Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Windows Operating Systems Software Security

Flawed Survey Suggests XP More Secure Than Vista 235

SkeeLo writes "One of Vista's big selling points is security, but a report from CRN concludes that Vista offers little in the way of security advancements over Windows XP. Ars Technica analyzed the report and found some methodological problems. 'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software — something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.' That's not all: 'It was also disappointing to see CRN completely ignore the issue of buffer overflows, which has been addressed well in Vista by most accounts. This was a major weak spot with XP, and so far, Vista looks strong in this area, strong enough that Vista may never get its own "SQL Slammer." Why CRN didn't address this is a mystery, as it is no minor matter.'"
This discussion has been archived. No new comments can be posted.

Flawed Survey Suggests XP More Secure Than Vista

Comments Filter:
  • Let's see (Score:5, Funny)

    by anss123 ( 985305 ) on Thursday May 31, 2007 @06:47PM (#19345123)
    Study finding Vista more secure then XP = X hits.

    Study finding XP more secure than Vista = Y hits.

    if (x > y)
      post Vista more secure than XP
    else
      post Vista less secure than XP
    • Re: (Score:3, Funny)

      by dgatwood ( 11270 )

      XP more secure than Vista, apparently.

      Google fight [googlefight.com]

    • Re: (Score:3, Informative)

      Taking cues from the other posters, I tried "battling" the same searches they did but adding quotation marks around the phrases. (I did them all in "googlefight" because it required less typing)

      "study finding xp more secure than vista" -- 0 results
      "study finding vista more secure than xp" -- 0 results

      "vista more secure than xp" -- 1820 results (note I changed "then" to "than." It's amazing what differences correct spelling can make)
      "xp more secure than vista" -- 2 results

      Then I wondered how these results
      • "xp more secure than vista" -- 2 results
        "xp more secure then vista" -- 131 results!


        The only reasonable conclusion, then, is that only idiots post that XP is more secure than Vista.
      • "linux more secure than windows" 9210 results

        I think we have a winner.
  • Anti-Virus (Score:4, Insightful)

    by biocute ( 936687 ) on Thursday May 31, 2007 @06:47PM (#19345125) Homepage
    That's life for being MS.

    If MS put in a AV software, other AV companies will file for anti-competition lawsuits; If MS didn't, consumers will moan about it too.
    • Re: (Score:2, Insightful)

      by flukus ( 1094975 )
      Because it's an unfair advantage to make an insecure OS and then charge "protection" money!
    • they put in their anti-spyware program. i'm wondering if the anti-spyware companies that charge for their products will bitch and moan, even though the best anti-spyware programs are all free (even if they don't do real-time protection).

      i still put most of the blame on the user who clicks every popup even if it says "don't click this, your computer will be immediate infected with viruses". i haven't had a virus or spyware infection when running XP, 2000, 98, and for the past several months since i install
      • Nobody's bitching - their anti spyware app sucks, hard. I've had to sort out three trojanned vista boxes now (don't know anyone else running it) - all running 'microsoft anti spyware' which declared there was no spyware on the machine, even as porn popups appeared on the desktop..
    • Re: (Score:2, Insightful)

      by Rodness ( 168429 ) *
      When your product REQUIRES antivirus software, your product is not secure by itself.

      Of course, if they had engineered in things like privilege separation and all the other "security" features of Unix (any of 'em, take your pick, Mac, Linux, what have you) then they'd enjoy all the "intrinsic" lack of NEED for antivirus that Unix systems enjoy.

      Had they actually spent the last 7 years improving the underlying privilege model instead of just building and dropping vampireware like WinFS that never saw the light
      • by baadger ( 764884 )
        Windows XP may have had 6 years of testing and pawing over by people with various shades of monochrome hats but there is still an appreciable stream of security related bug fixes coming out of Redmond on the 2nd Tuesday of every month.

