Windows Is 'Insecure By Design,' Says Washington Post

Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"

Good point, muddled way of expressing it

[Raindance]

There's a large difference between "Windows is insecure by design" and "Windows was not designed to be secure or with security in mind" just as there's a significant difference between saying "Impalas are deathtraps by design" and "Impalas were not designed with safety in mind".

That said, and though the Post's article was a little muddled in general I agree with the spirit of the article in that
1). It's reprehensible that Microsoft apparently didn't have security (a broad term, but the literature to define it is out there) as a guiding design principle when they designed Windows, and
2) As a result of this, Items central to the functioning of Windows do not lend themselves to good security.

Re:Good point, muddled way of expressing it

[the+Man+in+Black]

I didn't take that phrase that way until I read your post. The writer isn't stating that Windows engineers designed the OS to be insecure, he's stating that the way Windows was designed lends itself to insecurity. Two different takes on the phrase "by design". Slightly misleading, sure, but he clarifies in the article, so it's cred by me. I particularly like the comparisons he makes with Windows, OS X, and Red Hat's default install.

Re:Good point, muddled way of expressing it

[rekkanoryo]

The problems with Windows are largely what was pointed out in the article:

• Users complain they don't trust Microsoft and don't apply Critical Updates
• XP's firewall is off by default and takes at least five steps to turn on
• XP leaves five ports open by default--three of them are 137, 138, and 139, the NetBIOS over TCP/IP ports

I have the following to say on those issues, however:

• If users don't trust that Microsoft can patch a hole, they shouldn't use Windows and shouldn't buy PCs preconfigured with Windows, no matter how crappy the software availability and quality for the alternatives
• For the XP Home software, all dialup interfaces should have the firewall on by default. XP can automatically detect broadband connections as well, so on broadband internet connections the firewall should also be on by default
• Ports 137 through 139 should be disabled by default until file sharing is turned on. And even then, those ports should be specifically closed on all internet-facing interfaces. The port that console messages are sent on should be closed to the internet-facing interfaces as well, and probably just closed period on Home since console messages are supposed to be used by administrators in domain environments

These are not the only problems with Windows, nor are these solutions I propose going to be 100% fool-proof. But most of the problem comes to users' carelessness or naivete. By turning off all the unimportant messages in XP such as

• Get a Passport
• Take a tour of Windows XP

should wait until after more important, security-related messages such as

• If you choose to use Windows Automatic Updates, your computer will automatically update itself with the latest security patches. This will ensure fewer problems and enhanced reliability while your computer is connected to the Internet. Click here to learn more.
• If this computer will be directly attached to the Internet through either a dial-up modem, a cable modem, or a DSL modem, you should enable the Internet Connection Firewall by clicking here and following the instructions. The firewall will help protect your computer from hackers and self-spreading worms on the Internet, keeping your computer working properly much longer.

It's simple steps like these that, on top of proper security considerations and testing when designing and writing the code, will help protect users and the net in general from what we suffer right now.

Re:Good point, muddled way of expressing it

[dhogaza]

Do keep in mind that at major papers like the Post reporters don't write the headlines. Just as they don't decide where their story will run (or if it will run), how big the type used for the head will be, whether or not there will be a subhead, etc.

So don't ding the reporter for the slightly misleading headline. Sounds like the reporter got it right in the part he or she wrote - the article.

Re:Good point, muddled way of expressing it

[hankaholic]

Fair enough, but many people may opt not to download updates because of their rediculous size.

Under Debian, at least, if a package is found to have a security hole, I have several options.

I can download only the affected package. Of course, since it's Debian, I can always opt to just bring the whole system up to date. If bandwidth is really a problem, I can even manually rsync an older local copy of the package against the updated version upstream.

Unfortunately, rsync isn't done by apt-get automatically, but the option to do it manually is there, as many Debian mirrors do support rsync.

The point is, though, that with Linux and the BSDs, you can find out exactly what you're downloading, and determine exactly what effect the new package will have. With XP, you might have no idea what you're getting. Spending eight hours downloading MS updates when you don't know what you're getting isn't something most people consider worthwhile, especially when it's often the case that after updating Windows, it's found that there have been refinements to the updates that just occurred, and so Windows wants to download yet more stuff, and reboot yet again!

People want to use their systems, not maintain them. As long as the MS "critical updates" take ages to download and often create the need for further updates, people will continue to ignore the "Windows updates are available" messages.

Rebooting is a lot to ask. Large downloads are a lot to ask. If I were to install all of the "important" updates available to Windows at the moment, it would require several reboots, especially since many components can't be installed at the same time. Under Debian, not even one reboot would be required, unless the kernel were updated. Under Windows, if I update Media Player, a reboot is required, and Windows won't even let me update other things at the same time!

I'm just glad I'm behind a firewall.

Re:Good point, muddled way of expressing it

[1010011010]

Well, he could have mentioned a true "Insecure by Design" flaw in Windows: the fact that Windows determines that a file is executable based on its *name*. If a file ends in .exe, .vbs, .bat, .scr, or one of lots of other extensions, Windows assumes it's executable and will load and run it when the user clicks on it. Or a "shell" command references it, etc.

On Unix and unix-like systems, one has to explicitly mark a file as executable before ths OS will try to run it, and it's even possible to deny the "execute" permission to an entire filesystem (for instance, users' read-write home directories).

In a sense, it's true

The old DOS/Windows had security as a pretty secondary concern, it was just about getting things to run and not crash a lot of the time. NT/2K/XP is much imrpoved, but it still suffers from this legacy. For example, it's still difficult to run users in non-Admin roles because some applications expect the user to have full Admin rights. Only when most of these applications are update will the ability to use real user security settings become practical.

Re:95% a target perhaps?

what about web server worms? apache is much more used than iis, but this didn't help iis...

Re:Ummm...

[Li0n]

indeed...

I've had to patch and put up to date almost a dozen systems in my free time these weeks. Not seeing one penny for that since they all belong to friends and family... :/

That aside from the bozos at work that got hit and the flood of questions along the lines of "my computer keeps rebooting on me everytime I connect to the Internet... what can it be?..."

And people wonder why techies are grumpy...

Obligatory Question and

Obligatory Response:

The argument sort of breaks down when you talk about webservers, with Apache solidly in front with % usage, yet it's the smaller-target MS offering that is the one hit with exploits.

There's something more fundamental about the differences in security -- yes, MS is a bigger target, but that doesn't mean that it can't also happen to be the easiest target (and it is).

MS Bashing

[mOoZik]

This is a bit unfair. Microsoft identified the problem and offered updates long before the worm hit the streets. Microsoft cares about the security of Windows, but it was the stupidity of the users which led to the compromise of their systems. If a Linux hole is found, nearly ever user would update to fix the change, because the average user of Linux knows what putting it off may entail. The average Windows user does not have the same computer knowledge, and hence, Microsoft gets the blame. Just another MS bashing is what it is!

Re:Ummm...

[aussersterne]

Not only for that reason.

I don't have Windows anywhere and haven't for several years now. I don't run Outlook. But it turns out that at least one of the current batch of worms spoofs email addresses.

So all week I've been getting email messages from postmaster@ saying "...your message to so-and-so will not be delivered because it contained the SoBig worm, we advise you to download a security update from..." I wrote a couple of them and got two responses from mail admins saying essentially "Yes, we know it spoofs your email, sorry there's nothing we can do, please understand that we're under tons of pressure on our end, everyone is infected, this worm sucks, you have it easy, you run Linux, stop complaining!"

Anyway, people are receiving messages marked "from" my email address and are getting infected with a worm as a result. Obviously one or several people (editors, management, etc.) that have me in their Outlook address books have become infected and now the worm is spreading from their machines and spoofing my email address as the source. I totally resent this and actually worry about my liability.

Do I now have to trademark my own email address or something and then include a disclaimer in my email saying "This email address is my trademark, you are not allowed to add me to your address book in any way"?

The crap Windows security model has certainly affected me, a non-Windows user.

Re:95% a target perhaps?

[justsomebody]

Funny, you say that. That excuse is getting to its old age.

But it makes a great difference (on Windows) right in a moment after you:
step1) Disable Internet Connection to Explorer and Outlook (almost no one virus can connect to internet to download it's other part or upgrade, because they mostly use ActiveX download object)
step2) Start using Mozilla or Opera or even better Thunderbird and Firebird (in this step you disable IFrame and OCX viruses)
step3) Teach users not to open .pif and .vbs (Here you stop user interaction for virus to be downloaded)

Problem with Windows is not 95%, but IE and Outlook are made as centerpart of the system, thus allowed to any action no matter how stupid it is.

Based on that: YES, Windows is insecure in its roots.

Someone Who Gets It

[MBCook]

Everything I've heard on TV and Radio that's been more than just "There is a new virus" that has an attitude that I just can't stand. A thing I heard on NPR put it perfectly. Basically the attitude is that this is the way the computer industry is, and maybe they should do something about it.

Computer industry? WHAT COMPUTER INDUSTRY? The VAST majority of these big viruses exploit who's products? All togerther now: MICROSOFT. This isn't Apple's fault, Macromedia's fault, iD's fault, or anyone else. These things are almost all MICROSOFT's. Finally someone in the media seems to get it.

Re:MOD PARENT UP, more..

