|
|
http://www.theregister.co.uk/2007/02/20/vista_security_oversold/
By Thomas C Greene in Dublin
20th February 2007
Review: Microsoft has gone out on a limb to promote Vista not merely as
"the most secure version of Windows ever" (every recent version is
marketed with that tired slogan), but for the first time as an
adequately secure version of Windows. "We've got the message and we've
done our homework", the company says. So let's see if the reality lives
up to the marketing hype.
As Billg likes to point out, Windows is the platform on which 90 per
cent of the computing industry builds, and this naturally means that
it's the platform on which 90 per cent of spyware, adware, virus, worm,
and Trojan developers build. That translates into 90 per cent of botnet
zombies, 90 per cent of spam relays, 90 per cent of spyware hosts, and
90 per cent of worm propagators. In a nutshell, Windows is
single-handedly responsible for turning the internet into the toxic
shithole of malware that it is today.
That's not going to change any time soon, no matter how good Vista's
security might be, but a version of Windows with truly adequate security
and privacy features would certainly be a step in the right direction.
And indeed, there have been improvements. For one thing, IE7, at least
on Vista, is no longer such a dangerous web browser. It may still be the
buggiest, the most easily exploited, and the most often exploited
browser in internet history, and probably will be forever, but it has
become safer to use, despite its many shortcomings. This is because MS
has finally addressed IE's single worst and most persistent security
blunder: its deep integration with the guts of the system. Browser woes
At last, MS has, in a sense, sandboxed IE on Vista. In IE7's new
protected mode (Vista only), which is enabled by default, IE is
restricted from writing to locations outside the browser cache without
the user's consent, even if the user has admin privileges. IE is
essentially denied write access to the wider file system and to much of
the registry. Hallelujah.
To oversimplify this, IE7 protected mode runs as a low-integrity process
which is restricted to writing to corresponding low-integrity locations,
where rights are minimal. A process started from such a location would
have very low rights, as would each child process it spawns. This helps
to reduce the impact of malware on the system overall. However, there is
a brokering mechanism that enables users to download files to any
location they have access to, or to install browser plugins and
extensions, and the like. So users are still invited to make a mess of
their systems, and no doubt many will, while Microsoft has a chance to
shift blame away from itself.
However, IE7 on Vista does still write to parts of the registry in
protected mode. And it appears to write to parts that MS says is won't.
The company says that "a low integrity process, such as Internet
Explorer in Protected Mode, can create and modify files in low integrity
folders". We are assured that such low integrity processes "cannot gain
write access to objects at higher integrity levels". And again, MS
emphasises that a low integrity process "can only write to low integrity
locations, such as the Temporary Internet Files\Low folder or the
HKEY_CURRENT_USER\Software\LowRegistry key".
So I tested this assurance. I ran IE in protected mode, typed a URL into
the location bar and went there. Then I opened regedit, and searched for
a string of text from that URL.
Sadly, IE7 is still stashing typed URLs in the registry, and not in the
...\LowRegistry location, either. I found them in
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs (if you
want to fix this, navigate to the key in the left-hand pane of regedit
and right click, and choose permissions. Deny permission for each
account. That ought to delete all the entries and take care of all
related keys in one go).
No doubt one of those brokering mechanisms decided to write to that
location, because a URL hardly carries the risk of causing malicious
activity. So it's "safe", at least to some. But I wasn't asked if IE
could write anything there. It was done automatically. And this
behaviour does carry a security risk, if, like me, you think that user
privacy and data hygiene are at all related to computer security.
Surely, users should not have to hack their registry merely to purge
their browser's data traces once and for all.
Next, there is IE7's anti-phishing filter gimmick. I disabled it almost
immediately. It's very showy and it says, "Message: We Care", but I
found it more irritating than actually helpful. I think a lot of users
will disable it, and trust their instincts instead. Remember, if you put
your mouse pointer over a link, the actual URL will be displayed in the
status bar. The link may say Bank of America, but if the actual URL is
http://123.231.123.231/bankofamerica.com/u/0wn3d/dummy/ then it should
be pretty clear that it's a dodgy link.
IE7 also has a handy menu for deleting your history, cookies, cache, and
so on. This is similar to the Mickey Mouse privacy utility in Firefox.
Remember that these data traces are not securely wiped, but merely
deleted. They remain on your HDD until they happen to be overwritten.
