Just how bad is the first Vista security flaw?

Just how bad is the first Vista security flaw?

Summary: Microsoft has publicly acknowledged the discovery of the first Windows Vista security flaw. But just how serious is it? Opinions seem to vary widely.

SHARE:
TOPICS: Windows
59

Microsoft has publicly acknowledged the discovery of the first Windows Vista security flaw. But just how serious is it? Opinions seem to vary widely.

The New York Times claims the flaw is serious enough to result in Microsoft "facing an early crisis of confidence in the quality of its Windows Vista operating system."

Not surprisingly, Microsoft isn't portraying things as being quite so dire. Stephen Toulouse, a senior product manager in Microsoft's security group, said he's not seeing any wringing of hands in his circles:

"No one will ever get the software right 100% out of the gate. What we've done as a company is build in defense in depth capabilities in the products themselves, as well as create good processes internally that prioritize reported vulnerabilities and get them into the update cycle, while also taking the root cause information and changing the way we create the software so we can learn from these situations," Toulouse blogged.

BetaNews, which conducted its own tests on the vulnerability, is siding more with Microsoft's characterization than that of the New York Times.

"(T)ests of the flaw conducted by BetaNews suggest that, while the (message box) bug can crash Windows XP, its roots in the Win32 API dating back to Windows 3.1, coupled with the fact that the source code for the proof-of-concept appears to be straight ANSI C, directly contradict the Times' implication that the bug somehow afflicts Internet Explorer 7.0," BetaNews reported.

While all Windows flaws deserve serious attention, it seems like Vista Flaw No. 1 may not be as horrendous as some headlines and stories may be suggesting.

Topic: Windows

About

Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

59 comments
Log in or register to join the discussion
  • What a cop-out!

    "while the (message box) bug can crash Windows XP, its roots in the Win32 API dating back to Windows 3.1"

    So, Vista is just a bunch of re-compiled old code? Why does it cost four times more than Win95 did? Oh, and Win32 was not in Win 3.1 - It was in Win98 (this was the API that ensured users would not buy the superior IBM OS2 Warp since this Win32 API 'broke' Windows compatibility in OS2 Warp).
    nomorems
    • What a useless rant.

      "So, Vista is just a bunch of re-compiled old code?"

      Ummm, not by a long shot. Yes there is SOME code for compatibility, but it sure isn't a big part of Vista. (A knowledgable IT person understands the difference. I guess that explains your confusion.)

      As far as compatibility with a dead OS (OS/2) who cares? No one I know.
      No_Ax_to_Grind
      • Do everybody a favor this years resolution

        cut your internet connection go in the basement and stay there .

        If there someone who make worthless rant and stuff its you ....
        Quebec-french
        • He Never Leaves His Basement

          He's an old washed-up doddering fool...or havent you figured that out yet?
          itanalyst
        • Good Idea

          What are going to do, work for an indepedent Quebec, fully governed by apple computers...
          Moosehouse
      • Keep your 'knowledge' No_AX

        I prefer not to be corrupted by the Borg. Apparently there is ENOUGH OLD code that Vista has a failure 25 days after release. And I did not write anything about Vista compatibility with OS2. I was just pointing out yet more C.R.A.P. that Microsoft HAS to use to sell their warez, since their warez is OBVIOUSLY not good enough to sell on its merits. You know, C.R.A.P. like lying that Win32 exists in Win3.1 (not until 98) and C.R.A.P. like 'Vista is the most secure OS ever' (and this is really sad. They use the SAME words, verbatim, that they used when the lied about Windows XP being the most secure OS ever. When will buyers ever learn?).
        nomorems
        • win32s

          Apparently you never used Win 3.1x. There was an add-on that gave 32 bit processing to calculation intense applications. It was called Win32s (Windows 32 bit subsystem) that was widely distributed in many application installs and was, I believe, a core part of Win 3.11.

          Also I believe that Windows 95 included this as well.

          Other than that little misapprehension, you're spot on!
          msolgeek
          • win32

            Win32 was not a core part of Windows 3.11 or even WFW, it was an addon period. There were only a few USEFUL programs that actually used it at the end of Win3.1's life. I still remember dealing with DLL version problems and going though addon installs to get the Win32 version of programs like Winzip to run.
            And you are right, 95 did reuse it as a subset because this flaw wouldn't exist if it didn't. Microsoft embraced and pushed object oriented programming before the release of Visual Studio to impress upon people the time saved by recycling code and using it as a subset. Well, what they didn't say was it amounted to bloated code it created doubling the size of each revision, and the same flaws were carried over in consecutive revisions unless specifically delt with.
            The next version of Windows will probably have to be distributed on a Blue Ray disk and it'll require 4 GB of memory, a quad core 4 GHz CPU and have a 20 GB hard drive footprint. And updates will require us to download gigabytes to patch Windows.
            And somewhere deep within all of that code will be another Windows 3.1 flaw which will rear it's ugly little head.
            Rude Union
        • The Borg 'eh?

