Windows Vista: Next Generation OS with old flaws

Windows-XP successor Vista has not yet hit the market but the recently published pre-release, targeting developers and system administrators, requires a security update already.

Windows Vista is planned to be released in the second half of 2006 and a beta version has been released recently. Now, the Redmond, Va -based software giant Microsoft had to release a security update patching a 16 year old hole in the next-generation operating system.

According to German IT publisher heise.de, the patch shall close the WMF flaw that has been detected in basically all of Microsoft's operating systems only recently. The problem allows attackers to gain complete control of the system by using a function implementing in the OS to display WMF-graphics and to abort print jobs. Thus it has become obviuos that Microsoft has reintegrated the outdated technology into its next-generation operating system.

As heise.de authors put it, this is a bad omen, since a WMF-flaw in Vista indicates that other known bugs and flaws have also been ported into the new operating system.

Some security experts even maintain that the WMF-bug is not a programming error but was a deliberately integrated backdoor to be used by Microsoft. Steve Gibson, for instance, argues that in case Microsoft wanted a shortcut to execute code on Windows PC the WMF-flaw provided it. However, a majority of security experts considers this to be rather paranoid. Nonetheless, Gibson is right in that apart from most security holes the WMF flaw is not a code weakness but a integrated function that was originally used to abort print queues and display WMF files.

It remains a question, however, heise.de writes, why and how such a potential danger, despite of having been detected and documented, could slip through Microsoft's intensive security review mechanisms

Sources : http://www.heise.de/security/news/meldung/68360

http://www.heise.de/security/news/meldung/68369

Critical Windows Updates available