by Playfuls Staff | 26th July 2006

It seems that the war that started in May over the “misuse” of intellectual property by Microsoft has prompted the security company Symantec to fire a few shots at the upcoming OS, Vista.
This time, the company pointed to some holes in the user account control and privilege escalation features. This report is the second in a series of three that Symantec plans to publish about Vista’s security flaws.
Symantec first published a missive about the bugs in the next-generation OS in mid-July, stating that networking is one of the weak points. Now, the report implies that what Microsoft calls advanced security features could actually serve as loopholes, the next cadaver to be scavenged by worms, viruses and hoaxes.
In particular, Symantec details a handful of holes that affect Vista’s UAP (User Account Protection) feature. The UAP is designed to help companies reduce the impact of a virus infection by preventing malicious code from escalating its privileges on infected machines in order to further propagate itself or inflict other damage on affected computers.
Symantec insists that the UAP, also known as LUA (Least-Privilege User Accounts or Limited User Accounts), is a weak spot in Windows Vista: several implementation flaws let outside attackers circumvent it, making it possible for someone to elevate their access privileges on a computer and take over a desktop running the OS.
Security has been a main concern for engineers and programmers at Redmond, and the implementation of new features in this area is key to the future success of Vista. But Symantec warns that the very tools that Microsoft has developed are susceptible to attacks.
A new feature in Vista known as mandatory integrity control, which is also designed to help confine privilege escalation capabilities, could also be exploited to take control over an infected machine.
Despite the addition of these tools, the security company contends that attackers could still conceivably bypass the system to escalate their ability to attack computers.
The once-ally and now-rival of Microsoft says the flaw could allow an ActiveX control to plant a file that would essentially bypass Microsoft's security levels feature, meaning that even an "unprivileged" user could have his or her account taken over to do harm to the system.
Symantec's researchers also said that the task of completely rewriting Windows' sprawling code base without introducing any loopholes may be too much to expect from any vendor.
Microsoft, which pledged to deliver Vista sometime next year (it was initially scheduled for January 2007, but since Office 2007 was also scheduled for January 2007 and it has already been delayed…), has replied to the new reports filed by Symantec that the critical vulnerabilities flagged by the security company are not to be found in the final version of Vista.
Throughout its development of Vista, the software giant has applied a new process known as its SDL (Security Development Lifecycle), which requires that all of the operating system's code be scoured for potential problems before being added to the product.
Through SDL and "fundamental architectural changes" that will help make customers more secure from evolving threats, including worms, viruses and malware, Microsoft says that it has effectively minimized Vista's "attack surface area."
The ultimate purpose of these security updates at the Redmond giant is to deliver a release version of Windows Vista that could help companies and organizations secure and better isolate their networks.
"We continue to make improvements to the operating system based on this feedback," company spokespeople said in response to Symantec's research efforts.
"Highlighting issues in early builds of Windows Vista does not accurately represent the quality and depth of the features."
"The network stack in Windows Vista was rewritten from the ground up. In deciding to rewrite the stack, Microsoft has removed a large body of tried and tested code and replaced it," Symantec wrote, noting that it found vulnerabilities in the Windows Vista networking software. Symantec's report can be found at this Web site.
"Despite the claims of Microsoft developers, the Windows Vista network stack as it exists today is less stable than the earlier Windows XP stack," Symantec said after examining a beta release of the software.
"You get beaten up if you modify the old code; you get beaten up if you write new code," said Russ Cooper, a senior information security analyst at Cybertrust Inc. "The historic complaint against Microsoft has been that their code is bloated with all this legacy stuff. Rewrite it and now, 'this is too new; this is untested.'"
"Vista is really the first release of the operating system to go through our Security Development Lifecycle from beginning to end," said Ben Fathi, corporate vice president of Microsoft's Security Technology Unit. "That's fundamentally a different way of looking at building security into the platform."
Symantec filed a complaint in May against Redmond-based Microsoft over misuse of intellectual property. Apparently the latter included in some of its products (including the long-expected Vista OS) a storage technology that came under Symantec's patents with its acquisition of Veritas Inc. Under an agreement signed in 1996, Microsoft was allowed to use the technology, but not to develop products that compete with it. Microsoft, on the other hand, claims that the integration is totally legal and even that “the [1996] contract ultimately gave Microsoft the option to buy out the rights to Veritas' code and intellectual property”.