Second Symantec Report Criticizes Vista Code

Security researchers at Symantec have published the second of three reports calling out potential security issues in Microsoft’s next-generation Vista operating system, this time taking a shot at several of the product’s user account control and privilege escalation features.

According to the latest report, which follows a similar missive issued by Symantec in mid-July over flaws it believes to exist in the Vista’s networking technologies, some of the very tools Microsoft is touting a security advancements in the OS may actually serve as loopholes.

Specifically, the Symantec paper details a handful of flaws it believes to exist in Vista’s UAP (User Account Protection) feature, which is meant to help companies reduce the ability of viruses to escalate their privileges on infected machines in order to further propagate themselves or inflict other damage on affected computers.

Also known as LUA (Least-Privilege User Accounts or Limited User Accounts), Symantec maintains that the system can be circumvented by outside attackers, based on several implementation flaws, allowing the possibility for someone to elevate a computer’s access privileges and take over a desktop running the OS.

Another security issue highlighted by Cupertino, Calif.-based Symantec’s report involves a new feature in Vista known as mandatory integrity control, which is also designed to help confine privilege escalation capabilities.

Despite the addition of the tools, the security company contends that attackers could still conceivably bypass the system to escalate their ability to attack computers.

The security company’s researchers have repeatedly stressed that the perceived flaws detailed in its reports are present in three publicly available beta iterations of Vista, and have conceded that Microsoft has eliminated large numbers of potential vulnerabilities with each successive release of the software.

Symantec’s researchers also said that the task of completely rewriting Windows’ sprawling code base without introducing any loopholes may be too much to expect from any vendor.

Microsoft, in Redmond, Wash., which is slated to deliver a final version of Vista sometime in January 2007, has also pointed out that the vulnerabilities critiqued by Symantec will not necessarily apply to its final product.

Throughout the company development of Vista, the software giant has applied a new process known as its SDL (Security Development Lifecycle), which requires that all of the operating system’s code is scoured for potential problems before being added into the product.

Read the full story on eWEEK.com: Second Symantec Report Criticizes Vista Code