In order to increase security and to protect against attack, Microsoft have introduced a new driver signing requirement in Vista. By requiring that drivers are signed, Microsoft hoped that this would ensure that only drivers which were verified as being clean and compatible with Vista could be installed.

ATI duly had their drivers signed by VeriSign so that they could be installed on a Windows Vista system. Unfortunately, their was a flaw in one of the drivers. Apparently the flaw was originally intended as a shortcut in the driver that allowed ATI developers to load modules into the driver for testing. When the driver was released, either no-one thought to remove the shortcut or ATI forgot about it.

In order to close the hole, ATI will have to patch the flaw in their driver, have it signed with a new certificate, roll-out the update via Windows Update, then have the original signing authority revoke the original certificate. It’s not a straightforward process and it’s by no means foolproof either.

The Register reports that the name of the program has a major bearing on whether or not UAC asks the user to authenticate the installation. If the program is named “install.exe” for example, then Vista will require that the program have admin rights and UAC will prompt the user to cancel or allow installation. However, if the program name does not contain any references to “install”, “update” or “uninstall” then Vista will happily let it run without user intervention, even though it is the exact same program.

Microsoft responded that Vista was designed to automatically detect install, update and uninstall programs. As these types of programs generally need to write to protected areas of the registry and system files, then Vista would prompt for admin rights to be assigned to the program.

While Vista may have been designed to detect these type of programs, it seems that all it is doing is checking the program name, otherwise renaming the program would not allow the program to run without UAC prompting the user. While this type of behaviour may offer a modicum of protection, it can be sidestepped by using an innocuous file name. The big question now is how long will it take for malware authors to use this to bypass UAC and get their programs on to a Vista machine?

While it may not seem like a big deal, a recent survey found that less than 10 percent of computer users who had even heard of Vista were planning to upgrade to the new OS. Most users are happy with their computer, it does what they want, and it does it well enough that they don’t see the need to change. Microsoft’s biggest competitor to Vista may just be XP.

I tried one of the beta releases of Vista, and to be honest, I wasn’t all that impressed. Yes it’s shiny, and yes it’s designed to be more secure out of the box, but is it worth the change? Not when you consider the lack of drivers, problems that existing programs are having with Vista, and the hardware needed to run it. I got rid of my copy of Vista, and went back to XP. I may try it again after the first Service pack has been released.

Once Windows XP is no longer available from the OEM’s, then the hardware manufacturers will have no option but to improve their drivers and the software developers will have to work on full Vista compatibility.

While XP may no longer be available to buy on a new computer, it will be fully supported my Microsoft until April 2009, with security updates available until April 2014. So there’s no need to worry just yet.

It’s for reasons such as these, that upgrading to Vista should be left until after Vista Service Pack 1 is released.

Still it doesn’t surprise me. Vista was released to businesses a couple of months ago, and release candidates have been available to beta testers for several months before that, so the people who are interested in finding flaws have had plenty of time to do so.

Even though Vista was released a couple of years later than originally envisaged by Microsoft, and even though it is the latest and greatest home OS available, I won’t be rushing out to get it. Like any new product, it’s better to wait a while until the major bugs are found, patches released and rolled into a service pack.