WinInfo Daily News   |   Windows IT Pro

Microsoft pulls a Barbie

Microsoft explains how it missed a serious IE bug for NINE years or, as the company chooses to title this blog post, MS08-078 and the SDL:

Every bug is an opportunity to learn, and the security update that fixed the data binding bug that affected Internet Explorer users is no exception.

The bug was an invalid pointer dereference in MSHTML.DLL when the code handles data binding. It's important to point out that there is no heap corruption and there is no heap-based buffer overrun!

Memory-related TOCTOU bugs are hard to find through code review; we teach TOCTOU issues, and we teach memory corruption issues, and issues with using freed memory blocks; but we do not teach memory-related TOCTOU issues. We will update our training to address this.

Our static analysis tools don't find this because the tools would need to understand the re-entrant nature of the code.

In theory, fuzz testing could find this bug, but today there is no fuzz test case for this code.

Even though Windows Vista and Windows Server 2008 have both ASLR and NX enabled by default, Internet Explorer 7 does not opt-in to these defenses owing to compatibility issues with many common applications. Internet Explorer 8 enables these defenses by default.

On Windows Vista and Windows Server 2008, this is a major defense that comes into play against the currently circulating exploits. When the exploit code runs, it's running at low integrity because IE runs at low integrity, and this means the exploit code cannot write to higher integrity portions of the operating system, which is just about everywhere!

For our server platforms, Windows Server 2003 and Windows Server 2008, Internet Explorer Enhanced Security Configuration also prevents the exploit from working because the vulnerable code is disabled.

How was the bug found?

We really don't know how the bug was found, but some of the security people in Internet Explorer and the Trustworthy Computing Security teams suggest that the bug was either "stumbled upon" or found through directed fuzzing. The finder could spend as long as he or she wanted to find this one bug. This is one of the things that makes security hard - security is a highly asymmetric problem: software developers must get the code right 100% of the time in a very short amount of time, while attackers can spend as long as they want to find one bug.  This isn't an excuse; it's a fact of life.

As you can see from this post, many defenses in Windows did not come into play, but all it takes is one defense to help stop or reduce the chance that an exploit will succeed, and in the case of Windows Vista and Windows Server 2008, Internet Explorer's Protected Mode was that defense.

So I’m going to call this the Barbie defense (as in, “math is hard!”). Maybe it will catch on. :)
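The "memory-related TOCTOU in re-entrant code" that the quoted post describes, reduced to a toy model as an added example. This is not Microsoft's MSHTML code: the Node type, the hooks, the static pool and the poison value are all constructed here so the buggy path never touches real freed memory. The fix shown is the standard one of pinning the object with a reference across the re-entrant call.

```c
/* Added example, not from the original post or from Microsoft.
 * Object lifetime is simulated with a static pool and a POISON value
 * standing in for "whatever freed memory happens to contain". */
#include <stdio.h>

#define POISON 0xDEADBEEFu      /* constructed stand-in for freed contents */
#define POOL_SIZE 4

typedef struct {
    int refs;                   /* reference count; 0 means released */
    unsigned value;             /* the bound data */
} Node;

static Node pool[POOL_SIZE];    /* constructed allocator, not malloc/free */

static Node *node_create(unsigned v) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].refs == 0) { pool[i].refs = 1; pool[i].value = v; return &pool[i]; }
    return NULL;
}
static void node_release(Node *n) {
    if (--n->refs == 0) n->value = POISON;   /* simulate free(): contents become garbage */
}
static int node_valid(const Node *n) { return n && n->refs > 0; }
static int node_refs(const Node *n) { return n->refs; }

/* Re-entrant hook: script or event code that may run in the middle of a bind. */
typedef void (*hook_fn)(Node *);
static void releasing_hook(Node *n) { node_release(n); }   /* drops the caller's reference */
static void benign_hook(Node *n) { (void)n; }

/* Buggy pattern: validate, call re-entrant code, then use the stale pointer. */
static unsigned bind_vulnerable(Node *n, hook_fn hook) {
    if (!node_valid(n)) return 0;   /* time of check */
    hook(n);                        /* re-entrancy: may release n underneath us */
    return n->value;                /* time of use: reads POISON if it was released */
}

/* Fixed pattern: hold our own reference so the object outlives the re-entrant call. */
static unsigned bind_fixed(Node *n, hook_fn hook) {
    if (!node_valid(n)) return 0;
    n->refs++;                      /* pin: nothing the hook does can free n now */
    hook(n);
    unsigned v = n->value;          /* safe: memory is still live because we hold a ref */
    node_release(n);                /* drop the pin; frees only if we were the last holder */
    return v;
}

int main(void) {
    Node *a = node_create(42), *b = node_create(42);
    printf("vulnerable: 0x%X  fixed: %u\n",
           bind_vulnerable(a, releasing_hook), bind_fixed(b, releasing_hook));
    return 0;
}
```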

Comments

 

Waethorn said:

....yet another reason to upgrade to Vista.

December 22, 2008 3:30 PM
 

Waethorn said:

I'd say the "Barbie defense" works for them in this case.  Security IS hard, but: "Protected Mode just works - even against stuff we don't know about".

So Paul, what were you saying about people not being able to pay you to go back to XP?  ;)

December 22, 2008 3:33 PM
 

Waethorn said:

I'd say the real "Barbie defense" would be users saying "security is annoying", so they turn it off.

December 22, 2008 3:39 PM
 

Ocean said:

Transparency, admission of mistakes, being proactive:  This is a new MS.  This is good stuff.

Thank goodness Gates is gone.  

December 22, 2008 4:01 PM
 

Ocean said:

This is just funny.  Enjoy:

>>IBM tried, and spent a huge amount of money developing OS/2 but could never keep up with Windows.  Apple tried to create their own system for years, but finally gave up recently and moved to Intel and Microsoft.

It's just not possible that a freeware like the Linux could be extended to the point where it runs the entire computer from start to finish, without using some of the more critical parts of windows.  Not possible.<<

paranoidmike.blogspot.com/.../as-david-hsing-says-best-troll-ever.html

December 22, 2008 4:03 PM
 

mikegalos@msn.com said:

Clicking a UAC "OK" button is hard!  :-)

Actually, despite Paul's "Barbie defense" implication, this kind of problem is insanely hard to find manually and pretty tricky to find even with state of the art tools. It sounds like the latest version of the internal security test tools will now cover it. Of course, the downside is that it'll take longer to run those tests and to weed out the false positives.

And, of course, as Waethorn points out, the inherent security features of Windows Vista, 7 and Server 2008 are amazingly effective at protecting against even unexpected security risks.

December 22, 2008 4:09 PM
 

mikegalos@msn.com said:

Ocean

Actually, all the proactive openness came about while Bill Gates was still running the company as did the big security pushes. Sorry to burst your demonizing.

December 22, 2008 4:10 PM
 

mikegalos@msn.com said:

btw: If you are at all interested in security (or are going to make technical comments on this posting) you should really read Michael Howard's article that Paul references. The excerpt really doesn't do the article justice. And, of course, Michael Howard is about the best person on the planet to read on anything relating to computer security. He literally wrote THE book on the subject.

December 22, 2008 4:18 PM
 

PatriotB6007 said:

Paul, I wouldn't stress the "NINE years" -- It's not like they've been actively reviewing the databinding code each and every year trying to find holes in it.  My guess is that the databinding code hasn't even been looked at since it was first written for IE4 -- except for the 2002 security review and of course now.

December 22, 2008 6:55 PM
 

Lindy said:

"....yet another reason to upgrade to Vista."  

Or you could go less drastic, cheaper and much quicker to implement.......Firefox 3.

Honestly, with IE's history of holes and its lackluster performance, who (that knows there are other alternatives) uses it???

I use IE, on a rare occasion, to verify/test my OWA is working in premium mode, after applying those oh so wonderful Exchange 2007 SP1 rollup patches, and then I close it.

December 22, 2008 9:59 PM
 

Ocean said:

Mike,

Perhaps.  But at that time it was in name only.  The company had moved on, even if just now we're starting to reap the benefits.

December 22, 2008 10:21 PM
 

ehcap said:

Lindy, you are missing the point; the new security enhancements in Windows Vista, 7 and 2008 protect the user from unknown exploits, that's the real advantage. It's not about this bug or even Internet Explorer, it's about 3rd party software as well, such as Firefox, Opera or any other application; the new security enhancements will provide an extra layer of security that XP just doesn't have.

December 22, 2008 11:14 PM
 

Waethorn said:

"Or you could go less drastic, cheaper and much quicker to implement.......Firefox 3."

Welcome to Bizarro World:

blogs.zdnet.com/security

blogs.zdnet.com/security

Firefox still doesn't have a "Protected Mode".  IE does.  Firefox does what instead?  Relieving itself [sic] of your memory?!

December 23, 2008 6:47 AM
 

Lindy said:

"Firefox does what instead" Does not have a 9 year old whole.  Runs way faster, especially 3.1 and has Adblock Plus.

December 23, 2008 7:04 AM
 

Lindy said:

@ehcap I am fully aware of what you get with Vista.  Security is by far its biggest advantage (if not the only) over XP, with the sand box mode for IE.

I have recommended Vista or OS X to a few people I know that have teenage children that they can't/won't control what they do on a PC.  I got tired of rebuilding XP for them.

December 23, 2008 7:06 AM
 

shark47 said:

"Does not have a 9 year old whole [sic]"

... that you know of. In any case, I wouldn't be surprised if IE7 has had fewer holes than FF2 and FF3, especially on Vista. If speed is all you care about, there's Chrome anyway. It's probably the ad blocker that caused Google to release its own browser, so I wouldn't be surprised if Google found a way to show more ads on a web page than other browsers.

December 23, 2008 7:11 AM
 

Waethorn said:

Serious questions:

At what state is/was Android considered "1.0" release status?

Wasn't Chrome only *just* RTM'ed?

Doesn't that mean that the apps on shipping HTC Dreams are in beta?

More importantly, who the f* would pay for a phone with officially beta-status software on it?  (snide comments about any other phone aside)

December 23, 2008 9:09 AM
 

Waethorn said:

"If speed is all you care about, there's Chrome anyway."

If speed is all you care about, there's XP anyway.

If speed is all you care about, there's 98 anyway.

If speed is all you care about, there's 95 anyway.  

If speed is all you care about, there's 3.1 anyway.

If speed is all you care about, there's DOS anyway.

If speed is all you care about, there's the human brain anyway.  

Maybe you should use yours Lindy.

(Good point Sharky!)

December 23, 2008 9:22 AM
 

gorath said:

I remember a quote from FastTracker II many moons ago (which was a DOS stalwart).

"Windows, bringing the power of yesterday's computing.... Today!"

December 23, 2008 10:18 AM
 

shark47 said:

"Windows, bringing the power of yesterday's computing.... Today!"

Thank God. I will be ready for today tomorrow. Today, I am barely ready for yesterday. Yesterday was a different story altogether.

That said, wasn't there a study that said Windows had fewer vulnerabilities than competing products and was quicker to patch them?  

December 23, 2008 10:49 AM
 

mikegalos@msn.com said:

"[W]asn't there a study that said Windows had fewer vulnerabilities than competing products and was quicker to patch them?"

Actually, quite a few of them. You can generally find them under Days-of-risk assessments if you do a search.

Microsoft's security group gives themselves a report card every so often (I think it's 2x per year) based on that sort of thing.

For example, in 1H2008, total vulnerabilities by OS were:

Microsoft - 58

Ubuntu - 153

Apple - 222

Red Hat - 292

Weighting those using the NIST severity criteria it's:

Microsoft - 53.2

Ubuntu - 75.8

Apple - 96.5

Red Hat - 121.5

For Days-of-risk, for all vulnerabilities (this is how long it took between a flaw being discovered and the patch going out):

Microsoft - 24.22 days

Ubuntu - 72 days

Apple - 97.95 days

Red Hat - 105 days

If we just look at High Risk flaws, the Days-of-risk is:

Microsoft - 25.5 days

Red Hat - 37.5 days

Ubuntu - 42.02 days

Apple - 70.6 days

Looking at it another way is the percentage of vulnerabilities fixed within 1 day:

Microsoft - 89.7%

Red Hat - 38%

Ubuntu - 23.5%

Apple - 17%

You can, of course, find lots of other studies from other sources. They'll tend to say the same basic things. Microsoft Windows has fewer vulnerabilities and is faster at fixing them than their competitors.

December 23, 2008 11:25 AM
 

Ocean said:

More:

>>In a security bulletin released yesterday, Microsoft is saying a somewhat simply exploitable vulnerability exists in all presently used versions of SQL Server dating back to SS 2000 Service Pack 4. It has to do with a Transactional-SQL (T-SQL) statement which apparently uses a parameter that isn't checked for type.

BetaNews has seen the code for a publicly available exploit based on information uncovered by security engineer Bernhard Mueller, who contributed information to two of the incidents covered by Microsoft's last Patch Tuesday round. Mueller is the good guy in this story; unfortunately, malicious users with no ingenuity of their own rely on news from Mueller and others for their inspiration.

Based on what we've seen, we can say it's a fairly simple process to run a T-SQL script, or run commands from the command line, that use the sp_replwritetovarbin command to trigger a heap buffer overflow.<<

www.betanews.com/.../1230053233

December 23, 2008 12:42 PM
 

links for 2008-12-23 | hxf148 said:

Pingback from  links for 2008-12-23 | hxf148

December 23, 2008 4:02 PM

About pthurrott

Paul Thurrott is the guy behind the SuperSite for Windows. Way behind. :)

© 2010 Penton Media, Inc.