Promised Vista security falls flat in betas

Jul 25, 2006 10:57



We've been hearing for years now about Windows Vista, formerly called Longhorn, and how it's going to be so much more secure than previous versions of Windows and will prevent the kind of trivially executed machine compromises that have plagued existing versions, leading to the creation by crackers of zombie botnets of tens of thousands of compromised PCs.

Symantec calls bullshit.

And no-one will be surprised to know that all the usual suspects are responsible:

"We discovered a number of implementation flaws that continued to allow a full machine compromise to occur," Matthew Conover, principal security researcher at Symantec, wrote in the report titled "Attacks against Windows Vista's Security Model."  The report was made available to Symantec customers last week and is scheduled for public release sometime before Vista ships, a Symantec representative said Monday.

Conover looked at the February preview release of Vista.  The report describes how an attacker could commandeer a Vista PC with Internet Explorer 7, the reinforced version of Microsoft's Web browser.  The final version of Vista is not expected to be broadly available until January.

The attack starts out by planting a malicious file on a Vista PC when a rigged Web site is visited.  The placing of the file involves using a specially crafted Web program called an ActiveX control, which exploits a security hole.  The report then describes how the malicious program could gain privileges and ultimately give an attacker full control of the PC.

Microsoft claims to have addressed the issues raised by Symantec.  But they've claimed a lot of things about Windows security before that have turned out to be false.

The biggest single thing Microsoft could do to improve the security of Windows is perfectly simple:  Decouple Internet Explorer from the operating system and rip the inherently insecure ActiveX out of it.  But Microsoft will never do it, because they're afraid of losing browser market share -- for a browser that they don't actually sell as a distinct product or make any money from anyway.
