"exploit security vulnerabilities already present on the system"

Why, of course it does. Windows needs to be already present on the system after all.

Suicidal Semantics? Microsoft Death Wish? SPun Tale in a Tailspin?

"Redmond, by contrast, argues the alleged bug discovered by Core only offers a mechanism to "exploit security vulnerabilities already present on the system, rather than an actual vulnerability", security blogger Ryan Nardine reports."

Crikey, that is an even worse state of affairs in Microsoft than has ever been before imagined or admitted, for it tells us that it is a Systemic Abiding Fault in a Field they are Pioneering, which it is, of course.

How much would a Systemic Abiding Fault Fix be Worth, as opposed to them having to Invent a whole new Operating System for the Windows Platform?

And another question would be can be earned with those who would see advantage in using the mechanism, which if it is not a vulnerability, would then surely be a facility?

MS response

Seems to basically say "XP Mode is a hack, we don't really advise using it unless you need to and even then you should look to stop using it as soon as is practical. Oh, and look - kittens!"

OK, so technically maybe it's not an exploit, but it sure sounds like a way of bypassing security features, which counts as an exploit against those features in my book. Whether or not it directly allows you to compromise a system, there is still functionality being bypassed that one assumes was designed to not be.

I'd be willing to bet that full on 100% of network applications which are too old and creaky to run on Windows 7 and therefore rely on XP mode are vulnerable as a very vulnerable thing, so saying "it only lets you exploit exploitable XP apps" is a bit of a null statement.

Yawn

Must be a slow news day.

MS are right. This is not a security vulnerability because the features that can be worked around are only mitigations, not barriers. Anyone who is relying on these features to maintain security must be out of their minds, not least because they don't exist on XP pre SP3 or on Mac, and only partly on linux. If anyone has ever said "oh I've found this bug in my code, but it's not exploitable on XP SP3 or later because of DEP, SafeSEH and ASLR" deserves to have their bottoms slapped.

I mean, sure, it's a bug in VPC, no doubt, but there's no need to panic. This will not cause the end of the world, or even minor earthquakes. In fact we'll probably never hear of it again.

Problem identified and solution suggested

"Redmond, by contrast, argues the alleged bug discovered by Core only offers a mechanism to "exploit security vulnerabilities already present on the system, rather than an actual vulnerability"

So is it a mechanism to "exploit security vulnerabilities already present on the system" or is it an "actual vulnerability"?

You either have security vulnerabilities already present or you don't. If you do then that's a vulnerability.

So the real problem is that MS don't know their arse from their elbow and continually write code that is about as secure as a wet paper bag. My proposed solution is to avoid windows and suggest to friends/colleagues that they do the same.