        You're right that security isn't a product, it's a process, but over the last 6 years we would hope MS would have learnt enough about the issues they faced with XP to incorporate solutions into Vista.. What you have to remember is a product can be the end of a very long proces
    • by rtb61 ( 674572 )
      Have you not read the M$ (P)OS warranty/EULA, they wont gaurantee that the OS is even virus free, so the very first thing an anti-virus embedded version of windows would have to do is un-install itself ;). M$ are also silly enough to have the same clause in their anti-virus offering :/.
  • AV is not a lock (Score:4, Insightful)

    by normuser ( 1079315 ) * <normuser@whyisthishere.com> on Thursday May 31, 2007 @06:49PM (#19345139) Homepage Journal

    Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

    By the time your AV software comes into play your already infected. So AV software is not the lock on your door. Its the rifle in your house.
    Still important, But vary different.
    • That's not strictly true any more tbh, with net traffic monitoring systems like imon in nod32. the code, or at least part of it (I'd expect a lot of threats would be detected before the code was completely downloaded) , may have been downloaded but couldn't have been activated at all.
    • by misleb ( 129952 )
      I wouldn't call having a file on your desktop (from email, for example) that could potentially infect your system and infection in and of itself. A good AV package will detect and clean the virus BEFORE it infects your system. That is, before you open/exec the file. Though there are other viruses that infect through the network without any user action required. So in that case your are correct.

      I'd say AV software is more like having a bouncer at the door... preferably with a rifle. :-)

      -matthew
    • I thought mail scan and on access file scan are 'before the event' and also part of AV. How could anyone rate the parent as insightful? Oh, sorry, i just noticed i'm on slashdot.
  • Urg (Score:5, Insightful)

    by hyfe ( 641811 ) on Thursday May 31, 2007 @06:52PM (#19345163)

    Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'

    Or rather.. it's a bit like faulting the construction company when the wall in your house fell over because somebody knocked on the door.


    Anywho, anti-virus and personal firewalls are ridicilous concepts. You shouldn't have userland applications necessary for keeping other userland applications out of the actual operating system.

    • Or rather.. it's a bit like faulting the construction company when the wall in your house fell over because somebody knocked on the door.

      Anywho, anti-virus and personal firewalls are ridicilous concepts. You shouldn't have userland applications necessary for keeping other userland applications out of the actual operating system.


      Even if Vista was as secure as OS X or a tinfoil hat version of linux you'd still have to contend with insecure applications and stupid users. Apple's install base tends to have more
      • Re: (Score:3, Insightful)

        by MrCrassic ( 994046 )

        Apple's install base tends to have more of a clue then Windows users and Linux boys can at the very least ID when their infected or comprimised.

        What?

        If you are talking about the population that uses Apple Mac products, then I think you are HIGHLY misinformed. The main reason why many of them made the switch is PRECISELY BECAUSE of their inadequate knowledge on how to protect their Windows PC from viruses, spyware, etc. Many experienced power users who run Windows (XP, at least) software have NO protection and can still have great security provided strictly by the OS. Are all of those configured BY DEFAULT? Of course not, which is a major reason

      • by jez9999 ( 618189 )
        Linux boys can at the very least ID when their infected or comprimised.

        How, exactly? The key to a well-designed trojan is that the user can't easily tell it's there.
    • by QuantumG ( 50515 )
      So long as users can create "executables" then viruses will exist. Of course, the problem in Windows is that just about everything is executable. Was a time when if it didn't have .exe on the end then it wasn't an executable.. now you have scripts (which for some inexplicable reason can write to my harddrive) and brain dead things like Microsoft running an exe if you rename it to be a png (did they ever fix that?) and Microsoft hiding the extensions of files so you have no idea whether or not they are exe
      • Was a time when if it didn't have .exe on the end then it wasn't an executable..

        Was that in the long-ago days before the ".com" extension or the ".bat" file...unless you're referring to some halcyon period before MS-DOS?
      • by pe1chl ( 90186 )
        The problem is easily fixed by:
        - having users use a least-privileged account that cannot write into C:\WINDOWS and C:\Program Files
        - installing a service like TrustNoExe that disallows running programs that are not stored in those directories

        Users can download whatever they want, they just cannot run it, install it, etc. They will have to log in as an Administrator first (or at least provide the password).
        In a company environment this works very well. At home it probable does less, because the user and th
        • Great - until the apps won't run, which in my experience is most of them. Oh and a least privileged account should *only* be able to write into their own home directory. Listing what they can't do is backwards - assume deny by default and allow a limited set of actions.

