Security Update for Windows Vista
Posted by Daniel Fleshbourne on 14 January 2006 - 15:11 · 82 comments & 16288 views

A remote code execution security issue has been identified in the Graphics Rendering Engine that could allow an attacker to remotely compromise your Windows-based system and gain control over it.
(6 replies)
#1 Posted by Adamb10 on 14 Jan 2006 - 15:16
- best to fix the vulnerabilities now rather than when it's released to Customers,
-
#1.2 Posted by Mad_Griffith on 14 Jan 2006 - 19:09
- ahahahaah that was damn good mate :lol:
-
#1.3 Posted by DarKnight on 16 Jan 2006 - 07:10
- Lol.
Windows XP has been out for years now, and it's always getting problems fixed. Even older versions of Windows need things fixed.
There will never be a Windows release that doesn't need fixes.
-
#2 Posted by mad_onion on 14 Jan 2006 - 15:19
- well there will be easily enough when it's been released as well it's not like this one will make any difference. I would try not to think of security holes in software as a finite number that can all be fixed. I'm sure the holes that have been fixed in Windows XP over the years are a tiny proportion of the holes in the code, it's just that nobody ever finds them all, and every time you fix a hole you probably make a new one. I think that's the best way to think of it

-
(9 replies)
#3 Posted by orangebrand on 14 Jan 2006 - 15:56
- as much as I am looking forward to using Vista when it comes out and as much as I want it to succeed, this is sad. I do realize that it is still beta, but it gives me second thoughts about the security improvements.
-
#3.1 Posted by macro on 14 Jan 2006 - 16:01
- Why sad? They fixed a bug early. There are gonna be vulnerabilities and bugs for the whole lifecycle of it even if MS is all securityish. If anything you should smile, because they are getting it fixed up quickly
-
#3.2 Posted by dagamer34 on 14 Jan 2006 - 16:02
- Betas are supposed to find bugs? Maybe it's because Vista Build 5270 is the first build to have Automatic Updates via Windows Update and they wanted to test it out instead of merging the fix with the latest build? A lot of people have decided to run Vista most of the time, so that's good news for us anyway.
-
#3.3 Posted by Jugalator on 14 Jan 2006 - 16:50
- orangebrand, you'll likely never see an Internet-enabled OS that's 100% "secure".
There's no such OS on the market today anyway, Linux and OS X included. Both have regular security updates as well.
-
#3.4 Posted by rev23dev on 14 Jan 2006 - 17:01
- how many times have you personally ever been affected by one of these vulnerabilities. run up to date virus software and turn on automatic updates and there is no issue.
-
#3.5 Posted by orangebrand on 14 Jan 2006 - 17:30
- yeah, that's true. I'm up to date all the time
-
#3.6 Posted by threedaysdwn on 14 Jan 2006 - 20:41
- You do realize that the effect of this exploit was significantly mitigated on Vista even without the patch - thanks to LUA... right?
-
#3.7 Posted by aristotle-dude on 14 Jan 2006 - 20:56
- You do realize that the effect of this exploit was significantly mitigated on Vista even without the patch - thanks to LUA... right?
That depends on whether the graphics rendering engine was running at the user's security privilege or that of the system. If it is the latter and it can be exploited, you have the same situation as you do now with XP and everyone being root user.
-
#3.8 Posted by sphbecker on 14 Jan 2006 - 23:03
- The problem I have with it is that Microsoft claims that their new development techniques and the use of managed code makes their new code vastly safer than old code. Well part of Vista is all new code, and here we are. A little sad, but glad to see it fixed in beta.
However, the fact that MS turns the firewall on by default is a really good thing. Even if there is a vulnerability in a service with a listening port, it isn't a very big deal if the firewall blocks it (but should clearly still be fixed).
-
#3.9 Posted by aristotle-dude on 15 Jan 2006 - 02:07
- Speaking as a programmer, we are only human and we make mistakes. Some people never learn from their mistakes.
I think they should have hired entirely new people to work on Vista and fired everyone (including the managers) who worked on XP. At the very least, they should have hired trainers to teach the programmers there proper programming techniques before integrating them with the new teams.
-
(1 reply)
#4 Posted by Kushan on 14 Jan 2006 - 16:13
- Is this the same WMF vulnerability that's been getting so much media attention lately?
-
#4.1 Posted by andrewhaji on 14 Jan 2006 - 17:07
- Yes.
-
(1 reply)
#5 Posted by Syphonic on 14 Jan 2006 - 16:37
- I think MS have a hard struggle ahead if they want to make this a truly secure OS.
-
#6 Posted by rvdlaar on 14 Jan 2006 - 16:43
- at least they try

I just only hope that they will become faster in supplying the patches.
-
(1 reply)
#7 Posted by Dale on 14 Jan 2006 - 16:55
- haha, i like the milestone one logo you posted up there...
