Second Symantec Report Criticizes Vista Code

Researchers say Vista's account privilege management tools may introduce a collection of vulnerabilities unless Microsoft fixes the bugs before shipping.

Security researchers at Symantec have published the second of three reports calling out potential security issues in Microsofts next-generation Vista operating system, this time taking a shot at several of the products user account control and privilege escalation features.

According to the latest report, which follows a similar missive issued by Symantec in mid-July over flaws it believes to exist in the Vistas networking technologies, some of the very tools Microsoft is touting a security advancements in the OS may actually serve as loopholes.

Specifically, the Symantec paper details a handful of flaws it believes to exist in Vistas UAP (User Account Protection) feature, which is meant to help companies reduce the ability of viruses to escalate their privileges on infected machines in order to further propagate themselves or inflict other damage on affected computers.

Also known as LUA (Least-Privilege User Accounts or Limited User Accounts), Symantec maintains that the system can be circumvented by outside attackers, based on several implementation flaws, allowing the possibility for someone to elevate a computers access privileges and take over a desktop running the OS.

Another security issue highlighted by Cupertino, Calif.-based Symantecs report involves a new feature in Vista known as mandatory integrity control, which is also designed to help confine privilege escalation capabilities.

Despite the addition of the tools, the security company contends that attackers could still conceivably bypass the system to escalate their ability to attack computers.

The security companys researchers have repeatedly stressed that the perceived flaws detailed in its reports are present in three publicly available beta iterations of Vista, and have conceded that Microsoft has eliminated large numbers of potential vulnerabilities with each successive release of the software.

Symantecs researchers also said that the task of completely rewriting Windows sprawling code base without introducing any loopholes may be too much to expect from any vendor.

Microsoft, in Redmond, Wash., which is slated to deliver a final version of Vista sometime in January 2007, has also pointed out that the vulnerabilities critiqued by Symantec will not necessarily apply to its final product.

Throughout the company development of Vista, the software giant has applied a new process known as its SDL (Security Development Lifecycle), which requires that all of the operating systems code is scoured for potential problems before being added into the product.

Through SDL and "fundamental architectural changes" that will help make customers more secure from evolving threats, including worms, viruses and malware, Microsoft says that it has effectively minimized Vistas "attack surface area."

This work aims to improve system and application integrity and helps organizations more securely manage and isolate their networks.

/zimages/2/28571.gifRead more here about Vista security concerns.

"We continue to make improvements to the operating system based on this feedback," company spokespeople said in response to Symantecs research efforts.

"Highlighting issues in early builds of Windows Vista does not accurately represent the quality and depth of the features."

In the earlier report, Symantec researchers reported finding three different types of potential flaws in Vistas underlying software code, including the presence of stability issues that could cause the OS to crash when presented with attacks that utilize malformed files to deliver their payloads, some undocumented IP protocols with no known purpose in the product, and issues with some new protocols deep within the operating systems so-called network stack.

Symantec has long made a large share of its revenue off of products used by businesses to secure Vistas Windows predecessors, and the companies remain what officials from both firms term as "close partners."

However, in addition to making a significant effort to make its new OS more secure than its forbears, Microsoft has also charged headlong into the information security market, placing the companies as direct rivals in several sectors including Symantecs core desktop anti-virus niche.

Symantec researchers maintain that their recent work in studying potential flaws in Vista is motivated by users concerns over the new OS, and not rooted in a desire to poke holes in Microsofts attempt to make its products more secure.

"SDL is having a major impact into the development of entire OS, but no matter how hard you try, developers are human and tend to make mistakes," Oliver Friedrichs, director of emerging technologies at Symantec Security Response, said of Vista.

"Microsoft is certainly not alone here, any software vendor, including security vendors, are susceptible to vulnerabilities in new products."

/zimages/2/28571.gifCheck out eWEEK.coms for Microsoft and Windows news, views and analysis.