Linked by Amjith Ramanujam on Mon 11th Aug 2008 16:13 UTC, submitted by gonzo
Ars Technica has analyzed recently publicized Vista's security flaws. "Unfortunate, yes, but not as was reported in the immediate aftermath of the presentation evidence that Vista's security is useless, nor does this work constitute a major security issue. And it's not game over, either. Sensationalism sells, and there's no news like bad news, but sometimes particularly when covering security issues, it would be nice to see accuracy and level-headedness instead. ... Furthermore, these attacks are specifically on the buffer overflow protections; they do not circumvent the IE Protected Mode sandbox, nor Vista's (in)famous UAC restrictions."
Thread beginning with comment 326524
To view parent comment, click here.
To read all comments associated with this story, please click here.
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[2]: Comment by Soulbender
by Soulbender on Mon 11th Aug 2008 17:48
in reply to "RE: Comment by Soulbender"
Member since:2005-08-18
So then he wasn't ironic. You agree with him.
No I don't. "Not game over" is not the same as that it's not a serious matter. Game over would be an error that could not possible be corrected while a serious/major error can.
He wasn't understating then.
Yes he is. He is trivializing it with statements like "it's not a major issue" and "it worked on XP too".
FAIL
Indeed you do.
RE[3]: Comment by Soulbender
by WorknMan on Mon 11th Aug 2008 18:16
in reply to "RE[2]: Comment by Soulbender"
Member since:2005-11-13
Yes he is. He is trivializing it with statements like "it's not a major issue" and "it worked on XP too".
I don't think he was saying that it wasn't a serious issue, just that this isn't the mother of all security flaws that the original article made it out to be. From what I gather, the exploit only works with certain applications (the article mentions IE7 and FF2, but mentions nothing regarding Opera and FF3, so I'm not even sure if those are affected), and even if you're using said application/plugin, there'd still have to be a buffer overflow vunderability built into the app before any damage could actually be done. So, let's look at the criteria:
1. You must be using an application/plugin that 'opts out' of random memory addressing
2. That application must have a vunderability to exploit
Sure, it's a serious issue, but it's a far cry from the 'all Vista users are screwed' tone of the original article, which was the author's entire point.
Edited 2008-08-11 18:17 UTC
RE[3]: Comment by Soulbender
by Bounty on Mon 11th Aug 2008 18:28
in reply to "RE[2]: Comment by Soulbender"
Member since:2006-09-18
You trivialize it by saying "it's not really game over" and agree with the author on that point! no take backs.
A serious error and game over are not the same thing. I'm not aware of any public unpatched exploits that take advantage of this. There may never be one. There are critical exploitable, common, bugs patched monthly, and they don't get the coverage and hype of this. The act of installing flash/plugins has screwed people from a security standpoint well before this bug was public.
not this time.
Member since:
2006-09-18
"it's not really game over "
So then he wasn't ironic. You agree with him. He wasn't understating then. Anything short of 'game over' is SSDD. We would need a kickass exploit turned wurm ASAP to get anything out of this... and since XP doesn't have buffer overrun protection anyways, if 0Day of that caliber already existed it would be out there. Or have hackers really been waiting for DEP to be circumvented before they release exploits? So they can maybe someday hit that extra 15% marketshare?
FAIL