At the Black Hat USA 2008 security conference, researchers Mark Dowd at IBM and Alexander Sotirov at VMware presented their paper entitled "How to Impress Girls with Browser Memory Protection Bypasses," in which the two discuss a number of attacks against Vista's various security features. According to their work, the protection mechanisms built into Windows Vista and Windows Server 2008 that are designed to make it harder to convert software bugs into security flaws can be circumvented. Soon after the presentation, various news sites picked up the story and blew it out of proportion, saying that Vista's security was "broken and unfixable."

Here at Ars, we did our own analysis of the report and concluded that the findings were definitely unfortunate, but they were not as terrible as many made them out to be. Microsoft blogger Ed Bott, who also found the reports of Vista's security having become "useless" very unsettling, managed to get an e-mailed answer from Sotirov, as well as some answers to related questions in a short interview. Here's the crux of Sotirov's take:

The articles that describe Vista security as "broken" or "done for," with "unfixable vulnerabilities" are completely inaccurate. One of the suggestions I saw in many of the discussions was that people should just use Windows XP. In fact, in XP a lot of those protections we're bypassing don't even exist. XP is even less secure than Vista in this respect. [What] we established is that the security advantage of Vista over XP is not as great as [previously] thought. Vista is still very good at preventing vulnerabilities.

So there you have it: straight from the horse's mouth. The flaws are there, yes, but they are nowhere near as severe as the sensationalist articles claim. Furthermore, they can be fixed, and Microsoft and other software vendors are already taking steps to do so. Sotirov also said that he doubts there is any exploit code or proof-of-concept code out in the wild, because the paper is quite new and it only presents weaknesses in the protection mechanisms; the techniques still require an underlying memory-corruption bug to be useful. "Without the presence of a vulnerability these techniques don't really [accomplish] anything," the security researcher told Bott.