IT IS NOT OFTEN that anyone at Waggener Edstrom, Microsoft's pet public relations firm, writes to The INQUIRER. Read on, and we think you'll soon understand why that's the case.
We received the following missive a couple of days ago:
From: [email address]
To: [email protected]
Subject: Article: Vista kernel is vulnerable
Date: Tue, 2 Dec 2008 18:20:17 +0000 (GMT) (10:20 PST)
Emailed from The Inquirer...
I wanted to let you know that the Windows Vista vulnerability identified in your article is located in the Device IO Control, and when exploited, causes a buffer overflow which then corrupts kernel memory. The vulnerability does not lie in the Windows Vista kernel itself.
It would be great if you would be able to update your story - please let me know if you can.
Rickard Andersson [phone]
Since our article explicitly said that a "buffer overflow flaw exists in Vista's networking I/O subsystem," we didn't pay that email any mind. In particular, we did not notice the sender's email address. Rarely do our stories that mention Microsoft fail to generate at least one or two flames.
Apparently accustomed to dealing with somewhat more accommodating publications, such as those that receive significant revenues from Microsoft's advertising, but not having seen a quick change to our story, our correspondent emailed again yesterday:
From: Rickard Andersson
To: [email protected]
Subject: Re your article: Vista kernel is vulnerable
Date: Wed, 3 Dec 2008 15:12:55 +0000 (07:12 PST)
Writing from Waggener Edstrom, Microsoft's PR agency, as I wanted to let you know that the Windows Vista vulnerability identified in your article is located in the Device IO Control, and when exploited, causes a buffer overflow which then corrupts kernel memory. The vulnerability does not lie in the Windows Vista kernel itself. Would you be able to update your story to reflect this? Please let me know.
Vista kernel is vulnerable
Monday, 24 November 2008, 4:49 PM
Senior Account Executive
Waggener Edstrom Worldwide - London
[miscellaneous other bumf]
Well sure, Rickard... since you insist. We'll be glad to clarify that story for our readership.
As we initially reported, this particular security flaw in Windows Vista is indeed in the I/O subsystem, specifically – as you have pointed out – in the Device I/O Control module, and we will be glad to take your word for that nomenclature.
Further, the security flaw is a buffer overlow that, when triggered, corrupts Vista kernel memory. That can – again, as we initially reported – "cause a blue screen of death system crash, allow denial of service attacks, or enable injection of rootkits or other malware..."
So yes, technically, this security glitch is not in the Vista kernel itself, since you consider it important to make that distinction, but in the Device I/O Control module, so very different.
This would tend to suggest that the Vista kernel remains perfectly secure... as long as you don't actually use any devices in your computer. You know, things like a keyboard, mouse, video screen, hard disk, DVD/CD drive, printer, or... network interface.
But the fact is, the security flaw enables corruption of kernel memory, that is, potentially compromising the integrity and security of the entire Vista operating system, and with it, the entire computer system itself.
This obsession with meaningless classification of security flaws is simply characteristic of Microsoft, which has a long history of defining away, making excuses for, simply hiding, and even flatly denying numerous, continuing and overlapping problems with its horribly designed, bug-ridden, user-hostile, DRM-infested, poorly performing software products.
So this security problem doesn't originate within the Vista kernel, it merely has the plainly obvious potential to completely compromise it. Fine. Microsoft's statistics look better now.
It reminds us of Microsoft's attempts to compare the number of security patches to Windows itself with those distributed for all of the thousands of applications, utilities and so on that make up a modern Linux distribution.
The Vole hasn't tried that one for a while now, so it's due to come around again. Maybe it will come up along with the next self-serving round of Microsoft-sponsored Total Cost of Ownership studies, since those seem to be about ready to ramp up again in this recession.
Similarly, the gaping security holes in the Vole's Internet Exploder and Microsoft Lookout must not count either, we're sure. It's just a coincidence that those security vulnerabilities are present by design and have spawned a robust software industry populated by vendors of security products catering almost exclusively for Windows-based computers, certainly.
Does Microsoft still maintain that this proven security flaw in Windows Vista is somehow so unimportant that it's still unable to say whether a fix will be included in the next Vista service pack or estimate when that service pack might be released?
We guess we'll see. µ
Vista kernel is vulnerable
The week in Google in brief
Sega hedgehogging its bets
And not a purple duck in sight