Linked by Thom Holwerda on Mon 16th Jan 2006 18:47 UTC, submitted by glarepate
Microsoft has shipped the first critical security update for Windows Vista, the next version of its flagship operating system. Over the weekend, the company released patches for beta testers running the Windows Vista December CTP and Windows Vista Beta 1, and warned that the new operating system was vulnerable to a remote code execution flaw in the Graphics Rendering Engine.
RE[6]: Roll Up! Roll UP!
by glarepate on Thu 19th Jan 2006 21:02 UTC in reply to "RE[5]: Roll Up! Roll UP!"
glarepate Member since: 2006-01-04

"Please, there is no way such a thing would get past so many people at MS."

This presumes that the so-called "backdoor" (I don't believe it either) wasn't designed in as part of the OS. Others believe differently about a different, so-called NSA, backdoor.

But if they have the policies, tools and skills in place to detect and prevent a backdoor from being included in their product (without it being put in there by corporate decision) why can't they detect and prevent the [insert huge but undefined number here] other security issues inhering in the system? To me this looks a whole lot like one of the many ease of use features that were implemented with no regard to the security consequences.

So arguing that it can't be there because it couldn't "get past so many people at MS" is as unsupportable as saying that it may have been done by some rogue programmer. Possibly more unsupportable, since there is more than adequate proof in the form of admissions by MS that providing customers with more choices drove the inclusion of the ease of use bugs.

Based on analysis by others that points out that Gibson's assertion that only a specific impossible construction in the metafile could have triggered it is wrong, and that even correctly formed metafiles could trigger the defect, I still don't believe that it's a backdoor. But the "many eyes" of MS doesn't hold any water either.

Score: 1

RE[7]: Roll Up! Roll UP!
by sappyvcv on Thu 19th Jan 2006 22:28 in reply to "RE[6]: Roll Up! Roll UP!"
sappyvcv Member since: 2005-07-06

"But if they have the policies, tools and skills in place to detect and prevent a backdoor from being included in their product (without it being put in there by corporate decision) why can't they detect and prevent the [insert huge but undefined number here] other security issues inhering in the system? To me this looks a whole lot like one of the many ease of use features that were implemented with no regard to the security consequences."

I would think the answer is obvious, but apparently not. A coding error which ends up as a security vulnerability is a mistake, an oversight. Something small, where someone forgot to validate input (usually). A backdoor is explicit. You're talking about at least 1 engineer and some executives conspiring to put a backdoor in the most widely used desktop operating system. One that has gone unnoticed for a long long long time. If there was a backdoor put there, it would have likely been used and found out way before now. You're also assuming that no other engineers caught that the backdoor was put there.

It's simply ridiculous to think this was intentional.

"But the 'many eyes' of MS doesn't hold any water either."

In the case of a backdoor, I think it does.

Score: 1

RE[7]: Roll Up! Roll UP!
by sappyvcv on Fri 20th Jan 2006 15:39 in reply to "RE[6]: Roll Up! Roll UP!"
sappyvcv Member since:
2005-07-06