-
#8 Posted by tiwaris on 14 Jan 2006 - 17:25
- If vista is not released to the common public (public beta-testers) why is there a public announcement of a security hole? Doesn't it defeat the purpose?
-
#9 Posted by some_guy on 14 Jan 2006 - 17:56
- since it's the WMF problem... it should be understandable to everybody here... after all, some code is based off old code.
-
#10 Posted by CDog on 14 Jan 2006 - 18:02
- ...are we going to get one of these for every bug they find in this OS before it goes final?
-
(2 replies)
#11 Posted by guruparan on 14 Jan 2006 - 18:13
- it's not even entered code complete milestone, there will be bugs & vulner. Vista is going to Rock and take us to a new life (like Win 95 did)
-
#11.1 Posted by toadeater on 15 Jan 2006 - 05:29
- Have you tried the beta? Nothing too "rocking" about it yet. There are some GUI enhancements--but performance, stability, security, that's all still questionable.
-
#11.2 Posted by Ryster092 on 15 Jan 2006 - 05:44
- Toadeater, performance and stability have not been the focus of the development so far and will get more attention after the product reaches feature complete or even beta 2 status. Also, there is plenty of new stuff to whet the appetites of even the most resistant of Windows users. I'm not gonna list them here, go read some previews or something. FYI: I am an official Vista beta tester.
-
#12 Posted by majortom1981 on 14 Jan 2006 - 18:20
- Why is everybody going nuts. Vista is still in beta and this is what beta is for.
-
(2 replies)
#13 Posted by Avi on 14 Jan 2006 - 19:47
- Funny, so what's the point in marking this "beta software" if they are going to give updates for it... lol...
-
#13.1 Posted by random_n on 14 Jan 2006 - 20:02
- Perhaps to test the update mechanisms? After all, betas are all about testing things!
-
#14 Posted by mentalindustries on 14 Jan 2006 - 19:51
- It's not even a bug people.
if it's the same as the one in XP (which I'm sure it is)
then it's based on misuse of a FEATURE that MS put in there on purpose, it's not like they have overlooked something.
-
#15 Posted by qwertyx on 14 Jan 2006 - 19:51
- hahaha
-
(5 replies)
#16 Posted by Matt500 on 14 Jan 2006 - 19:53
- How much of XP have they used to make Vista?
What on earth have they been doing all this time since XP?
-
#16.1 Posted by megamanXplosion on 14 Jan 2006 - 20:02
- Windows Vista builds off of Windows 2003 Server.
-
#16.2 Posted by balupton on 14 Jan 2006 - 20:38
- megamanXplosion no, it's built off XP, but it is very very very modified and updated, like say wmp6 to wmp10.
Watch the channel9 vids.
-
#16.3 Posted by McJeronimo on 14 Jan 2006 - 21:14
- Actually balupton, megamanXplosion is correct. It is built off Windows Server 2003. It was originally going to be built off XP, but when Microsoft started over in 2004, they used Win 2K3 SP1.
Check out http://winsupersite.com/faq/vista.asp
-
#16.4 Posted by Ryster092 on 15 Jan 2006 - 05:47
- balupton, if you want to contradict someone at least make sure you know what you are talking about. You are wrong, megamanXplosion is correct. Vista is based on 2003 SP1 code. 2003 was based on XP originally.
-
(1 reply)
#17 Posted by Netrack on 14 Jan 2006 - 20:14
- if only everyone in this world had a decent head on their shoulders we would never have to worry about this...takes one to find the bug, but a whole nother person to exploit it
-
#18 Posted by kaozgamer12 on 14 Jan 2006 - 20:25
- When it said download Vista Beta 1 I thought it was the actual beta not the patch, it should say download FOR Vista Beta 1
-
(10 replies)
#19 Posted by TRC on 14 Jan 2006 - 20:29
- When are we finally going to get a new version of Windows, and by new I mean not Windows 3.0 with 20 years of updates tacked on.
Last edited by TRC on 14 Jan 2006 - 20:45
-
#19.1 Posted by balupton on 14 Jan 2006 - 20:41
- When the world all suddenly buys extremely expensive computers 3000+ to handle the true Next-Gen OS, and when the consumers and developers are prepared to scratch everything.
So never.
And actually according to what you said then you mean 1994/95 when Windows 95 came out.
-
#19.2 Posted by threedaysdwn on 14 Jan 2006 - 20:44
- Umm, you do realize that there's absolutely no direct relationship between Windows 3.0 and Windows 2000/XP/Vista - right?
It's not old Windows with updates tacked onto it... It's a new OS that's compatible with certain functions of the old one. That means supporting all the same functions like SetAbortProc.
