Microsoft will get criticized either way

Mar 17, 2007 12:52 GMT

A considerable amount of "ink" has been spilled over the vulnerabilities and security of Windows Vista. The new technologies and features integrated into Windows Vista to enhance the overall security level of the operating system have been targeted with criticism. Symantec and McAfee have raised a variety of issues but, according to Microsoft security guru Michael Howard, three of them stand out, just because they made him smile.

On his personal blog, Howard downplayed the implications of the issues underlined by both Symantec and McAfee. He addressed the revamped protocol stack in Windows Vista, which Symantec has labeled an immature technology and a security liability. Howard offered an alternative take on the issue: the criticism he would expect had Microsoft not implemented a new TCP/IP stack in Windows Vista.

"In Windows Vista, Microsoft retained the TCP/IP networking stack that is built on the existing networking stack found in Windows NT 3.51, some of which dates to the original TCP/IP add-on for MS-DOS. While improvements have certainly been made to this code, the shaky security foundations of this code ensure that we can continue to expect a host of new vulnerabilities," Howard wrote.

Additionally, if Microsoft had not introduced User Account Control in Windows Vista, Howard believes that it would have been a reason for criticism. "In Windows Vista, Microsoft has not done anything that helps users recognize when they're taking administrative actions on their system. Because of this, malicious code will continue to be loaded on users' systems."

Howard also took on the so-called Sticky Keys vulnerability revealed by McAfee, which falls in the joke category together with the Speech recognition flaw. Successful exploitation of this vulnerability requires that a user with administrative privileges replace the Sticky Keys executable, sethc.exe, with a malicious file, which is a far-fetched scenario, to say the least.