Vista security discovered to be even more useless

[Jason]

Another gaping hole presented by Microsoft

I think a more appropriate title would be to take "security" out of it and you get the jest of my love for Vista...

AT THIS WEEK'S Black Hat security conference, two security researchers will discuss their findings which could completely open Windows Vista to hackers.

Mark Dowd of IBM Internet Security Systems and Alexander Sotirov, of Vmware Inc. have together discovered a hack that can be used to bypass all memory protection safeguards that Microsoft programmed into the much-maligned Windows Vista.

The methods employed have enabled the researchers to bypass Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by simply loading malware through a standard web browser.

Dowd and Sotrirov were able to load any content they desired anyway on a user's machine using a variety of scripting languages, including ActiveX, Java, and .NET objects.

From a distance these seem like the usual standard exploiting of bsic-security, however other researchers have confirmed that this exploits is a major breakthrough - and there is very little that Microsoft can do to fix the problems.

Apparently, these attacks work differently than the majority of other hacks, as they take full-advantage of the way Microsoft chose to secure Vista's fundamental architecture.

Other researchers have since commented that they believe that we may see similar techniques applied to other operating systems, including previous version of Windows.

Microsoft has yet to officially respond to the findings, Mike Reavey, group manager of the Microsoft Security Response Center, said the company is aware of the research and is interested to see the results once they have been made public.

More over at Neowin.net.

Source: The Inq

[WiCKeD]

Not much help in using Firefox either if the exploits are available via Java.

[justinsn95]

My only question is why (oh why) did they even bother to make a new OS, which has no noticeable improvements? I mean how long do they really plan on keeping NTFS? Jeebus.

[MrObvious]

The problem actually isn't Microsoft here but rather the makers of things like Adobe Flash, Firefox, etc. Fourtinately Firefox 3.0.1 has DEP turned on and ASLR turned on by default I believe. Vista x64 has these enabled mostly moreso so I think it is safer. You can check in the advanced area of IE7 settings in Vista if you have x64 to check.

[Anaema]

Mass hilarity.

[digitaldd]

I don't think there are any apps out yet that actually support DEP in full. if you change the boot.ini setting from optin to AlwaysOn you'll find your system to pop up with tons of DEP errors.

[Camride]

Quote:

Originally Posted by digitaldd

I don't think there are any apps out yet that actually support DEP in full. if you change the boot.ini setting from optin to AlwaysOn you'll find your system to pop up with tons of DEP errors.

Yep. I know for a while I was getting them pretty consistently with Object Dock. It'd randomly lock up and say DEP had to shut it down. The new version doesn't have that issue anymore thankfully.

[Sakesaru]

While you can blame Java for having the hole in the first place - you have to blame Microsoft for making it possible for executables to so easily bypass these security features so easily.

[Th3_uN1Qu3]

Quote:

Originally Posted by Sakesaru

While you can blame Java for having the hole in the first place - you have to blame Microsoft for making it possible for executables to so easily bypass these security features so easily.

No. You have to blame Microsoft for focusing on a ****ty security system that does nothing but annoy, instead of working harder to make it more useful for the average person. At least make it remember the folder view settings, **** it. And the long list of all those sorting options make it difficult to locate what you actually need. Why didn't they pop a search box in there as well?

There are some stupid Explorer bugs that are still there with SP1. And the only thing that all the protection BS does is annoy the user, for example, i need to modify some stuff in SysWow64 for compatibility. I have to deal with a million permissions to do that (and eventually got and patched the games themselves instead of patching Vista), while virus writers have found the way in long ago.

Does forcing the user to set a million permissions make the system more secure? No. Because eventually the user will find out how to set them, and will do his job (or **** up the system), just that it'll take a lot longer. But for a virus it only takes one second longer to do that, as there are a lot of command line tools in Vista that can be exploited.

If you didn't know, Unix/Linux isn't the only system with a powerful command line interface, just because you don't usually need to use it in Windows it doesn't mean it doesn't exist. I'm a heavy CLI user yet i still have a lot to learn about XP and Vista's command line utils, there's a lot of them. But virus writers already know them.

[Maniac]

it's possible to fix the "remember folder view setting" issue:
http://www.vistax64.com/tutorials/70...-settings.html

[Librarian]

Microsoft makes a "new" OS, and people are gullible enough to think that it's better or "reinvented". I honestly think they never cared about security, they say it's better, but as long as the money is coming in why should they care? We all know what kind of a company Microsoft is. What's amazing is that they have the gaul to work on another "new" OS while their "latest and greatest" one is a bunch of ****.