          MS could have sorted the mess out by locking down vista by default, instead they bottled it and introduced all sorts of shadow directories so the apps still think they have write access to program files and the system registry... and they a
    • exactly. These were never necessary before the 'leave everything open' operating system mentallity that microsoft bread. Then taking over all other spaces and having all their applications talk to each other and trust each other without any question was an even bigger mistake. Hence, if it was built by Microsoft and runs on Microsofts and uses Microsoft, then it must be safe... let it through. WRONG!!!

      They are JUST NOW realizing that both a) leaving your system wide open is a bad idea and b)having all app

  • is this /.? (Score:4, Funny)

    by defwu ( 688771 ) on Thursday May 31, 2007 @06:53PM (#19345173) Journal
    Seriously. A pro-MS article? whats next, mr spock with a goatee? Doc
  • by Ren.Tamek ( 898017 ) on Thursday May 31, 2007 @06:55PM (#19345209) Homepage
    "Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted."

    I'm sorry, but if I bought a security door that claimed it would keep out 99% of criminals, I would be a bit pissed off if I got it home and realised that an actual lock for that door was considered an 'optional extra'. The idea of browsing the internet with IE, no anti-virus and the windows firewall for any length of time, even no longer than it takes to download zonealarm and avg, gives me the heebie-jeebies.

    • MS is damned if they do and damned if they don't. If MS put AV in Vista there would be loud cries of "unfair competition, you're taking away our niche!" and we'd be on another round of anti-MS propaganda. If they don't, the cries are "unfair! I wanted to buy a door with a lock and now anyone can get in."
      • If MS put AV in Vista there would be loud cries of "unfair competition, you're taking away our niche!" and we'd be on another round of anti-MS propaganda.

        I've always thought there's a huge disconnect between the way most computer users think, and the way people think who'd bitch about that "unfair competition". The operative word in the quoted statement above is "our". Those people constituting the "our" group are much, much less important than the regular computer users.
        I, being one of those "most computer users", think that however Windows is secured is just fine by me, as long as it doesn't limit _too_ much of the functionality. I d

      • The problem is Windows still NEEDS to have something that stops viruses. In XP it is a required 3rd party addition; without it the OS is toast in operating as it was intended (to go into a network or on the Internet.)

        Microsoft should not have to "include an AV program" or "provide one by default" they should eliminate the need for any such thing entirely.

        Of course, I am well aware (as is surely those at MS) that it would break too much compatibility of all those many, many legacy apps that keep the custome
  • Comparing XP to Vista security is kind of like having a SUV milage competition, except SUV's are sometimes useful and that utility is destroyed by poor fuel economy.

  • Missed? (Score:3, Interesting)

    by schlichte ( 885306 ) on Thursday May 31, 2007 @07:08PM (#19345333)
    Maybe I missed it when I RTFA, but it didnt mention which version of XP was used... a look at HPs site shows that the HP Compaq nc6400 did ship with XP Pro (whether that matters much compared to home edition or not)

    Also... were these systems ran all the way default, as in, boots up as Administrator with no password? (again, not sure how much that matters in a test like this)

    I do agree with the title, flawed survey indeed.

    I dont blame Vista or XP so much as I blame IE version X.XX

    Id like to see the exact same suite of tests ran against the latest version of Opera, Netscape and Firefox.
    • by dabraun ( 626287 )

      Also... were these systems ran all the way default, as in, boots up as Administrator with no password? (again, not sure how much that matters in a test like this)

      By default the Administrator account in Vista is disabled and you can not log in as Administrator. You need to go to mmc to change this, it isn't visible in the normal "users" control panel applet (and you shouldn't change this, if for no other reason than because MS did not spend a significant amount time testing Vista running as Admin and there

      • News to me.. I've logged into administrator hundreds of times on vista and never changed anything.

        Oh and administrator does have UAC. I only wish it didn't.. it's a royal pain in the ass trying to get anything done until I've created a privileged cmd.exe shortcut (itself a pain in the ass as they've blocked the name cmd.exe from elevating, you have to create a renamed copy).
  • by kosmosik ( 654958 ) <kos.kosmosik@net> on Thursday May 31, 2007 @07:09PM (#19345341) Homepage
    Of course from practical point of view XP right now is more secure. And I don't mean default install. For example take my company and few facts:
    - we managed to make the machines behave as we will
    - we have invested money into third party security software
    - we have invested time (which equals money) into free (as in speech) third party security software
    - we have some knowledge and experience into XP security -- after these - what like 7? - years who doesn't?!