-
#19.3 Posted by TRC on 14 Jan 2006 - 20:46
- Balupton, you're right but there's still plenty of Windows 3.0 and even older stuff still in there too; like most of the old programs, games, mouse pointers, and even this WMF thing. I really think it's time to cut the compatibility apron strings though. If people want to run their ten year old programs on their ten year old computers then too bad for them, they can just stick with an older version of Windows. I think we're finally moving in the right direction though with getting rid of the BIOS (even if it's only on the Macintosh right now). Now we need to get rid of all the other old legacy junk and have a fresh new operating system to run on it.

-
#19.4 Posted by sphbecker on 14 Jan 2006 - 23:10
- You have to wonder about people who make posts like this. What benefit do they think would come from doing a complete rewrite of Windows? The Windows NT product line is tried and true; updating it is a far better choice than spending needless time and money starting over with all new bugs.
The only thing I can think of is that they are the same kind of people who reinstall Windows at the first sign of a problem. They must think it works the same way in the coding arena.
-
#19.5 Posted by TRC on 14 Jan 2006 - 23:32
- "What benefit do they think would come from doing a complete rewrite of Windows?"
A modern, secure operating system perhaps, instead of one shackled by legacy code.
"The only thing I can think of is that they are the same kind of people who reinstall Windows at the first sign of a problem."
The only thing I can think of is you might have a superiority complex.
-
#19.6 Posted by sphbecker on 15 Jan 2006 - 00:33
- I would not call Windows shackled by legacy code. In what way does the legacy support in Windows hold you back??? And don't say because it's not modern, that doesn't mean anything after all. Anyway, Windows has the youngest kernel on the market. Linux is younger, but I wouldn't count it because it was built to mimic UNIX's kernel, which is far older than NT.
If MS deleted their code base after XP and started over then we MIGHT start seeing the new OS about the same time as Vista. It would look nice and flashy, but would have about the same level of refinement of and support of OS X 10.0; not to mention it probably wouldn't support any of the old apps.
Anyway, you can keep talking about all new code until you're blue in the face. It isn't going to happen. However, MS does have a road map for dropping old legacy code and support as newer stuff becomes available. You should be happy to know that they are pruning out old 16-bit kernel support in Vista.
-
#19.7 Posted by TRC on 15 Jan 2006 - 00:36
- "In what way does the legacy support in Windows hold you back???"
Well the WMF exploit was no picnic, and it was caused by...guess
Old, legacy code.
-
#19.8 Posted by Ryster092 on 15 Jan 2006 - 05:51
- TRC, I guess you would like an operating system that was incapable of running on all existing hardware and was also incapable of running all existing software right? They cannot go "all new" and you know it.
-
#19.9 Posted by TRC on 15 Jan 2006 - 06:51
- Nonsense, Apple went "all new" and they are doing just fine. Better than ever in fact. Yeah there's a lot more PC software but so what? If people need to run their old software let them keep their old operating system, or use something like Virtual PC. You do realize that the software manufacturers have the ability to update their programs don't you? Besides, even when XP came out tons of software was broken. It will be the same way with Vista. That's just the way it is, but no one is forcing you to upgrade. As for hardware, ever heard of drivers? The cool thing about them is that you can write new ones. Amazing isn't it...
Trying to support all the legacy garbage is holding us back.
-
#19.10 Posted by sphbecker on 16 Jan 2006 - 19:48
- "Well the WMF exploit was no picnic, and it was caused by...guess"
The WMF was not even part of the OS; just part of a little tool that was included. If you made the argument that MS should have a schedule to replace and completely revamp all of the included programs and accessories in Windows then I would agree. But there is no reason why that has to all be done in a single OS release.
-
(2 replies)
#20 Posted by Kalphegor on 14 Jan 2006 - 20:31
- "security update for a beta product", so funny, it's Microsoft way to do this
-
#20.1 Posted by balupton on 14 Jan 2006 - 20:39
- Y not, it's a good way to test the newly introduced Windows Update for Vista.
Y wait for the next beta for the update....
-
#20.2 Posted by threedaysdwn on 14 Jan 2006 - 20:45
- Why would they not release an update? Should they just leave their beta testers, TAP users, and developers out in the cold?
-
#21 Posted by DarkSim905 on 14 Jan 2006 - 22:21
- I think people are going nuts, merely because it's been so long.
-
#22 Posted by ruey on 14 Jan 2006 - 23:26
- wow..already hit with a major flaw... poor MS. I really hope Vista to be successful...
how come it seems the recent flaws are due to images-related matters?
-
(1 reply)
#23 Posted by P1R4T3 on 14 Jan 2006 - 23:47
- I really like XP and like Vista as much as XP but I really don't like the logo. Maybe I'm too used to the XP logo, I don't know, but the Vista logo seems more like a bull's head, and the color is like kid's stuff.
