14 DAY TRIAL // Cupertino-based security company Symantec has taken another swing at Windows Vista designe to bring into focus Microsoft's inaccurate Teredo documentation and other common vulnerabilities and exposures in the operating system. At the basis of Symantec's initiative are no less than nine new CVEs issued just last week under the CVE project. Symantec claims that all the CVEs have been requested by a third-party but that they are all based on its Windows Vista Network Attack Surface Analysis report published on March 7, 2007.
"We don't feel that most of the issues are especially significant. Microsoft reviewed the paper prior to its public release and Symantec would participate in any warranted responsible disclosure for vulnerabilities," stated Jim Hoagland, with the Symantec Security response.
Adopting a mild tone of voice, Hoagland revealed that just CVE-2007-1535 can be considered an important issue and even make it as a half decent vulnerability Symantec has focused intensively on, the new network protocol stack in Windows Vista claiming that the technology is immature and inherently vulnerable. "Teredo is an IPv6 transition technology that provides address assignment and host-to-host automatic tunneling for unicast IPv6 traffic when IPv6/IPv4 hosts are located behind one or multiple IPv4 network address translators (NATs)," according to a Microsoft description.
And CVE-2007-1535 focuses directly on Teredo. According to Symantec, the technology has a tendency to become active despite Microsoft's own documentation. "The described issue is that Teredo (an IPv4 to IPv6 transition technology that works through NATs) becomes qualified (active) even in situations where the Microsoft documentation says it should not be," Hoagland revealed.
According to Microsoft, the Teredo component is enabled in Windows Vista but also inactive by default. Symantec disputes this and revealed that Teredo automatically became active in several common scenarios.