    Right now we have quite healthly and working infrastructure based on XP and surrounding (like VPNs, IDSs, AVs, proxies, backup, imagining etc.) services. We know how to do it, we have experience.

    Now Vista from my standpoint is just big black hole - another system from MS that does not offer me anything significant but opens a can of unknown worms... I don't see any serious businesses building their security infrastructure around brand new shining Vista systems.

    Of course in *theory* Vista can be more secure, but from practical standpoint it is new and untested product that has ben rushed to the market.

    It really depends on your security definition. Security is not a product - security is a proces in which you have knowledge about what you are doing. In which you have educated users. In which you have policies and audits and so on. Vista isn't anywhere near to be even a stable product from security standpoint.

  • Don't look that flawed to me.

    XP: No AV included
    Vista: No AV included

    Report says: "Vista no improvement over XP"

    Report is pretty much correct.
  • by icepick72 ( 834363 ) on Thursday May 31, 2007 @07:17PM (#19345423)
    I'm getting tired of the XP vs. Vista vs. XP vs. Vista vs. ... articles posted here all the time. Microsoft will eventually drop support for XP and will continue to support Vista. Microsoft will continue to focus on Vista. If Vista is now less secure than XP Microsoft will eventually it stronger ... that is until the next Windows OS is released. Dammit we had to listen to XP versus everything-else-before-it. Tiresome, damn tiresome. No worthwhile discussion came from it last decade but you never know ....
    • The point that Microsoft will drop support is moot. There are a lot of companies that still run NT servers and workstations. I worked for one last summer that used embedded NT workstations as a frontend to access the GE LM6000 turbine PLCs. They also had NT servers and NT desktops for SCADA. My current desktop at a different company is windows 2000. Companies will balance cost, security, and familiarity. Microsofts support cycles often have nothing to do with that.
    • All you have to know about the difference between XP and Vista is that the business model for the latter will include a subscription-based version eventually. Microsoft has executives and marketing people who go to meetings where over-and-over again they ask, "How else can we provide less product for more money?"

      It's not like they are wholesalers who buy 100 units of something for fifty bucks and then turn around and sell 100 units of something for eighty dollars at retail. Perhaps they will someday begin

  • by A beautiful mind ( 821714 ) on Thursday May 31, 2007 @07:30PM (#19345561)
    Let's face it. Anti Virus software is the day after pill. I daresay if someone relies on defending against viruses by antivirus software, the security model is already utterly, completely broken. So no, not including an anti virus software doesn't mean an operating system shouldn't employ design and tactics against viruses. Ars Technica is simply wrong.
    • Noooo.

      Since few people update their AV software each day they use their computer and indeed since the best that AV software can do is reactive in nature... AV software is more like the month after pill or even the 9 months after pill.

      At best AV software is doomed to failure. This incident illustrates how serious the lack of security in common practice is. Clearly the perpetrators were a novices. Perhaps they were just a couple script kiddies playing around wondering if the lack of security was real.

      If an
    • by Nebu ( 566313 )

      I daresay if someone relies on defending against viruses by antivirus software, the security model is already utterly, completely broken

      So how do you defend yourself against viruses? The only ways I can think of off the top of my head are:

      • Don't download any software, ever. In fact, don't even connect to the internet at all. Assuming the OS itself didn't come with a virus, this is the only 100% foolproof way to avoid getting a virus.
      • Don't download any software, ever. But allow yourself to be connect to
      • I defend against viruses by either downloading software from a gpg signed trusted debian repository, or compiling software from sourcecode.

