[ISN] Flaws Are Detected in Microsoft's Vista

From: InfoSec News (alerts@private)
Date: Tue Dec 26 2006 - 22:14:13 PST


http://www.nytimes.com/2006/12/25/technology/25vista.html

By JOHN MARKOFF
Published: December 25, 2006

SAN FRANCISCO, Dec. 24 - Microsoft is facing an early crisis of confidence 
in the quality of its Windows Vista operating system as computer 
security researchers and hackers have begun to find potentially serious 
flaws in the system that was released to corporate customers late last 
month.

On Dec. 15, a Russian programmer posted a description of a flaw that 
makes it possible to increase a user's privileges on all of the company's 
recent operating systems, including Vista. And over the weekend a 
Silicon Valley computer security firm said it had notified Microsoft 
that it had also found that flaw, as well as five other vulnerabilities, 
including one serious error in the software code underlying the company's 
new Internet Explorer 7 browser.

The browser flaw is particularly troubling because it potentially means 
that Web users could become infected with malicious software simply by 
visiting a booby-trapped site. That would make it possible for an 
attacker to inject rogue software into the Vista-based computer, 
according to executives at Determina, a company based in Redwood City, 
Calif., that sells software intended to protect against operating system 
and other vulnerabilities.

Determina is part of a small industry of companies that routinely pore 
over the technical details of software applications and operating 
systems looking for flaws. When flaws in Microsoft products are found 
they are reported to the software maker, which then produces fixes 
called patches. Microsoft has built technology into its recent operating 
systems that makes it possible for the company to fix its software 
automatically via the Internet.

Despite Microsoft assertions about the improved reliability of Vista, 
many in the industry are taking a wait-and-see approach. Microsoft's 
previous operating system, Windows XP, required two service packs issued 
over a number of years to substantially improve security, and new flaws 
are still routinely discovered by outside researchers.

On Friday, a Microsoft executive posted a comment on a company security 
information Web site stating the company was closely monitoring the 
vulnerability described by the Russian Web site. It permits the 
privileges of a standard user account in Vista and other versions of 
Windows to be increased, permitting control of all of the operations of 
the computer. In Unix and modern Windows systems, users are restricted 
in the functions they can perform, and complete power is restricted to 
certain administrative accounts.

"Currently we have not observed any public exploitation or attack 
activity regarding this issue," wrote Mike Reavey, operations manager of 
the Microsoft Security Response Center. "While I know this is a 
vulnerability that impacts Windows Vista, I still have every confidence 
that Windows Vista is our most secure platform to date."

On Saturday, Nicole Miller, a Microsoft spokeswoman, said the company 
was also investigating the reported browser flaw and that it was not 
aware of any attacks attempting to use the vulnerability.

Microsoft has spent millions branding the Vista operating system as the 
most secure product it has produced, and it is counting on Vista to help 
turn the tide against a wave of software attacks now plaguing 
Windows-based computers.

Vista is critical to Microsoft's reputation. Despite an almost 
four-and-half-year campaign on the part of the company, and the best 
efforts of the computer security industry, the threat from harmful 
computer software continues to grow. Criminal attacks now range from 
programs that steal information from home and corporate PCs to growing 
armies of slave computers that are wreaking havoc on the commercial 
Internet.

Although Vista, which will be available on consumer PCs early next year, 
has been extensively tested, it is only now being exposed to the 
challenges of the open Internet.

"I don't think people should become complacent," said Nand Mulchandani, a 
vice president at Determina. "When vendors say a program has been 
completely rewritten, it doesn't mean that it's more secure from the 
get-go. My expectation is we will see a whole rash of Vista bugs show up 
in six months or a year."

The Determina executives said that by itself, the browser flaw that was 
reported to Microsoft could permit damage like the theft of password 
information and the attack of other computers.

However, one of the principal security advances of Internet Explorer 7 
is a software sandbox that is intended to limit damage even if a 
malicious program is able to subvert the operation of the browser. That 
should limit the ability of any attacker to reach other parts of the 
Vista operating system, or to overwrite files.

However, when coupled with the ability of the first flaw that permits 
the change in account privileges, it might then be possible to 
circumvent the sandbox controls, said Alexander Sotirov, a Determina 
security researcher. In that case it would make it possible to alter 
files and potentially permanently infect a target computer. This kind of 
attack has yet to be proved, he acknowledged.

The Determina researchers said they had notified Microsoft of four other 
flaws they had discovered, including a bug that would make it possible 
for an attacker to repeatedly disable a Microsoft Exchange mail server 
simply by sending the program an infected e-mail message.

Last week, the chief technology officer of Trend Micro, a computer 
security firm in Tokyo, told several computer news Web sites that he had 
discovered an offer on an underground computer discussion forum to sell 
information about a security flaw in Windows Vista for $50,000. Over the 
weekend a spokesman for Trend Micro said that the company had not 
obtained the information, and as a result could not confirm the 
authenticity of the offer.

Many computer security companies say that there is a lively underground 
market for information that would permit attackers to break in to 
systems via the Internet.

Copyright 2006 The New York Times Company

