News Security flaw in Vista discovered

[CardJoe]

http://www.bit-tech.net/news/2008/11...a-discovered/1

Another security flaw has been discovered in Windows Vista, this time allowing for a buffer overflow in the networking subsystem to overwrite kernel memory.

[proxess]

Seriously... something as bad as this, and only a fix for the next SP? How soon will it come out then?

[Bauul]

Ah bugger Vista, I, and I get the impression a lot of others, are waiting for Windows 7.

[steveo_mcg]

Quote:

Originally Posted by Bauul

Ah bugger Vista, I, and I get the impression a lot of others, are waiting for Windows 7.

Yeah, don't really see the point in paying for vista when its about to be made redundant. Though i'm the man who stuck with 2k till 2k6.

[airchie]

Yet another reason to switch to Linux for everything bar gaming tbh...

[Dreaming]

Quote:

Originally Posted by airchie

Yet another reason to switch to Linux for everything bar gaming tbh...

I agree, but still doesn't outweigh the costs of having to switch to linux for a significant majority of users (including me!). Until linux is reeaaaaaally easy and works as well as windows 'out of the box', I can't see myself switching! Every single time I install (and I use ubuntu - linux for noobs) it goes wrong or theres some driver issue and it's not trivial to fix, unlike windows where it pops up a balloon, you click on it, and it installs drivers. that's my 2p anyway

Although it would be nice to know if this is a vulnerability as in someone hacking into your PC from the internet or whether you have to actually execute malicious code, in which case the vulnerability is the user which makes any system vulnerable.

Though people shouldn't level lots of hate against vista - it's probably not worth upgrading if you already have XP, but it is sufficiently superior to definitely recommend it over XP for someone who is building a new system.

[GoodBytes]

Oh no Vista has 1 issue found after 2 years and half about. Where XP you have issues at every corner.

[proxess]

Quote:

Originally Posted by Dreaming

I agree, but still doesn't outweigh the costs of having to switch to linux for a significant majority of users (including me!). Until linux is reeaaaaaally easy and works as well as windows 'out of the box', I can't see myself switching! Every single time I install (and I use ubuntu - linux for noobs) it goes wrong or theres some driver issue and it's not trivial to fix, unlike windows where it pops up a balloon, you click on it, and it installs drivers. that's my 2p anyway

I honestly can't consider pressing next next next every time some piece of hardware is detected or having to keep inserting a CD or downloading software/drivers being "out of the box". Only if you mean "Out of the Installation CD Box". Of course its trivial, compared to installing some piece of hardware/software on Linux, but more and more is Linux (and specifically Ubuntu) more and more trivial, which you simples plug it in and thats it, or open up synaptic and select and install.

[steveo_mcg]

Quote:

Originally Posted by GoodBytes

Oh no Vista has 1 issue found after 2 years and half about. Where XP you have issues at every corner.

Yup first flaw in vista, pretty good
http://www.google.co.uk/search?clien...=Google+Search

[wiak]

i agree
vista had alot less security issues since release
xp still have security issues since it was released, just check windows update on a XP RTM system and check how many security updates you get :P
its gonna be many

[GoodBytes]

I have a XP pre-SP1 disk...
Takes me a day and half to download all the updates up to SP3, and about 2 GB of bandwidth.

I know my previous comments was a bit exaggerated but compared to XP, it feels this way.

[DXR_13KE]

Quote:

Originally Posted by GoodBytes

I have a XP pre-SP1 disk...
Takes me a day and half to download all the updates up to SP3, and about 2 GB of bandwidth.

I know my previous comments was a bit exaggerated but compared to XP, it feels this way.

i feel the same.

[ssj12]

I thought M$ stated they were not making a second service pack for Vista....

[johnmustrule]

Vista is definately my favorite OS right now. If your not an idiot its not really very hard to keep any computer running top-notch, windows computers always fill up the fastest and that's because they are the largest target for hackers, nothing surprising there.

Advanced Windows care v3
Glary Utilities
ccleaner

Basically those and a decent anti-virus are all you need, best yet there free.

[Cadillac Ferd]

Quote:

Originally Posted by proxess

Seriously... something as bad as this, and only a fix for the next SP? How soon will it come out then?

Honestly I didn't get the impression from the article that it a huge pressing concern. As stated in the article currently all that the flaw can be proven to do is shut off the computer and it needs admin rights to do that. It doesn't really sound like they need to be tripping over themselves working on a patch.

[nukeman8]

if you read all the article it states theres a possibility of injecting code and bypassing admin rights completely, very bad stuff.

[PederVM]

If you know how DHCP works, you know that it would be quite hard to exploit this flaw.

To exploit this flaw you have to control the DHCP-server in the machines local subnet and be able to send a specially crafted DHCP-response, a DHCP-server does not send anything unless a DHCP-client requests it, to a DHCP-request from a DHCP-client (the DHCP-request is send as at broadcast [1] and not to a specific IP-adress, unless the machine is connected to a switch with management and the possibility to setup an IP-helper-adress where DHCP-request gets forwarded to).

[1] its highly unlikely your router is configured to forward broadcasts to outside adresses, including to the internet.

Most ISPs configure the routers so they works as a local DHCP-server, so pcs connected to the same network can reach eachother eventhough the internetconnection is down. If your router is configured this way, an intruder would have to take control of the router, modify the firmware on the router and wait for your machine to send a DHCP-request and then try to break the machine.

Most routers dont run software that users can compile or modify themselves, Linksys has a few that runs Open Source firmware (i can only remember openwrt.org). So watch out if you are in the habit of upgrading your router with firmware from suspicious websites.

[seanblee]

Quote:

It may even be possible for the exploit to run without user interaction, too: while current versions require a user with administrative rights to execute the code, Unterleitner believes that it may be possible to code a specially-crafted DHCP packet that could “take advantage of the exploit without administrative rights.”

So, if I execute a piece of code and give it admin rights, it can reboot my PC. Wow. A batch file containing 'shutdown -r -t 0' would do exactly the same thing, but that doesn't have people shouting 'oh no, Vista, full of security holes, run Linux, it's teh win!!!!1111one'. People are weird.

[Gareth Halfacree]

Quote:

Originally Posted by seanblee

So, if I execute a piece of code and give it admin rights, it can reboot my PC. Wow. A batch file containing 'shutdown -r -t 0' would do exactly the same thing, but that doesn't have people shouting 'oh no, Vista, full of security holes, run Linux, it's teh win!!!!1111one'. People are weird.

Except a batch file containing "shutdown -r -t 0" wouldn't overwrite kernel memory with garbage, which is rather more serious than a clean shutdown. Especially if you can control exactly what garbage gets written...

[cpemma]

Quote:

Originally Posted by Bauul

Ah bugger Vista, I, and I get the impression a lot of others, are waiting for Windows 7.

And your grounds for believing Windows 7 will be unbreakable?