Was that a Vista fix released on Patch Tuesday?

20 vulnerabilities fixed on Patch Tuesday, one of which was - debatably - a Vista fix

Users can chalk up a critical vulnerability -- now patched -- in Windows Vista, a Microsoft security manager said Wednesday. Though if people want to get picky, the fix for the company's malware scanning engine isn't really for a flaw in the operating system's core code. And therein lies a debate.

The question of whether Vista was patched against its first remote code vulnerability may be academic in the long run, but researchers and customers alike are keeping close tabs on the operating system for the first confirmed vulnerability. Microsoft has repeatedly touted Vista as its most secure version of Windows ever.

Tuesday, it released 12 security updates to fix 20 vulnerabilities, 11 of them pegged as "critical" in the company's four-step scoring system. One of the bulletins, MS07-010, patched a critical bug in the malware scanning engine used by Microsoft's security lineup, including Windows OneCare, Windows Defender and the Forefront Security and Antigen products.

Windows OneCare and Windows Defender run on Vista client systems; Defender is in fact built into Vista.

"The underlying component [of Windows Defender] does ship with Vista," acknowledged Mark Griesi, security program manager for the Microsoft Security Response Center (MSRC). "That's the correlation people are drawing. The vulnerability is in the malware engine, which is part of Defender, which is part of Vista. So, yes, you can say that Vista [itself] is vulnerable.

"But is it a direct vulnerability in Vista? I wouldn't characterize it like that," he added.

One point of confusion with the scanning engine bug is how it's patched. In Vista, for instance, it would never appear in the Windows Update window. Although Windows Defender relies on Vista's own update mechanisms to retrieve new signature files and security updates such as the MS07-010 patch, it does that behind the scenes. Windows OneCare, on the other hand, has its own internal update feature that circumvents Windows Update. Forefront and Antigen, meanwhile, use the Forefront Server security update service.

"By default, all have auto update turned on," said Griesi. "Enterprises can set [Forefront and Antigen] to not auto update, of course, but users should see an update on whatever cycle the software's set to." While Microsoft throttles down updates -- a process that means it may take several days for all users to receive critical updates -- Griesi said that the scanning engine fix has probably already been downloaded and installed on most affected users' machines.

Some security researchers took the Vista's-not-flawed side of the argument. "Technically, it's not a Vista vulnerability," said Amol Sarwate, manager of Qualys' vulnerability lab. "But nothing is impervious. We're not seeing [a vulnerability in Vista] at this point, but we anticipate that there will be one."

Other experts were critical of Microsoft for letting the scanning engine slip through the cracks. "This is exactly the kind of thing that you would have expected Microsoft to catch," Minoo Hamilton, a senior security researcher at patch management vendor nCircle Network Security, said Tuesday.

In fact, Alex Wheeler, one of the researchers with IBM's Internet Security Systems X-Force group credited with discovering the scanning engine bug, is noted for digging up vulnerabilities in antivirus and other security software. Among the vendors whose products Wheeler has pinned with bugs are Kaspersky Lab, McAfee, Sophos and Symantec.

Griesi rejected critics who said Microsoft's emphasis on security during development should have ensured a bug-free scanning engine, especially since similar flaws had been found in other antivirus software more than two years ago.

"Yes, [the scanning engine] was developed under Security Development Lifecycle," he said, referring to the process has Microsoft instituted in several steps since 2002 to make its software more secure. Windows Vista was the first operating system completely written under those guidelines. "But there's no software that's 100% [secure].

"I wouldn't call this an 'embarrassment,'" said Griesi when asked about how nCircle's Hamilton characterized the bug in Vista. "We beta-tested Vista more thoroughly than any other version of Windows, [but] there are always new threats."

And when the company finds bugs, as in this case, it will patch them, he said. "We're always learning."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?