Microsoft released five critical patches on Tuesday as part of its latest Patch Tuesday update. The release also included three bulletins over security flaws rated by Redmond as "important". The worst of the quintet is a flaw in ActiveX. This update also includes a kill bit for the Yahoo! Music Jukebox product, the topic of a …
Vista Advanced Security...
So many reviews on vista will always fall back to the OS' enhanced security and conclude that, if indeed there is ANY reason to move on to using vista, it would be to take advantage of this enhanced and much better security than XP can provide.
'Vista is as affected by these critical bugs as XP.'
Well I think that one line quoted from the article says it al really.
Who needs such great security?
i particularly liked...
...the update to ensure future updates install properly. Very useful description :)
Not sure why these updates weren't included in SP1 really (well i understand that one not being, as its one of the pre-sp1 fixes), It's not officially been pushed out yet, so i didn't expect to get all of these.
The OS is secure. The apps are Swiss cheese.
Reminds me of that pwn2own contest last week. No-one even bothered to attack the three machines on day 1 when they were only allowed to target the OS. As soon as applications were fair game, the machines started to fall. The Windows box finally succumbed to some sort of flash exploit.
Fast forward one week, we find Adobe patching a flash vulnerability and Microsoft "conceeding" that their ActiveX problem affects Vista as much as XP. Hmm. That would be because it runs the offending control. I expect Linux/WINE is equally affected if you can find an app to host the control for you.
It's time to move the flame wars to a new battle ground. The big security holes are not in the OS anymore. They're in the apps, and Adobe should be worrying about whether they are the new Microsoft.
From the article:
"... The ISC reckons a flaw that leaves Windows DNS clients vulnerable to spoofing because of entropy in a random number generator is better thought of as critical.
It also considers an input validation vulnerability in the windows kernel that allows privilege escalation..."
You might want to rethink that comment Ken :o)
"It also considers an input validation vulnerability in the windows kernel that allows privilege escalation..." for which
"An attacker must have valid logon credentials and be able to log on locally to a vulnerable system in order to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users."
Which is why it isn't a critical updates because Critical is reserved for "A vulnerability whose exploitation could allow the propagation of an Internet worm without user action."
Mines the beige one, and off to The Pedant Arms for a pint
"Which is why it isn't a critical updates because Critical is reserved for "A vulnerability whose exploitation could allow the propagation of an Internet worm without user action."
I don't disagree with you, however my point that it's an OS vunerability and not an App-related one remains (and perhaps exploitable at a publicly accessible terminal/kiosk) :o)
Ken I couldn't disagree with you more.
Of course it is a problem with the operating system?!
It's so blindingly obvious that there's no need to waste time trying to explain it further...it's all there in the article.
I find it strange that you should think the way you do.
Are you a vista developer?