Windows Vista networking security

probe

Many of the networking security flaws in Windows 95 and 98 are re-appearing in Microsoft Windows Vista.

According to security expert Steve Gibson (not an “anti-Microsoft” person by any means) many elements of the networking stack in Windows 2000 and subsequent appear to have been stolen from the open source community (issue can’t be proven, except perhaps by discovery process in court if/when open source community decided to sue). If this is true, so much for the word “genuine” (as in GWA) and software piracy so often trotted out by this company!

Quote:

Steve: And it’s interesting because there were rumours at the time of Windows 2000’s release about where did Microsoft get that stack. Because, you know, there was 95 and 98 and NT, and then Windows 2000. Well, Windows 2000 really did appear to be a different networking stack than Microsoft had. But it just – it was born fully mature. It was, I mean, it was a really good networking stack from day one. And you just don’t get that. I mean, all of the security problems that have been solved years and years ago were, like, already fixed in this stack. And there were rumours that Microsoft lifted it from one of the open source BSDs.

Leo: Oh, boy.

Steve: That that’s where it came from. And I can’t remember where it was NetBSD or OpenBSD. I don’t think it was FreeBSD. But, you know, there was a strong suspicion, just based on the behaviour. You know how there are network fingerprinting tools, or OS fingerprinting tools, that will send a bunch of specially crafted packets at a machine. And based on really subtle differences in the way it responds, they’re able to determine what kind of operating system is at the other end.

Unquote


Vista has a completely new networking stack which appears to have been written from the ground up. Laden with vulnerabilities. One wonders if the decision to go for new was primarily driven by legal advice – rather than software engineering concerns? The open source lot could probably go after them for $zillions if they could prove a case.

The full story > http://media.grc.com/sn/SN-051-lq.mp3

probe

Martyr

Steve: And it’s interesting because there were rumours at the time of Windows 2000’s release about where did Microsoft get that stack. Because, you know, there was 95 and 98 and NT, and then Windows 2000. Well, Windows 2000 really did appear to be a different networking stack than Microsoft had. But it just – it was born fully mature. It was, I mean, it was a really good networking stack from day one. And you just don’t get that. I mean, all of the security problems that have been solved years and years ago were, like, already fixed in this stack. And there were rumours that Microsoft lifted it from one of the open source BSDs.

i remember hearing about the tcp/ip stack in win2k being based on FreeBSD..& i'm really surprised that they would have created completely new code for Vista.

perhaps any vulns in vista will be patched before release next year?

ecksor

probe wrote:

Vista has a completely new networking stack which appears to have been written from the ground up. Laden with vulnerabilities. One wonders if the decision to go for new was primarily driven by legal advice – rather than software engineering concerns? The open source lot could probably go after them for $zillions if they could prove a case.

Reading anything on grc.com is a waste of brainfuel.

Anyway, the BSD license is very very open. Saying that Microsoft using BSD code is "stealing" is nonsense. I don't believe there are any potential legal consequences from using BSD licensed code in a commercial application.

The problem is that "the open source lot" is too broad a term. I think the GPL license (associated with Linux) would present problems, but then the BSD people would say that the Linux people aren't really that "open" in their definition of "open source".

Incidentally, there have been security problems with the BSD networking stack (FreeBSD at least) since Microsoft are alleged to have used their code, so he seems a bit confused in his assessment there too.

NutJob

Reading anything on grc.com is a waste of brainfuel.

Youd be better off on security focus as Gibson is a flim flam artist.
Though to his credit hes a good programmer.


Ogh and yes the network stack will have bugs its just too complex not to have them. But fingeres crossed the fussers get the overflows before release.

Cake Fiend

I thought it had been a long time since we had heard Steve Gibson frothing at the mouth about something!