        Thing is, there is no 100% percent way, as you say. Noone wants "100% security" either, because it's impossible to have. But there are good methods to have a reasonable percentage of security and there are methods that don't guarantee a thing and only bring a marginal increase in security against unwanted code. Antivirus software is the latter. There is a huge fucking
        • by Nebu ( 566313 )

          There is a huge fucking gap of security and usability between the "sound security practices" and "using a virus scanner" (The third option from the back and the second from the back on your list).
          Right. But the list recommends that you do both. And so do I.
  • by smartin ( 942 ) on Thursday May 31, 2007 @07:34PM (#19345603)
    Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

    I think the point is that M$ should have learned their lesson last time, and the time before that, and made vista such that having anti-virus software would be unnecessary. Or in the terms of the analogy, Having forgotten to put a lock on the door of their previous house and repeatedly come home to find their underwear scattered all over the yard, you would have thought they would have made a secure door this time.
  • the report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software

    I thought the big issue everyone had with Windows products were that they needed AV products in the first place because they were fundamentally insecure?

    Shipping Vista with an AV package would have practically been admitting that they can't make secure products and the only thing left to do is have a separate layer in the OS to try to intercept stuff before it caused problems (or clean up after it), rather than blocking the holes in the first place - which is, I believe, part of the point of Vista's entire

  • "Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted." This simply means that Vista is a basically a faulting program!!! Any Linux distro or OSX do not ship with antivirus either. That doesn't make them faulty or unsafe to use it. Vista should be safer "regardless" of the presence of the antivirus, otherwise it simply faulty by design.
    • The problem with locks is that no matter how good they are, they can be picked, one way or another. If the bad guys can make a set of lockpicks that work on an almost everyone, there's no point in making tools to break the few locks that their existing tools won't.

      Point is, Linux and OS X don't ship with AV software because they simply aren't big enough targets for people to actually care about.
  • 'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software -- something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'

    Vista is supposed to have these features built-in, as well as a host of other improvements. Such as service hardening, anti-malware (which does claim to kill viruses), network a

  • More fanboys.

    For whoever doesn't see this screaming at him, here's a breakdown:
    In home-user-land, credendials were an option nobody used until Vista. NO amount of buffer-overflow susceptibility can EVEN COME CLOSE to outweighing the security implications of having UAC - a restricted-user+sudo working model rather than XP's work-as-root one. Vista and XP for the home user are incomparable and are in totally different leagues, vista winning by very, very, very long shot.

    In corp-land, everybody (who gives a da
    • Re: (Score:3, Informative)

      NO amount of buffer-overflow susceptibility can EVEN COME CLOSE to outweighing the security implications of having UAC - a restricted-user+sudo working model rather than XP's work-as-root one.

      ... *sets IP datagram length to 1400* ... *sets TCP datagram length to 63* ... *lets kernel copy remainder of IP packet to 63 byte buffer* ... *obtains kernel level access without even connecting to an open port, before the packet even reaches the installed zonealarm/mcafee/norton firewall or built-in Windows fi

      • /Specific/ overflow bugs are a VERY POOR basis for an OS choice decision that will accompany you for the next so-and-so years. Why? because they will be fixed next week.

        I'm not saying vista in unexploitable, or that particular exploits do not at all contribute to an OS's security rating. I'm saying a car with a seatbelt is better than a car without a seatbelt, regardless of which has what easily-pathchable (hence, minor) flaws.

        I don't think there is *ANY* debate as to whether /WITH/ user-level security mode
        • He made a blanket statement. I blew cold air under it. Yes I know the hypothetical overflow doesn't exist; point is though, UAC or sudo or whatever doesn't magic-bullet your security because, yes, OS services run with high privileges. On Windows crap like IIS has uberuser access (not administrator superuser, but System access!); on Apache, not just things like Web servers and DNS, but also directory servers and core system processes like printing run with restricted privileges. If Windows took a least-p
  • My company gets delivered (hey, it's free, so they don't argue). As such, I've run across their "reviews" before this. And I believe I can summarize.

    They look at things from a distinctly user-centric POV. They're focused on what the apps/solutions/OS they review do for the end user.

    As such, they're not a "technical review" in any real way, shape, or form.

    The term "fluff piece" comes to mind.

    They add just enough to give the business users who read CRN a bare taste of what they're talking about. Any more,
  • by SadGeekHermit ( 1077125 ) on Thursday May 31, 2007 @09:29PM (#19346539)
    ...That submarines with screen windows offer slightly better floatation than submarines with screen doors.

