Folks we can't be really surprised by this. In the name of speed and easy of design and efficiency. Driver makers, hardware makers, and OS vendors have had to speed up everything about how they validate and test. We can operate one of two ways.
1. Everything is checked for security before being allowed to be distributed. The checks are thorough and in depth and can find previously unknown vulnerabilities. (Nobody really does this OTHER than SOME security companies.)
2. Everything is checked for security before being allowed to be distributed. The checks are for all known vulnerabilities based on a sliding date with a 1-3 month update cycle for pulling in new vulnerabilities and retiring old. (this is pretty much anyone in the server hardware/software space that wants a good reputation. With the exception of like... intel? )
3. Things are checked and reviewed against a pre published check list of no no issues. Beyond that the compiler is verified to do specific check types and specific code options are verified. As long as things are being done with appropriate API calls all is assumed safe. (what we have today for the consumer space really.)
So we have to ask ourselves where does the problem here actually exist?
1. Microsoft took the hardware interface and Kernel interface AWAY from all of the vendors making drivers and built it into API calls. This does make it so we need far fewer reboots and such when doing updates. But it also means that if the API has a vulnerability then everything that calls that API also has the exact same vulnerability (based on this article.).
2. Vendors are using custom tools to bypass some API checks and in so doing are creating these vulnerabilities in the system?
Honestly I see number 1 being a issue in the majority of cases and 2 being a problem faced on a smaller scale by programmers who thought they were more talented than they are.
Your thoughts and ideas?
