I know that Gibson has something of a reputation for hype and slightly wild assertions but that one was priceless.
Sorry, but Gibson is an idiot; this is the same guy who came out of the woodwork 5 years ago, drumming up hype over the fact that Windows XP had raw sockets, and according to him, the world will come to an end due to the *possibility* of that *STANDARD* TCP/IP feature being exploited by malicious coders.
Here we are 5 years ago, after the doom and gloom scenarios he painted for the IT world, and none has come to fruition.
Here he is again, pulling the same publicity stunt to make his company high profile; it's another example of grandstanding in the worst possible way.
Windows Vista doesn't have a 'virgin stack'; it uses the same stack from Windows 2003, with problem and security prone parts completely replaced; I don't know about you, but Microsoft seems damned if they do, damned if they don't.
If they replace problem prone parts of their software with, what they consider, more secure, easier to maintain code, they're blasted for introducing 'virgin code' and if they simply fix the code, they're accused of 'working around the issue rather than addressing the fundamental flaws'.
If these companies have an interest in promoting security, wouldn't it be best to not only with the 'blast' include a solution, for example, "as I analysed the TCP/IP stack included with Windows Vista, I noticed several flaws in its implementation that could possibly cause security issues at a later date, but suggested resolution would be.......". But again, like I said, Gibson is more about hype and showmanship rather than actually anything that benefits the IT community overall.
If they replace problem prone parts of their software with, what they consider, more secure, easier to maintain code, they're blasted for introducing 'virgin code' and if they simply fix the code, they're accused of 'working around the issue rather than addressing the fundamental flaws'.
When it's closed source then it doesn't matter, you'll never know for sure how (in)secure it is.





Towards the end of the podcast Gibson suggests that if you must use Vista you should just install it as second OS and "only play with it on weekends". I know that Gibson has something of a reputation for hype and slightly wild assertions but that one was priceless.