Firefox will let you delete all that stuff automatically each time you
exit; IE won't: you have to do it manually. And remember, with IE your
typed URLs are in the registry, where they definitely don't belong, and
this utility won't purge them. Oh, and you have to enable User Account
Control (UAC) for IE's protected mode to work. Not everyone is going to
want to do that, as we will see later.
IE sorely needs cookie and image management like Mozilla's, allowing
third-party or off-site images to be blocked, and allowing users to set
all cookies to be deleted on exit. IE will allow you to block
third-party cookies in the advanced section of the cookie management
options, although the default is to allow them. There is no setting to
block third-party images, unfortunately, which means that you can't
avoid web bugs, or web "beacons" as marketing droids like to call them.
IE also won't let you set cookies to be deleted on exit. IE7 will
happily block cookies from websites that don't have a "compact privacy
policy", a meaningless cookie policy statement that any malicious
website could easily have. But this is something MS has been involved
with, so they're all excited about it, even though it's rubbish.
Unfortunately, they encourage users to depend on it, which is worse
rubbish.
The default security settings for IE are basically sensible and I would
change only a few, and this is the first time I've ever said that. I
would tighten things up just a bit, disabling MetaRefresh, disabling
"Launching programs and files in an IFRAME", disabling "websites in less
privileged web content zone can navigate into this zone", and disabling
Userdata Persistence. Otherwise, IE7 on Vista offers a decent compromise
between security and usability. The privacy conscious are, as always,
encouraged to use Mozilla for browsing instead, and leave IE in its
default configuration, to be used solely for manual sessions with
Windows Update.
Spambuster?
Next up, we have the successor to Outlook Express, called Windows Mail.
I always considered Outlook Express to be hands down the worst email
client ever devised. Windows Mail is a little better. There now are
half-decent junk mail controls and, of course, the famous anti-phishing
filter. Email memos are now stored as individual files instead of in a
database file, which means they can be searched faster, and email
contents will show up in the Windows main search, which is either very
handy, or a privacy nightmare, depending on what you get up to with your
email. This type of storage also makes it easier for you to nuke
messages with a wipe utility, either by wiping free space after
deleting, or wiping them manually if you have the patience.
However, junk mail controls are awkward. Flagging memos as spam is a
hassle; you do this in a list above the preview pane with the right
mouse button, and then select from a list of actions. This can be quite
tedious if you get a lot of spam, because one can't select several
emails for the same action. There really ought to be a junk button that
one can use to mark memos as spam and delete them with a single click,
as there is with Thunderbird. It would be nice if the default rule for
such a junk button were to be blocking the sender, rather than the
sender's domain. One can always block a troublesome domain manually if
need be.
Interestingly, an email from Microsoft Press Pass - a mailing list of
self-congratulatory press releases for tech journos - was automatically
flagged as spam. I find it hard to disagree with that call.
Memos can be displayed as HTML with all the risky stuff, such as online
images and scripts, blocked. And Windows Mail doesn't give you a hard
time about displaying all memos as plain text, which I recommend. Or
rather, it displays lightly formatted text; you don't get the raw text
as you do with Kmail, so links show up as they would in HTML, with the
actual URL hidden. Now, with IE7, such links show up in the status bar
as the full URL when you mouse over them, but in Windows Mail they
don't. This should be fixed, because otherwise one is stuck relying
solely on Microsoft's anti-phishing filter gimmick.
While not security related, I will note briefly that there is no
undelete button or Edit menu option to undo a deletion, for those of us
who tend to delete first and ask questions later.
Click yes to continue
Data Execution Prevention (DEP) is a feature from XP SP2 that shuts down
programs that handle memory oddly, and it is now set to full on by
default. It works with address space layout randomisation, a new feature
in Vista that loads some system code in unpredictable memory locations
to defend against buffer overflow attacks. Both are very good ideas, and
should help reduce the impact of malware to some extent.
However, DEP, when full on, may cause a number of applications to crash,
or interfere with their installation. I'm betting that a majority of
users will opt for the more conservative setting, and this of course
means less defense for everyone.
User Account Control (UAC) is another good idea, because it finally,
finally, finally allows the machine's owner to work from a standard user
account, and still perform administrative tasks by supplying admin
credentials as needed on a per-action basis. You know, the way Linux has
been doing it forever.
