17 March 2007

Microsoft security "guru" wants Vista bugs rated less serious

"Michael Howard, a senior security program manager in Microsoft's security engineering group, said that the Microsoft Security Response Center (MSRC) is being too conservative in its Vista vulnerability rating plans. Because Vista includes security techniques and technologies that Windows XP lacks, the MSRC should reconsider how it ranks Vista when a vulnerability affects both Microsoft's new operating system and its predecessor, Windows XP, he said.

Analysts and outside Microsoft security professionals took the MSRC's side -- and blasted Howard's idea.

"[Windows] either has the vulnerability or it doesn't," said Marc Maiffret, eEye Digital Security's CTO. "Vista has some additional Band-Aids, but most of those Band-Aids are broken. Hopefully, [Microsoft] isn't so careless that they'll downgrade Vista vulnerabilities."

"A remote-code execution exploit still remains a remote-code execution exploit," said Johannes Ullrich, chief research officer at the SANS Institute."

Click on the link below for the full article:

