I think this quote in the article sums things up.
"Windows Vista will not be treated any differently, and severity ratings for any issues will be based on vulnerability traits and merits, along with technical mitigating factors,"
If a vulnerability is found in Vista, the severity rating should be based on Vista's own ability to deal with that problem, not how well XP can deal with it. Who cares if Vista has better security than XP? If the vulnerability is severe, it should be rated as such.
I really wish Microsoft would stop whining. If they put all the time and effort their execs and PR guys spend whining into development and bug fixes, maybe we would see more progress.
Actually, it does make sense to have different rating for Vista.
For example, if a bug is found in IE7 and:
- on XP it may allow remote attacker to take complete control over the system, delete system files, etc,
- on Vista, due to the fact that IE7 runs in protected mode, the same bug can't be exploited and does no damage at all
Hence, it is not the same... I think
A remote exploit that gives the attacker the privilege of an ordinary user suffices to install a spambot, steal the attacked person's credit card numbers (often stored in the browser's history), delete all the user's files, and do all other kinds of mischief. It's true that it's easier for malware to hide itself if it can be installed with administrator privilege, but it's good enough for most purposes.
But IE7 on Vista runs in protected mode, which has *fewer* privileges than "ordinary user". So an IE7 exploit on Vista would not allow the attacker to "delete all the user's files, and do all other kinds of mischief" because IE7 does not have access to the user's files. Whereas on XP, the same exploit in IE7 would allow an attacker to muck with the user's data (if running as ordinary user) or system files (if running as admin). So the IE7 exploit in question could receive "extremely critical" rating on XP but "not critical" rating on Vista.
(I doubt your "credit card numbers are often stored in the browser's history" scenario; I don't think browsers store https data in browser history, and even if they did, it's https data and so would be encrypted.)
"I really wish Microsoft would stop whining. If they put all the time and effort their execs and PR guys spend whining into development and bug fixes, maybe we would see more progress."
True; Microsoft is trying to play the victim game, the 'look at us, we're victims of this grand anti-Microsoft conspiracy!'.
The reality is that the vulnerability is analysed, the seriousness of it is then analysed, and the final rating is a culmination of the bug's seriousness and possible impact overall, which takes market share into account as well.
The problem with Microsoft is this; they want to rush their products out the door, chock them to the brim with features then hope that they have enough time to work through their bug database issuing bugs before they're found.
Like I said with the Solaris review, it's weighing up whether you want a bleeding-edge product with the latest and greatest features, or something that is more conservative. Microsoft has decided to go down the track of 'features, features, features' whilst at the same time pushing aside prudent code auditing.
Hence my skepticism when Microsoft claimed they had 'stopped production and sent their programmers back to school'; secure programming can't be taught once your application has already been established. I don't doubt that the classes might have improved the quality in some instances, but at the same time, ultimately, what we're seeing today is the result of stupid decisions made 10 years ago: the old story, you reap what you sow.
"True; Microsoft is trying to play the victim game, the 'look at us, we're victims of this grand anti-Microsoft conspiracy!'."
I actually agree with them on this - however, the fact that this is true is only because EVERYONE ELSE has been victim to a "grand anti-Everyone Else conspiracy" on Microsoft's part. So don't expect me to have any sympathy for them any time soon. (I know, you weren't!)
I agree with you on the rest.
What a surprise... the release management director whose job depends on how successful his software development process proves to be in reducing the number and severity of bugs wants the QA team to artificially deflate the severity of bugs that occur in software developed with his procedure. Anyone with experience at a large commercial software vendor is familiar with these tactics.
Release management is the art of drafting well-meaning but often counter-productive procedures in the hopes that defect rates will go down, allowing the release management team to take credit for what was mostly the work of the development teams, and also the art of massaging the data to make even problematic development cycles look good. Every once in a while there have to be some e-mails telling developers to cancel their old bugs if they don't plan on fixing them anytime soon. Having a bunch of old bugs on the long-term wish list is a good idea for developers but looks bad for management.
Contrast this response to that of the OpenBSD team's recent vulnerability. No, you couldn't exploit an OpenBSD machine from just anywhere on the Internet. But despite the limitations, the OpenBSD folks decided that if the attack can come from any other computer, then it is indeed a remote hole.
Having stack overflow protection doesn't mean that a heap overflow vulnerability is any less severe. Running a static analysis tool on the code doesn't mean that you're properly validating userspace data before, say, using it to index an array in the kernel. A bug is a bug, and the only way to classify its severity is based on the probability that a customer would hit it and the potential impact that it would cause.
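To make that last point concrete, here is an added example written for this page (it is not code from Microsoft, from the article, or from any real driver; the ctl_table layout, the ioctl-style index argument and the function names are all invented for the demo). The "before" is a kernel-style handler that indexes an array with an unchecked value from userspace; the "after" is the same handler with the range check. Neither version has a stack buffer, which is exactly why a stack cookie says nothing about the severity of this class of bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TABLE_LEN 8

/* A control table such as a driver might keep in .data or on the kernel heap.
 * It is NOT a stack buffer, so a stack cookie (/GS) never checks it.
 * The function pointer right after entries[] is the kind of neighbour an
 * out-of-range write lands on. (Hypothetical layout, invented for this demo.) */
typedef struct {
    uint32_t entries[TABLE_LEN];
    uint32_t (*sanity_hook)(uint32_t);
} ctl_table;

static uint32_t identity_hook(uint32_t v) { return v; }

ctl_table *ctl_table_new(void) {
    ctl_table *t = calloc(1, sizeof *t);
    if (t) t->sanity_hook = identity_hook;
    return t;
}

/* BEFORE: idx arrives from userspace (an ioctl argument, say) and is used as-is.
 * idx == TABLE_LEN writes four attacker-chosen bytes into sanity_hook; a
 * negative idx writes in front of the table. /GS, SafeSEH or a static-analysis
 * pass change none of that: the bug is a missing range check. */
void set_entry_unchecked(ctl_table *t, int idx, uint32_t val) {
    t->entries[idx] = val;            /* out-of-bounds write whenever idx is bad */
}

/* AFTER: validate the index before it touches memory. Casting to unsigned
 * folds the negative case into the "too large" case, so one comparison
 * covers both and the classic signed '< TABLE_LEN' slip that lets -1
 * through cannot happen. */
int set_entry_checked(ctl_table *t, int idx, uint32_t val) {
    if ((unsigned)idx >= TABLE_LEN)
        return -1;                    /* reject: caller gets an error, memory untouched */
    t->entries[idx] = val;
    return 0;
}

int get_entry_checked(const ctl_table *t, int idx, uint32_t *out) {
    if ((unsigned)idx >= TABLE_LEN)
        return -1;
    *out = t->entries[idx];
    return 0;
}

/* Exercises the checked API with the inputs an attacker would send
 * (-1, TABLE_LEN, INT_MIN, INT_MAX) and confirms the hook survives.
 * Returns 1 on success, 0 on any unexpected behaviour. */
int checked_api_selftest(void) {
    ctl_table *t = ctl_table_new();
    if (!t) return 0;
    int ok = 1;
    const int bad[] = { -1, TABLE_LEN, TABLE_LEN + 1, -2147483647 - 1, 0x7fffffff };
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        ok = ok && set_entry_checked(t, bad[i], 0x41414141u) == -1;
    uint32_t v = 0;
    ok = ok && set_entry_checked(t, 3, 0x1234u) == 0;
    ok = ok && get_entry_checked(t, 3, &v) == 0 && v == 0x1234u;
    ok = ok && get_entry_checked(t, TABLE_LEN, &v) == -1;
    ok = ok && t->sanity_hook(7) == 7;   /* pointer still points at identity_hook */
    free(t);
    return ok;
}

int main(void) {
    printf("checked API rejects bad indexes and keeps the hook intact: %s\n",
           checked_api_selftest() ? "yes" : "NO");
    /* set_entry_unchecked(t, TABLE_LEN, 0x41414141u) is deliberately not run:
     * it is the vulnerable path, and the write it performs is undefined behaviour. */
    return 0;
}
```

The point of keeping both functions side by side is that the compiler's hardening flags treat them identically: there is no stack frame to protect, so the severity of the unchecked version is decided entirely by who controls idx and what sits next to the table, which is the "probability a customer hits it times potential impact" calculation the comment above describes.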
"""
What a surprise... the release management director whose job depends on how successful his software development process proves to be in reducing the number and severity of bugs wants the QA team to artificially deflate the severity of bugs that occur in software developed with his procedure. Anyone with experience at a large commercial software vendor is familiar with these tactics.
"""
As someone who does not have experience at a large commercial software vendor, I thank you for pointing this out.
It's all too easy to think of MS as one big Satan, forgetting all the little, competing, Satan wannabes inside.
Or perhaps that's not the best way to put it. These little "Satans" may just be "doing their jobs"... trying to "feed their families"... or keep making the payments on that sexy red Porsche. ;-)
This guy wants security vulnerability rankings reduced; therefore, if it is not marked "critical", most people will ignore it.
I will end up with more spam in my inbox.
UAC will only protect as long as everyone does not blindly click OK as they do with XP.
You're right, and even right now, when you run Internet Explorer 6, you'll find that people are still asked 'do you trust this publisher' and asked whether they would like an ActiveX component installed, along with various other questions, and these very people simply click OK.
Ultimately it is Microsoft's fault for making elevation so easy; when the end user puts in the password, warn the end user what *could* possibly happen: that putting in the password will allow the programme to do whatever it wants with the system, and could possibly infect it with a virus or corrupt files.
Not scare tactics, but warning about the impact of their decision when they make it - and ultimately, I think its the end users who have to take responsibility, whilst at the same time, software companies need to say, "yes, we've done the best we can to inform the customer about the decision they make, but they still continue on"
With that being said, most of Windows' problems lie squarely with simply crappy code rather than being the result of end users making stupid decisions.
Unix isn't really a server OS. It has generally lived as a workstation OS and at the same time was somewhat popular as a server OS (against what really was a server OS: VMS).
Today it's even more popular as a server OS, especially Linux on really cheap servers (web servers). And it's also popular for HPC and gaining for desktops (albeit slowly).
To call Unix a server OS is a bit silly. It's not even designed as one... The things that make it interesting, a well pipe-able shell plus utilities and X11, aren't interesting on the server but on the advanced user's desktop.
"Don't be surprised if you see a bug that's, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place."
I find it somewhat disturbing when someone asks us not to be disturbed by something that's supposed to be naturally expected.
"[Windows] either has the vulnerability or it doesn't," said Marc Maiffret
Well said, end of line.
A gun isn't safe in a child's hand, especially if it's loaded and it's so easy to flick the safety off (I won't be giving my son a 9mm any time soon).
With Vista it's so easy to turn off UAC, and so irritating you want to turn it off. My take is it won't be long before we have Vista spam bots.
It asks some people more than others. It does depend on your application set.
If you're using an application that depends on admin rights to work you'll get prompted every time you start that application. And it's something application users should be fixing, although I think Microsoft is punching holes in UAC to fix application binaries that get large numbers of complaints.
"For example, if a bug is found in IE7 and:
- on XP it may allow remote attacker to take complete control over the system, delete system files, etc,
- on Vista, due to the fact that IE7 runs in protected mode, the same bug can't be exploited and does no damage at all
Hence, it is not the same... I think
"
OK. I can also run Firefox on Linux inside a virtualization program or a chroot environment and say the same.
I can also run IE6 on Linux using Wine and a fake drive. No Linux damage, but this doesn't imply that IE is secure.
"OK. I can also run Firefox on Linux inside a virtualization program or a chroot environment and say the same.
I can also run IE6 on Linux using Wine and a fake drive. No Linux damage, but this doesn't imply that IE is secure."
I never said you can't do it on Linux. I was comparing IE7 on XP and Vista.
On the other hand, how many "Joe Sixpack" users would know how to do that on Linux? On Vista, IE7 runs in protected mode by default.
The Computerworld article is putting words into Michael Howard's mouth. He never said MSRC should reconsider their ratings for Vista. He basically said he personally wasn't thrilled about it, in the context that a vulnerability may have the same rating despite the presence of mitigations that lessen the actual impact on Vista machines, but he accepted the status quo and did not advise MSRC to change its methodology.
There is one thing you will see that I’m not too thrilled about, but it is what it is. The MSRC rarely reduces the severity of a buffer-related security bug because a defense with no security guarantees such as /GS or /SafeSEH is in place. UAC will be a speed bump, but I doubt we would reduce the severity of many bulletins if UAC is the sole mitigation. The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity. So don’t be surprised if you see a bug that’s, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place. As I understand it, the MSRC will call out defenses that come into play.
http://blogs.msdn.com/michael_howard/archive/2007/03/08/how-i-will-...
Edited 2007-03-16 21:39
n4er has a point. Too many people who wish to see Microsoft in a bad light take words from an individual in the company and use it to paint broad strokes about the whole firm. It's even worse when people cite "news" articles that take these words, add their own interpretations and then brand them as facts. Michael Howard is a Microsoft employee and he has a penchant for talking up Windows security features (and talking down others' features, particularly Oracle), but he's not an idiot and I haven't seen him say anything that's clearly a lie.
He is actually serious about security and never fails to acknowledge that bugs get out there and need to be fixed regardless of the amount of work that's done to prevent them. What most above posters are forgetting is that exploiting code flaws is often hard, clever work (I assert that design flaws are less onerous to exploit). Adding more security checks and mitigations makes the puzzle harder and can make the difference between a trivial exploit and a harder, less reliable one.
The reason he's not happy about the severity ratings game is that it fails to acknowledge that the same bug on Vista will be less reliably exploitable in practice than it is on XP. He never says that the rating should change. Just view this as a few words of marketing for himself and his Security Organization.