Microsoft Pulls Vista RC2 Public Download

CNET says RC2 still isn't ready and that we need another interim build. My big concern is security. In Microsoft's recent Patch Tuesday (which set a new record for vulnerabilities), two of the vulnerabilities were in XML handling in Windows Vista. That means we're getting security vulnerabilities and patches in an OS that's not even released yet. I get a bad feeling in my stomach when I think about where Vista will be three years from now when it comes to security. Thankfully, analysts say only 35% Vista adoption by 2008, but that's still a lot of vulnerable people running new, untested, version 1.0 Microsoft APIs.

Preseton October 12, 2006 (Article Rating: )

First off, it would appear that most people knew it was a limited download, so it wasn't a surprise when it got pulled.
Secondly Preseton/Bonch: "running new, untested, version 1.0 Microsoft APIs"
At last you agree there's new stuff in Vista! Does this mean you won't be saying how it's just an expensive upgrade anymore? Or will that be your next post?

Benn21uk October 12, 2006 (Article Rating: )

"My big concern is security."

No it's not. Your concern is trying to post any drivel that makes Windows look bad. Your posts are too biased to suggest you have other intentions.

Any IT admin that can't disable write access on every Windows PC and redirect all file-writes to server folders in less than 20 minutes has no business managing PCs. Add any proxy server capable of enforcing ACLs and it becomes virtually impossible to have security problems. Once that configuration is in place you could have a whole network of un-patched machines and no way of compromising them. Still, there should always be a WSUS server, email scanning, and virus detection on the file server for perimeter defense, but that’s precautionary. You can get everything you need (sans virus scanning, which can be had for free) out-of-the-box with SBS 2003 R2 Premium.

Unfortunately, modern "friendly" operating systems have a way of taking novice users (who look brilliant in comparison to even more clueless peers) and turning them into IT admins. "Joe knows how to open Regedit, he *must* be smart enough to run our entire business infrastructure!" The perfect example was a certain news network who had broadcast issues due to not applying a patch that was available for *months*.

As for home users, Vista's UAP and other defenses should take care of the rest. More than likely, there will be hundreds of vulnerabilities discovered over the life of the OS. If the OS is fundamentally secure, than holes, in and of themselves, are harmless. They *need* to be fixed in a timely manner, but there will be no cause for alarm. The largest problem will be social-engineering attacks that instruct users to turn off security precautions. In this regard, the home version of Vista should have made it physically impossible to disable these protections. They should have required Vista Business or better for those prone to tweaking or disabling services. That's my only quibble.

Christopher October 12, 2006 (Article Rating: )

"Any IT admin that can't disable write access on every Windows PC and redirect all file-writes to server folders in less than 20 minutes has no business managing PCs. Add any proxy server capable of enforcing ACLs and it becomes virtually impossible to have security problems. "

Yeah. Virtually impossible, yet oh-so-prevalent.

"Unfortunately, modern "friendly" operating systems have a way of taking novice users (who look brilliant in comparison to even more clueless peers) and turning them into IT admins."

Yes, we call that "MCSA Certification".

(Relax. It's a joke.)

lotsamystuff October 12, 2006 (Article Rating: )

@Benn21uk:

"At last you agree there's new stuff in Vista! Does this mean you won't be saying how it's just an expensive upgrade anymore? Or will that be your next post?"

Yes, there are new APIs in Vista, like Avalon and the new network stack. And none of that makes $400 any less expensive.

@Christopher:

"No it's not. Your concern is trying to post any drivel that makes Windows look bad. Your posts are too biased to suggest you have other intentions."

Excuse me? How am I biased by being concerned about security?

"Add any proxy server capable of enforcing ACLs and it becomes virtually impossible to have security problems."

Excuse me, but nothing is impossible in the security world, and if it was so easy to secure Windows, we wouldn't have had so many problems for the last six years. "Trusted Computing" was a failure. You can put your head in the sand if you'd like, but the rest of us will keep just as strong an eye on Vista as we do XP. Even with UAC, Vista isn't intrinsically invulnerable to attack. Finding points of entry in Microsoft software has become so profitable that there's a lucrative black market business around the practice.

