Slashdot Mirror
Windows Vista still Rife with Insecure Code
osxpetition writes "As noted in a News.com article, Symantec researchers have been testing the latest Microsoft Windows Vista build (Beta 2), and have found that the code is 'complete with new corner cases and defects' in the networking component. Symantec describes how Microsoft scrapped the old networking stack code from Windows XP in favour of newer, rewritten code. 'Microsoft has removed a large body of tried and tested code and replaced it with freshly written code.' Since January 2002, Microsoft has put a stronger emphasis on protecting PCs by attempting to implement stable, secure code into Windows XP and their new operating system. This latest report from Symantec brings attention to Microsoft's trustworthy computing campaign, and shows how it will be a long way before it is ready for the mainstream."
It is still beta, right?
The opposite of progress is congress
They figured out that the old network stack was starting to get too secure and not something they could live with! Not wanting to break the trend of security problems they went ahead and rewrote the code from scratch
have a solution that will "protect" you.
This may not be a bad thing.
I am much happier with well laid out, structured and simple code that has X rate of defects than well polished over the years, old, cruddy and complex with X rate of defects because with the former:
Fixes will be faster.
Fixes will be easier/cheaper.
Fixes will be possible!
Bug fixes will have less chance of introducing new bugs.
Given time we can then be sure that we will end up with... err well polished over the years, old, cruddy and complex. But it probably won't be as bad as if the process never happened in the first place.
Think of the Children; Sleep with your Sister
You mean there's still hope for Sun Microsystems?
How dare they! Just when I know all the exploits in the old code, they make me go and have to discover all new bugs in their new code. Being a hacker is hard some days...
If this signature is witty enough, maybe somebody will like me.
Since you didn't provide any useful context to your question, allow me. From here:
OK, so Symantec makes money selling products that patch up problems with Windows OSes. Microsoft trying to put them out of a job. I'm not saying Vista is really achieving this goal, but what sort of report did you expect from Symantec? "Wow, this Vista really makes our products unnecssary"!
FUD. At least they learned Microsoft's greatest marketing strategy.
-Ryan C.
Isn't it to Semantecs best interest to generate demand for their product by creating uncertainty when it comes to OS security. They did this to linux too...
Granted Microsoft may be using new code, but that doesn't necessarily mean it's more insecure than the current network stack.
Let's see what the non-beta software looks like, and see what a independent lab reports.
Bill
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
Shatter attack are a configuration error, not a OS issue. They are roughly similar to running xterm as root on Unix and then complaining that users can execute root commands.
0 9/14/466175.aspx
But apparently Vista has entirely removed the idea of an "interactive service", so they won't work. Info here: http://blogs.msdn.com/larryosterman/archive/2005/
Whenever I hear the word 'Innovation', I reach for my pistol.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
I had never heard of such a thing before (actually, initially I thought you were just punning on Windows + 'shattering', har har).
It would seem that Vista allegedly fixes the design flaw that allows for the attack, by not running system services in the same session as the user. At least, that seems to be what the Wikipedia article on the topic is suggesting.
The key to shatter attacks is that Windows allows processes running in the same session to pass messages between each other, the result of which is that via code injection, any process can escalate up to the level of the highest process also running in its session. MS is quoted in the article as saying "[This is not] a flaw in Windows. In reality, the flaw lies in the specific, highly privileged service. By design, all services within the interactive desktop are peers, and can levy requests upon each other. As a result, all services in the interactive desktop effectively have privileges commensurate with the most highly privileged service there." (Which is amusingly doublespeak-ish; they're saying "this isn't a design flaw, we designed it that way!")
This blog post by a member of the IE7 team would confirm that they've at least tried to address this in Vista (but of course that's what you'd expect them to say). It says: "User Interface Privilege Isolation (UIPI) blocks lower-integrity from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages or hook or attach to higher priority processes This helps protect against "shatter attacks." A shatter attack is when one process tries to elevate privileges by injecting code into another process using windows messages."
Yet another nice legacy "feature" from the single-user-OS days.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
The stuff in the taskbar usually runs under your account; the problem is that the Network DDE service always runs as system and owns a transparent window on the desktop that can be passed arbitrary params by any other app on the same desktop - such as that nifty little hack you wrote...
Global warming is a cube.
- Improved graphics (more complete icon set, fancier installation and login graphics, nicer titlebar look on non-3D capable systems)
- More stability in general (some blue screen bugs I've reported have gone away with later versions)
- More gadgets in the sidebar
- A bit faster for file copies, file searches work a lot better -- file searching wasn't working at all at one point
So... I'm still skeptical of their early 2007 predicted time frame, but it's definitely been getting more polished over the months.Considering that they even have legislation to require wiretappable telecom infrastructure, I wouldn't be surprised.
In fact, I think it's the only way to explain how many security bugs are in Windows. Don't buy the excuse of it taking a lot of resources -- Microsoft has a *LOT* of resources including billions of dollars in the bank; and the OpenBSD group have a near perfect track record with a better performing OS with a budget thousands of times smaller than what Microsoft pays as dividends to shareholders.
