Slashdot Mirror


IE Holes Not Microsoft's Fault, Says Bill

thparker writes "As part of the Media Center release discussed previously, Bill Gates had an interview with USA Today. Best quote: 'Q: Speaking of security, Internet Explorer has had well-publicized holes... Gates: Understand those are cases where you are downloading third-party software.' Well now we know -- these problems have all been our own fault." Any counterexamples?

50 of 1,035 comments

  1. No thanks by BWJones · · Score: 5, Insightful

    Gates: Understand those are cases where you are downloading third-party software.

    Hrmmmm. Downloading third party software on my Macintosh does not seem to get me into trouble in the same manner as it does on Windows........Why is that Mr. Gates? Furthermore, I have performed the experiment: Install Windows on a computer and hook it up to the Internet. Leave it hooked up without downloading one bit of software from anywhere! and the machine will be compromised. Why is that Mr. Gates?

    Moving along: Q: Might you add anti-virus/spyware protection in Windows? Gates: It's not a thing you build in. You have to offer a service......Why is that Mr. Gates? I would have thought that you would offer a secure environment as part of your product out of the box? What does that tell us about the quality of your products? After all, does not my automobile come with airbags and antilock brakes and skid control and all wheel drive? Under your logic, those features would only work if I paid a monthly premium.

    You know, I kept waiting for something better to happen with Windows, but I have work to do and things to create, so I'll stick with OS X and my Macintosh. Thanks anyway.

    --
    Visit Jonesblog and say hello.
    1. Re:No thanks by mibus · · Score: 5, Interesting

      It's just a matter of scale.

      A pristine WinXP box will be compromised in 20 minutes (on average).

      I'm still waiting for my unfirewalled 'nix box to be rooted ;)

    2. Re:No thanks by notthe9 · · Score: 5, Funny

      I have performed the experiment: Install Windows on a computer and hook it up to the Internet. Leave it hooked up without downloading one bit of software from anywhere! and the machine will be compromised. Why is that Mr. Gates?

      Impossible! You must be lying!

      (Sorry, I realize this might not be defensible, but I accidentally checked the "Always Trust Microsoft" box during an install a few years ago. If only I could turn back time.)

    3. Re:No thanks by grcumb · · Score: 5, Funny

      "I'm still waiting for my unfirewalled 'nix box to be rooted ;)"

      Oh, it won't be rooted... again. I've tightened things up nicely, now.

      P.S. Thanks for the porn!

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    4. Re:No thanks by strider44 · · Score: 5, Insightful

      Of course the simple solution is not to run under admin. I like the way that linux actually forces (well it doesn't but severely recommends) the user not to run something under admin. Then again usually for newbies spyware can be installed as easily as

      Installation Instructions
      1. Login as root
      ...

    5. Re:No thanks by strider44 · · Score: 5, Informative

      *sigh* having more market share is not an excuse. Just look at Apache vs. IIS and you'll see that more market share does not automatically equal more security holes.

    6. Re:No thanks by asadsalm · · Score: 5, Insightful

      Q: Might you add anti-virus/spyware protection in Windows?

      Gates: It's not a thing you build in.

      Us: But a browser is a thing you can build in ... Right?

    7. Re:No thanks by mikkom · · Score: 5, Insightful

      Most of the servers are unix boxes that are connected to the internet and many of them don't have a firewall. Simply because there are no services that need to be firewalled.

      Windows instead has many "default" services that you can't turn off.

    8. Re:No thanks by ajd1474 · · Score: 5, Insightful

      If MS included Anti-virus, serious Firewall software and whatever else you feel they should include to make it "secure", you'd be the first person up in arms claiming it to be another example of MS using their monopoly to push out competitors.

      Everyone wants MS to remove things like CD-burning, Media Player, IE etc because it is anti-competitive and now you WANT THEM to build MORE APPS IN??

      Also, motor companies do NOT make Airbags, ABS and skid control... they are usually made by third party companies (Bosch for example). So are you suggesting that Windows comes bundled with Norton Antivirus/Firewall, that you shouldn't get a choice, and that we should add another $50 to the cost? Sounds anti-competitive to me. Sounds like you're another /. er who trips over their own arguments in an effort to be the first to bash MS.

      --
      I refuse to have a sig... dammit!
    9. Re:No thanks by aichpvee · · Score: 5, Insightful
      You're obviously very confused. The *nix box "can" be compromised, but probably won't be. The windows box "WILL" be compromised, and in a matter of minutes.

      Whether things would be reversed along with the marketshare, it's impossible to say. But there's really no way anyone can do it worse than what microsoft is doing.

      --
      The Farewell Tour II
    10. Re:No thanks by Anonymous Coward · · Score: 5, Funny

      63.161.169.137

      Take your best shot, kiddie!

    11. Re:No thanks by shut_up_man · · Score: 5, Funny

      Ah, I see - It's our fault for using those nasty third party viruses and worms. We should be sticking with the official Microsoft virus and worm family, that are, by a massive stroke of irony, totally harmless to our systems.

      Apparently the upcoming version of Windows will have enhanced official viruses too, that do even less but will need significantly more powerful hardware to run.

    12. Re:No thanks by tuxlove · · Score: 5, Insightful

      You're not playing devil's advocate, your point is just irrelevant. The original poster's point is that there are plenty of security holes that have nothing to do with downloading third party software. You can get compromised by reading your email, visiting websites (there are dozens of known vulnerabilities) or even having your computer sitting idle on the Internet, all of which have nothing to do with downloading third party software. A firewall is moot for the first two, and irrelevant for the third, because as soon as you take away the firewall the machine's toast w/o downloading a thing. Putting a NAT router in front of Windows doesn't fix it, it just masks the problem Bill Gates says isn't there.

    13. Re:No thanks by Atrax · · Score: 5, Informative

      Yes, Age of Mythology requires admin rights. Good game too.

      This KB article makes a passing mention of this, but doesn't tell you which games require Admin privs.

      Really I think this is just bad design - they could be written to operate normally under non-admin accounts, but aren't. And it's not just games - numerous applications on windows do this for various reasons (registry access/file access etc..)

      --
      Screw you all! I'm off to the pub
    14. Re:No thanks by Anonymous Coward · · Score: 5, Funny

      no sex *and* no porn. you poor b*stard. Divorce her and join a monastery, it'll be easier and cheaper ;)

    15. Re:No thanks by bickerdyke · · Score: 5, Funny

      No no.. Bill is completely right.

      All those viruses, dialers and worms coming in via email, malicious websites and so on, ARE Third party software indeed.

      Or is WinXP now delivered with preinstalled Melissa-Virus?

      --
      bickerdyke
    16. Re:No thanks by thepoch · · Score: 5, Insightful

      Argh I'm beginning to sound like a broken CD lately, having to always repeat myself.

      It isn't only that Microsoft doesn't even try to tell people that using Admin all the time is bad. It's also the stupid developers that never test their software with non-Admin accounts. And don't even start to talk about RunAs. That's broken as well for most apps.

      The only way for all this nonsense to hopefully be worked out is if Microsoft forced developers by making the default account a "User" account. Not even a "Power User" as that's pretty lame as well. Then every app out there will be forced to store their settings in the user's respective "Documents and Settings" folder. At this time, a lot of apps still store settings in either C:\Program Files\ or in HKEY_LOCAL_MACHINE. I'd rather have it in my own C:\D & S\username\Application Data folder and in HKEY_CURRENT_USER. This makes it more similar to *nix where it stores all settings in my /home/username in .files or .directories.

      Double Argh. Palm is one company that does this badly. Imagine everyone having to be an Administrator just because Palm Hotsync's data to C:\Program Files\Palm\$palmname. Sheesh.

    17. Re:No thanks by Asprin · · Score: 5, Interesting


      For what it's worth, Ubuntu actually disables the root account by default so you have to sudo everything.

      (I'm sure other distros do that too, but Ubuntu stands out in my mind because I had to wrestle with it unexpectedly over the weekend.)

      --
      "Lawyers are for sucks."
      - Doug McKenzie
    18. Re:No thanks by skraps · · Score: 5, Interesting

      That is a fringe example and doesn't have any effect on the main thrust of the argument. Making the boot media read-only in an effort to stop security holes is like cutting off your legs so that you won't accidentally stub your toe. You are right that Microsoft will never provide that as an option - because it doesn't make any sense for ordinary use.

      --
      Karma: -2147483648 (Mostly affected by integer overflow)
    19. Re:No thanks by Mike+Morgan · · Score: 5, Informative

      I thought that that would work too. I set my mom up as a restricted user under Windows 2000. After about 6 months the machine was clogged with spyware and would no longer dial.

      I wrote a program to detect what directories were still writeable as the restricted user, turned out to be quite a few (even including C:\).

      --
      -USR1
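
Added example, not part of the thread and not the program the commenter above wrote: one way to audit which directories a restricted account can still write to, by attempting to create and remove a probe file in each. The function names and the constructed sample tree are assumptions made for illustration.

```python
import os
import shutil
import tempfile


def can_create_file(directory):
    """Return True if the current account can actually create a file here.

    os.access() is deliberately not used: on Windows it does not evaluate
    ACLs, so the only reliable answer is to attempt the write and clean up.
    """
    try:
        fd, probe = tempfile.mkstemp(prefix=".write-probe-", dir=directory)
    except OSError:
        return False
    os.close(fd)
    try:
        os.remove(probe)
    except OSError:
        pass  # Created but not deletable; the directory is still writable.
    return True


def find_writable_dirs(root, max_depth=3):
    """Walk `root` without following symlinks; return writable directories.

    Run this while logged in as the restricted account being audited.
    """
    root = os.path.abspath(root)
    base_depth = root.rstrip(os.sep).count(os.sep)
    writable = []
    # Unreadable directories are skipped silently via the onerror callback.
    for current, subdirs, _files in os.walk(root, onerror=lambda err: None):
        depth = current.rstrip(os.sep).count(os.sep) - base_depth
        if depth >= max_depth:
            subdirs[:] = []  # Do not descend below the requested depth.
        if can_create_file(current):
            writable.append(current)
    return sorted(writable)


def build_sample_tree():
    """Constructed sample input: one writable and one read-only directory."""
    top = tempfile.mkdtemp(prefix="audit-demo-")
    open_dir = os.path.join(top, "open")
    locked_dir = os.path.join(top, "locked")
    os.mkdir(open_dir)
    os.mkdir(locked_dir)
    os.chmod(locked_dir, 0o555)  # No write bit (POSIX semantics).
    return top, open_dir, locked_dir


def remove_sample_tree(top, locked_dir):
    os.chmod(locked_dir, 0o755)  # Restore write access so cleanup succeeds.
    shutil.rmtree(top)


if __name__ == "__main__":
    top, open_dir, locked_dir = build_sample_tree()
    try:
        for path in find_writable_dirs(top):
            print("writable:", path)
    finally:
        remove_sample_tree(top, locked_dir)
```

Anything under a system or program directory that shows up in the output for a restricted account is a place where software can persist without administrator rights, and is a candidate for a tighter ACL.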
    20. Re:No thanks by DigitumDei · · Score: 5, Funny

      What people fail to realise, is that if we had all listened to Bill in the beginning and realised that the internet was not going to get big and thus never "forced" him to destroy netscape, we wouldn't have this problem. ;)

    21. Re:No thanks by doob · · Score: 5, Informative
      I'd venture to say most people who use OS X are logged in as admins.

      Even if this is true (but may not be, see below) being an admin under OSX is very different than being an admin under Windows. On Windows, you have rw permissions on everything, whereas under OSX, all it means is that you are in the sudoers file. This means that in order to do anything dangerous, you still need to type in your password again to gain (temporary) root privs.

      Can someone else comment on how the OSX install/add user process prompts you to set up permissions. AFAICR the user is set up as a normal user first, and you then have to explicitly go to the user manager and give them admin permissions. Very different to Windows, where you are prompted to set up an admin user as part of the install process!

      --
      In the spoon, there is no Soviet Russia!
    22. Re:No thanks by ultranova · · Score: 5, Insightful

      Unfortunately, running as a normal user won't do any good in a single-user system. After all, you have the right to access your own folders, and thus are still vulnerable to malware which installs there - you just can't pollute other users with it.

      Linux isn't immune to this problem either. It was designed to sandbox users from each other, but a single normal user will find it difficult to sandbox individual processes. Any process running at my privileges can access all my files, install cron jobs to be run automatically at machine boot, etc.

      A real solution is a fine-grained permission control. For example, a Web browser should be able to read its configuration files and plugins/extensions, connect to any Internet address, and write to the bookmark file(s) and download and cache directories. It shouldn't be able to do anything else. If there was an easy way to do this, even if the browser was compromised by a web site, there wouldn't be much that site could do. Especially if you could set the bookmark and configuration files to be stored as a "journaled" file, which would record the changes to it and allow returning to any given point in time. Obviously, you'd also need to move any downloaded files away from the download folder and check them with MD5/SHA1 checksums to avoid tampering (but how do you get that checksum, if you suspect your browser has been compromised?)

      I'd imagine something like this could be done with relative ease with Hurd, since one of its design goals is to allow each user to replace parts of the operating system (even the file systems) with new parts without disturbing others. So you could install a translator to control access to your home directory or any subdirectories (but of course such translators can also be removed by programs running with your permissions - that's one permission that should be droppable).

      An alternative way would be to allow users to build and set up "subusers" - simply add 32 bits to processes (and files) user id. The complete id would then be in the form of userid.subid. Userid.0 would have all the rights of the user, while userid.1 would be a "subuser" and have limited rights (the system would basically make userid.0 the root of his own home directory). This could also be generalized into a hierarchical authority tree, allowing individual programs to run parts of them as more restricted users (for example, a p2p-application could generate separate processes for managing file storage and network connectivity, allowing the part that touches the network to run without any access to filesystem and thus reducing the likelihood of a bug in it from causing damage).

      To summarize: the traditional access controls are designed to protect users from each other. This is not enough. A single unprivileged user needs an easy way to make sandboxes for programs to run in. If the computer is a house divided with walls to different rooms for each user, then all those users need the ability to further subdivide their own rooms with more walls, and they must be able to make/remove those walls without help from the janitor (administrator).

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    23. Re:No thanks by Darby · · Score: 5, Funny

      Wouldn't a male cow be a hermaphrodite?

      A note to all dairy farmers:

      Please be very careful milking your hermaphroditic cows.

      Thank you.

    24. Re:No thanks by Christianfreak · · Score: 5, Funny

      The optical version will exploit your eyes if you turn it upside-down and look into it.

  2. Rubbish! by Any+Web+Loco · · Score: 5, Insightful

    Those holes are what LETS third-party software install its freaking self.

  3. Third-Party? by Machitis · · Score: 5, Funny

    I wasn't aware Windows Update was third-party software...?

  4. Bill Gates lecturing about security... by Anonymous Coward · · Score: 5, Funny

    is like Tony Soprano lecturing about law and order..

  5. Re:Uhhhh... by plover · · Score: 5, Funny
    This one reminds me of the old Yakov Smirnov joke about a Soviet visiting America:

    "Now that you're in America, if you need to get the police on the phone, just dial 911."

    "That's nothing. In Soviet Russia, we don't even have to dial."

    --
    John
  6. Bad programming model by John+Hansen · · Score: 5, Interesting

    So, pray tell, how is making a horribly insecure third-party application model (DirectX) and then complaining about how people are exploiting it supposed to hold water? YOU ARE THE API DEVELOPER. IT IS YOUR RESPONSIBILITY TO ANTICIPATE POTENTIAL ABUSES.

    Because if I'm reading this right, then that's exactly what Gates is doing. No wonder Microsoft's products are so shitty; they think that security is something that happens to other people.

  7. What's that I hear dying? by MoralHazard · · Score: 5, Insightful

    Sounds like Microsoft's Trusted Computing Initiative isn't getting as much executive support as it might've.

    Remember that, Bill? When you said you were going to make all the Windows computers secure by focusing all your energies on securing your code?

    Now, it's not your fault, and you won't do anything to fix it? Then why on earth did you tell everyone that you would?

  8. Ones not made by Microsoft by Anonymous Coward · · Score: 5, Insightful

    Especially the ones that you get while downloading the updates.

    So the thing the users keep doing wrong is hook it up to the internet.

    1. Re:Ones not made by Microsoft by spacecowboy420 · · Score: 5, Funny

      It's "internets". There's a whole bunch of these magical internets - and only the most powerful people in the country can use them. I am not surprised that you are only becoming familiar with the internets, after all, none of us would have known without W's slip up the other day. Aliens work through W on their internets towards their master plan of total mental slavery of the lazy thinkers.

      Wake up America! They're controlling our mind through the internets!!! It's almost as bad as reefer madness!!!! Run for your lives!!!!

      --
      ymmv
  9. From TFA.. by mstefanus · · Score: 5, Insightful

    Q: What's your take on making Windows Media compatible with Apple?
    Gates: We're big believers in interoperability.

    BWWAAHAHHAHAHAHHAHAAAHHAAAA!!!!!!

    Yes yes... of course, interoperability within Microsoft products

  10. Re:Antivirus is not a thing you "build in" by plover · · Score: 5, Interesting
    I want to know why Bill Gates thinks it can't be built in.

    I'm not talking pure heuristic detection, because a perfect heuristic detector is theoretically impossible. But why can't Microsoft build in a scanner that downloads virus definitions?

    Virtually all of the viruses of the last five years or so have been Microsoft viruses. (Boot sector viruses are soo last millennium, and everybody's BIOS already detects those.) Not "PC" viruses, not "MS-DOS" viruses, but specifically "Microsoft Windows" viruses. Since they seem to be at the forefront of providing the virus delivery systems, why do I have to pay someone else (like Symantec) to protect me from them? Why isn't patching these defects included in the purchase price of this obviously defective product?

    --
    John
  11. Re:Blame Game by ladybugfi · · Score: 5, Insightful

    See the quote: "More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change."

    Money is no replacement for clue.

  12. What Bill means by roman_mir · · Score: 5, Funny

    What Gates is saying is that Windows does not come with native viruses installed, you have to download them from other places. Well, I sure hope they see that they are missing a market opportunity here. Longhorn better come with its own, native viruses.

  13. Re:Easy to assign blame by plover · · Score: 5, Interesting

    Then you should use Portable Firefox on a flash drive at school. Jack in the thumb drive. Run PortableFirefox. You get to bring your own bookmarks and cookies with you, and leave nothing like log files behind. And 32MB drives are available for about $10.00 (check the clearance bins at places like Micro Center or wherever.)

    --
    John
  14. Gibberish by gruntled · · Score: 5, Insightful

    The purpose of Internet Explorer is to download third party files (by viewing Web pages). Mr Gates's claim that vulnerabilities exist because of such downloads is therefore nonsensical; it's like saying we could end deaths due to automobile accidents by banning automobiles. Yeah, there's a certain logic to that, but it sort of misses the point. To take a recent, ongoing example: A malevolent Web page can use an image file to compromise a Windows system. This vulnerability is not created by users who have somehow previously contaminated the local environment; it's a part of the system's design. The OS was originally built to offer features over security, and maintaining backward compatibility rather than fixing those issues would make it more difficult to coax existing users into upgrading (and would also make it easier for existing users to consider alternatives rather than upgrading). I lost two years of my life covering the antitrust trial, listening to this guy and his minions cheerfully perjure themselves, and he just can't seem to stop making it up.

  15. Re:Antivirus is not a thing you "build in" by grcumb · · Score: 5, Funny

    "If OSX were #1 I'm sure the attacks would be just a fast and furious."

    Amen, brother! That's why I tossed out that POS Apache web server and got me a brand new IIS. I mean what with all the security holes that come from being the number one piece of software and all, I just KNOW that IIS will never be a problem.

    And besides, look at the name: Ah Pah Chee. Get it? It's a Patchy web server. It's gotta suck!

    [Disclaimer. The above is one man's poor attempt at humour. If, while moderating, you find that this does not satisfy your personal criteria for 'funny', return this post in its original packaging to the sender and you will receive a full refund.]

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  16. Catch 22! by Advocadus+Diaboli · · Score: 5, Funny
    Q: Speaking of security, Internet Explorer has had well-publicized holes ...
    Gates: Understand those are cases where you are downloading third-party software.
    ...
    Q: Might you add anti-virus/spyware protection in Windows?
    Gates: It's not a thing you build in. You have to offer a service. There are third parties who are doing a good job. We're always taking a hard look, but we don't have any concrete plans.

    So if I get this right the problem with security is that I download third party software and Mr. Gates thinks that it can be solved by third party service (which means probably downloading third party anti-virus software). Now I clearly understand why the problem is never solved...

  17. The user's fault? We can fix that! by outanowhere · · Score: 5, Insightful

    Blame it on the user.

    Again.

    As usual.

    As always.

    Microsoft and especially Mr. Gates have both blamed the user for DOS and windows bugs, et cetera, ad nauseam, since the beginning.

    It's one of the things that really encouraged me to dump windows. Being told personally, to one's face, by Microsoft and Mr. Gates that the problems with DOS and windows is my fault made it very easy to walk away from the huge investment in microsoft stuff.

    Since the user is at fault, the user can fix it--like I did: dump microsoft.

  18. Catch 22 by The+Real+Nem · · Score: 5, Insightful

    It is kind of a catch 22. If Windows had built in anti-virus software no one would buy 3rd party anti-virus software and Microsoft would gain a monopoly in the market. They would get their asses sued and everyone would complain that they have a monopoly or they have created an unfair environment. We've seen it before. If Windows doesn't have built in anti-virus software everyone complains they don't.

    And even if Windows did have built in anti-virus software, can you honestly tell me, given their track record, that you would feel secure with it? If everyone used Windows built in anti-virus software wouldn't it be just that much easier to exploit and cause even more damage.

  19. Re:infomechanics by arkanes · · Score: 5, Insightful
    There's no such thing as "bit rot" per se - things like fragmentation can cause a gradual decrease in performance, but not failure. The term is used in software development because of the way old parts of source code don't get looked at and updated and touched.

    Simply put - the "maintenance" that we refer to with software, and that's being compared to cars above is in fact no such thing. Every patch and update that's issued is to correct a _mistake_ in the software - not something that gradually failed because of wear. Cars need regular maintaining because they're physical objects in a physical environment and the stresses and imperfections of that environment cause real physical damage that needs to be repaired. Software "maintenance" is actually incremental development - it's correcting mistakes that are in the original.

    All that said, software (at least most of it) is far, far more complex than your typical car, and has had far less time to mature. The physical limits that a car operates in are well defined and well understood, and the vehicles are designed with that in mind. There are well known and well understood physical requirements and those requirements are easily tested. Software lives in a very different environment with a very different level of constraint and a very different level of user expectation.

  20. Try Microsoft? by chriseyre2000 · · Score: 5, Funny

    Why don't they offer the option of never trust Microsoft?

  21. I'm sorry, what!? by rincebrain · · Score: 5, Insightful

    Last Q/A in the article:
    Q: There is talk of a Google browser. Internet Explorer has had its security woes. How do you keep users?

    Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.
    [Italics and bolded sentence my own markup]

    So let me get this straight, Mr. Gates. You have thousands of people working just on Internet Explorer, and yet...a thousand or two thousand people working on Mozilla have bested you?

    Nothing is going to change, indeed, Mr. Gates. You're going to keep spewing the same old story, ignoring obvious holes in your own logic (third-party software is to blame for all security problems, true...but that doesn't mean your software should allow third-party software to install itself without the user doing a thing), denying any obvious falsehoods in your own statements (" We feel like we are pioneering an experience that to us is a clear thing most households will want." - Gates, regarding Windows Media Center PCs...I'm sorry, I didn't know you pioneered multicasting from a set-top box...I presume Linksys is paying you licensing fees for their video broadcast device, to name one alternative?), and hoping people will be stupid enough to follow it.

    The saddest part of the above discourse is, Gates is probably right. People are, until told otherwise, going to keep using bug-ridden products, until they are shown that there are alternatives...I know many users who have never clicked Windows Update in their lives, and not because they've never used Windows.

    I could be wrong, but I'm sensing a downward spiral, when M$ can announce things such as they did in their article, and not get negative feedback from the interviewer. Just my $0.05.

    --
    It's only an insult if it's not true.
  22. Critical assessment vs Belief by quinkin · · Score: 5, Insightful
    It seems to me that social gullibility has nothing to do with detection of a lie - instead it stems from the belief of an assertion with no critical evaluation. Critical analysis over unquestioning belief is a much maligned concept in most education systems.

    Our children are being indoctrinated from a very early age to believe what authority figures (parents, teachers, the tv, etc.) tell them. Should we be surprised when a concept ingrained for 10+ years during the most formative childhood years translates to an easily misled populace?

    Do not believe anyone. Do not believe politicians, scientists, priests, your parents, the police, and please don't believe the mass media.

    Teach your children to think, not believe.

    Q.

    --
    Insert Signature Here
  23. Sweetest Revenge: Linux Media Centers by randalx · · Score: 5, Interesting

    Gates: What the consumer wants is pretty clear: a single remote control that lets them navigate photos, music, videos, TV in a very rich way. They want to see that on any screen in the house and then have a great portable device where they can take that stuff wherever they want anytime. The full realization of that dream is still years away, but we've taken a dramatic step in delivering that with Media Center.

    I think it'd be great if we could beat Microsoft to the punch by offering all of this and more using Linux and open formats (not WMA Bill!). It seems like there is already a lot of work in the area going on (MythTV, Freevo, Mister House, VLC) but is any of this ready to be easily set up by the average Joe? Is there any work being done to put all the pieces together. Perhaps a modded distribution geared specifically to creating and setting up a Media Center type environment. Not only could a Linux based solution put anything from MS to shame it could also force Movies/TV/Music industries to support open formats if the Linux Media Center becomes the dominant player.

    Am I dreaming or can the open source community take the lead here?

  24. Different Alexa by CharlesDonHall · · Score: 5, Informative
    That's not the Alexa toolbar; it's a Microsoft "feature". If you click on "Tools/Find Related Links" in Internet Explorer, it does a search via the Alexa website. (And brings up a sidebar which gives you the option of downloading the Alexa spyware.)

    So in a sense it's harmless; it's just a built-in web search. But it's generally considered to be spyware because of Alexa's reputation.

    It probably got installed when you did the Internet Explorer update. I think you get it out-of-the-box when you install XP.

    More information here: http://www.imilly.com/alexa.htm

  25. Cows and bulls by Frobean · · Score: 5, Funny

    Q: What's the difference between a cow and a bull?

    A: The bull smiles when you milk him...