A security firm has discovered one of the first security flaws to directly affect Windows Vista: a bug that, it claims, allows a local user to escalate their privileges to System, the highest privilege level on the machine.
The flaw involves Windows' system for managing user security levels, User Account Control (UAC), which was introduced with Vista. UAC is designed to limit the damage that mass attacks such as worms can do by running users with limited, standard-user privileges by default and requiring an explicit elevation when administrative rights are needed, a practice long common on other operating systems.
Combined with a remote vulnerability that gives an attacker code execution inside a standard-user process, the newly discovered bug could essentially render UAC useless, taking the attacker from standard-user privileges to system-level access, according to eEye.
"A flaw exists within Windows Vista that allows local privilege escalation to System," eEye said in a note on its website. The company said it reported the bug to Microsoft on Jan. 19, and plans to disclose further details once a fix is available.
According to eEye co-founder Marc Maiffret, the flaw is similar to a buffer overflow.
Microsoft said in a statement it is aware of the report and is investigating. "The company is not aware of any public discussion of the report itself," Microsoft stated.
UAC is by far the most visible change in Vista's security system, to the point where some have criticized it as too intrusive. At the same time, researchers have already begun picking holes in it.
What's more, Microsoft recently made it clear that it does not consider UAC a security boundary, since it has deliberately left particular holes in the mechanism for the sake of usability. That means weaknesses in UAC elevation are not, by Microsoft's definition, security flaws.
"Neither UAC elevations nor Protected Mode IE define new Windows security boundaries," wrote Mark Russinovich, a Technical Fellow in Microsoft's Platform and Services Division, in a blog post earlier this month. "Because elevations and ILs (Integrity Levels) don't define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs."
Instead of being a security barrier, UAC is intended "to get us to a world where everyone runs as standard user by default and all software is written with that assumption," Russinovich wrote.
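To see where a given process sits in the model the article describes (standard-user token versus elevated token, and the integrity level that Protected Mode IE and UAC rely on), the following PowerShell snippet inspects the current process token. It is an added example, not code from the article, from eEye or from Microsoft. It uses only the .NET `WindowsIdentity`/`WindowsPrincipal` classes and the built-in `whoami` tool; it assumes an English-locale `whoami` so that the CSV column headers are `Group Name`, `Type`, `SID` and `Attributes`, and it assumes Vista or later, where integrity levels exist.

```powershell
# Added example: report the elevation state and integrity level of this
# PowerShell process. Run it once from a normal console and once from a
# "Run as administrator" console to see UAC's split-token behaviour.
# Assumes an English-locale whoami (CSV headers "Group Name","Type","SID","Attributes").

function Get-TokenSecurityContext {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole evaluates the *effective* token. Under UAC, an administrator's
    # unelevated session carries a filtered token, so this is $false there
    # even though the account is a member of Administrators.
    $isElevated = $principal.IsInRole($adminRole)

    # The mandatory label (integrity level) is a SID of the form S-1-16-<RID>.
    # whoami /groups lists it with Type "Label". Well-known RIDs:
    #   4096 = Low (Protected Mode IE), 8192 = Medium (standard user),
    #   12288 = High (elevated administrator), 16384 = System.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $ilRid  = if ($label) { [int]($label.SID -split '-')[-1] } else { -1 }
    $ilName = switch ($ilRid) {
        4096    { 'Low' }
        8192    { 'Medium' }
        12288   { 'High' }
        16384   { 'System' }
        default { "Unknown($ilRid)" }
    }

    # The Administrators group (S-1-5-32-544) still appears in a filtered
    # token, but marked "Group used for deny only" rather than enabled. That
    # is how a UAC-restricted admin is kept at standard-user rights.
    $adminEntry = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1
    $adminState = if (-not $adminEntry) { 'not in token' }
                  elseif ($adminEntry.Attributes -match 'deny only') { 'present, deny-only (filtered)' }
                  else { 'present, enabled' }

    [pscustomobject]@{
        User                = $identity.Name
        Elevated            = $isElevated
        IntegrityLevel      = $ilName
        AdministratorsGroup = $adminState
    }
}

Get-TokenSecurityContext | Format-List
```

On an unelevated console belonging to an administrator account you should see `Elevated : False`, `IntegrityLevel : Medium` and the Administrators group marked deny-only; after elevating through the UAC prompt the same account reports `High` and an enabled Administrators group. A bug of the kind eEye describes would take a process from the first state straight to System without any prompt, which is exactly the transition Microsoft says the elevation mechanism is not designed to guarantee against.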