"Unfortunately, modern "friendly" operating systems have a way of taking novice users (who look brilliant in comparison to even more clueless peers) and turning them into IT admins."

And other modern operating systems are built on UNIX, which grew up in a multi-user, networked environment. XP and Vista are still relying on Win32, an API that dates back to the single-user DOS days. Windows is overdue for a rewrite, and it sucks that we have to wait for Vienna for Microsoft to do it (that's assuming Vienna ever sees the light of day).

The fact remains that security experts and academia tends to swing toward non-Windows systems for a reason. UNIX/Linux powers the Internet, and 45% of computers purchased at Princeton are now Macs (http://www.dailyprincetonian.com/archives/2006/10/12/arts/16162.shtml).

Preseton October 12, 2006 (Article Rating: )

"The fact remains that security experts and academia tends to swing toward non-Windows systems for a reason. UNIX/Linux powers the Internet, and 45% of computers purchased at Princeton are now Macs (http://www.dailyprincetonian.com/archives/2006/10/12/arts/16162.shtml).

"

I would imagine there using linux because it is free and works well for their needs. The reason Princeton students are purchasing macs is because they are relatively safe from malware and viruses. I bet the student demographic groups are one of the strongest surfers of malicious web sites because of pirating.

anonymous October 12, 2006 (Article Rating: )

There are probably millions of lines of code in Windows. It's been developed over a long time and while there's a lot of stuff in it that needed hardening, it's likely that the work they're doing is going to make it the most secure OS for the number of users that use it.

While *nix has a better base most programmers are not security experts and so all that code out there can be compromised if it's written poorly.

And while Vista may not be ready (I'm of the personal opinion it could use a little more time in the oven), it will probably be fine by Q3 2007. Microsoft probably won't even slow down development of Vista significantly until late next year. Vista's release now while prudent financially and ultimately fine for both businesses and consumers is premature. But honestly Vista isn't going to be any worse than XP in terms of security.

orion.adrian@gmail.com October 12, 2006 (Article Rating: )

@orion:

I'm sure most departments will be waiting for SP1 before considering Vista, if they're even thinking of leaving 2000 or XP at all. Given the new changes that Microsoft has hammered onto the old Win32 codebase, there are a lot of potential points of entry for hackers to exploit the system.

There's already a report that PatchGuard is expected to be cracked and publicly revealed within the year. That means direct kernel access for malicious code.

Preseton October 12, 2006 (Article Rating: )

I agree with Orion that Vista could use a little more time. I think if they waited until January before RTM then they could have something that was pretty much rock solid in terms of stability, unlike the rather dodgy experience a lot of people seem to be having now (something in RC2 makes it less stable on my PC than RC1).

On the other hand, when they do release it, I believe it won't be security that stops corporations from adopting it quickly, but application compatibility. The evidence for this lies with those who still aren't on XP SP2, they need their applications to continue to run. Even though MS do apparently try everything to remain compatible with apps, they can't check everything and stuff does break. With Vista, this is going to be even worse as apps are prevented from writing to places they previously could, or editing registry entries as if they owned them. As much as MS have worked on making this a non-existent problem, it will still be an issue.

And Preseton, can you please try and be consistent in your paragraphs? Windows is due a rewrite because Win32 dates back to DOS, yet Unix (with even older APIs) isn't? And I'd be willing to bet that the report on PatchGuard came from Symantec. And I'd also suspect that the changes "hammered onto the old Win32 codebase" are there to *reduce* the number of potential points of entry for hackers.

Benn21uk October 13, 2006 (Article Rating: )

"But honestly Vista isn't going to be any worse than XP in terms of security."

Maybe that should be Microsoft's marketing slogan for Vista: "Honest...It's no worse than XP!"

Yeah. That'll work! ;-)

lotsamystuff October 13, 2006 (Article Rating: )