Symantec found a way to escalate network privileges via a smallish hole in Vista’s networking stack – a potential problem the company predicted in July 2006 – that Microsoft patched yesterday.

The news came as part of Microsoft’s monthly Patch Tuesday, during which Microsoft also separately stepped up its competition with security vendors with the launch of a new malware information web site.

Microsoft issued six security bulletins yesterday, three of them critical, two important, and one moderate. Collectively, they address 11 different vulnerabilities.

The critical vulnerabilities are to be found mainly in Excel and the .NET framework, which is installed on most up-to-date versions of Windows. Active Directory’s implementation in the last two versions of Windows Server is also subject to serious vulnerabilities.

But Symantec chose to highlight the moderate vulnerability found in Windows Firewall, which Symantec researchers discovered in February.

The vulnerability, left unpatched, gives external attackers privileges they would normally only get on the local network. It’s not heart-stoppingly scary, but could be a valuable tool when added to other attacks.

Symantec blamed Vista’s scratch-built networking stack, the parts of the operating system that deal with network protocols, for the problem, and vaguely hinted more vulnerabilities of this type could emerge in future.

“Microsoft’s decision to rewrite the Windows network stack and its accompanying firewall continues to have long term security implications,” Oliver Friedrichs, director of emerging technologies at Symantec, said in a statement. “A network stack can take decades of heavy scrutiny in order to become battle hardened.”

Symantec spent much of 2006 shooting holes in the beta versions of Windows Vista, not coincidentally at the same time as Microsoft shouldered its way into Symantec’s core antivirus market, and had previously flagged up the new stack as a potential liability.

“In deciding to rewrite the stack, Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects,” Symantec said in a July 2006 report. “This may provide for a more stable networking stack in the long term, but stability will suffer in the short term.”

Rival security companies waging marketing wars with vulnerability research is not new, but it was particularly noticeable in Symantec’s case as it coincided with its emerging rivalry with Microsoft and was almost exclusively dedicated to picking Microsoft software apart, even in beta versions.

Microsoft stepped up its own security-as-marketing campaign yesterday with the official launch of its Malware Protection Center, a fairly straightforward lift on security companies’ threat centers, containing the usual list of top threats in the wild and a virus encyclopedia.