If they wanted to fix their security problems, they could and OpenBSD is proof of that. The fact that instead they pay out dividents to shareholders (which is what a company does when it can't think of a better use for the money) means that they have some reason not to want to fix the problems.
Clearly it's not a marketing decision - it's bad press every time another one of these backdoors is exposed -- and it's not a feature corporate customeres want -- so it most likely is a policy decision with governments.
Jeez man, paranoid much? You really think Microsoft could care less about most of these countries? They won't respect their court rulings, but they allow not just one, but multiple, back doors to be programmed in? And why would they do that? What is Microsoft getting out of the deal?
DA GUBBERMINT WANTS MAH TEEFS!!! RUUUN!
Remember kids, tin foil doesn't work, so use LeadHat.
How is a shatter attack a configuration error? Any application can send a windowing message to any other.
The security model is built on "window stations" -- If you put a privileged window into an unprivileged window station, then you have made a configuration error. Period.
The author of the paper stated that *nix/X11 is just as vulnerable to these types of attacks, BTW, so *nix is just as irrevocably mis-designed as Windows. The only difference is that *nix programmers are smart enough not to write interactive software that runs as root.
Whenever I hear the word 'Innovation', I reach for my pistol.
Oh man! I can't even begin to think of a joke worthy of that setup...
> hey won't respect their court rulings, but they allow not just one, but
> multiple, back doors to be programmed in? And why would they do that? What
> is Microsoft getting out of the deal?
(dons tinfoil hat)
A free ride on the court rulings?
This "shatter attack" has been known about and acknolwedge for MANY YEARS. (Long before the 2002 paper cited in this thread.) Every once in a while people will bring it up as proof that Windows has design flaws.
This was a design decision with known trade-offs. Attaching security tokens to window messages would result in MAJOR overhead that would, even on today's beefy hardware, kill performance. Having to do a permissions check every time the mouse is moved is not feasible.
So Microsoft decided that they would rely on "best practices" information as apposed to enforced security in the OS to prevent "shatter attacks". The best practices are pretty simple: If your service/application is running with elevated permissions (such as SYSTEM), do not display a GUI on a desktop owned by a lower privledged user.
There have been examples of applications, in particular some poorly written anti-virus applications, that liked to display GUIs to the user despite the fact they were running as SYSTEM. For the most part, however, very few major applications exist today that have this issue.
Applications that run with high privs that need to display a GUI typically launch their GUI with the privs of the user, or display the GUI on a secure desktop. (Like Winlogon.exe.)
This is really a non-issue and hasn't been for a very long time. Please, ignore the FUD.
Curiously, both have dominant but benevolent personalities in charge...
:-)
That's the nicest thing I've ever heard anyone say about Theo!
Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
Because it would break a lot of apps. Vista has been set as somewhat of a milestone in the "This *will* break some compatability" aspect, with new permissions, directory structure etc. etc. it's a good point for MSFT to put the foot down and say "Follow these procedures or your app won't work."
Whether they will or not is yet to be seen.
How many people can read hex if only you and dead people can read hex?
Microsoft has put a signifigant amount of work into creating USER/GDI messaging passing barriers between the new Vista integrity levels. This feature is called UIPI and mostly works in the betas.
BTW, almost no Microsoft written applications are still vulnerable to shatter attacks on XP. This is mostly an issue that still hits ISVs because they don't understand the problem.
This isn't Beta code, this is a public beta, the current name for what was originally called "Gamma". Aka, the stuff right before release.
This isn't a problem if the problem you find is a minor thing where if you click on a button it crashes only if you have a ATI card that was made in June 2005.
This is a problem if the majority of code, that has been rewritten from near scratch has major flaws that would take another full rewrite to get rid of (or years of critical updates). Vista is supposed to be the reinvention of Microsoft security, however this isn't secure. This isn't a "we're still adding features" problem this is a critical flaw at the core of the system.
The reason why it isn't considered a security flaw is that you can only send messages to windows that are in your current desktop session -- ie: you can't gain privleges that that user doesn't already have. Or put another way, whatever you sent via window messages could have been done in the calling process.
You idiot. You do not rewrite a whole networking stack in the time between beta and release. The whole "it's only beta!" excuse only holds up for fixing trivial mistakes, not poor design concepts.
Please THINK before you post.
To be fair, the original design of NT networking was focused on IPX and NetBEUI. The bandwidth was 10 Mbit. If you routed in several steps, you didn't expect minimal latencies. You were also supposed to kind of trust the traffic on the network (no SYN attacks or stuff like that.) IPv6 on current Windows versions still has "it will kind of work" status. You don't start with MS-DOS and end up with XP. You end up with Me. Rewriting something because the old version is broken is highly unwise. Rewriting something because the old version is unappropriate for what you currently use it for might make sense. I remember the JWZ article and he talks about all the hidden assumptions you've found through hard work and how those are an essential value in the current codebase. If enough of those assumptions are not true anymore, it can make sense to rewrite something.
In fact, I think it's the only way to explain how many security bugs are in Windows.
I think you perhaps need to take some lessons in critical thinking. This is the equivelent of saying, "The only reason auto-manufactuers put problems into cars so they have to recall them is because the government makes them, which is why Japanese cars are better than American cars."