-
(1 reply)
#24 Posted by daPhoenix on 15 Jan 2006 - 00:29
- Ah, the irony. Vista GDI was supposed to be written from ground up..
I wonder what more is to be expected, perhaps a problem from W2k will pop up that will require patching Vista as well.
-
#24.1 Posted by Ryster092 on 15 Jan 2006 - 05:54
- That may be so, but they still have to support old standards. So instead of re-inventing the wheel, they keep some old code to save time. Besides, re-writing everything new when it is not necessary would introduce more bugs. Best to stick with bits of code that are familiar.
-
(1 reply)
#25 Posted by war on 15 Jan 2006 - 07:20
- It's all about money, money, money people!
If Microsoft were to come out with a "new OS", and I mean completely new, and zero and I mean zero programs worked on it, well besides the ones included with the OS of course, and perhaps only Microsoft's own new products; people would be ****ed, so much so I am willing to bet all my savings that Microsoft would go out of business! If not for everyone suing them to hell and back or even just the fact that none of your software works in which case most people would switch to another OS such as Mac and Linux.
So to the point, it would be STUPID and would cost them billions, if not trillions, in lost revenue to create a "new OS". That's if they even managed to somehow, GOD only knows how, survive as a company in the first place after the FTC and alike deems Windows illegal. lol
So I never see it happening, do you?
Hope that clears that up.
-
#25.1 Posted by TRC on 15 Jan 2006 - 07:24
- It would be stupid if it couldn't run any existing programs, but Microsoft isn't that stupid. NT was a brand new OS back when it came out in 1993, but it could still run DOS and Windows 3.1 applications. Also look at ReactOS, a Windows NT clone. It contains absolutely no copyrighted Microsoft code at all but it still runs Windows programs just fine. Even Linux can run tons of Windows programs simply using WINE. You're making it out to be some impossible task, but it isn't.

-
#26 Posted by war on 15 Jan 2006 - 11:07
- When I say new I mean it!!!
I'm talking new hardware, a complete new OS. No old code at all. NONE! Does not even run off today's hardware or tomorrow's for that fact. Completely new. Impossible to emulate since it's a new OS and no emulators.
I'm talking new programming language, the works. From the ground up. Perhaps all managed code.
None of the crap they got now though, as that would not be new.
Oh and NT was not a "new" OS. It was still old code. That is it borrows code from previous versions of Windows, just like all other Windows versions, which of course makes sense. Basically just a new kernel.
It's still Windows is what I'm getting at.
A "new" OS would not have anything to do with Windows at all! That's why none of the software would work when it went RTM. Happy now.
It would be like trying to run Linux or Unix software "natively" on Windows or perhaps even worse than that, more like on DOS.
That's what I mean by "New". So I'm not talking Windows here!
Last edited by war on 15 Jan 2006 - 11:12
-
#27 Posted by jivemastert on 15 Jan 2006 - 17:56
- Glad they are catching bugs and security holes early.
I don't understand why everyone bashes MS when security updates come out. Would you rather they didn't release security updates? No one bashes Apple or any of the Linux distros when a security update comes out. Sheesh, so many trolls and fanboys out there that it's just getting a little tiring.
If you don't like the fact that MS releases security updates or that Windows has vulnerabilities in it, then don't use it, but I'd be hard pressed to find an operating system that is perfect. To MS, it is all about the money though... the way you keep customers and get people to keep buying your stuff is to make the clients happy. If there were hundreds of known security flaws in Windows that weren't being fixed, then people would get upset and switch to a different operating system.
-
(1 reply)
#28 Posted by rIaHc3 on 15 Jan 2006 - 19:31
- This has nothing to do with Microsoft
This has nothing to do with Vista
This has EVERYTHING to do with Neowin's news reporting.
Why you ask? I'll back this up....
Many of you may or may not know that there is a public testing right now of Java "Mustang" 6. In build 67 (that's 66 builds this problem has existed [in theory] and god knows how many other internal private builds), this bug was fixed:
"jconsole doesn't start on Windows 2003 Server (x32)"
I don't know what's more important/shocking; a great [at least they fix it] security update for Vista (which is in beta) or a program (which is in beta) not being able to run on a modern operating system. Conclusion: Neowin should have never posted this story because it is not for public users nor does it concern them at all. Plus this has been fixed. That's it. End of story. Nothing to see. The only reason to post a story about this is because it is truly and highly critical and MS have yet to fix it. Beta testers probably have AUs turned on and have already received this. Why don't you post ALL the small security updates that come out for the rest of the OSes....
You are ASKING as a website for a flamewar against Microsoft...
Don't know if this post might get deleted but if so you should change your name to (because I've seen this a lot on this site/forum):
"Neowin.net - Where editing opinions looks better"
-
#29 Posted by matt74441 on 16 Jan 2006 - 05:45
- Comments Cleaned.