[SoftwareJanitor]

Where you are wrong, and the Washington Post is correct is that Windows doesn't have to be intentionally flawed to be 'flawed by design'. Something can be flawed by design as far as security goes just in neglecting to design a proper security model to begin with. Windows is flawed because it wasn't designed to be secure from the beginning, and newer versions, even those written after Microsoft started to become more aware of the need for security, have been hamstrung by their need to retain backwards compatibility with older versions and for software written for older versions which in many cases just won't install and/or run correctly on a properly locked down installation of Windows. Whether Microsoft intentionally designed in security flaws isn't what matters, what matters is Windows, as it is currently designed and implemented has some inherent design flaws which make it less secure than it needs to be. Among them are the fact that so much Windows software relies on being able to write to system directories (to add DLLs, etc) to be installed, which leads most people to allow too many users to be able to access too many files. Another is the fact that Microsoft built in scripting which allows too much access to low-level functionality (in other words, it doesn't run everything in a restricted sandbox) into just about everything, including the email clients and office software most Windows users depend on. Another is the fact that executability is based on file extension and not by permissions, if it wasn't, then people wouldn't be able to accidently execute malicious downloads so easily. This problem is compounded by the fact that by default most Windows facilities and software likes to hide the file extension.

The Washington Post article is not a troll or flamebait, it is a very necessary wake up call to the average Joe Windows users. If more of them had patched their systems and used mail clients other than Outlook or Outlook Express as you have, then these viruses/worms wouldn't be such a big problem. Without the mainstream press letting these people know, they will not get the message.

Re:Quick linux security test.

[Negative+Response]

I just did it and the result is:

zsh: permission denied: /dev/mem

You know, being funny aside, you just demonstrated one excellent point: Users should have enough rights to have work done, but not so much to easily screw up the system. Don't use root privilege in vain!

Re:Ummm...

[nikal]

If you digitally signed all of your electronic communication then you could effectively get rid of this worry. People who trusted your key would know immediately that this was a spoof.

Re:Ummm...

[Li0n]

They cease to be liable the moment you click "I Agree"

Worse: insecure ON PURPOSE to allow macros etc

[Doug+Merritt]

Windows is flawed because it wasn't designed to be secure from the beginning

True, but far worse: Microsoft quite intentionally continues to make Windows and Office etc insecure on PURPOSE, as a side effect of offering full programmability of email, Excel, etc.

There wouldn't be any email viruses nor spreadsheet viruses nor Word document viruses if these apps were lobotomized -- if they could not be programmed.

But Microsoft continually makes the business decision that adding the power of programmability to every app is much more important than the resulting insecurity.

The vast majority of Linux apps do not allow that kind of programmability -- even when extension languages like Guile/elisp/etc are available in Unix apps, programs aren't automatically and blindly run whenever some hapless user receives email or views a spreadsheet or whatever.

Conversely, whenever that kind of programmability is added to Unix apps, if it is triggerable just by receiving/viewing a file, then Unix viruses will become far more rampant. (A small saving grace is that the Unix viruses mostly, but not always, will run as some user rather than as root, but this is really only a small issue.)

This should be a wake-up call to teams like Gnumeric; just yesterday on Slashdot Gnumeric was criticized for not supporting every single MS Excel feature, and Jody Goldberg replied that hopefully it would include those by next year. But any Unix app that is 100% compatible with a MS app will be virus prone!

Quote from a poster on that story:

Worksheet functions are great, but a lot of Excel's draw comes from its embedded VBA. Companies that rely on workbooks with embedded VBA probably wont be willing to switch to Gnumeric until it has support for VBA, or something very similar.

Mmm-hmm, and there goes security.

(Story link: Gnumeric Now Supports All Excel Worksheet Functions )

The really sad thing is that the marketplace clearly agrees with Microsoft about this tradeoff: corporate and personal users are far more concerned with having the power of macros/Visual Basic/etc built in to everything than with even basic security.

The main problem with windows is the users..

[Ramion]

Today I sat down at my computer when I got a MSN message from a friend. That friend is complete noob with computers and now he had a problem.

This is pretty much what was said:
Friend: Hey. I got a problem with my computer. It has shut itself two times today, without me doing something. What do you think is wrong? I heard something about a virus.

Me: Yeah there is a few major virus's flowing around the net right now. Have you patched your system?

Friend: Patched ? ?

Me: Yeah. You know downloaded updates for windows.

Friend: No..

Me: Oh well. Here is a link to a virus scanner try and run that first. .... After awhile, me trying to explain him how to scan for viruses. Yeah! It found a virus named blaster and I THINK he got it removed...

Me: Good now to update your system. .... I, after awhile, get him pointed to the windows update and the patch for blaster. Again I think he got it installed ....

Me: So, Now I suggest you update your system with patches from windows update.

Friend: Why? What should I waste time download all that? What good does it do me ?

Me: Well... It secures your system, give you updates to windows programs and IE and new drivers. You know. Makes it upto date.