[justinsn95]

The problem i am having with vista right now is it keeps dropping my internet connection. Yes, i am sure it is the OS itself as i have several other computers running off of the same connection and only one of them has vista and it is the only one that ever does this. I will be just browsing along the web, and then i go to click a new link or go to a new page and it asks me if i would like to connect to the internet. . I can't do anything else until i fool it into realizing it is connected again, which usually ends up in a reboot. Stupid freaking vista.

[SSPrncVegeta]

Quote:

Originally Posted by Maniac

it's possible to fix the "remember folder view setting" issue:
http://www.vistax64.com/tutorials/70...-settings.html

Confirmed. I've used that guide and haven't had the settings revert to default settings.

[Maniac]

Quote:

Originally Posted by SSPrncVegeta

Confirmed. I've used that guide and haven't had the settings revert to default settings.

there are lots of fixes for Vista problems/annoyances, it's genius that the end user has to fix them for Microsoft.

After the fixes Vista is quite a usable OS, it just takes way to much setup to get it to the point of a usable OS.

[SSPrncVegeta]

Quote:

Originally Posted by Maniac

there are lots of fixes for Vista problems/annoyances, it's genius that the end user has to fix them for Microsoft.

After the fixes Vista is quite a usable OS, it just takes way to much setup to get it to the point of a usable OS.

Besides getting drivers and software like any other OS install, disabling UAC (or running in super elite awesome Administrator mode) and correcting the folder setting bug is all there is to it.

[Mindwarp]

Quote:

Originally Posted by Maniac

there are lots of fixes for Vista problems/annoyances, it's genius that the end user has to fix them for Microsoft.

After the fixes Vista is quite a usable OS, it just takes way to much setup to get it to the point of a usable OS.

I've been running Vista since RC1. Drivers were an issue in the early days, not anymore. Security warnings very rarely popup anymore. It's one of those "the more you use it, the more it knows" type deals. Hardware shouldn't be an issue for anyone here as we typically run the latest gear, but I'm always amazed that the same people (this isn't pointed at anyone in particular here) who will buy new hardware just to get Crysis above 10fps are the same poeple who complain that Vista runs crappy on old hardware.
When Vista retail hit the market, I bought it, installed it and haven't looked back. It just works right out of the box. The only BSOD's I ever got were because of excessive oc's or crappy ram.

[SSPrncVegeta]

Quote:

Originally Posted by Mindwarp

When Vista retail hit the market, I bought it, installed it and haven't looked back. It just works right out of the box. The only BSOD's I ever got were because of excessive oc's or crappy ram.

Ditto. I've had the same exact install I've had since January 30th, 2007, and with updates and maintenance it's running better than then. I was never able to get an XP install to last this long.

[Mindwarp]

Quote:

Originally Posted by SSPrncVegeta

I was never able to get an XP install to last this long.

You know, that's a much neglected point but a very important one. With XP I had a BartPE slipstreamed disk that I needed regularly to get XP back up, not so with Vista.

[Maniac]

Quote:

Originally Posted by SSPrncVegeta

Besides getting drivers and software like any other OS install, disabling UAC (or running in super elite awesome Administrator mode) and correcting the folder setting bug is all there is to it.

not quite, you have to make all the same tweaks to Vista that you have to make to XP to make it function like Windows 2000 (IE all the folder options - showing hidden files, showing filename extensions, setting default view to detail view, turn off simple folder navigation, turn off simple file sharing/sharing wizard. Fixing the control panel default view back to classic. Fixing the start menu to classic if you hate the both the XP and Vista ones like me).

Then there's lowering shadow storage size, turning off Windows Search/Indexing service, dragging the folders/favorites divider up to the top in Windows Explorer so you can actually see the folders.

After that a lot of the tweaking is done, although rather than being bugs a lot of what I just listed is personal preference.

[Mindwarp]

Quote:

Originally Posted by Maniac

not quite, you have to make all the same tweaks to Vista that you have to make to XP to make it function like Windows 2000 (IE all the folder options - showing hidden files, showing filename extensions, setting default view to detail view, turn off simple folder navigation, turn off simple file sharing/sharing wizard. Fixing the control panel default view back to classic. Fixing the start menu to classic if you hate the both the XP and Vista ones like me).

Then there's lowering shadow storage size, turning off Windows Search/Indexing service, dragging the folders/favorites divider up to the top in Windows Explorer so you can actually see the folders.

After that a lot of the tweaking is done, although rather than being bugs a lot of what I just listed is personal preference.

Then why don't you just use Win 2000? Seriously, why are you using Vista if an older os is fine for you?