          "I prefer not to be corrupted by the Borg."

          Actually, you'd be assimilated into the MS culture if they were the Borg. You wouldn't be corrupted. If you were corrupted, they'd just get rid of you.

          "like lying that Win32 exists in Win3.1 (not until 98) and C.R.A.P. like 'Vista is the most secure OS ever'"

          Ahh yes. I wonder where it was said that Vista is the most secure OS ever... The reference I found in the security section of MS hype for Vista says this "Windows Vista is engineered to be the most secure version of Windows yet."

          Hmm, saying it's the most secure version of Windows yet is alot different than saying that they said 'Vista is the most secure OS ever'. You wouldn't be mis-representing a quote would you?

          When will they learn, indeed.
          Badgered
          • It's the kinda

            It's the kinda tripe you would come up with.
            Think Apple have been feeding you what too much bulls**t..
            Moosehouse
          • Huh?

            Apple what?

            I'm sorry. I only speak english. If you could please rephrase whatever your point was into english and a coherent sentence, then I can fully defend my tripe.
            Badgered
          • Sorry, what I meant to say was

            I will say it slowly for you, so that you will understand. Your so full of it that it?s oozing out of every pore.
            Moosehouse
          • re: sorry what I meant

            Good, at least I know where you're coming from. Insultsville.

            What part of my statement "Ahh yes. I wonder where it was said that Vista is the most secure OS ever... The reference I found in the security section of MS hype for Vista says this 'Windows Vista is engineered to be the most secure version of Windows yet.'"

            Was "full of it"? I can provide you the link if you prefer. Or would you just like to sling insults all day?
            Badgered
    • Way off

      Win32 actually had its origins in Windows 3.11 (Windows for Workgroups) and was intended as a go between for the old 16-bit world and Windows 95's 32-bit world. (Look up the term "thunk" and you'll get the picture.)

      Win32 had very little to do with IBM or the OS2 development. NT was the primary descendant of the OS2 program. Warp was just as much of a "breaking away" from the proposed standards of OS2 as anything Microsoft did with NT. By the time Warp came out Microsoft and IBM were not at all on the same page.

      As far as superiority? OS2 had its pluses, but its lack of hardware support was a huge detriment during its early days. Warp was just the dying gasp.
      ceegh
      • Wrong. Win32 was born in Win95

        and did not become mature enough for wide-spread use until Win98. Thunking was a Win95 tool. Win 3.11 has two Win32 dll's, everything else was 16bit only.
        nomorems
        • Stubborn, aren't we.

          OK, don't want to believe me. Well how about this:

          http://en.wikipedia.org/wiki/Win32s

          Yes, it wasn't "mature" until Win98 (of course, one could argue it never did "mature"), but as you just said it was at least the basis for Window 95.

          Thunking works both ways. http://searchwinit.techtarget.com/sDefinition/0,290660,sid1_gci860582,00.html

          Have you even used Windows 3.11 or 95? How about programmed for both of them at the same time? If you have, fine. But you're writing like a new millennium graduate that has no concept of what things were like circa 1995, and just spouting information based on your prof's "fond memories".
          ceegh
          • Hmmm...don't know that Wikipedia is the best source for proof.

            After all, it can be edited by anyone. I still hold to my original statement that Win95 is a better 'starting' point for Win32. The fact that Win3.1 was mentioned in the article also proves that the writer was making emotional statements on not basing it on fact. Otherwise he would have a:) Told the real truth and stated that Win3.11 was the first version of Windows to use Win32 instead of Win3.1 (at least 2 years separated those versions). b:) Fessed up that Win95 is when it really was in widespread use (i.e. people finally believed they needed it) and again apologize for making incorrect statements in his article.

            Oh, and yes, I can be stuborn. Especially about propaganda issues.
            nomorems
        • Also Wrong

          Win32 was "born" in Windows NT, long before the release of Win95.

          Win32s was a subset of the Win32 APIs which had been developed for use in NT.

          Win95 had the "thunking" to enhance performance of legacy 16-bit code; since the OS was half-and-half, both types of code were similarly inefficent, meeting half-way, rather than having one side efficient and the other less efficient, or duplicating everything on both modes so that both would have been efficient (well, would be if it all fit into memory together...)

          NT was already "pure" 32-bit, so that the 32-bit code ran more efficiently under NT than under 95...
          fde101
      • Not only "thunk" but think win32s

        A handy dandy subset of win32 used widely on windows 3.x.
        zkiwi
        • Yes...but I think he missed my point.

          Win32s is not Win32. The story states that Win32 was in Win3.11 - The story is wrong.
          nomorems