quote:

---

Microsoft has made a high-profile pitch to lower public expectations of the security mechanisms built into Windows Vista, particularly User Account Control (UAC).

Mark Russinovich, technical fellow in Microsoft's Platform and Services Division, used a talk at last week's CanSecWest security conference to assure professionals that despite UAC malware "will end up thriving in the standard user environment, setting up botnets, grabbing your keystrokes," according to a blog report by industry journal ZDNet.

Russinovich predicted that malware would find ways of elevating its privileges, through social engineering or by compromising applications that run with higher privileges, the report said.

This isn't the first time Russinovich has thrown cold water on Vista's security mechanisms, which Microsoft originally made out to be one of the principal improvements in Vista over Windows XP. In February, he made the surprising declaration that UAC is not really a security feature.

He said malware authors will be able to do more or less what they like within UAC boundaries, such as setting up botnets and infiltrating user data, without taking over the entire system. But UAC will, at least, help protect the overall system and other user accounts, he said.

His comments followed a lengthy analysis of UAC and its shortcomings by hacker Joanna Rutkowska, who said she was surprised by Microsoft's dismissive attitude to bugs in UAC's implementation.

"Is this supposed be a joke?" she wrote. "We all remember all those Microsoft’s statements about how serious Microsoft is about security in Vista and how all those new cool security features like UAC or Protected Mode IE will improve the world's security. And now we hear what? That this flagship security technology (UAC) is in fact... not a security technology!"

---

"UAC and their underlying technology, "integrity levels", were not intended to guarantee that processes with higher privileges are protected from compromise by lower-level privileges, but rather as a way of changing the way Windows software is developed, Russinovich said in a February blog post.

'If you aren't guaranteed that your elevated processes aren't susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption,' he wrote.

Microsoft's drive is to get users off of administrative accounts and onto those with limited privileges, even if the new arrangement isn't water-tight from a security point of view, Russinovich said."

said by dave :

Ah. One employee of Microsoft says something, and it's reported as 'Microsoft says'...
I bet you'll find some core OS engineers that agree with Russinovich and some that are seriously pissed off at him for dissing their baby in public.

quote:

---

In a postmortem of last month's Windows animated (.ANI) cursor vulnerability, one of Microsoft Corp.'s security development gurus today spelled out how the bug sneaked into Vista

Michael Howard, an authority on Microsoft's Security Development Lifecycle (SDL) -- a multipart initiative that aims to get developers to design more secure code -- posted an extensive entry on the brand-new SDL blog that outlined lessons learned from the ANI vulnerability. "SDL is not perfect, nor will it ever be perfect," Howard acknowledged yesterday. "We still have work to do, and this bug shows that."

That bug, which first surfaced late last month and posed enough of a threat that Microsoft went out of cycle to patch it, affected all older editions of Windows as well as the newest, and supposedly more secure, Windows Vista. Some security researchers, in fact, took Microsoft and its SDL process to task for not catching the flawed code as Vista was written, debugged, tested and polished.

---