Vista security discovered to be even more useless

Another gaping hole presented by Microsoft
Friday, 8 August 2008, 16:24

AT THIS WEEK'S Black Hat security conference, two security researchers will discuss their findings which could completely open Windows Vista to hackers.

Mark Dowd of IBM Internet Security Systems and Alexander Sotirov of VMware Inc. have together discovered a hack that can be used to bypass all of the memory protection safeguards that Microsoft programmed into the much-maligned Windows Vista.

The methods employed have enabled the researchers to bypass Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by simply loading malware through a standard web browser.

Dowd and Sotirov were able to load any content they desired anywhere on a user's machine using a variety of browser-hosted technologies, including ActiveX, Java, and .NET objects.

From a distance these seem like the usual exploits of basic security flaws; however, other researchers have confirmed that these exploits are a major breakthrough, and there is very little that Microsoft can do to fix the problems.

Apparently, these attacks work differently from the majority of other hacks, as they take full advantage of the way Microsoft chose to secure Vista's fundamental architecture.

Other researchers have since commented that they believe we may see similar techniques applied to other operating systems, including previous versions of Windows.

Microsoft has yet to officially respond to the findings, but Mike Reavey, group manager of the Microsoft Security Response Center, said the company is aware of the research and is interested to see the results once they have been made public.

More over at Neowin.net. µ

Comments
Oh, how nice

And so the stupid tossers are going to make it public instead of just keeping their fat geeky mouths shut and giving Microsoft a heads up. So now we can all look forward to a greater chance of having our PCs screwed up with viruses and spyware. Lovely. Nice work guys, I hope you get shot in the face.

posted by : SIBUK, 08 August 2008 Complain about this comment
Use some common sense

Why didn't they bring this in secret to MS to get something done about it before making it public?

Duh.

posted by : Duh, 09 August 2008 Complain about this comment
Parable of the Two Gardens

Parable of the Two Gardens

There were once two gardens. One was grown by slaves in a City behind closed Gates, overlooked by a castle above. The other garden was grown in the open commons by a community of Penguins. 

The slaves in the Gated city were not free to talk to their King, and were forced to plant seeds and tend crops in a regimented manner. Those who spoke out were quickly punished by having furnishings from the castle hurled down against them. As a result, the slaves were not careful how they planted the seeds -- which often withered or were stunted -- and much seed was necessary to produce these crops. The shadow of the Castle also darkened the garden, making the plants thin and sparse. 

The slaves ignored the weeds in the garden, fearing that they would be punished for the neglect of others. The weeds were poisonous if eaten, so the King ordered that crops be bundled tightly after harvesting, lest customers become aware of the weeds within. Many people from neighbouring villages were poisoned by eating the packaged crops of the Gated City. The King of the Gated City loudly proclaimed that these illnesses were caused by plagues, yet gave out small bags of gold to those in charge of the villages in which the deaths and illnesses occurred. Thus, the people in the other villages were very sad, but the villages kept buying the crops of the Gated City.

The Penguins' garden, being kept in the open, was tended more carefully, and received much sun. Penguins were always at work, and those walking by also stopped and were commended by others if they managed to spy a weed and remove it. Any seeds that were misplaced during planting were quickly repositioned by others, who were happily thanked by the one who had mis-planted it. As a result, the garden flourished, and very little seed was required to yield a bountiful harvest. The seeds became stronger and stronger each year. The Penguins sold the harvest in open bushels, so that those in other villages could see the healthy plants, free of poisonous weeds.

One day the villagers began to talk with one another. They discovered that the crops of the Gated City contained the poisonous weeds, as those eating these crops often became ill or died, whereas those eating the crops of the Penguins remained healthy and strong. They threw down the small bags of gold, knowing that the King had lied to them about the plague that was killing them. The villagers from all the villages took up the packaged crops and, ignoring the bellowing King in the Castle, flung them against the Gates of the City, bridging the walls, and allowing the slaves within to escape to freedom. 

Many of the freed slaves joined the Penguins, who taught them to garden in the open and help with the crops. Others took residence in the surrounding villages, and lived happy lives.

And the King in the castle was banished to the wilderness.


posted by : A_penguin_gardener, 09 August 2008 Complain about this comment
*shrug*

ActiveX? .NET?
I'll carry on using firefox I guess.

Java you say?
I'll carry on clicking "NO" I guess.

Or perhaps this is some magical attack that can load itself without an end user actually downloading it and allowing it to run in the first place.

Sounds overblown to me. Soon find out won't we.

posted by : bob, 09 August 2008 Complain about this comment
rename?