    MacroSubs has affirmed that this is incorrect, however, and stated today that the question will be settled once and for all when their new submarine, entirely made out of screening material, captures the imagination of the nation with its launch in 2009.

    So-called "alternative" submarine manufacturers continue to insist on using steel for their doors and heavy lexan for their windows. They claim this quaint, antiquated approach lets them offer better floatation, efficiency at depth, and crew survivability, but independent studies have shown that their apparent "floatation edge" is due to the fact that far fewer of these submarines are produced, not any superiority in design. A. Noying, of an independent think-tank funded in part by contributions from MacroSubs, had this to say:

    "Look, we all know that as more of these all-steel and plastic subs get produced, you'll start seeing network effects and their buoyancy will be reduced down to normal levels. Currently, with only a few percent of the market, the oceans aren't interested in them as a point of ingress. This will change soon and you'll see some interesting numbers from my lab to back this up."

    When asked about the widespread buoyancy failures of MacroSub submarines around the world, Mr. Noying said only "it's hardly MacroSub's fault if submarine captains tend to drive their submarines into reefs and long-forgotten sea monsters. Their duty is only to make subs buoyant, not idiotproof. However, they are working on an interesting feature called USC, or User Submergence Controls, which should make things a little easier. The submarine will basically ask the captain if he's really, really sure he wants to increase depth, once per fathom. If the captain insists on running into that reef after all the help he's been given, perhaps he shouldn't be driving a sub anyway..."

  • People. Get off the denial job already. Vista is not magically going to become the upgrade you were hoping for; No matter how many studies, weblogs, reviews, taste tests, or procto exams happen, Vista sucks, end of story. Microsoft will come out with service packs this fall, there will be all sorts of heavy breathing once again, but it's going to be the same historical disappointment. Microsoft needs to get their shit together and stop robbing people.
  • Whose security? (Score:2, Insightful)

    by Livius ( 318358 )
    The "security enhancements" in Vista were to protect Microsoft from piracy, not to protect Vista users. Microsoft still doesn't care about them.
  • Those dirty little penguins! Who knew?

    Other flawed surveys show:
    - Bush Is Actually Orangutan In Suit
    - RIAA Hates DRM Music, Gives Thousands To College Kids
    - Emacs Is Better Than Vim
    - IE Is Most Secure Browser Of All Time
    - Volcano Likely To Erupt In Redmond

    You know what they say: "News for nerds. Stuff that matters."
  • by pookemon ( 909195 ) on Friday June 01, 2007 @12:01AM (#19347653) Homepage
    "'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software -- something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'"

    No, it's like comparing an old door without a lock to a new door without a lock and saying that the new door is no more secure than the old door. (Which sounds reasonable to me)
  • by Whuffo ( 1043790 ) on Friday June 01, 2007 @01:20AM (#19348073) Homepage Journal
    The summary says that Vista has "taken care" of buffer overflow problems. I'd like to submit that one of the key features of XP SP2 was that they'd gone over the code completely and eliminated all unchecked buffers - which (according to MS) eliminated buffer overflow problems.

    Microsoft is their own worst enemy; they make wild claims about the functionality of their latest version but that functionality never meets their or their customers expectations. Then some exploit points out that they were being economical with the truth. Much like a recently patched (again) exploit that affected 98, NT, 2000, XP and Vista. Seems somewhat odd that an operating system that has been completely rewritten at great expense and effort should be affected by the SAME bug that has been in their products for years.

    I mean, how can a company whose email clients automatically launch attachments say that they take security seriously? Let's not get started on the brain-dead file association open / execution misfeatures in every version up to and including Vista. Here's an interesting exercise to see how bad things can get: rename a safe executable to a filename with a WAV extension. Now double-click it; the executable runs. Combine that with browsers and email clients that automatically play WAV files and you've got a very exploitable platform.

    What continues to amaze me is that the file type security is applied based on the file extension - but when you execute a file, the system looks at the file header to determine how to open / execute it. This bit of design stupidity has been the cause of millions of systems being exploited. Just a simple check to see if the file header matches the selected file type would go a long way - but no, this is too difficult. Here, have a UAC nuisance instead...

"Now this is a totally brain damaged algorithm. Gag me with a smurfette." -- P. Buhr, Computer Science 354

Working...