Friend: But how do I do it ? .... I try to explain him how to use windowsupdate but is almost giving up since he just dont get he just gotta press scan for updates and then install updates. Well in the end he gives up and says he dont care ....

And there is the entire windows Security problem. Users that just come to their computer to surf abit and download a few programs like kazaa or emule just dont feel the need for updates. And they end up spreding the viruses to the entire net. Oh.. And it dont help that MS dont allow pirate versions of windows to be updated fully. I can see why it would in sense suck for them to give free updates to people that havent payed for the system. But people dont get updates when its all blocked. Which in end leads to viruses like this to run wild.

Perhaps I'm doing something wrong...

[ScottGant]

I'm not an XP lover, but it's the OS that's on my computer. It just is. I play games and run Photoshop and other programs...so I use XP because my favorite programs all run on this OS on fairly cheap hardware.

Now, I may be doing something wrong here, but I've NEVER had a virus. I've never had a problem with a worm or anything really. XP hasn't even crashed on me before....ever. I've had programs hang up or crash...but the OS itself hasn't crashed.

And this has been the same on the 2 different machines that I've run XP on.

But yet, I always hear about everyone raking XP and Windows across the coals all the time. Yet I've never ever experienced nor do I know anyone anyone that's ever had major problems with XP. Oh, I know people out there have problems...but it's just that I personally have never known any.

Why is that? Now, as I said, I'm not an XP zealot at all. I could take it or leave it. But after reading here on Slashdot the evils of Windows and XP it would seem that my machine should have burst into flames months ago, yet it's going on day after day, never turned off, always hooked to the net...and chugging right along.

And I'm not really doing anything special. I keep up with all the updates to XP...which takes about 2 minutes out of my week. And I have basic Norton Antivirus running. I have Seti@home running when I'm away from the machine and I do a disk clean up and defragment maybe once a month or so.

So again, I must be doing something wrong (or right) to where XP doesn't give me one iota of problem.

I'm not praising XP...at least I don't mean to be praising it. You only see people bashing Windows, never praising it. To praise it would mean being thrown out of geekdom. So I think if XP or NT is working for you, you keep your mouth shut or just talk about how great Linux is.

I guess your mileage may vary.

Re:JRTFA

[abirdman]

Right on. My experience was the same. I was immunized from BLASTER on July 17th according to the log from MS Update. It's very hip and au courant to ignore MS Updates, because they're a pain, and their Service Packs don't have a great reputation. But updating early and often has kept me out of trouble.

When I started getting Sobig emails on Tuesday, I even took the time to call two of my friends (who subscribe to some of the same lists I do) to warn them not to trust emails with attachments. I had to explain the whole concept to them, but they got it. I got 40 the first day, 20 the second and only a handful since. And I had no desire to open any of them.

The biggest threat that Windows poses is that from users who are totally clueless... they turn on their machine thinking it's some kind of "email machine" and nothing else. Not a clue there are threats or risks out there. And no indication from Windows, or Outlook, or IE that anything they do could be unsafe. Windows update works, at least this time it did. They're not going to get more saavy, so there's no harm in telling people to use windows update.

Tell your friends:
1. Don't preview email
2. Delete email you don't know or trust
3. Don't open attachments if they're not absolutely known and expected
3. Update early and often

The article is right, Windows is dangerous. MS isn't going to tell the consumer, because that would threaten their (considerable) cash flow.

I'll shut up now.

Re:Ummm...

[ball-lightning]

MS is at fault, the root of it, to be sure.

It's kind of funny, but I didn't have any problems with either of those viruses in any of my three WinXP machines. Maybe it was the common sense (Sobig) or the fact all my machines were updated (MS Blaster)or the common sense that 300 e-mails with the same attachment from people I don't know might, just might be a virus. This is not to mention of course the firewall, pestpatrol, and Norton Antivirus. Now, you might say, "well hey, my linux box had none of that, wasn't patched, no firewall, nothin!" but think for a few seconds. These viruses were programed for windows, not linux/any other os. Of course your non-windows computer was not infected, because the virus/worm was not made for it. So before you get on your high horse, remmember it can happen if someone bothers to write it.

Re:Ummm...

[Cederic]

>> this virus wasnt particularly microsofts fault

If you're talking Sobig.F then yes, it is definitely Microsoft's fault.

In the early 1990s, people got laughed at (or gently educated) if they suggested 'I got that virus through email'. It just didn't happen.

Then MS turn up with their inherently insecure 'Automatically run stuff that's emailed to you' email client, actually build it into the OS (thus ensuring greater take-up than would otherwise have been achieved) and email viruses became commonplace.

The only way this virus wasn't Microsoft's fault is that they didn't write it themselves. The environment it runs in, that enabled it, is entirely and absolutely due to insecure design by MS.

~Cederic