to make security better there were massive changes to the interfaces between user and kernel space, and the entire driver subsystem was rearchitected so that all drivers run in user space. We painstakingly went through and added as much backwards compatibility as we could into the system. However, there are literally millions of Windows programs that have been written, and we do not have copies of all of them. When a user finds a new program that doesn't work we do add it to a list of programs that are known to not work. Developers are constantly working to add back-compatibility support for the applications that don't work based on the popularity of the application.

Re:Hal Howard (0, Flamebait)

pallmall1 (882819) | more than 7 years ago | (#18395793)

Wow, you really do work for Microsoft! With typical Microsoft doublespeak, you just said Vista is really great, a major improvement in every area. It's beautiful, (as long as you don't actually try to use it.)

A rough translation to human speech... (5, Insightful)

dyfet (154716) | more than 7 years ago | (#18393669)

"You're making us look bad, can't you lie a little, we do all the time..."

This was a public service translation, for those who have trouble understanding Microspeak...

Michael howard (1, Offtopic)

Ramble (940291) | more than 7 years ago | (#18393671)

According to Michael Howard my post has been downgraded to only second post.

Its about the bug, not the environment (5, Insightful)

Anonymous Coward | more than 7 years ago | (#18393691)

This guy is IMO a narrow minded fool. Sure, Vista may have extra security features which can limit the extent of damage which a certain bug can do. But does this mean that these features have any impact on the severity of those bugs? Let's "translate" this to Linux:

Say a new local SSH exploit has been found allowing attackers to gain root privileges. Does the fact that you'd need user accounts which are actually usable by people make any difference on the severity of the exploit? "Gee, cut the homeuser some slack since they won't have any real user accounts to begin with. So stop scaring them and rate the bug as it really is"? But... The bug really is what it says it is. In my example it's a critical issue, in the case of a Vista bug it's Important.

Just because you may benefit from the extra security enhancements doesn't imply everyone else does. So please; cut out the idiocy and the desperate attempts to push Vista forward by focussing on all good points and ignoring the bad points, and simply keep calling things what they are. I for one now question the professionality of this guy.

Re:Its about the bug, not the environment (5, Informative)

NearlyHeadless (110901) | more than 7 years ago | (#18393929)

If you've read Michael Howard's writings, he's certainly not a "narrow minded fool". On his blog, he talked about security features in the compiler and linker such as /GS and /SafeSEH. With these in place--and OS-based ones, such as Address Space Layout Randomization and Data Execution Prevention--buffer overflows still exist, but are much harder to effectively exploit. Yes, the process will abort, so you could still have a denial of service attack, but you've greatly reduced the chance of a more serious remote code execution.

Note that OpenBSD is also adopting similar defense-in-depth strategies, including SSP and N^X. Adoption is much more haphazard on Linux Distros, so you may be at much more risk running an application such as SSH on Linux than on OpenBSD even when it is compiled from the same source code.

N^X a big deal? Those that don't understand Unix.. (0)

Anonymous Coward | more than 7 years ago | (#18394047)

are condemned to reinvent it.

How's that 64-bit architecture coming in the Windows world, fanboy? Solaris has been 64-bit since when, 1995?

Re:N^X a big deal? Those that don't understand Uni (0, Troll)

Achromatic1978 (916097) | more than 7 years ago | (#18395791)

How's that 64-bit architecture coming in the Windows world, fanboy? Solaris has been 64-bit since when, 1995?

Spoken like an AC dickhead. When it was '95 I was all content with my 486 DX2 66. I'd love for you to point me to the x86 CPU that was around then.

Re:Its about the bug, not the environment (0)

Anonymous Coward | more than 7 years ago | (#18394157)

I agree with the sentiment, but please don't make it sound as if OpenBSD is just now adopting those security strategies with that last paragraph of yours.

Re:Its about the bug, not the environment (0)

Anonymous Coward | more than 7 years ago | (#18394161)

Note that OpenBSD is also adopting similar defense-in-depth strategies, including SSP and N^X. Adoption is much more haphazard on Linux Distros

Err, what? It's pretty easy to get in Linux and has been for years, but not everyone uses it because it is only found in packages for more recent versions (however, SSP has been available for about eight years, n^x for about seven).

Similarly, nobody in their right mind runs Vista in production, so uptake is slow in Linux and Vista for the same reasons. In OpenBSD, measures like these really are the standard, and have been for a while, and they are used in production, so I don't know what the fuck you are smoking on that one.

Re:Its about the bug, not the environment (1)

kripkenstein (913150) | more than 7 years ago | (#18394197)

Err, what? It's pretty easy to get in Linux and has been for years, but not everyone uses it because it is only found in packages for more recent versions (however, SSP has been available for about eight years, n^x for about seven).

I have heard some Linux distros have been using SSP for a while now, but am not sure of details; Ubuntu, in any case, uses SSP as of Edgy Eft [launchpad.net], that is, since late 2006.

Re:Its about the bug, not the environment (4, Informative)

OmegaBlac (752432) | more than 7 years ago | (#18394349)

Adoption is much more haphazard on Linux Distros, so you may be at much more risk running an application such as SSH on Linux than on OpenBSD even when it is compiled from the same source code.

SSP is included with recent versions of GCC 4.1 and above. If your specific distro is using GCC 4.1 or newer, then they are compiling with SSP already.

http://gcc.gnu.org/gcc-4.1/changes.html [gnu.org]

Re:Its about the bug, not the environment (5, Insightful)

hxnwix (652290) | more than 7 years ago | (#18394673)

Right, and that's why OpenBSD pretends that remote exploits are warm & fuzzy happy ponies. Because of their "baked in defenses." ...

Errr, NO, this guy is promulgating deceptive doublespeak. But perhaps he knows better - perhaps he's just a dishonest jackass and not a retarded jackass. What was your point again?

Re:Its about the bug, not the environment (5, Insightful)

driftwolf (843548) | more than 7 years ago | (#18394849)

If Vista is so much more "secure", then any flaw should be much MORE serious, not less. After all, aren't they supposed to have worked so long and hard to reduce the flaws in this one? If one advertises a secure system, then any breach is, by definition, important. MS Vista is being pushed as a highly secure system to many businesses. Hence, security issues are that much more important, as they were used to sell the system in the first place.

As we've heard that much (some?) of their vaunted security is actually just optional smoke and mirrors (several of the user security features for instance), I don't think MS Vista should be given any easier ride than any other operating system. Let it be judged independently, on its own merits, and not through re-definition of what is critical or not for political (and of course publicity and monetary) purposes.

Any system that defines itself as "secure", but isn't, deserves to be ranked accordingly. Microsoft (and it isn't alone by a long shot) has a very long history of selling one thing and delivering another. Changing the criteria based on what they are selling isn't warranted until what they deliver matches that in every respect. So far, they aren't doing that with MS Vista either.

Re:Its about the bug, not the environment (0)

Anonymous Coward | more than 7 years ago | (#18394993)

"Address Space Layout Randomization and Data Execution Prevention"

Uh... randomized mmap() and non executable stack?
By his logic, quite a few unix bugs, especially on OpenBSD, should be downgraded as well....

Re:Its about the bug, not the environment (4, Informative)

kscguru (551278) | more than 7 years ago | (#18395105)

His security features are /GS, /SafeSEH, layout randomization and an execute bit? Okay, he really is full of it.

  • /GS. In theory works fine. In practice, you MUST (1) get the software publisher to compile with the switch, (2) cannot use inline assembly (/GS bails out on such code), and (3) must be willing to sacrifice a small bit of performance. In other words, a fair amount of real-world code can't use this. And oh by the way, this doesn't protect against all buffer overflows - it only protects against the easiest category. It's still quite possible to corrupt data with a buffer overflow, and maybe use that data to gain control.
  • /SafeSEH. Right ... how many common languages don't have good exception handling? You said C only, right? And how often do you use Windows exceptions in C? Not much, you say? When I've seen SEH code, it's almost always very narrowly scoped and thus easy to get right - in real code, Windows SEH is just a trampoline to get into another exception mechanism. Making it "safer" adds no value.
  • ASLR. This one makes generating a successful exploit a little more difficult - moves it from medium-easy to medium, because it's harder to hit a "target buffer". Of course, for compatibility reasons, a fair number of apps turn this off (they have assumptions about where code lives, and/or need the wasted address space). It helps - statistically. But a lucky guess is still going to succeed, and I don't trust luck for security.
  • DEP. A two-pronged technology, which (1) uses the NX bit and (2) disallows syscalls from data segments. Oh but wait, (1) requires having a fairly recent processor and (2) is fine for some apps, but breaks for anything that does dynamic code (e.g. a Java runtime), so it's also disallowed for many, if not most, apps.
So what do we find out from this list? You get defense-in-depth - IF you are running the latest hardware, IF you use only software built with MSFT's favorite options (some of which are opt-in), and IF you only run apps that embrace all these strategies. How many Joe Consumers fit into those ifs? Datacenters might be closer, but I'll bet even they can't generally say all these hold true.

I'm glad open-source is adopting some of these measures. But let's be realistic - all any of these technologies do is make a sieve less leaky by putting a second sieve underneath. Something is nice, but we would be fools to treat any of these security "features" as more than a speed bump.
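The NearlyHeadless and kscguru posts above both describe what a /GS stack cookie catches and what it does not. The simulation below is an added example, not code from the page or from Microsoft's compiler: it models a frame laid out as buffer | second local | cookie | saved return address (the layout, the cookie value and the 'A'-filled inputs are constructed for illustration) and shows the three outcomes kscguru lists: an in-bounds copy, an overflow that silently corrupts a neighbouring local without touching the cookie, and an overflow that reaches the cookie and is caught before the return address is ever used.

```c
/* Added example (not code from the page): a model of a /GS-style stack
 * cookie, showing what it catches and what it does not. The frame layout,
 * the cookie value and the inputs are all constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    16                      /* the overflowable buffer        */
#define OTHER_SIZE  16                      /* a second local array above it  */
#define COOKIE_OFF  (BUF_SIZE + OTHER_SIZE) /* cookie sits above all locals   */
#define RET_OFF     (COOKIE_OFF + 8)        /* saved return address above it  */
#define FRAME_SIZE  (RET_OFF + 8)

#define SAVED_RET   0x0000000040001000ULL   /* constructed sentinel address   */
#define DEMO_COOKIE 0x7E6F5A4B3C2D1E0FULL   /* constructed per-image cookie   */

enum gs_outcome {
    FRAME_INTACT,          /* the copy stayed inside buf                       */
    CORRUPTED_UNDETECTED,  /* 'other' was clobbered, cookie untouched: no alarm */
    COOKIE_TRIPPED         /* cookie changed: the check aborts the process      */
};

/* Model of a function compiled with /GS. Its locals live in 'frame', laid
 * out low-to-high as buf | other | cookie | saved return address. The copy
 * is deliberately bounded by the input length rather than BUF_SIZE (the
 * bug); it is clamped to the frame only so that this simulation itself
 * stays within defined behaviour. */
enum gs_outcome gs_frame_copy(const uint8_t *input, size_t len, uint64_t cookie)
{
    uint8_t frame[FRAME_SIZE];
    uint8_t other_before[OTHER_SIZE];
    uint64_t saved_ret = SAVED_RET;
    uint64_t cookie_now;

    memset(frame, 0, sizeof frame);
    memset(other_before, 0, sizeof other_before);
    /* prologue: the cookie is stored between the locals and the return address */
    memcpy(frame + COOKIE_OFF, &cookie, sizeof cookie);
    memcpy(frame + RET_OFF, &saved_ret, sizeof saved_ret);

    /* the vulnerable copy: no check against BUF_SIZE */
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memcpy(frame, input, len);

    /* epilogue: the cookie is compared before the return address is used
     * (real /GS code calls __security_check_cookie here) */
    memcpy(&cookie_now, frame + COOKIE_OFF, sizeof cookie_now);
    if (cookie_now != cookie)
        return COOKIE_TRIPPED;   /* process terminated: a DoS, not code execution */

    /* cookie intact, but did the overflow quietly change a neighbouring local? */
    if (memcmp(frame + BUF_SIZE, other_before, OTHER_SIZE) != 0)
        return CORRUPTED_UNDETECTED;

    return FRAME_INTACT;
}

/* One constructed case: 'len' bytes of 'A' copied with the fixed demo cookie. */
enum gs_outcome demo_case(size_t len)
{
    uint8_t input[FRAME_SIZE];
    memset(input, 'A', sizeof input);
    return gs_frame_copy(input, len, DEMO_COOKIE);
}

int main(void)
{
    static const char *names[] = {
        "frame intact",
        "neighbouring local corrupted, cookie never noticed",
        "cookie tripped, process aborted before return"
    };
    size_t lens[] = { 10, 24, 48 };
    for (size_t i = 0; i < 3; i++)
        printf("%2zu bytes copied -> %s\n", lens[i], names[demo_case(lens[i])]);
    return 0;
}
```

The middle case is kscguru's point (3): the cookie only guards the saved return address, so corruption of data that sits below it goes unreported, which is why these mitigations are treated as speed bumps rather than security boundaries.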

Re:Its about the bug, not the environment (2, Interesting)

LO0G (606364) | more than 7 years ago | (#18395559)

Has he EVER referred to those as "security features"? I'd be surprised, Michael Howard doesn't usually make those kinds of mistakes.

Usually those are described as mitigations, since there are no security guarantees associated with them (since they can be bypassed, they're not security features).

Re:Its about the bug, not the environment (0)

Anonymous Coward | more than 7 years ago | (#18394043)

Actually, a slightly more accurate Linux version:

A vulnerability has been found that is exploitable only when the vulnerable application is running under sudo.

Since Linux doesn't guarantee that an application run as sudo is isolated from other apps running in the same window manager, and because Linux doesn't guarantee that there's no way that an application might be launched via sudo without the user's permission, there is no security boundary around that application (Linux might have one - I don't know what Linux's security guarantees are).

This vulnerability is a critical vulnerability by Microsoft's measurements, but if there was a security boundary between sudo applications, the vulnerability would only be rated "important". Now to the vast majority of Linux users, it's only "Important", but because the sudo mitigation MIGHT be bypassed, it gets upgraded to "Critical".

Vista has a number of features that are intended to mitigate attacks - for instance there's ASLR (address space layout randomization (system code is loaded in a different place in each process)), NX (No-Execute (data pages can't be executed)), and most importantly LUA (Limited User Access (applications don't run as administrators)). But while these mitigations are almost certainly enough to stop most attacks, they aren't considered security boundaries - the OS doesn't guarantee that they're effective - a malware author MIGHT be able to bypass them.

So even though it will be extraordinarily difficult to exploit a vulnerability that is mitigated by any of these features, it still MIGHT be possible to mitigate the vulnerability. Because the Microsoft security people are totally conservative when it comes to measuring risk, they assume that every one of these mitigations has been bypassed (or disabled), and measure vulnerabilities accordingly.

Re:Its about the bug, not the environment (2, Interesting)

penix1 (722987) | more than 7 years ago | (#18394721)

Because the Microsoft security people are totally conservative when it comes to measuring risk, they assume that every one of these mitigations has been bypassed (or disabled), and measure vulnerabilities accordingly.

And that is a correct assumption to make. If a security "feature" can be bypassed or disabled, you can't make any other assumption. I firmly believe the biggest threat to Microsoft security is Microsoft itself. Policy from one section of Microsoft is fighting policy from another section. The security folk are fighting the "ease of use" folk. The piracy folk are using the critical updates as a means of checking legitimacy. WGA thinks you're not legit? You stay vulnerable making Microsoft a menace to networking. All these are policy fights that make being a Microsoft user less and less attractive.

B.

Re:Its about the bug, not the environment (0)

Anonymous Coward | more than 7 years ago | (#18395417)

This guy is IMO a narrow minded fool.

Just because he said this doesn't make him a fool of any kind.

First of all, I'm not a Microsoft customer, and I do not use their products. Secondly, I completely disagree with his statement. I use a more secure OS (that could get a virus). I do not live in the state of Washington, and I don't have friends, relatives, or investments at Microsoft.

But why shit on the guy because he said something that makes no sense? Maybe even regrettably and in error? He is a faux spokesman, not a spokesman. And therefore he only deserves a minor public beating, not a crazy unfounded thrashing.

Now the poor guy has to go to work and go home with everyone calling him a "narrow-minded fool". Even Anonymous Cowards are shitting on him. Does he deserve it? Not for this statement.

There are much better applications of the "narrow minded fool" label. Use it thoughtfully.

Cut my Moose-Turd pie a little slack, won't ya? (0, Offtopic)

sizzzzlerz (714878) | more than 7 years ago | (#18393699)

After all, I just baked it.

You keep using that word (2, Insightful)

Gothmolly (148874) | more than 7 years ago | (#18393721)

I do not think that the word "security" means what you think it means.

Or, you're a FUD-peddler whose job it is to convince Gartner that you don't suck... I'm not sure.

New rating for new system? (4, Insightful)

Jimbitz (1060548) | more than 7 years ago | (#18393725)

I can't believe someone known as microsoft security guru would make a statement like that.
An exploit is still an exploit. It doesn't matter if it's found in a brand new OS or the predecessor.

Thank god there are people who don't agree with him.

Re:New rating for new system? (2, Insightful)

GIL_Dude (850471) | more than 7 years ago | (#18394145)

Well, I think the point would be something more like this:

A buffer overflow is found in lsasrv.exe. It's remotely exploitable on Win2k3 server and Windows XP and can run arbitrary code and doesn't require an account on the system (remote wormable). It's only locally exploitable on Vista, requires a local (even if low privileged) account to be logged on and run the code (possibly via social engineering - click here for SomeStarNaked.exe).

He's talking about the rating - a rating should be in relation to something. Otherwise - what does "5 star movie" mean? Is 5 stars the best? Is it 10 stars for the best? So, you need a rating that puts them in relative perspective. In this case, the same overflow should get an "extremely critical" for XP and Win2k3 server. It MAY not deserve as high a rating on Vista though depending on its ability to be exploited and spread. Possibly on Vista it could get just critical or maybe even just important.

I think it is key when rating the vulnerability to take into account how it can be utilized and what is required to exploit it.

Re:New rating for new system? (1)

Jimbitz (1060548) | more than 7 years ago | (#18394419)

I get what you mean.. It MAY not deserve as high a rating on Vista though..
but it still MAY deserve it..
Nevertheless.. instead of worrying about the rating..
shouldn't they focus their resources on fixing the damn bug? :)

Re:New rating for new system? (1)

cnettel (836611) | more than 7 years ago | (#18394501)

As quite a lot of organizations decide what patches to install, and when, depending on the ratings, it's not like they are pointless. By giving proper ratings, MS might get less of a crying wolf mentality for patch Tuesdays, and hopefully get the "right" patches widely deployed quickly.

Re:New rating for new system? (1)

shutdown -p now (807394) | more than 7 years ago | (#18395139)

As I understand, what he's really talking about are all the new memory protection features Vista boasts which do indeed reduce the possibility of successfully exploiting something like a buffer overflow. So, in theory, a buffer overflow in IIS on Vista is potentially less dangerous than a buffer overflow in Apache on Linux.

Re:New rating for new system? (0)

Anonymous Coward | more than 7 years ago | (#18395737)

So, in theory, a buffer overflow in IIS on Vista

Who in their right mind would run IIS on Vista or any desktop-oriented Windows system? Other than a developer? Even in that case it should be firewalled off from the internet.

dangerous than a buffer overflow in Apache on Linux.

Depends on what "Linux" you're talking about. If it's Adamantix, you have SSP+PaX+RSBAC limiting what an exploit can do. If it's RedHat/CentOS, you have SSP+ExecShield+SELinux. If it's SUSE you have SSP+AppArmor. Etc.

Re:New rating for new system? (4, Funny)

rbochan (827946) | more than 7 years ago | (#18394151)

Yeah, threat rating: "waaah... security is hard!"

Re:New rating for new system? (1)

JasonTik (872158) | more than 7 years ago | (#18394357)

The key word there is microsoft security guru.

Re:New rating for new system? (1)

Jimbitz (1060548) | more than 7 years ago | (#18394393)

thanks for pointing that out. I thought the keyword microsoft security guru would be more meaningful. ;)

Re:New rating for new system? (1)

Anonymous Cowhead (95009) | more than 7 years ago | (#18394787)

"Security guru" is just Computerworld headline hype. His title is "program manager", meaning he really works for Marketing telling Engineering what to build. The "program" he's managing is the one to make the security of Microsoft operating systems not look so bad. As is obvious from his comments, his interests are more in perception than facts and metrics. He's trying to use "relativist" arguments to convince us that Vista is better than the facts would indicate. He's trying to get some press that says: "It's better than XP!"

Re:New rating for new system? (1)

Jimbitz (1060548) | more than 7 years ago | (#18394943)

So is it safe if we relate him to a politician then? :)
There's some similarities there..

Re:New rating for new system? (1)

rbochan (827946) | more than 7 years ago | (#18395489)

So is it safe if we relate him to a politician then?

No, because someone who does marketing is incapable of telling the truth, a politician can at least try.

This is not wise (4, Insightful)

EXMSFT (935404) | more than 7 years ago | (#18393743)

Don't challenge the hackers. It's great that Windows Vista has some built in low-level security protections. It's also great to see that Michael is discounting the significance of UAC. And he should - most people will wind up turning it off. But I think that attempting to say that Vista is fire retardant is most likely going to serve as a method to encourage hackers and script kiddies to try and set fire to it. Saying "because it's Vista means the exploit isn't as bad" is a horrible argument. It's an OS, and an exploit is an exploit.

In short I don't think Michael should assume. When you assume, well, you know.

Re:This is not wise (1)

seaturnip (1068078) | more than 7 years ago | (#18395171)

I don't think you are up to date with the motivations of attackers nowadays. Sure ten years ago writing viruses and such was mainly an ego thing for petty vandals -- who might well have been influenced to attack more by bluster on the part of operating system makers -- but nowadays most attacks are done by organized crime for real money (spyware, spam, blackmail, information theft). Whatever claims Microsoft does or does not make will not make much difference to the incentives of attackers.

Re:This is not wise (1)

cerberusss (660701) | more than 7 years ago | (#18395497)

In short I don't think Michael should assume. When you assume, well, you know.
Yes, we know. Assumption is the mother of all fuck-ups.

stop whining and just.... (3, Insightful)

3seas (184403) | more than 7 years ago | (#18393747)

...fix the bugs.

Re:stop whining and just.... (4, Insightful)

rucs_hack (784150) | more than 7 years ago | (#18393805)

They can't

Not because of anything so simple as crap coders or Microsoft being shit (lame reasons when there are so many others that can be justified with examples). They can't because it's too complex, subject to too many attack vectors, and closed from peer review of code.

Time was this refusal to allow external entities to search for and fix bugs in their code was acceptable as normal business practice. Since Linux got more popular, people have started to see that peer review of code is superior when it comes to finding and fixing errors.

I'd be willing to bet that if Linux was closed source it would be as defective as Windows is. That it isn't testifies to the usefulness of open source/bsd style approaches.

Re:stop whining and just.... (2, Insightful)

tuzzer (617754) | more than 7 years ago | (#18394081)

I'd be willing to bet that if Linux was closed source it would be as defective as Windows is. That it isn't testifies to the usefulness of open source/bsd style approaches.
Something being closed source doesn't mean it can't be peer reviewed. We use peer reviews at my job all the time. The rule is you don't check your own code, others do. It helps. A lot.

Re:stop whining and just.... (1)

Orion Blastar (457579) | more than 7 years ago | (#18394091)

What? Do you know how much money it costs to fix the bugs? Wait until next year when they release the Vista SP1 update. The bugs are a low priority because they still have Vista Server to bring out.

Missing the point (3, Insightful)

UnknowingFool (672806) | more than 7 years ago | (#18393749)

Why is it that MS always misses this point: secure is relative. Advocating that MS can be more lax in its procedures because Vista is more secure is like saying you don't need to train anymore because you didn't finish last in a race. Microsoft may have better security than its predecessors; however, it remains to be seen whether or not it is adequately secure. Given the company's history of boasting about security and then failing to deliver, it would be best if they were conservative when it comes to security. Wasn't there a recent Slashdot article on how OpenBSD had its second security issue in a decade? Compared to that, Microsoft security is a joke.

Tired article on a stupid statement. (3, Insightful)

lancejjj (924211) | more than 7 years ago | (#18393751)

Microsoft's own bug hunters should cut Windows Vista some slack and rate its vulnerabilities differently because of the operating system's new, baked-in defenses, according to [Michael Howard, a senior security program manager in Microsoft's security engineering group] who is often the public persona of the company's Security Development Lifecycle (SDL) process.
Microsoft shouldn't have this guy as the "public persona" of security if he isn't 100% within both the security & public communications loops at Microsoft. "Vista" is supposed to be all about security. Why are they having this guy "chat" about it when he isn't a communications expert and when he isn't representing Microsoft's corporate opinion?

I'm sure we've all said a few things that were externalized "thought experiment" instead of "well thought out conclusions". And I think I can see how his line of thinking was going, although I disagree with his statement. And I wouldn't be surprised that in hindsight he disagrees with his own statement.

Microsoft has inadvertently set this guy up as a fall guy by anointing him as a semi-official spokesperson. Hopefully he won't find himself on the street due to what is a failure of his management.

Re:Tired article on a stupid statement. (0, Redundant)

Anonymous Coward | more than 7 years ago | (#18393855)

"Vista" is supposed to be all about security.
No. Vista is about a fancy new composited desktop and "DirectX 10 games".

Re:Tired article on a stupid statement. (0)

Anonymous Coward | more than 7 years ago | (#18395709)

Well, Microsoft will probably find out who this guy is, and terminate him immediately because of negative PR.

Obligatory (5, Funny)

dkleinsc (563838) | more than 7 years ago | (#18393807)

You are trying to cover your own ass. Cancel or Allow?

Re:Obligatory (0)

Anonymous Coward | more than 7 years ago | (#18394425)

Allow. You never read what UAC tells you anyway.

Re:Obligatory (0)

Anonymous Coward | more than 7 years ago | (#18395445)

What he needs is an "anal bum cover". Ask Sean Connery about it; he has undoubtedly invented one by now.

That's a hard one. (2)

pilsner.urquell (734632) | more than 7 years ago | (#18393827)

Let's see, Microsoft has been selling crap all these years and now wants to be cut some slack? Yea, right.

progman.exe (0)

Anonymous Coward | more than 7 years ago | (#18393829)

all I think of when I hear 'Program Manager' is the program launcher from the Windows 3.1 days.

Was this naming deliberate??

Next your bug reports will be Unpatriotic. (-1, Offtopic)

AHuxley (892839) | more than 7 years ago | (#18393839)

In Capitalist Redmond Michael Howard pours water on your bug reports.
In Free Iraq Microsoft bug reports make CIA pour water on you.

Every time you report... NSA needs a cpu.
Please, think of the NSA.

A little late for that... (4, Insightful)

Jasin Natael (14968) | more than 7 years ago | (#18393883)

By this logic, then, shouldn't most of the bugs for Linux and OSX have been rated as "relatively unsafe", while the Windows bugs were almost universally labeled "Über-pWnz0r3d"?

It seems like he wants this just so he can compare turds to turds, boosting the sales of Vista by saying the Windows 98 and 2000/XP bugs of yesteryear were worse because the same bug is arguably less severe under Vista. It may be true, but he should hope that if anyone takes him seriously, they don't start rating severity relative to similar bugs in competing products.

Be careful what you wish for...

Microsoft's own bug hunters... (1)

Ruvim (889012) | more than 7 years ago | (#18393893)

Microsoft's own bug hunters will not get the extra bonus because Vista sales suck so much, because Vista has bugs which hunters found... Hm...

softer... (3, Funny)

beando (1074553) | more than 7 years ago | (#18393925)

Vista making Microsoft become microsofter...

Don't be surprised (1)

it071976 (1077237) | more than 7 years ago | (#18393941)

Vista includes security techniques and technologies that Windows XP lacks, so the MSRC should reconsider how it ranks Vista when a vulnerability affects both Microsoft's new operating system and its predecessor, Windows XP. Don't be surprised if you see a bug that's, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place. Vista includes a number of new security features that randomize memory, check code for buffer overflows and require user permission for potentially risky operations. On Vista, the vulnerability will be so tagged, Vista-specific security technologies notwithstanding. Analysts and security professionals outside Microsoft took the MSRC's side and blasted Howard's idea. MSRC won...yes!!!
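The "check code for buffer overflows" defense the post above refers to is a compile-time stack cookie (Visual C++'s /GS). The following is an added illustration, not code from the article, from Microsoft or from any poster in this thread: it models a stack frame as a byte array (the layout, offsets, the fixed master cookie value and the placeholder return address are all assumptions made for the example) and runs the same unbounded copy through it with the cookie check off and on. It shows why the defense turns a silent return-address hijack into an abort, and also why it is a mitigation rather than a fix: the check only fires after the overwrite has already happened, and it only catches overwrites that run linearly across the cookie slot.

```c
/* Model of a /GS-style stack cookie. Added example, not Microsoft's code.
 * The frame is a byte array so the overflow stays within defined behaviour. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 16

/* Assumed frame layout, in the order a compiler emits it:
 * local buffer, then the cookie, then the saved return address. */
enum { OFF_BUF = 0, OFF_COOKIE = BUF_SIZE, OFF_RET = BUF_SIZE + 4,
       FRAME_SIZE = BUF_SIZE + 8 };

/* Per-process master cookie. A real implementation draws it from a random
 * source at load time; a fixed value keeps this example deterministic. */
static uint32_t g_master_cookie = 0xA5C3E1F7u;

static uint32_t load32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     store32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }

/* The bug: a copy whose length the caller never bounds against BUF_SIZE.
 * The clamp to FRAME_SIZE only keeps the model itself inside the array. */
static void unsafe_copy(unsigned char *frame, const unsigned char *in, size_t len)
{
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(frame + OFF_BUF, in, len);
}

enum result { RET_OK = 0, RET_RETADDR_HIJACKED = 1, RET_COOKIE_TRIPPED = 2 };

/* Simulates one call of the vulnerable function on attacker-controlled input.
 * cookie_enabled == 0 models an XP-era build, 1 models a /GS build. */
int call_vulnerable(const unsigned char *in, size_t len, int cookie_enabled)
{
    unsigned char frame[FRAME_SIZE];
    const uint32_t saved_ret = 0x00401000u;   /* placeholder return address */
    uint32_t cookie = 0;

    memset(frame, 0, sizeof frame);
    store32(frame + OFF_RET, saved_ret);

    if (cookie_enabled) {
        /* Prologue: mix the master cookie with a per-frame value
         * (/GS xors it with the frame pointer on x86). */
        cookie = g_master_cookie ^ (uint32_t)(uintptr_t)frame;
        store32(frame + OFF_COOKIE, cookie);
    }

    unsafe_copy(frame, in, len);        /* the overwrite happens here, regardless */

    /* Epilogue: the check runs only now, after the damage is done. */
    if (cookie_enabled && load32(frame + OFF_COOKIE) != cookie)
        return RET_COOKIE_TRIPPED;      /* real code calls the failure handler and aborts */

    if (load32(frame + OFF_RET) != saved_ret)
        return RET_RETADDR_HIJACKED;    /* the "ret" would jump into attacker data */

    return RET_OK;
}

int main(void)
{
    unsigned char attack[FRAME_SIZE];
    memset(attack, 'A', sizeof attack);  /* constructed input: 24 bytes of 'A' */
    printf("no cookie: %d\n", call_vulnerable(attack, sizeof attack, 0)); /* 1 */
    printf("cookie:    %d\n", call_vulnerable(attack, sizeof attack, 1)); /* 2 */
    return 0;
}
```

The interesting case is the 20-byte input in the test below: it clobbers the cookie slot but stops short of the return address, so the unprotected build reports nothing at all while the protected build aborts. A bug that overwrites a local variable or function pointer sitting below the cookie, or that gives the attacker an arbitrary write, never crosses the slot and is not caught; that is the gap a severity rating still has to account for.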

It would seem.. (3, Funny)

ChePibe (882378) | more than 7 years ago | (#18393963)

That Mr. Howard has yet to come to the sad realization [apple.com] that the rest of the Vista-using world has...

Re:It would seem.. (0)

Anonymous Coward | more than 7 years ago | (#18394519)

This is insightful? You must feel special.

Why do you think there are so many car commercials on TV? For the most part they are not memorable, except to people who already own the car advertised. You see, one of the core functions of advertising is to convince those who already made an expensive purchase (like a car or Mac) to feel good about their purchase and avoid buyer's remorse. You need advertising to feel good. Oh well, to each their own.

In my defense... (1)

ChePibe (882378) | more than 7 years ago | (#18395297)

This was actually intended as a joke. I suppose I should have added a smiley face or something.

MS Security Guy? (2)

Psx29 (538840) | more than 7 years ago | (#18393989)

Are you sure it wasn't a PR guy?

A slip of the tongue... (0, Redundant)

Stumbles (602007) | more than 7 years ago | (#18394007)

I'm certain when he said "and rate its vulnerabilities differently because of the operating system's new, baked-in defenses." what he really meant was "and rate its vulnerabilities differently because of the operating system's new, half-baked-in defenses. "

Awww (2, Insightful)

Centurix (249778) | more than 7 years ago | (#18394113)

They're hurting your feelings, come here and rest on my man boobs. There there, that's better isn't it, Mr. Security Person. What, they're not as soft and comfortable as your mom's boobs? Excuse me, I'd like you to rate my boobs better than that, after all, I am a MAN!

Re:Awww (1)

cyphercell (843398) | more than 7 years ago | (#18394665)

that was funny

Re:Awww (0)

Anonymous Coward | more than 7 years ago | (#18395691)

Man boobs? Maybe you should go on a diet, you fatass.

Threat Down: Vista? (1)

voice_of_all_reason (926702) | more than 7 years ago | (#18394115)

At least this will let bears retake their proper spot at #1.

Calling Dr. Howard (1)

Locutus (9039) | more than 7 years ago | (#18394209)

For some reason, this guy reminds me of one of the "Three Stooges".

"Calling Dr Howard, Dr Fine, Dr Howard"...

Maybe it's because he needs a brain transplant. ;-)

LoB

A new car (1)

Ec|ipse (52) | more than 7 years ago | (#18394221)

That's like buying a new model car and the dealer saying, "Sorry it just keeps stalling on you, but it's a newer model and we're still working out all the bugs. In the meantime, here's a coupon for a free oil change, just don't complain too loudly."

Of course! (4, Funny)

RMingin (985478) | more than 7 years ago | (#18394321)

Obviously any Vista security bugs should be rated less severe... I mean, nobody's running that OS, right? Minimal impact!

Rate Vista's Security Differently? (1, Funny)

Anonymous Coward | more than 7 years ago | (#18394347)

Allow or Deny?

An interesting response (4, Interesting)

Trelane (16124) | more than 7 years ago | (#18394359)

baked in? (5, Interesting)

DragonTHC (208439) | more than 7 years ago | (#18394647)

in Linux and Unix and Mac's BSD, what's higher than root?

in Microsoft Vista, what's higher than administrator?
    root
          superroot
                supersuperroot

that's right, there are three privilege layers above administrator in Vista.

users cannot access those, but software can.
"Oh, you're a process, here's the keys!"
"Oh you're a user? You want to access your computer, confirm or deny?"

Good Lord Knows (0)

Anonymous Coward | more than 7 years ago | (#18394757)

If Microsoft were to have a flaw, it would be that they are too modest and grade their own security issues too harshly.

OS bakers poem (3, Funny)

bl8n8r (649187) | more than 7 years ago | (#18394773)

wake-n-bake lets all take
a look at microsoft half-baked
hit the bong and sing this song
windows got security wrong
Around we go with disclosure fud
Michael Howard please pass the bud

I think MS needs to talk to a lawyer (2, Insightful)

SmallFurryCreature (593017) | more than 7 years ago | (#18395039)

Simple: send each and every person who works for the company in any way to a lawyer and tell them to obey the first rule.

SHUT THE FUCK UP

Just stop talking, do NOT say anything, remain silent.

MS just can't do that and keeps blurting out things that make it seem extremely silly indeed.

This latest claim is like saying that a grease fire in your kitchen isn't dangerous if you live near a fire station. That getting shot through the chest isn't as much of a hassle and shouldn't count as an attempt on your life because you happen to be in an emergency room.

A bug is a bug, a security hole is a security hole. That they are even rated is already bad enough. They should have just one variable, "fixed", which is a boolean.

Claiming that a so called critical bug isn't as severe because the unproven untested OS it runs on has some safety measures, which by the way have been programmed by the same people who programmed the bug, is not exactly raising my opinion of MS.

Had they simply listened to the lawyer they would have kept their mouth shut and not dropped another notch in my estimation.

Perhaps it is all part of a cunning plan, with them hoping that humans, like computers, suffer from wrap-around, and if they lower my opinion far enough it would wrap around to positive again.

or they are stupid.

But I liked the end, unless Vista picks up it will receive the same non-attention as OS-X, now that gotta smart.

OMG, It's True.... (1)

coastin (780654) | more than 7 years ago | (#18395249)

The Security is really baked-in [jalapenorepublic.com]

They want to do something about security? (2, Informative)

argent (18001) | more than 7 years ago | (#18395279)

The first thing Microsoft needs to do to get ANY credibility at all where security is involved is to take immediate and rapid steps to eliminate the role of the HTML control as an element of the security system.

That means getting rid of "Security zones". All documents displayed by the HTML control must be considered "untrusted".

To do this, start by getting rid of the ability for documents viewed in the HTML control to request the use of ActiveX objects, since no documents are considered trusted, ActiveX can't be used anyway.

At the same time, provide a mechanism like IO Slaves for applications to install controls... a mechanism that can not be requested by a document.

Modify Windows Explorer and Software Update to use this application-controlled mechanism to install components into the HTML control.

Create an IE shell that installs an "ActiveX IO Slave" to restore the existing behaviour. This shell will display windows with some visual indication that they are untrustable and dangerous. Users who actually require this functionality during the transition can run the "Insecure IE" shell.

In the next major release of Windows, remove that component.

If Vista is more secure than XP (1)

stites (993570) | more than 7 years ago | (#18395399)

then there should be exploits reported as attacking XP but not working on Vista.

------------------
Steve Stites

BTW, this is the guy who lectures MS devs on secur (1)

melted (227442) | more than 7 years ago | (#18395535)

BTW, this is the guy who lectures MS devs on security and likes to point out how insecure Linux is compared to W2K3. He's living in a bubble, which is fine by him as long as he gets a paycheck. To be fair, most of what I heard him say was sound advice, if overly verbose. I wish he wouldn't degrade himself to a bullshit robot when talking about Linux and Vista, though.