This is one way of helping protect a multi-user system from being loaded
with malware by users, and for ensuring that any malware on the system
runs with reduced privileges. When you are in a user account, and you
wish to perform an administrative task, you will be prompted for the
required credentials. Aside from the prompt, the GUI shell will be
disabled during this time, to help prevent certain kinds of privilege
escalation attacks where the GUI shell or elements of it are spoofed by
malicious software.
Of course, it only works if everyone stays out of the admin account as
much as possible, and if everyone with an admin password knows better
than to install a questionable program with admin privileges. And
there's the catch: "Windows needs your permission to install this
cleverly-disguised Trojan nifty program. Click Yes to get rooted
continue."
So you see that, here again, MS's security strategy involves shifting
responsibility to the user.
UAC is all well and good in theory, but here's the problem: it's never
going to work. And the reason why it's never going to work is because MS
still encourages the person who installs Vista (the owner presumably) to
run their machine with admin privileges by default. I was delighted,
when I set up Vista for the first time, to be presented with an
opportunity to set up a "user" account. But moments later, when I saw
that I was not invited also to create an admin account, I knew that the
"user" account I had just set up was indeed an admin account. And so it
was.
Until MS gets it through their thick skulls that a multi-user OS needs a
separate admin account and a user account for the owner, and that the
owner should be encouraged to work from a regular user account as much
as possible, UAC will never work as intended.
In fact, UAC is the most complained-about new feature of Vista, and most
people are disabling it as soon as possible. Why? Because MS still
encourages the owner to set himself up as the admin, and work from that
account. And when you're running in an admin account, UAC is nothing but
a bother. Every time you try to take an action, and this could be as
simple as opening something in Control Panel, UAC disables your screen
and pops up a little dialog asking you if you really want to do what you
just did. A pointless irritant that will cause the vast majority of
Vista users to disable UAC, because the vast majority of Vista users
will, unfortunately, be running as admins, thanks to MS's stubborn
refusal to try to put everyone into a user account to the extent
possible.
And once UAC is disabled, all of its security enhancements are lost.
Yes, the basic idea is good, but the implementation has been completely
bungled.
A few irritating details
The default folder view options could be improved for the security
conscious user. One should definitely not hide file extensions, as the
default file view has it, because it is possible to spoof icons and use
bogus extensions that can make executables appear to be other than they
are. Yes, UAC and DEP are supposed to help with this, but DEP will be
set to its lower setting, and UAC will be turned off, on the vast
majority of Vista boxes, for reasons we've already discussed. And since
it's very likely that you will still be running your Windows box as an
admin, if you're going to open a file with Windows Explorer, you'd
better look to see whether or not it's an executable, because it will
run with your privileges. So, at a minimum, the folder view should
default to showing file extensions.
As usual, Windows enables far too many services by default. It would be
a tremendous help if MS could somehow use its many wizards to enable
only the services needed for each bit of hardware or software installed.
That would take some effort on Microsoft's part, and on the part of
device and software vendors, but the alternative so far has been to
leave every single bell and whistle blaring. Unnecessary services waste
RAM, and worse, those related to networking are a needless target for
worms and other online attacks. Data hygiene
The start menu now offers the option of not storing or displaying a list
of recently-accessed files and programs. This used to be a real
nightmare for data hygiene. Finally, it's fixed.
Oh wait; it's not fixed. In fact, things just got a lot worse. There is
the new "Recently Changed" directory, which will show up as one of your
"Favourite Links" in the left-hand column of your home or user
directory, and in Windows Explorer. And guess what: all the files you've
been fiddling with recently will show up in it. Its contents are
identical to the "Recent Documents" folder that Microsoft let you think
you had shut off.
But worse, the contents of your recently-changed directory will not show
up in main search, even if you use advanced search, and search
"everywhere". So you might not even know it's there. And still worse,
you can't empty this directory without deleting all of the files it
points to. You can empty your "Recent Documents" folder, and only the
pointers or links will be gone; you don't lose the actual files. But
with this new gimmick, you've got an archive of all the files you've
looked at, regardless of where you've buried them in the file system
hierarchy in hopes of keeping prying eyes off them, and you can't empty
it unless you want to say goodbye to the files themselves.
The worst part of this is that by offering the option to disable the
list of recent files, MS has given users a false sense of privacy and
security. The reality is that privacy and data hygiene are even more
difficult than before. What a blunder.
