
March 1st, 2007 by mb

Today Symantec released two new whitepapers about security protections in Vista: “Analysis of GS Protection in Windows Vista” and “Analysis of Address Space Layout Randomization on Windows Vista.”
Although my last blog post criticized Symantec for its hyped FUD, these two papers, by the same author, definitely provide some good information and demonstrate the thorough research that Ollie Whitehouse has done on this matter. Furthermore, the author clearly states the true issues here and provides detailed research notes.
Posted in Hardening, Malware, Windows Security

February 27th, 2007 by mb

Ok, this issue started with an article by Symantec titled “An Example of Why UAC Prompts in Vista Can’t Always Be Trusted.”
After that, Thor (Hammer of God) posted his opinion on Bugtraq, which prompted a few other responses.
So I decided to look at the issue more closely and add my own opinion. The result is that this really is a hyped issue. What really makes this issue FUD is that the Symantec posting implies this is a serious issue and never really clarifies the actual risk. Then, so many news sources picked it up without really understanding the issue at hand. What further hurts the credibility of this post is that the Symantec post is probably not completely objective on this issue due to their own future competitive products.
Posted in Malware, Windows Security

February 25th, 2007 by mb

Recently a friend was complaining to me about the “screen flickering” that occurs whenever a User Account Control (UAC) prompt comes up in Vista and he wanted to know how to turn it off—not UAC, just the dimming and flickering effects. He said he already looked in the display settings and didn’t see anything there.
Posted in Hardening, Malware, NTFS, Uncategorized, Windows File Protection, Windows Security

February 19th, 2007 by mb

When I was a teenager in California there was a private oil pier near Rincon that we liked to jump off. It was great—you’d throw your surfboard off first so there was no backing out, because it was scary looking down at the dark green ocean so far below you. Once your board was in the water you had no choice but to follow it out into the emptiness below.
Posted in Hardening, Malware, Windows Security

February 17th, 2007 by mb

I thought I would add a bit more to my original post to clarify the problem. Half of the problem is the way Windows searches paths, and the other half is software developers who don’t quote their paths in the Registry or when calling CreateProcess. There are no built-in Windows services that have this problem and this issue has been documented for over a decade.
Posted in Hardening, Malware

February 17th, 2007 by mb

A couple years ago I mentioned in a SecurityFocus column that Windows has a problem when you put a file named “program.exe” in the system root directory. The problem is basically in how it deals with spaces in paths that don’t have quotes around them. Anyone with the permissions to create a file in the root directory could create a malicious program that could escalate their privileges. Here’s an excerpt from that article:
Posted in Application Security, Hardening, Malware, Tools

January 21st, 2007 by mb

A couple years ago I thought a pond would be a nice addition to an empty space on the side of my old house. I didn’t know anything about constructing ponds at the time but I thought that actually doing it would be a good way to learn. After reading a few web articles on the subject I got out the shovel and started digging. The pond came together very quickly but it turned out I was kind of naive and a bit too impatient in pond v1.0.
Posted in Malware, Windows File Protection