A lot of hype has been made recently over the fact a Vista exploit has been found for sale on a Russian site. There has been lots of media coverage and I am sure that people will take this opportunity to once again make Microsoft a bad guy and claim that all the security effort that was put into their new OS is for nothing. Don’t get me wrong, I am happy to point out when companies do things wrong (like the *cough*Zune*cough*) but don’t take this exploit to mean Vista isn’t more secure. The exploit is local only meaning that an attacker has to already have logged into a machine to take advantage of this flaw. I think Microsoft did their best when in auditing Vista, the problem is that they still have tons and tons of legacy code, shared across many OSes that will be a source of problems for years to come. We call this problem “legacy negligence.”
Legacy negligence can best be described by having large amounts of legacy code that is maintained for backward compatibility reasons or that priority is given to adding new features and functionality instead of refining existing code. The WMF flaw is a perfect example of this, it wasn’t even a flaw, it was a long forgotten feature. Look for more of these types of bugs to popup in Microsoft products as well as other vendors like Apple and Oracle.