
Malicious code, not a vulnerability

Written by Dan Farber

George Ou explains to me that the security issue associated with the Monad command shell that is part of the Windows Vista rollout for next year is not a vulnerability, but an example of malicious code.

These are not remote exploits or buffer overflows.  These are standard scripting features of the Vista operating system similar to Linux scripting.

If I wrote a cmd script that said something to the effect of:

delete all documents
delete critical program files
delete all registry keys

That is not a vulnerability in the OS; that is a vulnerability in social engineering to be able to get someone to run that script. Fortunately, Vista will default to non-admin mode, which will limit the damage of a script if a user fell into the trap of running it. You could do the exact same kind of script in Linux, UNIX, or Mac OS X. In fact, a proof of concept script is readily available for OS X. Nobody reports those as vulnerabilities for Linux or Mac OS X.

This is just like the incorrect reporting of the donut virus, which was portrayed as the first virus against the Microsoft .NET framework "vulnerabilities". Again, that was not the correct use of the word "vulnerability". It was simply written using the .NET language, which required the .NET framework runtime engine. It obviously didn’t go too far because most computers don’t have the runtime installed.

 


 
