Linked by Amjith Ramanujam on Mon 11th Aug 2008 16:13 UTC, submitted by gonzo
Privacy, Security, Encryption
Ars Technica has analyzed Vista's recently publicized security flaws. "Unfortunate, yes, but not, as was reported in the immediate aftermath of the presentation, evidence that Vista's security is useless, nor does this work constitute a major security issue. And it's not game over, either. Sensationalism sells, and there's no news like bad news, but sometimes, particularly when covering security issues, it would be nice to see accuracy and level-headedness instead. ... Furthermore, these attacks are specifically on the buffer overflow protections; they do not circumvent the IE Protected Mode sandbox, nor Vista's (in)famous UAC restrictions."
Thread beginning with comment 326771
MollyC Member since:
2006-07-04

Alexander Sotirov is one of the authors of the "How to Impress Girls with Browser Memory Protection Bypasses" paper that had so many Microsoft haters orgasming in the "Vista's Security Rendered Completely Useless By New Exploit" thread (http://osnews.com/comments/20167). Turns out those orgasms were premature.

http://arstechnica.com/journals/microsoft.ars/2008/08/12/black-hats...

Alexander Sotirov states:
"The articles that describe Vista security as "broken" or "done for," with "unfixable vulnerabilities" are completely inaccurate. One of the suggestions I saw in many of the discussions was that people should just use Windows XP. In fact, in XP a lot of those protections we're bypassing don't even exist. XP is even less secure than Vista in this respect. [What] we established is that the security advantage of Vista over XP is not as great as [previously] thought. Vista is still very good at preventing vulnerabilities."

Details are found here:
http://blogs.zdnet.com/Bott/?p=512

Edited 2008-08-13 18:40 UTC

Score: 3

vaette Member since:
2008-08-09

Ah, excellent news that the facts are getting out. Sure, it is unlikely to be reposted on most sites like Slashdot and OSnews (as corrections are dull and non-sensationalistic ones are doubly so), but at least there are some very official statements to clear this whole confusion up. Makes my day ;)

Score: 1

vaette Member since:
2008-08-09

Well, I guess that was a stupid thing to say, as OSnews already did correct the story by this one we are commenting on. Replace OSnews with some other random site in the above ;)

Score: 1