Some questions to ask yourself when assessing reported security breaches in Windows Vista


Almost anyone who has been in the security industry for a while is familiar with the term ‘security theater’: security that is about show rather than substance.

Since I became the Product Manager for Windows Vista security I have noted that the same concept increasingly applies to the world of vulnerability disclosure. Let’s call this ‘vulnerability theater’.

Vulnerability theater is where an individual or group reports a vulnerability that is, to be polite, over-blown. This is not a brand new phenomenon, but it certainly seems more common since the release of Windows Vista! Perhaps it is a desire on the part of the person making the disclosure to be among the first to find or report a flaw in a new OS, but in some instances the lengths an individual will go to in order to claim a vulnerability strain believability.

Hypothetical example: someone might report a ‘stunning, world shattering’ Windows Vista vulnerability that allows an application to ‘steal all the user’s data’. However, when we dig past the shock and horror and into the actual facts behind the report, we discover that this earth-shattering attack requires that the attacker have both physical access to the PC and administrator rights on it. Well, hang on a second: if you have physical access and admin rights to the PC you already have full control of the box. It’s 0wned!

That’s not a vulnerability. That’s ‘vulnerability theater’.

So – how do we differentiate between the real and the less substantial?

Here’s a checklist of questions/observations one should consider:

1)      If the vulnerability requires Administrator credentials to execute, carefully consider whether it is really a vulnerability. Admins 0wn the box; that is the nature of the Administrator account. User Account Control in Windows Vista means that far fewer people should have to run as Administrator, or indeed have admin credentials at all. Ask yourself how the supposed exploit obtained admin rights. If the assumption is that the user already has them and then enters them inappropriately, it is most likely not a vulnerability; it is a user completing or executing an action.


2)      If you provide admin credentials to an application, understand that it 0wns the box! That means it can download and install other software, disable protections, export data and generally tamper with anything, including a Standard User’s environment. If the attack is a multi-stage attack that requires admin credentials at some point, see point 1 above! Many of the supposed vulnerabilities we see are a variant of this point, which is really a form of social engineering (tricking the user into completing an action) rather than an operating system level vulnerability.


3)      If the vulnerability requires that a user ignore numerous warnings and carry on regardless, then the OS is doing what it is told to do! Let’s be reasonable: if a user is warned by Outlook that an email looks like spam but clicks the link anyway, is then warned by IE that the website looks suspicious but continues to navigate to it anyway, and then ignores the Windows Defender warning that the mortgage calculator they just downloaded is spyware, then, frankly, the OS is doing what the user intends it to do!


4)      Is the vulnerability addressed by an existing application setting or security policy? This is an important question to ask. Security is about making choices. Make the default policy too restrictive and users will have to interact with the software more to do what they want. Conversely, focus on ease of use by making the default settings less stringent and you increase the chance that a system can be attacked. I truly think that Microsoft has developed the right balance and made the right decisions when evaluating the tradeoffs between usability and security for the default Windows Vista experience; but what is typically overlooked is that many of the security technologies have numerous options that allow a user (or Administrator!) to make their own judgment about their need for security balanced against usability. A report that only reproduces with one of those options set to a weaker-than-default value is a finding about that configuration, not about the platform. For examples, take a look at the Windows Vista Security Guide at .


5)      Theory and practice! Another important point to consider is the real world applicability of a vulnerability. Hypothetical observation: is a key-storage mechanism that theoretically takes 1,000 billion years to crack more ‘vulnerable’ than one that theoretically takes 10,000 billion years? Yes it is, but would most companies or individuals really care?
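Points 1 and 4 both come down to a question you can answer on the machine where a report was reproduced: did the "exploit" start from an already-elevated administrator token, and is the User Account Control policy still at its defaults, or has a setting been weakened so that the consent prompt the report claims to "bypass" was never going to appear? The following PowerShell script is an added example written for this post, not code from the original article or from Microsoft. It reads the UAC policy values under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key, compares them with the Windows Vista default values assumed here (EnableLUA=1, ConsentPromptBehaviorAdmin=2, ConsentPromptBehaviorUser=1, PromptOnSecureDesktop=1, EnableInstallerDetection=1), and reports whether the current token is already an elevated administrator. The expected values and the function names are assumptions for this example; run it in a PowerShell 2.0 or later session on the box under test.

```powershell
# Added example (not from the original post): a triage helper for checklist
# points 1 and 4. Reads the UAC policy values and compares them with the
# Windows Vista defaults assumed below, then reports whether the current
# session is already an elevated administrator.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed Vista-default UAC values, and what a weaker value means for triage.
$expected = @{
    EnableLUA                  = 1   # 0 = UAC off: any "needs admin" report is moot, admin is admin
    ConsentPromptBehaviorAdmin = 2   # 0 = silent elevation: there is no consent dialog to "bypass"
    ConsentPromptBehaviorUser  = 1   # 0 = standard users are denied elevation outright
    PromptOnSecureDesktop      = 1   # 0 = prompt on the normal desktop, where other apps can draw over it
    EnableInstallerDetection   = 1   # 0 = setup programs are not detected and prompted for elevation
}

function Get-UacPosture {
    # Returns one object per setting: actual value, assumed default, and whether it differs.
    $actual = Get-ItemProperty -Path $policyKey -ErrorAction Stop
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) { $value = '(not set)' }
        New-Object PSObject -Property @{
            Setting  = $name
            Actual   = $value
            Expected = $expected[$name]
            Weakened = ($value -ne $expected[$name])
        }
    }
}

function Test-ElevatedAdmin {
    # True when the current process token holds the Administrators group (i.e. it is elevated).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$posture = Get-UacPosture
$posture | Format-Table Setting, Actual, Expected, Weakened -AutoSize

if (Test-ElevatedAdmin) {
    Write-Host 'Current token is an elevated administrator: anything run from this session already 0wns the box (checklist point 1).'
} else {
    Write-Host 'Current token is not elevated: an attack that succeeds from here without a consent prompt deserves a closer look.'
}

$weak = $posture | Where-Object { $_.Weakened }
if ($weak) {
    Write-Host 'Non-default UAC settings found; a report reproduced on this machine may depend on them rather than on a flaw (checklist point 4):'
    $weak | ForEach-Object { Write-Host ("  {0} = {1} (assumed default {2})" -f $_.Setting, $_.Actual, $_.Expected) }
} else {
    Write-Host 'UAC policy matches the assumed defaults.'
}
```

If the script reports an elevated token, the report's "steal all the user's data" step was performed by an administrator and point 1 applies. If it reports a weakened setting such as ConsentPromptBehaviorAdmin=0, the missing prompt is a configuration the reporter chose, and point 4 applies; the interesting reports are the ones that succeed with the defaults intact and from a non-elevated token.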


Security is vitally important and I can assure you that everyone at Microsoft takes it very seriously. This post isn’t meant to make light of how we react to and address potential security vulnerabilities in any Microsoft product; we take every potential threat seriously and investigate each report the same way. Rather, what I really wanted to highlight is that not all reported vulnerabilities are equal, that we should look past the headlines and into the detail, and that sometimes, to borrow a common saying, the bark is worse than the bite.

Of course vulnerabilities do exist; none of the security features in Windows Vista, individually or collectively, is intended as a “Silver Bullet” for the problem of computer security. Instead, a defense in depth approach makes Windows Vista far more difficult to attack than any previous version of Windows, and therefore more secure.

It’s also important to remember that Microsoft has an unparalleled worldwide security response process, operated through the Microsoft Security Response Center (MSRC), that responds quickly to security threats and provides customers with the information, guidance, and mitigation tools and measures they need.

So, yes: while there are real threats to computer security, I hope I have shown that there are also threats that get a tad over-blown. Please consider the five points above the next time you see a ‘shock-horror’ headline :-)

Russ Humphries


Comments (6)

  1. Still not impressed says:

    How would you rate MS07-17 on your little checklist?

    Those of us who have to work our butts off every month (month after month) patching (and rebooting) Windows boxes are not impressed with all the rhetoric from Microsoft on the subject of security especially when we continue to see buffer overflow-based bugs.

  2. Read the checklist of questions/observations one should consider at

  3. Chris Quirke says:

    On (4); sometimes different overlapping systems *are* the vulnerability.

    For example, XP Pro will not expose hidden admin shares via networking F&PS if the user account password is null, but will if the password is not null.  So far, so good; users wouldn’t have a password unless they wanted one, so presumably they will use a strong password, right?

    Seemingly unrelated; Scheduled Tasks will not run unless the user password is not null (XP SP1 or was it SP2 added the option to "run only when logged on", which works with null password).

    So in order to run Tasks, the user who doesn’t want to bother with passwords has to have one. So they choose something "easy" like "ABC", set TweakUI to bypass on login, ensure the screensaver doesn’t return via the Welcome screen, and forget about it.

    Except now they’re waving full write access to everything via F&PS, inviting StartUp drop-ins, etc.

    Testing needs to explore all permitted options; non-default paths, multiple HD volumes, the works… else some settings can undermine others.

  4. Peter says:

    Hi everyone!  I’d bought Vista on day one and I, like many others, was disappointed by its lack of compatibility and security issues!  When I ran Windows XP I used the typical spyware, malware, and phishing applications but none of them worked too well on Vista for me.

    I spent some time looking through the internet until I was told about Blink Personal Edition, from the guys over at eEye Digital Security.  I purchased it and downloaded it and was pleasantly surprised to say the least.  This application really protects all of my personal data in a way the other popular applications don’t.

    Thankfully all the computers on my home network are now free from zero-day attacks, viruses, and identity theft (I used to think it was a minor threat until I read this, which was something I feared more than anything prior to becoming a Blink Personal user).  If any of you are having security issues, not just with Vista but any version of Windows, I would recommend you check out Blink Personal over at eEye Digital Security’s website!  You guys will be happy with its price and protection!

  5. teyamani says:

    i hate this website!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  6. Mac on media says:

    This author has no idea what he is talking about. Go back to jr high pong programming and learn something. Another reason I hate this site.
