Windows Vista Discussion

Status
Not open for further replies.
Microsoft is trying to encourage PC makers to spice up their PCs with the Vista Industrial Design Toolkit. The kit has been shipped out to about 70 designers in hopes of giving the PC world a facelift. I'm not sure about you but I think Microsoft might be on to something here. Bland, boring boxes just don't cut it anymore.

The Windows Vista Industrial Design Toolkit, hand-delivered to about 70 designers, contains everything a PC maker needs - color palette, suggested materials, even graphics for icons and power buttons - to create computers, laptops, and peripherals that hew to Vista's look. A separate booklet exhorts hardware makers to eschew drab, utilitarian boxes.

http://www.hardocp.com/news.html?news=MjA0NTAsLCxobmV3cywsLDE=
 
Makaveli213 said:
What voice recognition software is ready? There are only a couple out there and they are shoddy at best. Heck, I can't even get Opera to recognize my voice yet. Let alone Windows. Even with going thru the voice training.

Plain and simple, voice recognition isn't going to be good at all. Unless you speak loud and VERY clear it won't know what word you mean. If you forget to pronounce even a letter the software won't know. Like somthin instead of something. That will throw the software off.

So I wouldn't worry about the voice recognition not being ready since it isn't even workable in XP all that great.

you hit it on the nose

http://tech.cybernetnews.com/2006/07/29/demo-of-microsoft’s-vista-voice-recognition-misfires/
 
Wednesday Winfuture.de, a German Windows enthusiast site, released a slew of screenshots of the recently acquired 5487 build of Windows Vista.

It appears that the new task bar and sidebar have still yet to have been included, but you will notice a few changes here and there. The welcome screen appears to have been overhauled with many new features adding an "Offers from Microsoft" panel which gives quick access to many new Windows Live services such as Messenger, Mail Center (still currently known as Mail Desktop Beta) and OneCare.

Another thing you will spot is a slightly tuned interface in Media Center, nothing big as it appears they just tweaked the drop shadows and a few graphics.

Although the new sidebar didn't make an appearance in this build, some redesigned gadgets did. The system performance and weather gadget have been redesigned as well as the stocks gadget.

Last but not least is the new voice recognition feature (or after a bad performance at a Microsoft Conference last week, voice wreck-ognition may be a more appropriate term.) Voice recognition allows you to control the system and take notes by using audio commands which the system recognizes.

http://www.winfuture.de/index.php?page=wfv4/BSv2/scg-ia.php&id=1929&seite=1
 
Symantec has shed more light on potential vulnerabilities in Windows Vista that could circumvent new security measures and leave users vulnerable to attack.

The security specialist expects hackers will try to work around restrictions in Windows Vista that sandbox code downloaded from the internet in the hopes of preventing attacks on other PC system resources. Symantec says it's just a matter of time before "a low-privilege, low-integrity level process" will ultimately bypass Windows Vista's new system for securing user's machines "and ultimately execute code at a high-privilege, high-integrity level."

Symantec released the information in its latest paper, Analysis of the Windows Vista Security Model Analysis, which updates its overview of Windows Vista's network security last month. Readers wanting technical details should click here for the PDF.

The paper stresses its assessment is based on an out-of-the box installation of Windows Vista running on code used in Microsoft's February Community Technology Preview (CTP). Symantec concedes later builds of the operating system have closed potential gaps, and that Windows Vista's out-of-the-box security is already a "significant" improvement over previous versions of Windows.

However, Symantec's principal security researcher Matthew Conover wrote he "expects several other privilege escalation vulnerabilities to be discovered."

The nub of the issue appears to be a system of privileges Windows Vista assigns to both code and the end user. Microsoft's User Account Control (UAC) asks users to enter their credentials, which will depend on their company's security policy, before they are allowed to do things like install software.

Windows Vista also defines the "integrity" of things like objects and processes to control different levels of access they have to different system resources.

According to Microsoft's documentation, all files and registry keys will have a "medium" default integrity level, while IE running in protected mode - which it will do when installed out of the box - has a "low" integrity level. That means IE is not allowed to modify existing files on a Windows Vista machine, and will receive "access denied" error messages should it try to change files.

One popular means of attacking PCs is for the user to either visit a web site running malicious code, with code automatically downloading, installing and consuming system resources or stealing data. Another is for the user to download and install code, breezing through any warning pop-ups that get in the way. Changes in Windows Vista are designed to close these avenues of attack.

Conover, though, expects hackers will see this defense strategy as a potential challenge. He expects hackers will look for ways to turn code downloaded using IE from low to medium or even high integrity. Next, he predicted it will be "just a matter of time" before hackers find ways to abuse Windows local and remote procedure calls (LPCs and RPCs) using high-integrity processes.

LPCs and RPCs are a favored method of attacking servers and PCs running older versions of Windows.

Of course, hyping Vista security fears can't hurt Symantec's business

http://www.theregister.com/2006/08/02/symantec_windows_vista_security/
 
Microsoft made a test version of Vista available to about 3,000 security professionals Thursday as it detailed the steps it has taken to fortify the product against attacks that can compromise bank account numbers and other sensitive information.

"You need to touch it, feel it," Andrew Cushman, Microsoft's director of security outreach, said during a talk at the Black Hat computer-security conference. "We're here to show our work."

Microsoft has faced blistering criticism for security holes that have led to network outages and business disruptions for its customers. After being accused of not putting enough resources into shoring up its products, the software maker is trying to convince outsiders that it has changed.

