Vista security not ‘broken’
The researchers who discovered a fundamental flaw in Vista’s security set-up have spoken out to clarify that “the sky is not falling”. And they’ve pointed out that XP is actually less secure.
As many tech writers, including myself, reported last week, Alexander Sotirov and Mark Dowd gave a presentation at the Black Hat security conference in Las Vegas in which they revealed that some expected security features were absent from Vista’s memory protection system. Memory protection is the way the operating system allocates memory to different programs so that no single program can hog all of it; it also prevents rogue applications from accessing the entire system.
I wrote that “it’s not something that can be fixed with a patch, because it’s an underlying problem in Vista itself.” Having read Sotirov’s comments, I’d like to clarify that it’s not yet clear exactly how much of a solution Microsoft can offer. At a guess, it will be a case of limiting (or even eliminating) the ways people can exploit the flaw, rather than ‘fixing’ the flaw itself.
However, some tech writers went much further and portrayed Vista’s entire security as worthless, with some even claiming it was a reason to stick to XP.
Sotirov has now spoken out to clarify some of the points he made:
- As we reported, the problem isn’t a security issue purely in itself; it merely means hackers exploiting a separate vulnerability will be able to do more damage.
- Updates to Flash and Java, which were particularly vulnerable to this flaw (as they don’t have a common back-up security measure), “will contain specific measures that limit the impact of the techniques”.
- Sotirov and Dowd have spoken directly to Microsoft about the problem and expect the firm to work on limiting the potential damage.
- Vista is still more secure than XP: the flaw allows hackers to bypass security measures in Vista which don’t even exist in XP.
- Browsers will likely always be the most common targets for hackers, particularly now that it’s often impractical for businesses to block web access for employees on their network.
August 14th, 2008
For a while there, I was really concerned that Vista was an insecure piece of cr*p.
I am mightily relieved to hear that it’s actually a secure piece of cr*p.