Large monolithioc systems are inherently more complex that smaller componant built systems. (Although those have problems too along the boundary interfaces.) Auto-makers put lots of time and money into making a car that A) doesn't fall apart and B) doesn't require a multi-billion dollar recall effort. Microsoft puts lots of time and money into trying to make their software more secure.
On the whole, I'd say the auto companies do a better job. :-) Thowing money at a problem very rarely solves the problem. The need to have an understanding of the problem, and how to fix the underlying problem is vital. I think that is where Microsoft fails. The systems they have in place (from what I hear) are more frustrating to the engineers than helpful.
I also have problems believing MS engineers are really motivated these days. Many of Microsoft's security issues have stemmed from their own code interactions which they implemented as deliberate features. Many more have been from sloppy programming (such as buffer overruns).
Trying to blame MS security issues on government mandated back doors smacks of plain political diatribe with a nice glossy veneer of ignorance on the top to give it a nice sheen.
I am not a resource! I am a free man!
There are a myriad companies that Microsoft has bought, then put to good use. Some were then thrown off a cliff (like McAfee does/did with Network General and OilChange) while others made them smarter. They need the brains. And they need a new authentication methodology, a new networking stack, and a new registry protection mechanism not made of tissue paper. That doesn't mean they'll get it. So many people have blown up Vista (yes, I know it's not RC+ yet) that Microsoft must be rattled to their very core (yes, Bill-- you, you crummy half-assed programmer) before they'll believe their customers. It's a classic case of Sales Department Rules (Ballmer) and everything else drools. Hit the sales department in the wallet, and things change. Look for a big change from Microsoft soon when they report that XP sales are down and that Windows 2003 server's recent sales peak has now hit the skids, and the X360's are costing a fortune. Mark these words.
---- Teach Peace. It's Cheaper Than War.
From the October 2000 MSDN magazine, "Windows Sockets 2.0: Write Scalable Winsock Apps Using Completion Ports" Ironically, it's TDI that's being replaced for something more sockets-like.
I think this is yet another example of Microsoft not understanding code that was previously written by someone no longer available, causing the new developers to misunderstand the original design, who then feel the only option is a rewrite. I've yet to hear any technical comparisons between TDI and "Next Generation TCP/IP", showing how the TDI architecture could never do those things. I bet TDI can support these new features with some new code, but it just wouldn't be as glamorus that way.
To adapt an old saying about LISP and UNIX, "Those who fail to understand NT are doomed to reimplement it. Poorly"
My critical thinking skills tell me that this is a false analogy because the government has no incentive to make automobile manufacturers issue recalls, and really the attorneys and enforcement and regulations involved would make this nothing but an expense for the government. When consumer protection laws are enforced, the governmental officials involved can at least claim that they are doing this to benefit the public, even when doing so does further someone's personal agenda.
The situation as described by the A.C. is where the government requires backdoors so that its own governmental snoops (law enforcement and possibly more shady, less accountable organizations) can easily access systems that would otherwise be difficult to access due to security protections. This directly benefits the government because it makes their legitimate law enforcement job easier and it also makes less legitimate ventures (potential data mining, eavesdropping, etc) much easier and has the nice side-effect of eliminating some of the need to do old-fashioned police work. This scenario certainly does not benefit the users of Microsoft software and so the intent shown is nothing like your analogy. If this is actually happening, then this is a very dangerous precedent for two reasons: One, if the government can use such a backdoor, so can anyone else who learns of it; two, the job of law enforcement was not intended to be easy and efforts to make it an easy job immediately preceded the rise of most totalitarian states that existed during the 20th century (at the risk of invoking Godwin's Law, Nazi Germany and the USSR did not take place due to powerless and ill-informed police forces).
Further, when speaking about Windows you are dealing with proprietary, closed-source software. You and I simply do not know with 100% certainty whether or not there actually is such a backdoor in any of the Windows code, nor do we know what agreements Microsoft has made with which governments. What you can know is that we are in an era where privacy is on the decline and law enforcement powers are increasing, and being able to easily access over 90% of all desktop computer systems does fit the stated purpose of programs that we do know about, such as the NSA wiretap program. To say that we already know about every possible threat to privacy and that the statists who desire this kind of surveillance are now satisfied and will not be seeking further powers is a lofty claim indeed. Study history and you will observe that the USA has a bad case of "it can't happen here" regarding foreseeable abuses of power.
Also, unmotivated programmers and undocumented backdoors are not mutually exclusive. It is possible that they both contribute to the sad state of security in Microsoft's code. It is also possible that neither are true and that some third factor (such as program design being dominated by marketing and forcing otherwise good programmers to work within these parameters) can explain the lack of security. But to observe that the possible existence of unmotived programmers could explain the situation and then claim that this is a valid reason to dismiss other arguments out-of-hand does not fit the spirit of critical thinking that you mentioned earlier.
But it does indicate that maybe, just maybe, you live in the USA and are in denial about the direction towards which it is headed.
It is a miracle that curiosity survives formal education. - Einstein