"They're going directly to the bear in the bear's lair," says Jon Callas, the chief technology officer at PGP Corp., which makes encryption software and other security products. "They are going to people who don't like them, say nasty things and have the incentive to find the things that are wrong."

Due early next year, Vista is the first product to be designed from scratch under a Microsoft program dubbed secure development life cycle, which represents a sea change in the company's approach to bringing out new products. Instead of placing the addition of compelling new features at the top of engineers' priority list, Microsoft now requires them to first consider how code might be misused.

A security team with oversight of every Microsoft product -- from its Xbox video game console to its Word program for creating documents -- has broad authority to block shipments until they pass security tests. The company also hosts two internal conferences a year so some of the world's top security experts can share the latest research on computer attacks.

Cushman said the presentations have already paid off. One talk, delivered in March by a security expert named Johnny Long, detailed a new way to identify security holes using Google. Shortly after the talk, a Microsoft manager applied the technique and discovered a customer was at risk because it hadn't properly set up a computer that was running SQL, a database program that competes with business programs sold by Oracle Corp.

But internal conferences are one matter. Taking Vista to Black Hat, where some of the world's foremost security gurus annually make sport of ripping through programming code to find bugs, is another.

"The fact that they're releasing it here is probably a bold statement," said Mike Janosko, a security expert with Ernst & Young who has been reviewing Vista for several months.

http://www.cnn.com/2006/TECH/ptech/08/03/microsoft.hackers.ap/index.html
 
Microsoft is confident about Vista being secure; they brought Vista to the Black Hat / Hacker Convention to give them a try at ripping it apart, and they praised Vista's security.
 
Really? From what I hear they had absolutely no problem hacking into Vista.

Vista hacked at Black Hat

While Microsoft talked up Windows Vista security at Black Hat, a researcher in another room demonstrated how to hack the operating system.

Joanna Rutkowska, a Polish researcher at Singapore-based Coseinc, showed that it is possible to bypass security measures in Vista that should prevent unsigned code from running.

And in a second part of her talk, Rutkowska explained how it is possible to use virtualization technology to make malicious code undetectable, in the same way a rootkit does. She code-named this malicious software Blue Pill.

"Microsoft is investigating solutions for the final release of Windows Vista to help protect against the attacks demonstrated," a representative for the software maker said. "In addition, we are working with our hardware partners to investigate ways to help prevent the virtualization attack used by the Blue Pill."

At Black Hat, Microsoft gave out copies of an early Vista release for attendees to test. The software maker is still soliciting feedback on the successor to Windows XP, which is slated to be broadly available in January.

>> Source: ZDNet News

So how is it you say they praised it when clearly they weren't very impressed if they hacked it that fast?
 
Below I have quoted an article written on the IE Blog;

"I had mentioned a while back that we planned to call the version of IE7 in Windows Vista "Internet Explorer 7+".

Well, the feedback we got on the blog was overwhelming - many of you didn't like it. So, as we've said on our website, we heard you. I'm pleased to announce that we're switching the name back to "Internet Explorer 7". No plus. No dot x. Just "Internet Explorer 7".

Specifically, here are the official full names:

-For Windows XP: "Windows Internet Explorer 7 for Win XP"
-For Windows Vista: "Windows Internet Explorer 7 in Win Vista"

http://blogs.msdn.com/ie/comments/688899.aspx
 
Researchers have demonstrated how to bypass security protections in order to inject potentially hostile code into the kernel of prototype versions of Windows.

The demonstration by Joanna Rutkowska, a senior security researcher with Coseinc, highlighted the possibility of loading arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thereby circumventing Vista's policy of only allowing digitally-signed code to load into the kernel.

The attack, presented at the Black Hat conference in Las Vegas last week, can be performed "on the fly" (i.e. no reboot is necessary) but it does require admin privileges, unlike most malware attacks that are equally successful in conventional user mode.

Used successfully, the attack creates a means to install a rootkit (contained in an unsigned device driver) onto compromised hosts by disabling Vista's signature-checking function, Information Week reports. Disabling kernel memory paging could be implemented among a number of workarounds against the attack, she added.

Rutkowska also demonstrated her previously announced technology for creating stealth malware, Blue Pill, which uses the latest virtualisation technology from AMD - Pacifica - to inject potentially hostile code by stealth, under the radar of conventional security defences, onto a server.

Although Vista wasn't as secure as Microsoft would have us believe, Rutkowska commented that Microsoft had done a good job with the OS, adding that her attack didn't mean Vista was inherently insecure.

Microsoft director of Windows product management Austin Wilson was among the delegates who attended Rutkowska's well received presentation on Thursday, Information Week reports.

Wilson said correcting the security shortcomings highlighted by Rutkowska was on Microsoft's development road map for Vista. He added that the driver-signing function was only implemented by default on 64-bit versions of the OS.

Microsoft is going out of its way to reach out to the security community in its attempts to improve the security of Vista prior to its release, now expected early next year.

Microsoft director of security outreach Andrew Cushman began the week by encouraging ethical hackers to poke holes at the OS.

Later, Microsoft security group manager John Lambert explained the security development process behind Vista, claiming the OS had been through the biggest penetration testing effort ever mounted against an operating system. Redmond had recruited more than 20 security researchers to give Vista a "body-cavity search", he said.


http://www.theregister.com/2006/08/07/vista_black_hat_attack/
 