My Take on Windows Vista Security “Vulnerabilities”

I love looking at and analyzing security bugs, but I also enjoy observing how people react to knowledge of security bugs. Over the last few weeks, I’ve seen a number of interesting articles about Windows Vista security that made me smile. So I thought I would paraphrase the articles and re-write them with an opposing and cynical view! Here goes.


If there was no new TCP/IP stack in Windows Vista.

In Windows Vista, Microsoft rewrote retained the entire TCP/IP networking stack that is built on the existing networking stack found in Windows NT 3.51, some of which dates to the original TCP/IP add-on for MS-DOS. While this is probably a good thing long-term, improvements have certainly been made to this code, the shaky security foundations of this code ensure because this is new code, we can continue to expect a host of new vulnerabilities as the code is tested.


If we had never done UAC

In Windows Vista, Microsoft has not done anything introduced User Account Control (UAC) that helps users recognize when they’re taking administrative actions on their system. Because of this, While this is a step in the right direction in fostering limited privileges, UAC doesn’t work because it raises too many prompts: users will just get used to clicking OK and malicious code will continue to be loaded on user’s systems.


A little more context about the Sticky Keys ‘vulnerability’ article

In Windows Vista, it’s possible for a user with administrator privileges to replace the executable for “Sticky Keys” sethc.exe with another file and call it at the logon screen when they’re at the system’s console. Vista’s Trusted Installer makes this more difficult, but you can get around this by running commands on the system as a user with administrator privileges and change the permissions on the file. However, Aa user with administrator privileges who is at the system’s console could also log on and could use this to add a new user to the system and add them to the local administrators group.


Perhaps I’m just getting old and grumpy!


Comments (16)

  1. Mark Burnett says:

    Hah, yeah I think we’re all getting a bit old and grumpy.

  2. malcomvetter says:


    I’m 100% supportive of this post!  Once being an anti-Microsoft bigot who fruitlessly participated in the OS "religious wars", I am impressed with the improvements Microsoft has made (but they need to keep up the improvement cycle– the next task should be more code simplification).  I realize this type of post is not the typical Microsoft response, but I think you owe it to the critics.  Well done.


  3. Peter Ritchie says:

    Yes, the old complain-about-whatever-Microsoft-does is getting old and tiresome.  It’s not productive.  Rather than these people simply complaining about things like UAC they should be offering what they think are solutions.

    I’m first in line to speak up about what I think Microsoft is doing wrong; but I bring along my opinion on how it should change.

    For those simply complaining: get used to being ignored.

  4. I don’t usually do this on weekends, but I found a lot going on in the past few days, so here’s a special

  5. I don’t usually do this on weekends, but I found a lot going on in the past few days, so here’s a special

  6. Paperino says:


    do you have pointers to the original articles?

  7. Arthur Strutzenberg says:

    OK people complain about UAC (me included) but here are some pearls I learned from other security gurus, professors etc:

    The general "best practice" for operating any PC is to run as a normal user.  If you need to make a change to the box, you ask for the OS to elevate your permission level, and once done you release this level to run back in normal user mode.  

    That being said, What is the difference between UAC under Vista and sudo under ‘nix?  

    Along this same line, something else I do for convenience depending on configuration under ‘nix is to have a shortcut to an administrative console–running the command line as an administrator, for those times when I need to keep admin level privleges–I’ve found that I do something similar on my vista boxes–I have a shortcut to the console, which I interface via the context menu’s "run as Administrator"?

  8. C Gomez says:

    Whatever MSFT does, some will complain it is the wrong thing.

    What’s more annoying is that with every new operating system, we are told to wait a year or more to upgrade.  If we followed the advice of the major PC magazines, we’d be running DOS 6.0.

    UAC is not a panacea.  It really does little good when most uneducated users will click on Yes because they know and learn clicking No means nothing will happen.  They’d rather something happens, so they’ll allow the malware to install.

    But there are many of us out there who WILl raise an eyebrow when an unexpected administrative privilege was being asked for.  It’s like when a software firewall suddenly shouts at you about some process you’ve never seen… ever… asking about some port you know you don’t care about.  You can’t help but say "What the heck is on my system?"

  9. Mihai says:

    A lot more fine-tunning is definitely needed.

    Just go and create a folder called "Blah" under "Program Files."

    I agree that a warning message is needed, but you get exactly 4! Please don’t tell me this is ok!

  10. paperino, this isn’t meant to call out one specific story or report, but more to reflect a tone that we see in some stories on Vista security.  

  11. Mihai, this is on the radar for fixing 🙂

  12. Corrine says:

    I really get tired of the headline grabbing and have "complained" about it several times recently.  I am beginning to think that some journalists get paid per view.  Thus, by including Vista or IE7 in the headline, they get more attention.

    Recent complaints:  

  13. Nathalie Oldenburg says:

    @Peter Ritchie:

    "It’s not productive.  Rather than these people simply complaining about things like UAC they should be offering what they think are solutions."

    Peter, that is another world. It’s called Linux, where people CAN offer solutions to be taken honest, and CAN make things better.


  14. gary says:

    A lot of it from a company with a fairly limited product line that claims the title of a "security company" while a defect in one of their *security* mainline products is responsible for fairly significant worm spread:

    And typing Symantec into the vendor field at the Securityfocus site just proves its easier to throw rocks than to build houses:

    And the sticky keys "discovery" is just plain ludicrous.

  15. Nathalie, so how do you rate Linux security, and what metric are you using? I’m just curious.