Slashdot Mirror
Microsoft vs. Computer Security
ArieKremen writes "The Slate has a piece written for the average user attempting to explain why Windows is `still` grappling with security issues. Although Gates made security and privacy top priority four years ago, not much progress has been made." From the article: "Microsoft customers haven't stopped worrying. A year later, Windows was hit with several nasty worms, including Slammer, Sobig, and Blaster. The viruses caused major traffic bottlenecks throughout the world, which cost tens of billions of dollars to clean up. Vulnerabilities deemed 'critical' have forced the company to release an almost unending stream of patches and fixes to the Windows operating system, Microsoft Office, and Internet Explorer." An interesting look at the whole issue.
Computer security will get worse before it gets better. It's the second hardest problem in computing, coming second only to DRM; which is provely impossible to do properly.
The problem comes from many quaters: some theortical, some practical, some managerial. For example:
I could go on for quite sometime.. the point to appreciate here is that it isn't all Microsoft's fault but they could do a whole lot more. If we could just get rid of the overflows that would be a good start!
Simon
"That's the big problem with many of the Microsoft glitches. They're not limited to the vulnerable Microsoft application. The vulnerable app provides a gateway for compromising the whole PC."
I would like to know where everyone heard this crap, and why they keep repeating it vebatim., because it's a bunch of bullshit. Flaws in Microsoft products have no greater danger than equivalent flaws in any other Windows application.
A remote code execution flaw in IE executes code with the users rights, and therefore gets access to what the user has access too.
A remote code execution flaw in Firefox executes code with the users rights, and therefore gets access to what the user has access too
There is no special conduit that Microsoft apps have to the windows kernel or any other windows system object.
If you browse the web using firefox while running as administrator and you get hit with an exploit that exploit will have full access to your system.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I thought most importantly users should be responsible enough not to simply click on or open anything in front of them.
.JPEG or .GIF file. It wouldn't matter which program accessed the file either - the OS would bypass the extension based MIME type and treat the file as a .WMF anyway, complete with being able to execute code, as WMF files are able to do by design. IOW, there was very little defense for an end user, unless you knew what sites had these files in advance. Users are usually the weakest link in the chain, but not always.
Ummm... the recent WMF vulerability needed no user interaction, other than visiting a web page or getting an e-mail with a "specially crafted" WMF file disguised as a
Your first bit of advice was correct - security is a process, not a product, and as such needs to be maintained and thought out in advance. I'd add "Educate users why people want into thier machine and here's how they get in" to the list too.
Soko
"Depression is merely anger without enthusiasm." - Anonymous
NT was designed to replace VMS at DEC.
It was written to be "OS/2 v3", once Gates poached Cutler's development team.
It was grafted onto the Windows shell as a long-shot, after tensions between MS and IBM began to manifest themselves over the success of Windows 3.0, the failure of Presentation Manager and the differing visions for the future of OS/2.
Drivers for NT were still alot like drivers for VMS, from the API point-of-view.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Microsoft has a long history of secret APIs used only by their applications. I remember some sort of hubbub about this around '94 when they were taking over the office suite market.
More recently the DOJ at least accused Microsoft of using secret APIs in support of IE, Messenger, Media Player, and Outlook Express.
I don't necessarily think that you are wrong, but the situation is certainly not as cut-and-dried as you seem to think it is.
-Peter
To make a OS as robust as windows without things like this happening is hard to imagine honestly.
"Robust" is not an adjective I would ascribe to Windows.
If Macs were what windows is today, the story would be the complete opposite I assure you. You see the SAME thing in popular games as well. The most hacked games are the biggest and best, not because it is easier, but there are far more people attempting to exploit the system.
Homogeneity is weakness. Stop being so damn homogeneous (x86, Windows, the most popular software, etc.), and start being more diverse (POWER, SPARC; Linux, *BSD; good but not most popular software; etc.); otherwise, you're just bringing this upon yourselves.
I know that the herd mentality still affects humans' decisions, but please do try to balance your cognitive biases out.
Until its easy (not merely 'possible') to run limited accounts & control permissions, we're going to see major problems.
The use of limited accounts only goes so far. It will prevent a virus from doing damage to some areas of the machine; it will not prevent the creation of "zombie" DDOS networks, infection by spyware, or OS exploits. Correct me if I'm wrong, but the WMF exploit will work regardless of whether or not you're running with full or nil permissions.
DATABASE WOW WOW
Undocumented APIs that the DOJ forced MS to document: http://msdn.microsoft.com/library/default.asp?url= /library/en-us/dnapiover/html/api-overview.asp
"Microsoft teams identified a few hundred undocumented Windows interfaces or parameters that were used by one or more of the Microsoft Middleware components."