I think you guys should just call the site microsoftandnvidiasuck.net

Basically sums up about half your "news" this year.

posted by : John, 10 August 2008 Complain about this comment
Lots of MS patches this Tues

Supposedly an unusual amount of patches this time on Tues patch day. Those prob don't pertain to this hole(s).
btw keep doing your weekly backup of critical files and restores, just in case.

posted by : beergas, 10 August 2008 Complain about this comment
infinite number of monkeys

It's Microsoft that are the 'stupid tossers' - people tell them over and over again what's wrong and how to fix it but they won't listen to anybody.

It's painfully obvious they've got an infinite number of monkeys working there but they have yet to turn out the complete works of Shakespeare.

posted by : Ugly American, 11 August 2008 Complain about this comment
Well...

"rename?
I think you guys should just call the site microsoftandnvidiasuck.net

Basically sums up about half your "news" this year."

That's because they are big corps who are always fouling things up. If they were better then there would be no need for all these negative reports. Take Nvidia for instance. They have removed video mirroring from TV out on their 8 series cards (and it looks like they are trying to do the same with earlier cards in their latest drivers) all because of Vista and DRM. They have admitted this publicly too.

Feel the love.

posted by : Dick, 11 August 2008 Complain about this comment
@sibuk + Duh

Great idea. Keep the security hole secret while MS write a whole new operating system - read the article, the fault is Fistula. Man and Dog write tons of software etc and lock all their business work into Fistula. MS release new operating system with other as yet undiscovered flaws. No-one buys it until they tell all about old flaw. All that work lost to hackers - assuming someone else hadn't discovered flaw. And companies lose fortunes converting to Fistula 7. MS wins, user loses.
Tell about flaw and people won't waste their lives or work on heap of ordure that does absolutely nothing it says on the tin. User wins for once.
Computers are for everyone - not just for MS to clear out their bank accounts at will.

posted by : Tom, 11 August 2008 Complain about this comment
hacks

I think the fact that this hack will be used on "other" operating systems, namely past Windows, shows that the hacks are becoming more sophisticated. This hack probably would have been useful even before Windows Vista came out. I don't see how you can blame this one on Vista if it's a hack that affects more OSes than it. Worst case it's a flaw from MS that originated 20 years ago and affects all Windows. Even so I expect a fix from someone, maybe not MS (there are plenty of skilled anti-virus SW writers out there). Best case is this is an overblown news article about a new hack that requires you to click on the porn that only people without anti-virus software can get.

posted by : matt, 11 August 2008 Complain about this comment
Responsible?

"Mark Dowd of IBM Internet Security Systems and Alexander Sotirov, of Vmware Inc." sound like professionals who wouldn't publish a new and fatal hole in Windows and MSIE without giving Microsoft lengthy warning first, even though Microsoft implies they didn't give warning.

posted by : Robert Carnegie, 11 August 2008 Complain about this comment
Completely bogus

So they were able to get buffer overflows in IE. But with UAC and IE Protected Mode, the exploit can't do shot to the OS.

http://arstechnica.com/news.ars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html

posted by : Yap Yap Yap, 11 August 2008 Complain about this comment
bah!

I don't think anyone is saying keep it secret forever. What I think was meant here is give MS a few weeks notice before making it public. This whole security industry is backwards, they tell the hackers and scammers all the bugs at the same time they tell MS, so we all have a month or two of crap from them before it's fixed.

No one is saying keep it secret forever, and I'm not implying to do it to get MS off the hook, I'm saying it for all the poor users out there stuck with Vista who just got blown wide open by a team working on 'PC security'.

posted by : kal, 11 August 2008 Complain about this comment
head in the sand

Those comments from people who think that keeping security holes secret is the best way to stay safe are the biggest tossers of all.

Security by obscurity DOES NOT WORK. Bringing it out into the open safeguards us all so we can protect against it. Just because you don't know about something does not make it secure, and you must be a total c*ck if you think it does.

That's why open source software is the most secure of the lot.

posted by : 99flake, 11 August 2008 Complain about this comment
ouch

This is one of the reasons why I'm using MS-DOS on all my computers.

Anyways, nothing is 100% secure.

posted by : idontknow, 12 August 2008 Complain about this comment
Pull this 'story'

What they have actually demonstrated in their article, which you can find at http://taossa.com.nyud.net:8080/archive/bh08sotirovdowd.pdf, is a number of ways in which the protections can be bypassed in order to successfully exploit a vulnerability. The key is that a vulnerability must be found in the first place - the point is that Vista's protections, if used (and they're turned off in current browsers, for backwards compatibility with non-compliant plugins) make it significantly more difficult to produce a successful exploit. Not impossible, just far harder.

Neowin's analysis was wrong.

posted by : Mike Dimmick, 13 August 2008 Complain about this comment