Gates on Winsecurity

xandroid writes "Just a couple days after talking about free hardware, Bill Gates has sent an email to customers saying that Microsoft will continue to focus on security, titled 'A Microsoft Progress Report: Security' (MSNBC story, PC Magazine story, Google News' related stories). The email mentions that fast-spreading and destructive viruses and worms are 'threatening the potential of technology to advance business productivity, commerce and communication', but says that to counter the threats, Microsoft will make 'major investments in customer education and partnerships that will help make the computing environment safer and more secure'. He also talks about the XP Service Pack 2, and says that Microsoft is 'working with microprocessor companies, including Intel and AMD, to help Windows...support hardware-enforced data execute protection (also known as NX, or no execute)'." Reader Zephyr_in writes "Macworld reports that the beta-release of Longhorn is likely to be postponed to early 2005 because Microsoft is concentrating first on a security-focused update (SP2) to Windows XP. Earlier this week Gates said Longhorn is 'not a date-driven release.' and said the speculation that the operating system will come out in 2006 is 'probably valid.'"

Re:The REAL security problem in '04

I disagree, and, as opposed to modding you down, I will reply. I'm an intelligent, well-versed, apple user. I've been working with x86-based machines seriously since I was in 7th grade. I'm now about to graduate high school. Last year, I ""switched", as it were. I went out and found myself an old tibook. It's a good, solid, stable machine. I run linux and many versions of windows via work or at school. However, I like to come home to my Mac. Why? It just works. I putz around with pcs all the time, I am paid to do simple repairs and upgrades. Pcs are a hassle, and I spend a lot of my time working on them. I don't have to fool with my mac. It does exactly what I want, it's rock-steady, it's unix (I know this!), and most of all; It's pretty! Not all mac users are net-incompetent. Very few that I've met, in fact, are. That is a false assumption.

NX - Finally

[rdean400]

About freaking time. IBM's mainframe and midrange server architectures have been doing this for years. In OS/400, for example, the only things the processor will execute are program objects. Memory blocks marked as data cannot be executed, even in the event of a buffer overflow. The OS and hardware work together to ensure this.

Re:Protected Stack hardware requirements?

[Keeper]

You can have a software protected stack. SP2 will have components compiled with Microsoft's "latest" compiler software, which generates code to verify the stack hasn't been corrupted (Win2k3 was compiled with this too, apparently; which was why the MSBlaster worm had 2 'variations' to the buffer overflow attack -- one to attack Win2k/XP and one to attack Win2k3). As I just alluded to, depending on the layout of code in memory and where the overflow occurs, you can hack around software protections. It's a lot harder (apparently, it took the group that found the buffer overflow originally only a few days to create the attack for Win2k/XP, but a few weeks to find something that did more than DOS a Win2k3 box), and in some cases impossible, but not all cases.

The only way truely eliminate arbitrary code execution is to mark pages with data non-executable and have a processor level exception thrown when you try to execute code from a data page.

I do not believe OpenBSD has a software protected stack. However, given that OpenBSD runs on platforms which have hardware protected stacks, it does have the ability to guard against those kind of overflows. Just not on x86 hardware. Well, except maybe a version that runs on the AMD64 hardware...

Ditching ActiveX, does anyone actually use this for anything other than malware anymore?

Yes. Aside from the windows update site, there are a whole crapload of corp intranets that use ActiveX. To get rid of it would cause a lot of grief for their corporate customers. What they CAN do (and have done for Win2k3, and I suspect they'll be doing for XP SP2) is disable ActiveX components by default for non-trusted sites. You can do this today yourself if you really want, by going to the security tab in the IE->Tools->Internet Options dialog.

2. Disabling the (Outlook) preview pane by default

Why? Fix cause of the problems; don't cripple the software. In this case, images should not be downloaded by default. And hey, guess what ... the latest version of Outlook does just that.

3. Higher SSL Verbosity with IE 4

IE4? You're bitching about IE4?!? Geeze ... maybe I should start bitching about Netscape 4.0 then...

4. IE URL-bar and statusbar should go into an "extra careful verbose mode" when it encounters hexadecimal encoding ( % ). IMO, these are all obvious things that should have been changed LONG ago, why are they still defaults?

Right, it was so obvious that it took how many years for the problem to be discovered? Everything is obvious in hindsight. Nothing is obvious until it has been done.

Re:Protected Stack hardware requirements?

[CTho9305]

I do not believe OpenBSD has a software protected stack. However, given that OpenBSD runs on platforms which have hardware protected stacks, it does have the ability to guard against those kind of overflows. Just not on x86 hardware. Well, except maybe a version that runs on the AMD64 hardware...


From here:
(NOTE: i386 and powerpc do not support W^X in 3.3; however, 3.3-current already supports it on i386, and both these processors are expected to support this change in 3.4).

You can use a little-known feature of x86 called "segments" to enforce non-executability of memory areas. It's just different from the regular paging system used to implement virtual memory, and COMPLETELY unique to x86. You can find a discussion about it here. The links in the thread have some good info.