The writer obviously needs a lesson in Microsoft security if his reason for calling Vista more secure than XP is "You have to patch it less". Microsoft is known for keeping things secret from the public, just not acknowledging them or just taking their sweet time fixing things. As for the ActiveX component he's talking about, it took MS around a year to solve that issue.
http://www.examiner.com/x-14651-Minneapolis-Information-Technology-Examiner~y2009m7d9-Microsoft-acknowledged-this-latest-ActiveX-bug-a-year-ago-so-why-isnt-it-fixed
So according to the writer's opinion, this issue didn't count as a security issue because it wasn't fixed until now. If he were to, say, go out and really do some research, then I might be able to determine if he's credible or not. From my standpoint here in the field, he's not.
Here's some proof: Do you know that the Windows Logon Screen Saver is a security flaw? It is. Simply shut down Windows, and either use a Windows Recovery CD or put your hard drive into another system. (FYI, this assumes you don't have the password for a system that has a password; Google is your friend if you need help, Yahoo and Bing are sales people.) Rename C:\windows\system32\logon.scr to logon.scr1 (back it up to hide your trail). Then copy cmd.exe to logon.scr and restart the computer. Wait about 5-15 minutes for the screen saver to appear and voilà, you have a command line. When you're done, use the Recovery CD again, or put the hard drive in the other computer again, then delete logon.scr, rename logon.scr1 to logon.scr and reboot.
You can do this with any other program you want as well, say another command line program if yours doesn't want to work properly. The command prompt will give you System access so you can play with almost anything out there. When it loads up, type in Explorer to get the shell, but keep in mind, Explorer will kill itself usually, but the command prompt will still be there (Alt+Tab is your friend here). This is a security flaw, and is there a patch to it yet?
I'm a computer technician, and I've used this to get into several computers. Some with viruses, some with idiot users.
If the screen saver ran with Guest or Limited permissions, then yeah, it could be seen as a non-issue, but it's running as SYSTEM. You can edit the registry so that when an Admin logs on, you can run a malicious program that will take over the system, and it will have Admin access.
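The swap described in the comment above leaves artifacts a defender can look for: the logon desktop's screen saver binary is no longer the file Microsoft shipped, it is byte-identical to cmd.exe, and a renamed backup (logon.scr1) is usually left beside it. The PowerShell below is an added example, not code from the comment's author or from ZDNet; it assumes Windows PowerShell 3.0 or later (for Get-FileHash), the default System32 location for both files, and that the machine's logon desktop still reads its screen saver setting from HKU\.DEFAULT\Control Panel\Desktop. It returns a list of findings (empty when nothing looks wrong) and, optionally, turns the logon-desktop screen saver off, which removes the SYSTEM-level launch the comment relies on.

```powershell
# Added example (not the commenter's code): audit the logon screen saver for the
# cmd.exe swap described above and optionally disable it on the logon desktop.
$ScreenSaverPath = Join-Path $env:SystemRoot 'System32\logon.scr'   # assumed default path
$CmdPath         = Join-Path $env:SystemRoot 'System32\cmd.exe'
$LogonDesktopKey = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'

function Test-LogonScreenSaver {
    param(
        [string]$ScrPath = $ScreenSaverPath,
        [string]$CmdExe  = $CmdPath
    )
    $findings = @()

    if (-not (Test-Path $ScrPath)) {
        return ,@("logon.scr is missing from $(Split-Path $ScrPath)")
    }

    # 1. Exact swap: logon.scr carries the same bytes as cmd.exe.
    $scrHash = (Get-FileHash -Algorithm SHA256 -Path $ScrPath).Hash
    $cmdHash = (Get-FileHash -Algorithm SHA256 -Path $CmdExe).Hash
    if ($scrHash -eq $cmdHash) {
        $findings += 'logon.scr is byte-identical to cmd.exe'
    }

    # 2. Version resource: a copied cmd.exe still reports cmd.exe's original name,
    #    even if its bytes differ from the cmd.exe currently on disk.
    $scrInfo = (Get-Item $ScrPath).VersionInfo
    $cmdInfo = (Get-Item $CmdExe).VersionInfo
    if ($scrInfo.OriginalFilename -and
        $scrInfo.OriginalFilename -eq $cmdInfo.OriginalFilename) {
        $findings += "logon.scr reports OriginalFilename '$($scrInfo.OriginalFilename)'"
    }

    # 3. Leftover backup (logon.scr1 or similar) next to the real file.
    Get-ChildItem -Path (Split-Path $ScrPath) -Filter 'logon.scr?*' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "unexpected sibling file: $($_.Name)" }

    # 4. Logon desktop configured to run something other than logon.scr.
    $configured = (Get-ItemProperty -Path $LogonDesktopKey -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
    if ($configured -and ($configured -notmatch '(?i)logon\.scr$')) {
        $findings += "logon desktop screen saver set to '$configured'"
    }

    return ,$findings
}

function Disable-LogonDesktopScreenSaver {
    # Mitigation: no screen saver on the logon desktop means nothing launches as
    # SYSTEM from that desktop, whatever logon.scr contains. Requires admin rights.
    Set-ItemProperty -Path $LogonDesktopKey -Name 'ScreenSaveActive' -Value '0' -Type String
}

# Usage (run elevated):
$results = Test-LogonScreenSaver
if ($results.Count -eq 0) { 'logon.scr looks intact' } else { $results }
```

The four checks are independent on purpose: an attacker who copies a cmd.exe from another build defeats the hash comparison but not the version-resource comparison, and one who cleans up the backup still leaves the registry value if it was changed. A baseline hash of the genuine logon.scr recorded when the machine was built (a placeholder here, since the page gives none) would strengthen check 1, and running the audit from a clean boot medium rather than the suspect installation avoids trusting a system that may already be compromised.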