How Microsoft Security Bulletin MS07-017 affected Windows Vista


Feliciano Intini (a senior security guy in Microsoft Italy) has posted an excellent analysis of the MS07-017 bulletin released today. Essentially, it’s a roll-up of graphics-related fixes.


Of the seven discrete fixes:



  • All seven affected Windows 2000.

  • Six affected Windows Server 2003 SP2.

  • Six affected Windows XP SP2.

  • Only three affected Windows Vista.

The link below gives a better overview of the bulletin.

http://blogs.technet.com/photos/pcfs-gallery/picture725076.aspx
Comments (15)

  1. I’m kinda (not) feeling sorry for all the security programs/fixes/patches/workarounds/etc. that banked on security inefficacies in previous versions of Windows.  I’m quite proud that Vista has stood up to the harsh criticisms, and has proven thus far that it is more secure.

  2. michael_HOWARD says:

    there’s a long way to go yet!!

  3. C Gomez says:

    Michael,

    Thanks for these updates.  I was wondering if you believe more of the security-related bugs found in Vista will be related to items actually coded many, many lifetimes ago, such as for Windows 2000 or XP.  It seems that the practices put in place at MSFT should really slow to a crawl the number of "new bugs" based on newer code.  I’m sure it is a huge job to pore over everything that’s ever been written.  As you say, a long way to go…

  4. SM says:

    Michael:  Can you respond to this article?  

    http://blogs.zdnet.com/Ou/?p=460

    Thx.

  5. michael_HOWARD says:

    SM, the big issue with DEP/NX is lots of stuff breaks when it runs in IE. For example, JVM, QuickTime etc., but we are trying to address this.

  6. michael_HOWARD says:

    C Gomez, there will certainly be bugs we’ve missed, and there will be bugs in new code. Of that, I have no doubt. However, when we look back two years from now, we’ll see a great deal of improvement.

  7. Related to this question of fewer vulnerabilities in Vista as compared to previous versions, and bug rates in legacy code vs. new Vista code, I’d like your take on Andy Ozment’s paper on a similar issue in OpenBSD.

    http://www.cl.cam.ac.uk/~jo262/papers/qop2005-ozment-security_growth_modeling.pdf

    I think it will be interesting over time to see the vuln rates for the Vista code vs. the legacy code and the introduced bug rate for the newly developed code.

    Do you think you’ll be in a position to release some of this kind of data in say a year, after we have a few more samples of bugs/vulns to discuss?

  8. no-longer a MS fan says:

    How about the fact that this has caused multiple computers, mine included, to load 3 files on boot then crash.  Seems to be overwriting a file on boot and corrupting it.

  9. Matthew Murphy says:

    I opined on Stephen Toulouse’s blog that the *number* of vulnerabilities affecting XP vs. Vista, for example, isn’t the real selling point for SDL.

    The selling point I see for Vista and the SDL process is the reduction in default attack surface.  With the Animated Cursor incident, our deployments had a problem: most of our users log on interactively to Windows as administrators (just like a staggering percentage of enterprise mobile users do), and so the protective guidance for any compromised XP laptop was "game over; reimage the box."

    We simply couldn’t take the chance that a kitchen sink full of malware had marched right onto the box through the front door, including enough stealthing wares to render an experienced admin oblivious to their presence.  You can’t just "clean up" a box in that condition of compromise.

    If more of our machines had been on Vista, we could have easily cleaned up the mess, even for those users who had some compatibility or other reason for running with admin rights.  The combination of UAC and IE’s Protected Mode would leave us with at least some assurance that the damage could be and had been contained.

    Now if only we could get a more aggressive "No Read Up" policy working on things like "My Documents" and most of "Application Data", so that we have some protection against a confidentiality compromise of the data on those endpoint machines. (nudge)

  10. michael_HOWARD says:

    to no-longer a MS fan,

    This is news to me – what files are loaded and which OS?

  11. michael_HOWARD says:

    Andy

    I have read Ozment’s paper. In fact, he and I debated in Rome last year at ISSE 2006! I agree with his final comments in the paper: "inconclusive".

  12. edward says:

    I have not tried vista but I heard that it is full of bugs.

  13. michael_HOWARD says:

    edward,

    >>I have not tried vista but I heard that it is full of bugs.

    if you heard it on the Internet, it must be true!

  14. Please include a similar summary table in all security bulletins. It’s a very concise way of presenting all the information that I usually need to get from the bulletin, and the color coded format really helps.

  15. michael_HOWARD says:

    Alexander, yeah, it’s a great asset. Actually, I just met the guy who creates the tables; he’s over from Italy. I’ll pass this info on to him, and to the MSRC folks here. Thanks!