Linked by Amjith Ramanujam on Mon 11th Aug 2008 16:13 UTC, submitted by gonzo
Ars Technica has analyzed recently publicized Vista's security flaws. "Unfortunate, yes, but not as was reported in the immediate aftermath of the presentation evidence that Vista's security is useless, nor does this work constitute a major security issue. And it's not game over, either. Sensationalism sells, and there's no news like bad news, but sometimes particularly when covering security issues, it would be nice to see accuracy and level-headedness instead. ... Furthermore, these attacks are specifically on the buffer overflow protections; they do not circumvent the IE Protected Mode sandbox, nor Vista's (in)famous UAC restrictions."
Permalink for comment 326526
To read all comments associated with this story, please click here.
To read all comments associated with this story, please click here.
Member since:
2005-11-13
I don't think he was saying that it wasn't a serious issue, just that this isn't the mother of all security flaws that the original article made it out to be. From what I gather, the exploit only works with certain applications (the article mentions IE7 and FF2, but mentions nothing regarding Opera and FF3, so I'm not even sure if those are affected), and even if you're using said application/plugin, there'd still have to be a buffer overflow vunderability built into the app before any damage could actually be done. So, let's look at the criteria:
1. You must be using an application/plugin that 'opts out' of random memory addressing
2. That application must have a vunderability to exploit
Sure, it's a serious issue, but it's a far cry from the 'all Vista users are screwed' tone of the original article, which was the author's entire point.
Edited 2008-08-11 18:17 UTC