Child safety first
Now there is some good news, finally. Vista ships with parental controls
that are reasonably easy to implement. You can set up accounts for the
kiddies, and prevent them using all sorts of programs, like email, chat,
and IM, or even deny them internet access altogether if they're too
young. One thing that I like is the ability to prevent the little porn
fiends from downloading files via IE7. But remember, if you have any
other browsers loaded on the system, you must disable them all
individually via the parental controls, because download blocking only
works with IE.
The basic setup is sensible and allows for fine-tuning depending on each
child's level of maturity and responsibility. And parents can schedule
regular reports on their children's internet use.
Now, parental controls and filtering are all well and good, but we
should beware of any false sense of security they might encourage. In a
recent Today Show interview (video), Billg dilated glowingly about
Vista's new parental control centre; but we should remember that it's
merely a tool, not a solution. Parental controls are not a substitute
for adult supervision. The internet is adult space, and so it should
remain. Nothing sends my blood pressure into aneurysm territory faster
than talk of legislation that would make the internet safe for children.
The internet has been created by adults for adults, and children
venturing online simply have got to be supervised, either by a parent or
by a mature and responsible older sibling. Filtering is not a panacea.
Package deal
Now, for the Vista Security Centre. This has been controversial,
involving MS in skirmishes with security software vendors who claim that
Vista's built-in product is anti-competitive.
I'm not sure why anyone would worry. The Security Centre doesn't do very
much except remind users, "Message: We Care". It's a little craplet with
a stereotypical icon that looks like a shield, and it simply informs you
of whether or not the firewall is on, whether or not you've got
anti-virus software installed, and so on. It is integrated with an
improved version of the malicious software removal tool, or anti-spyware
tool, in the form of Windows Defender.
There's nothing much in Security Centre that XP SP2 doesn't have, except
a warning that you've turned off UAC. It's something that one might wish
to run or consult after installation, and maybe once a month thereafter.
But it's on all the time, ready to harangue you, and it's rather
difficult to make it go away.
It doesn't contain AV software, but a query for further information on
virus issues will bring you to this web page, where MS recommends the
vendors it thinks are ready to handle Vista (McAfee is notably absent).
Nor does it have a packet filter (firewall) with many features. It's not
too bad to configure, but third-party packet filters offer many more
options in terms of notification and controlling individual
applications. I noticed one exception in the default firewall
configuration that I didn't care for, for allowing remote assistance. I
don't think that should be allowed unless you're actually using remote
assistance.
Windows Defender is certainly better than nothing; it monitors files for
changes that can indicate malicious activity, and searches for known
spyware. It is also integrated with IE7 to some extent. However, what
constitutes spyware is a judgment call, and it's never a bad idea to use
more than one anti-spyware/anti-adware product, in hopes that one will
pick up what another overlooks. (And WD does seem to miss an awful lot
of spyware.) I certainly wouldn't recommend depending solely on Windows
Defender. But it's nice that it's there. In a nutshell
So, what have we got here? An adequately secure version of Windows,
finally? I think not. We have got, instead, a slightly more secure
version than XP SP2. There are good features, and there are good ideas,
but they've been implemented badly. The old problems never go away: too
many networking services enabled by default; too many owners running
their boxes as admins and downloading every bit of malware they can get
their hands on. But MS has, in a sense, shifted the responsibility onto
users: it has addressed numerous issues where too much was going on
automatically and with too many privileges. But this simply means that
the owner will be the one making a mess of their Windows box.
Data hygiene is still an absolute disaster on Windows. In fact, it's
worse than it ever was in some ways, and that's very bad indeed. Browser
traces still in the registry, heavy and complicated indexing to improve
search, new locations where data is being stored. It all adds up to a
privacy nightmare. Keeping a Vista box "clean" is going to be impossible
for all but the most knowledgeable and fastidious users.
So don't rush out to buy Vista in hopes of getting much in return
security-wise. I do like some of the changes, at least in theory, or as
a decent platform on which to build an adequately secure version of
Windows one day. But that day, if it ever comes, will be well in the
future.
-=-
Correction I'm grateful to a Reg reader who pointed out an error in a
previous edition of this story. I had stated incorrectly that IE7
doesn't allow blocking third-party cookies. It defaults to accepting
them, but can be made to block them.
______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss