Slashdot Mirror


Russinovich Says, Expect Vista Malware

Hypertwist writes "Despite all the anti-malware roadblocks built into Windows Vista, Microsoft technical fellow Mark Russinovich is lowering the security expectations, warning that viruses, password-stealing Trojans, and rootkits will continue to thrive as malware authors adapt to the new operating system. Even in a standard user world, he stressed that malware can still read all the user's data; can still hide with user-mode rootkits; and can still control which applications (anti-virus scanners) the user can access. From the article: '"We'll see malware developing its own elevation techniques," Russinovich said. He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'"

193 comments

  1. Actually by Anonymous Coward · · Score: 5, Funny

    I'm really quite surprised by this.

    1. Re:Actually by SEMW · · Score: 4, Interesting

      > Actually, I'm really quite surprised by this.

      Quite surprised by what, that programs running in user-mode can still access the current user's data and programs in their home folder? Hardly news.

      (I was slightly confused by the statement that programs "can still hide with user-mode rootkits", though -- surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself? I thought the whole point of a rootkit was that it allows malicious programs to maintain root (i.e. highest privilege) access undetected, which would make "user-mode rootkit" a bit of a contradiction in terms, unless I'm misunderstanding somewhere...?)

      (And whilst I'm posting, "...a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file"? If it's a prompt that will give a malicious program elevated rights when the user clicks 'allow', what part of it is fake? Surely a fake/spoofed dialogue box wouldn't *actually* be able to grant elevated rights (pretty much by definition); and the text in the *real* elevation prompts can't be changed, since they run in 'secure desktop' sandbox mode, no?)
      --
      What's purple and commutes? An Abelian grape.
    2. Re:Actually by Workaphobia · · Score: 2, Insightful

      > "Quite surprised by what, that programs running in user-mode can still access the current user's data and programs in their home folder? Hardly news."

      The GP was being extremely sarcastic. I'm sure most of the people who read this summary, or even just the title, thought "Duh" and wondered why an expert like Russinovich didn't have anything more insightful to say.

      > "surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself?"

      Well it wouldn't be able to hide itself from the root, but I don't see why it couldn't hide itself from other limited user apps.

      > "If it's a prompt that will give a malicious program elevated rights when the user clicks 'allow', what part of it is fake?"

      The fake part would be the premise under which it is requesting additional rights. Maybe it's masquerading in the dialog as a service the user already has.

      I like the quote from the article: "Elevations are a convenience and not a security boundary".

      --
      Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
    3. Re:Actually by TheCoelacanth · · Score: 2, Informative

      > (I was slightly confused by the statement that programs "can still hide with user-mode rootkits", though -- surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself? I thought the whole point of a rootkit was that it allows malicious programs to maintain root (i.e. highest privilege) access undetected, which would make "user-mode rootkit" a bit of a contradiction in terms, unless I'm misunderstanding somewhere...?)

      "User-mode" usually refers to everything other than the kernel. Nothing prevents a user-mode program from gaining root access. Though admittedly, from the context, it doesn't seem like he meant that.

    4. Re:Actually by lpw · · Score: 3, Interesting

      Providing a truly secure OS is antithetical to the Windoze Nature, i.e., that of an OS for dummies. Maintaining a secure system takes time, know-how, and sometimes even reading some fucking manual. But Microsoft's "operating systems" are intended for the PC, a platform where the majority of users are not willing to make that investment. Eventually, once the novelty of MS Paint wears off, a user needs to install another application in order to actually accomplish something useful on the PC. Because MS necessarily assumes that the user is a brain-dead clod, a simple scheme like the allow-or-deny elevation masquerade is necessary (and, of course, the user can be easily duped into installing malware). Anything more sophisticated, and the appeal (and usability) of Windoze to the masses suffers, because it's no longer "user friendly." After all, if grandma needs to dick around with file and process permissions, why not just install Linux? No version of Windoze will be a truly secure system until its user base becomes better educated, which is a requirement that Microsoft will never enforce to protect their bottom line.

    5. Re:Actually by mrsteveman1 · · Score: 2, Informative

      The real problem is the millions of users who blindly use the system without even the most basic understanding of how it works. You would not be surprised at the number of users who can't tell a real Windows dialog box from a pop up on the web warning that you "need to scan your hard drive".

      As long as people literally refuse to learn anything more than the bare minimum necessary to quickly read their email, nothing will change, especially with totally incompetent systems like Windows Vista, which is quite possibly the worst operating system I have ever used, save for some various conveniences like the segmented networking settings and file management/organization. Vista is "better than XP", but that is still horrible.

      I understand that software should "just work", but at this point in Vista's case, it doesn't. You can either keep refusing to learn, or you can protect yourself. Is it worth it to blindly trust a company that has repeatedly shown they aren't deserving of trust? Or is it worth more to users to take a small amount of time to educate themselves about the system they trust to view banking records?

    6. Re:Actually by 313373_bot · · Score: 3, Interesting

      What if Microsoft wrote a new OS, and no one bothered writing applications for it, not even malware? Despite all the ineffective security and bad design decisions, the prevalence of viruses, trojans and spyware on previous Windows versions was (and is) in part due to their sizable market share. If Vista Me II isn't being attacked like old Windows, is it because it's so much more secure, or is it because no one cares? Only time will tell, but I can't get out of my mind the image of a mighty tree falling in the middle of a forest, with no one to hear it.

      --
      ^[:q!
    7. Re:Actually by JonathanR · · Score: 1

      > No version of Windoze will be a truly secure system until its user base becomes better educated, which is a requirement that Microsoft will never enforce to protect their bottom line.

      By definition, the user base of Windose will always wallow in mediocrity. Microsoft needs to take responsibility for this, if it wants to dominate the OS marketplace.

      I think that MS missed their opportunity to make Vista really secure. They could have developed a brand new API, and sandboxed the old API in a virtual machine environment, to maintain backwards compatibility. Then publish decent standards for building applications, particularly with respect to file permissions, drivers etc, so developers can genuinely create robust applications that don't require administrative privileges to run. Enforce the standards by making them mandatory for using the OS installation mechanism. Enforce proper use of the correct installation mechanisms by disabling rogue installation hacks with system updates (i.e. deliberately break third party vendors' software if it's crap).

    8. Re:Actually by Anonymous Coward · · Score: 1, Funny

      > unless I'm misunderstanding somewhere...?

      No, I think you're just misunderestimating Windows.

    9. Re:Actually by Fhqwhgadss · · Score: 4, Interesting

      > surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself?

      Too bad there are lazy software companies pulling this kind of shit. The developer's link to this piece of shit "patch" is listed under the headline "Convekta's products are compatible with Windows Vista !!!" (just disable the single most important security feature of the OS). I'd bet that over half of all Vista boxes will have LUA disabled within 12 months of installation. What do you have then? A new OS with the security enhancements removed and untested code running in "every user is a superuser" mode, just like XP without the 6 years of bugfixes. Don't tell me XP has limited accounts; using XP under a limited account takes more effort than using Linux ever did.

      The only thing keeping the malware writers away from Vista so far is its piss-poor market penetration, not its security enhancements.

      --
      How does a 7-person democracy cut a pie? Into 4 pieces.
    10. Re:Actually by drsmithy · · Score: 2, Insightful

      > By definition, the user base of Windose will always wallow in mediocrity. Microsoft needs to take responsiblity for this, if it wants to dominate the OS marketplace.

      "Wants to dominate" ? What _have_ they been doing then ?

      > I think that MS missed their opportunity to make Vista really secure. They could have developed a brand new API, and sandboxed the old API in a virtual machine environment, to maintain backwards compatibility.

      Way, way too many negative tradeoffs. 99% of software would not be native and its functionality would suffer significantly.

      > Then publish decent standards for building applications, particularly with respect to file permissions, drivers etc, so developers can genuinely create robust applications that don't require administrative privileges to run.

      What's wrong with the current ones, that have been around for more than a decade ? Hell, what's wrong with just good old common sense and decent developer practices ?

      No developer has had any excuse for releasing software that needlessly requires Administrator privileges for at least 8-9 years. None.

      > Enforce the standards by making them mandatory for using the OS installation mechanism. Enforce proper use of the correct installation mechanisms by disabling rogue installation hacks with system updates (i.e. deliberately break third party vendor's software if it's crap).

      Oh yeah. Microsoft deliberately breaking third party software. I can just imagine how well that will go over, given the flack they cop when they _accidentally_ break some random piece of software.

      Good plan you've got there, tiger. If you were lucky, you might have even managed to get all of it spoken in a product design meeting without being laughed out of the room.

      This isn't the open source world where developers can just go around breaking shit willy-nilly to make end users conform to some arbitrary plan for the hell of it (despite many people here insisting to the contrary).

    11. Re:Actually by Oriumpor · · Score: 1

      It needn't actually escalate right away, it need only steal the password and use it to authenticate later (or to re-use the tried and true *nix login fake prompt again to re-request after "failing" to get the right password).

    12. Re:Actually by someone1234 · · Score: 1

      Quite surprised that Russinovich, who is now on M$ payroll, criticizes Vista publicly.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    13. Re:Actually by JonathanR · · Score: 1

      > By definition, the user base of Windose will always wallow in mediocrity. Microsoft needs to take responsiblity for this, if it wants to dominate the OS marketplace.

      > "Wants to dominate" ? What _have_ they been doing then ?

      Perhaps I should have added "continue to dominate".

      > No developer has had any excuse for releasing software that needlessly requires Administrator privileges for at least 8-9 years. None.

      Sure, they don't have any excuse, but MS lets them get away with it, simply because badly designed software will still work. So this changes nothing of the Windose-Malware paradigm. This attitude also does nothing to counter the risks associated with the inherently mediocre technical skills of a large user base.

      > This isn't the open source world where developers can just go around breaking shit willy-nilly to make end users conform to some arbitrary plan for the hell of it (despite many people here insisting to the contrary).

      I'm not talking about end users conforming. I'm talking about developers. And arbitrary plan attitude is a somewhat simplistic regarding an OS security model.

      Eventually, the open source world will get their standards together, and gain sufficient momentum that will threaten the Windose environment. OSS (GNU/Linux) has no qualms about breaking and deprecating something old, in order to move to the "next level" in the development evolution, which will ultimately benefit the quality of the products. Why hobble future development with kludgy hacks to support legacy requirements? The legacy stuff should use the work-arounds for backward compatibility. The new stuff should be "native".

      Compare the progress made in last decade of developments for Windows and GNU/Linux environments. Then extrapolate that another decade.

    14. Re:Actually by Anonymous Coward · · Score: 0

      I guess you are just going to have to learn to live with the fact that most people use a computer as a tool and not a way of life. It doesn't take a small amount of time to learn how to operate a computer, that is the biggest load of baloney I have ever read. Especially Windows...

      I have no idea how an internal combustion engine works, yet somehow I make it to work every day. It really is ridiculous to think that people should learn how an OS works before they can type an email to grandma. For most, it isn't a matter of refusing to learn, it's a matter of spending three weeks learning the quirks of an OS, or taking a vacation or spending time with family.

      It just isn't going to happen. I'm very surprised that you think it can work.

    15. Re:Actually by ady1 · · Score: 3, Funny

      > mighty tree falling in the middle of a forest, with no one to hear it.

      Surely you can examine the logs later on.

    16. Re:Actually by drsmithy · · Score: 1

      > Sure, they don't have any excuse, but MS lets them get away with it, simply because badly designed software will still work.

      That's because they don't have any practical way of stopping them. Anything that doesn't involve "force" is a waste of time, because it is easily ignored. Anything that does involve "force" is an antitrust violation.

      Fundamentally, it is the application vendors who beat the drum. The operating system is the chicken of the software world - it's just there to carry the flavoursome software that the end user actually wants (which is why the "DOS ain't done 'til Lotus won't run"-esque urban myths are so laughably ridiculous to anyone who actually takes the time to think about them). If the applications vendors don't play, the OS goes nowhere - *that* is why Vista usage isn't going to pick up until the application developers get off their arses and update their software and *that* is why Microsoft have gone to such lengths to make old, broken software work when it should really be walking it out behind the barn with a gun.

      > So this changes nothing of the Windose-Malware paradigm. This attitude also does nothing to counter the risks associated with the inherently mediocre technical skills of a large user base.

      So long as computers remain capable of running arbitrary software, that risk profile will not significantly change. It simply *can't*.

      > I'm not talking about end users conforming. I'm talking about developers.

      The principle in my comment applies identically to developers.

      > And arbitrary plan attitude is a somewhat simplistic regarding an OS security model.

      Huh ?

      > Eventually, the open source world will get their standards together, and gain sufficient momentum that will threaten the Windose environment. OSS (GNU/Linux) has no qualms about breaking and deprecating something old, in order to move to the "next level" in the development evolution, which will ultimately benefit the quality of the products.

      Conveniently, your second sentence does an excellent job of refuting the first and saves me the trouble.

      This whole "let's just break it and start over" attitude is one of the biggest problems in the OSS community. Besides the atrocious documentation and usability levels typical to most OSS projects, it is probably one of the biggest negative influences on the takeup of OSS, across the entire software spectrum.

      > Why hobble future development with kludgy hacks to support legacy requirements.

      Because, essentially by definition, the vast, vast majority of your user base will always fall into the category of "legacy users".

      This is something Microsoft *get*. It's something they get *very well*. It's one of the primary reasons for their success, the reason they expend such incredible amounts of resources with the objective of maintaining legacy support with a high level of compatibility and usability, and why Vista is such a significant release for making such a relatively large break with regards to this legacy support.

      Incidentally, there is no need for this to "hobble future development". Long transition periods like those used by Microsoft certainly slow the rollout of new technology, but they have the distinct advantage (from a business perspective) of not alienating their userbase and destroying revenue streams.

      Microsoft is a _business_. Unlike most OSS projects, which are basically glorified collections of hobbyists, there are actual _consequences_ when things go wrong. Money is lost. Customers change to other products. People get fired. Technology is shelved. Etc. This is also why, for example, NT is only available on a few different hardware platforms, whereas Linux is available on dozens; for NT to be made available on a platform, there must be a viable business case and the result must be a marketable product. For Linux, there just needs to be someone sufficiently bored enough to waste their time and the kernel booting is conside

    17. Re:Actually by ichimunki · · Score: 1

      > it is the application vendors who beat the drum. The operating system is the chicken of the software world - it's just there to carry the flavoursome software that the end user actually wants

      And these days Microsoft is the single most important application vendor out there. Microsoft Office is the only "must have" application for the average home user. And MS is doing a lot of work to make sure that ISVs and competitors are left in the dust with Office 2007's totally new UI that is not part of .NET and not even available from MS as a buyable component.

      What GP is missing is that Vista does break a lot of existing software with its new security model. I have been unable to get an old CD label printing program to run at all, and I can't seem to get my Handspring Visor to sync, even though all the software seems to install and run (I have seen a workaround documented, but I can't get the Visor to cooperate with a crucial step in that).

      What I'm not seeing in Vista, or in any of the points Russinovich is making, is any difference from how privileges and security work in Linux. The only difference I'm aware of is that Windows does not have a central repository of just about anything it is possible to build and deploy on Windows, like Ubuntu does (for example). This means that sooner or later users will download something questionable and want to install it. But if Linux had any market share at all in the regular user space, those same kinds of questionable downloads would be available for Linux and those downloads would be equally capable of tricking the user into running it as root. I suppose the fact that none of us can audit the code to Windows is a security risk of sorts, but most Linux users probably don't audit the code to Linux, either. And even if we did, how many of us would recognize security holes when we saw them?

      --
      I do not have a signature
    18. Re:Actually by Tea Shaman · · Score: 1

      Actually, I disagree. There are big differences between a combustion engine and a computer. First of all, a combustion engine isn't as exposed as a computer. A combustion engine is self-enclosed. It is very difficult for someone to be able to connect into an engine and tamper with it. Computers on the other hand, routinely interact and accept information from other computers. Imagine what would happen if I could log onto your combustion engine over the internet, and using a special set of commands, cause it to explode, while you're driving. I'm sure that would cause people to take a lot more interest in their combustion engines. Secondly, computers are far more "functionality-rich" than combustion engines. The purpose of a combustion engine is simple: it provides power to move a vehicle. The normal range of operation can be specified pretty easily. A computer on the other hand, well, does pretty much whatever you want it to do: it can play games, it can surf the net, it can give your credit card details to a legitimate source (like PayPal), or it can give it to a fraudster. It is far harder to specify what behaviour a computer should and should not be doing, and that requires knowledge from the user. Of course, the other option is to make the choice -for- the user, restricting functionality, preventing suspicious behaviour etc etc ... except people then complain that the computer doesn't do what they want it to do.

    19. Re:Actually by Ernesto Alvarez · · Score: 2, Insightful

      You might not know how an internal combustion engine works, but you certainly have trained to use a car and have a license.

      Even if you know almost nothing about your car, you certainly know when something is wrong with your engine. I've seen people do things with computers that would roughly be equivalent to driving with the engine on fire. Not only do people not bother to learn the most basic things about computers, they also ignore any problems they see and keep going like nothing is happening.

      Using a computer is definitely harder than using an engine, since it can do many more things. Yet people use them without even basic training or maintenance.

    20. Re:Actually by I'm Don Giovanni · · Score: 1

      This "stealing password" scenario might be less effective in Vista. In Vista the default account is an "admin" account that runs with "standard" privileges, such that elevation requires merely clicking OK rather than actually entering the password (which would be required for "non-admin" accounts). So, if a user is used to merely clicking OK on UAC dlgs, then is suddenly presented with a fake dlg that requires him to enter a password, he may suspect that something is amiss.

      --
      -- "I never gave these stories much credence." - HAL 9000
    21. Re:Actually by Anonymous Coward · · Score: 0

      :-)
      That's very funny.

    22. Re:Actually by poot_rootbeer · · Score: 2, Funny

      > What if Microsoft wrote a new OS, and no one bothered writing applications for it, not even malware?

      IBM would probably take custody of it after their partnership with Microsoft dissolved, and it would become the OS of choice for ATMs and financial workstations for years to come.

    23. Re:Actually by 313373_bot · · Score: 1

      That was true for OS/2 but remember, Vista is a single parent's child with no redeeming qualities.

      --
      ^[:q!
    24. Re:Actually by 313373_bot · · Score: 1

      Ditto! :-)

      --
      ^[:q!
    25. Re:Actually by MeanderingMind · · Score: 1

      > I've seen people do things with computers that would roughly be equivalent to driving with the engine on fire.

      The mental images this invoked required a forceful exertion of my will to prevent me from cracking up at work.

      Image #1: Person attempting to drive down highway while car is on fire, confused as to why they're having trouble seeing out the front until a cop pulls them over and throws them out of the car before it explodes.

      Image #2: Person calls tech support.

      TS: "Tech support, how may I help you?"
      P: "I can't get my e-mail."
      TS: "Your computer is turned on, correct?"
      P: "I pushed the power button."
      TS: "Did the loading screen appear?"
      P: "No."
      TS: "Alright, check your computer. Is everything plugged in?"
      P: "Yes."
      TS: "Including the power cord."
      P: "One second."
      *Faint hissing sound in the background, minor 'ow' noises as the person checks*
      P: "Yes."
      TS: "Are you alright sir? I thought I heard you say 'ouch' a few times."
      P: "Oh it's nothing, I just nearly burned myself."
      TS: "Burned yourself? Is your computer running hot?"
      P: "Well, it's on fire."
      TS: "It's on fire?"
      P: "Yes."
      TS: "Literally?"
      P: "Yes."
      TS: "Did you consider that this might be why your computer isn't working?"
      P: "Don't patronize me! I want to speak to your manager!"

      Tooooooo funny.
      --
      Thunderclone: ONE MAN ENTERS! TWO MEN LEAVE! ONE MAN ENTERS! TWO MEN LEAVE!
    26. Re:Actually by mstahl · · Score: 1

      > Maintaining a secure system takes time, know-how, and sometimes even reading some fucking manual.

      All it takes is an operating system that doesn't have all its services and bells and whistles turned on out of the box. My mac was pretty secure the first time I booted it up.

      It's not the users. It's the fact that the operating system requires so much tough love to get it set up right for the real world.

    27. Re:Actually by ConceptJunkie · · Score: 1

      > I think that MS missed their opportunity to make Vista really secure.

      You're assuming they're in business to make a secure, usable operating system. They were once, around 1989. Now they are in business to maintain their monopoly. They're far too busy to write good software. How else can you explain the fact that they claim all these annoying kludges were to provide backwards compatibility, and the end result isn't very compatible, or secure, and, oh, by the way, they forgot to add anything new that anyone cares about?

      Seriously, that was the first thing I thought of too. In fact, I bet that was the first thing everyone thought of. Given the tens of thousands of man-years that certainly must have gone into Vista, they should have been able to do just that. Heck, for all we know Microsoft Research has that very OS running quietly on a box under someone's desk somewhere in a lab, but the marketing folks will never let it see the light of day (or never realize they should).

      Bill Gates and Chair-Throwing Monkey Boy are too busy making vaporous claims about technology they never plan on delivering, and scheming to kidnap Linus Torvalds, kneel on his chest and dangle spit on his face until he admits he stole Microsoft technology in the Linux kernel.

      --
      You are in a maze of twisty little passages, all alike.
  2. Free screensaver !! by Anonymous Coward · · Score: 2, Insightful

    With companies like ask.com (who run smileycentral, a well-known spyware site) nothing will change.

    just click on setup.exe and you can have this fantastic free screensaver, be the envy of your friends !

    1. Re:Free screensaver !! by Adambomb · · Score: 1

      No Way!

      --
      Ice Cream has no bones.
  3. Well, no shit by hairykrishna · · Score: 4, Funny

    In similar news, despite a wide variety of new content, online pornography remains disproportionately popular.

    --
    "Physics is to math as sex is to masturbation." -R. Feynman
    1. Re:Well, no shit by seaturnip · · Score: 1

      Actually no, it's in relative decline.

  4. The "anti" strikes again. by Anonymous Coward · · Score: 2, Funny

    > "He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file."

    Good thing geeks are anti-social.

    1. Re:The "anti" strikes again. by ImaLamer · · Score: 1

      Silly, no real geek uses Vista.

  5. Vista malware by psaunders · · Score: 5, Funny

    > Russinovich Says, Expect Vista Malware

    Old news. Vista has been available for months now.
    --
    Karma police, arrest this man. He talks in math. He buzzes like a fridge. He's like a detuned radio.
  6. Smilies by yotto · · Score: 4, Funny

    So you're telling me I shouldn't have installed these smilies? Here, let me try a typical smiley face. :-@*&^^^ NO CARRIER

    1. Re:Smilies by MadnessASAP · · Score: 1

      That's not funny, I had a neighbor whose computer I would fix on a regular basis and she insisted on using IE6 and installing that god damn smiley tool bar. She also once fell for one of those BS anti-virus programs you see on the internet, the ones that actually fill your computer with spam. Fortunately for me she moved.

      --
      I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
  7. And ... ? by khasim · · Score: 5, Interesting

    So now you know that Vista can be compromised ... what are you doing about it?

    Where's the clean boot disk that I can use to scan a Vista box? How do I validate all the files on it?

    What is your answer to AFTER the box has been cracked?

    1. Re:And ... ? by Anonymous Coward · · Score: 2, Interesting

      To be fair, Vista's ultimate solution is probably no different from any other system:

      Nuke it from orbit, reinstall.

      The only difference is the hope they don't deny your registration after doing that too many times.

      I suppose they could have a "Boot from CD and validate" option, but, because of subsequent system changes as the user installs drivers and other legitimate software (which could still include bogus stuff), it would probably be tricky to implement except for a few key system files that don't (or shouldn't) ever change, and that would miss a lot of malware. More useful would be if it were possible to create a "known good" system image, and a way to compare that to the present state of the system or to reinstall that image. I know that XP has system save points (or whatever they are called), but I'm thinking about something more comprehensive. Do they have anything like that yet?
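
The "known good image plus compare" idea in the reply above, as an added example that is not code from the article, from Microsoft or from any poster: build a manifest of SHA-256 digests for a tree, then diff it against the live state to list added, removed and modified files. The sample tree and file names are constructed; because a user-mode rootkit can hide files from programs running on the live system (the point SEMW and Workaphobia argue about above), the comparison only means something when run from trusted boot media against a manifest stored off the box.

```python
"""Known-good file manifest: baseline a tree with SHA-256 and diff it later.

Added example for this discussion; not code from the article or from
Microsoft. The directory layout and file contents in demo() are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link cannot redirect the scan to a benign copy.
    Traversal is sorted so two runs over identical trees give identical output.
    """
    root_path = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames.sort()  # deterministic descent order
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            manifest[full.relative_to(root_path).as_posix()] = sha256_file(full)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences between the known-good baseline and the live tree."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed walk-through: snapshot a tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Program Files" / "Tool").mkdir(parents=True)
        (root / "Users" / "alice").mkdir(parents=True)
        (root / "Program Files" / "Tool" / "tool.exe").write_bytes(b"constructed binary v1")
        (root / "Program Files" / "Tool" / "settings.ini").write_text("verbose=0\n")
        (root / "Users" / "alice" / "notes.txt").write_text("constructed user data\n")

        # In practice this manifest is written to removable media, not left on the box.
        baseline = build_manifest(tmp)

        # Simulated post-compromise changes: one binary replaced, one file dropped
        # in, one user file gone. settings.ini is untouched and must not be reported.
        (root / "Program Files" / "Tool" / "tool.exe").write_bytes(b"constructed binary v1, patched")
        (root / "Program Files" / "Tool" / "helper.dll").write_bytes(b"constructed dropped file")
        (root / "Users" / "alice" / "notes.txt").unlink()

        return compare_manifests(baseline, build_manifest(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```
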

    2. Re:And ... ? by SLi · · Score: 1

      People in the Windows world seem to ignore this until it becomes painfully obvious to them, but the only guaranteed solution, and the only solution real experts would offer (which I'm really glad is understood in the Unix world!) to you if it were of any importance that the malware be completely eradicated from your computer, to an administrator or system level compromise is a full reinstall or restore from backups before the compromise. Anything less than that and there is a way the malware can evade.

      I know it's painful. But it's the only way. Admin or system level compromise is not a routine matter, no matter how much some people like to portray it as such.

    3. Re:And ... ? by WrongSizeGlass · · Score: 3, Funny

      "What is your answer to AFTER the box has been cracked?"

      I've found that super glue works pretty well, but nothing is as good as blue duct tape. Blue duct tape rules.

    4. Re:And ... ? by SpaceLifeForm · · Score: 1, Informative

      Rename files containing 'install' to something else.

      Link

      The height of stupidity from Microsoft.
      Will they be able to top it?

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    5. Re:And ... ? by QuantumG · · Score: 4, Insightful

      I love the way people say "you need to reinstall" .. as if you're going to do better building the box to be secure this time.

      --
      How we know is more important than what we know.
    6. Re:And ... ? by SLi · · Score: 2, Insightful

      Well, you had better, because if you don't, you'll have to go through the same again. Many people learn from their mistakes, fortunately. Reasonable security even on Windows is not that hard, if you take the steps before the compromise.

    7. Re:And ... ? by Anonymous Coward · · Score: 0

      I haven't seen anyone in the Windows world who ignores that. Every security professional, Windows or Linux, that I've ever met has said exactly what you did: the only way to ensure that you've completely eliminated a root-level compromise is to reinstall from scratch and restore from a known-good backup. (The part about "known-good" backups is the tricky part, since most compromises lie dormant for weeks or months before they are activated. Simply choosing the last full backup before your box started launching DoS attacks isn't sufficient.)

      The reason that most machines are "fixed" instead of rebuilt is based on something else you said:

      it were of any importance that the malware be completely eradicated from your computer

      Generally speaking, it's not of importance. Partially that's because hackers usually go after the low-hanging fruit, and a system that's been "fixed" and secured (more than it was before, anyway) is no longer low-hanging fruit. The hacker could perhaps get back in if he devoted any attention to the matter, but with literally millions of other boxes he could hack with no special effort at all, why bother?

      The general strategy for security is to look at your server and figure out how much of a target you're going to be. Then you secure the server just enough to make it harder to crack than comparable machines. A good hacker who's targeting you in particular will still be able to get in, but nothing you can possibly do will change that anyway. And the more secure your system is, the more of a pain in the ass it is for its rightful users to access. The trick is knowing where to draw the line, and it's what separates good security professionals from bad ones. (Tip for managers who may be reading this: Good security people will get hacked sometimes, because bad security people will lock down systems to the point of utter uselessness. Their machines will be immune to compromise, but they'll also be immune to productive work.)

    8. Re:And ... ? by alshithead · · Score: 1

      "I've found that super glue works pretty well, but nothing is as good as blue duct tape. Blue duct tape rules."

      Your duct tape has been hacked. Duct tape does not come in blue. The blue tape is masking tape for painting. Yes, it does stick very goodly...but by that fact alone it is not duct tape. Real duct tape is gray or silver and DOES NOT stick nearly as goodly to some surfaces.

      --
      I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
    9. Re:And ... ? by zcat_NZ · · Score: 1

      Not enough. Vista looks at things other than the filename to decide if your program is an installer, and I've heard that it's infuriatingly good at recognizing them too. So if you want to take a look at some potentially interesting but not fully trusted program, setting it up in a special 'sandbox' login just to try it out is just not an option. You're just going to have to let the installer have access to your entire system, like it or not.

      --
      455fe10422ca29c4933f95052b792ab2
    10. Re:And ... ? by Weedlekin · · Score: 1

      "The blue tape is masking tape for painting"

      It's more likely to be electrical insulating tape. Masking tape is usually made of paper, and isn't particularly sticky because it's manufactured for easy removal after painting without leaving adhesive on the surfaces it was applied to.

      --
      I'm not going to change your sheets again, Mr. Hastings.
    11. Re:And ... ? by WrongSizeGlass · · Score: 2, Funny

      You can find blue duct tape on this new intertube place called Google. My mechanic uses some magic blue duct tape he refers to as "100 MPH tape" ... which is why I never let him tow my car.

    12. Re:And ... ? by Anonymous Coward · · Score: 0

      > Real duct tape is gray or silver and DOES NOT stick nearly as goodly to some surfaces.

      Which makes it lousy for use on, of all things, ducts. It's a more-or-less deliberate mispronunciation of "Duck Tape", a trademarked brand of waterproofing tape, and pretty similar to gaffer tape (gaffer tape tends to be stickier). Gaffer tape comes in a rainbow of colors, but most commonly black.

    13. Re:And ... ? by alshithead · · Score: 1

      "It's more likely to be electrical insulating tape. Masking tape is usually made of paper, and isn't particularly sticky because it's manufactured for easy removal after painting without leaving adhesive on the surfaces it was applied to."

      Not to argue or anything but I was considering the fact that the comparison to duct tape implied a similar width. Also, I've used the blue masking tape with great success to hold things like 2x4's together before nailing/screwing together. Also, also, regular masking tape does a great job of sticking stuff together once a little heat is applied. If you doubt me, take some masking tape and attach it to something and put it in your car on a nice, hot day. You will have tape and/or residue on said object FOREVER. :)

      --
      I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
    14. Re:And ... ? by Anonymous Coward · · Score: 0

      "I love the way people say "you need to reinstall" .. as if you're going to do better building the box to be secure this time."

      I always imagine there's a piece of code somewhere in the process that goes:

      if (rand(1,16)==1)
      {
          install_correctly();
      }
      else
      {
          screw_it_up();
      }

    15. Re:And ... ? by Weedlekin · · Score: 1

      "I've used the blue masking tape with great success to hold things like 2x4's together before nailing/screwing together"

      That's because, as I said, it isn't masking tape.

      "Regular masking tape does a great job of sticking stuff together once a little heat is applied."

      Heat (and indeed cold) changes the properties of most adhesives. There is a whole class of them called "thermosetting adhesives" that rely on this fact.

      --
      I'm not going to change your sheets again, Mr. Hastings.
  8. Duh! by Cervantes · · Score: 4, Funny

    From the "No fucking shit, Sherlock" file...

    Malware writers will write malware for the latest OS? And they'll try and find ways around the blocks? And in the millions of lines of code, they'll find a weakness and succeed? Holy shit, I never would have guessed!!

    Seriously, sometimes when I read Slashdot, a small part of my brain cries out in pain, and then is silent forever.

    --
    If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moment's pause.
    1. Re:Duh! by Anonymous Coward · · Score: 0

      "Seriously, sometimes when I read Slashdot, a small part of my brain cries out in pain, and then is silent forever."

      Will you let us know when the typing part of your brain goes silent forever?

    2. Re:Duh! by Workaphobia · · Score: 4, Funny

      > "Seriously, sometimes when I read Slashdot, a small part of my brain cries out in pain, and then is silent forever."

      This was only the first in a sequence of articles, the next being "Hackers can break into unsecured wireless routers."

      The Jedis are going to feel this one.

      --
      Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
    3. Re:Duh! by drsmithy · · Score: 1

      Malware writers will write malware for the latest OS? And they'll try and find ways around the blocks? And in the millions of lines of code, they'll find a weakness and succeed? Holy shit, I never would have guessed!!

      The only "weakness" the majority of malware succeeds against is the weakness of the user to do whatever it asks them to so they can watch porn, get new smileys, win an iPod, etc.

  9. Re:Why the, extra comma? by dsanfte · · Score: 1

    Commas represent pauses in speech. Speaking that headline, you'd pause in exactly the same place.

    --
    occultae nullus est respectus musicae - originally a Greek proverb
  10. Duh!-Not here. by Anonymous Coward · · Score: 0

    "Malware writers will write malware for the latest OS? And they'll try and find ways around the blocks? And in the millions of lines of code, they'll find a weakness and succeed? Holy shit, I never would have guessed!!"

    Except when talking about Linux of course.

  11. Hey, Russinovich by Ranger · · Score: 3, Insightful

    Vista is Malware!

    --
    "You'll get nothing, and you'll like it!"
  12. Standard plug-in joke #3: by Black+Parrot · · Score: 4, Funny

    In Russinovich, malware attacks Vista.

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:Standard plug-in joke #3: by Opportunist · · Score: 1

      In capitalist America, Vista attacks YOU.

      Is it me or is something wrong with the world when the punchline of the "in Soviet Russia" jokes is not in the "in Soviet Russia" line?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. An Expected Approach by gooman · · Score: 5, Insightful

    He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.

    That is the scenario I have been envisioning since I first installed RC1. Microsoft is conditioning users to agree to about anything by having so many intrusive pop-ups. People just want to get on with their computing experience. Maybe they will read the warning a few times at first, but after a short while they just respond without reading because that is how they get to the next step. Of course malware writers will use this method, it is almost as if Microsoft has given them a gift.

    --
    "Kittens give Morbo gas!"
    1. Re: An Expected Approach by Ephemeriis · · Score: 1

      That's something that I noticed almost immediately when I installed Vista. I guess I don't know how it would be for your typical home user, but the things I was trying to do kept asking me for permission. Had to click OK to install software...had to click OK to change network settings...had to click OK to change firewall/filesharing settings when it detected a new network...had to intentionally run the command prompt with administrative rights, and then click OK to allow it... Maybe your average user wouldn't see it so much, maybe they would, but it got to the point where I wasn't even reading the warnings anymore.

      By contrast, Ubuntu asks you relatively seldom. At the command prompt I'm frequently having to sudo stuff, but it just asks for your password, you don't get asked if it's OK or not. Synaptic asks for permission...a few system changes do...installing software usually does... But I got the OK prompt a dozen times a day with Vista, compared to once or twice with Ubuntu.

      Macs also prompt the user for administrative operations...but again, it's far less frequent than Vista.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    2. Re: An Expected Approach by Durandal64 · · Score: 1

      What is the method, exactly? How does putting up a fake elevation prompt accomplish anything? If it's a fake elevation prompt, by definition, it accomplishes nothing. To get elevated privileges, you have to go through UAC, and the actual elevation interface exists on a separate desktop to prevent scripts from faking a click on the "Allow" button. So how is this "attack" any different from just presenting a random button to the user that says "CLICK ME OMG PLEEEZE CLICK ME!!!"?

    3. Re: An Expected Approach by NatasRevol · · Score: 1

      The question is: can the script prompt the real UAC interface, and, because the user is so used to just clicking Accept to get things to work, get the rootkit installed by the user?

      --
      There are two types of people in the world: Those who crave closure
    4. Re: An Expected Approach by VertigoAce · · Score: 1

      Vista just asks me for my password. I haven't seen this cancel or allow prompt in months. When I need admin access for a task I have to type in an admin password. The kinds of tasks that require admin access in Vista seem to be more or less the same as those in Linux that require root.

      Basically, the behavior you are seeing is that you are taking a shortcut and running as root all the time. Any time you actually need to be an admin it'll ask for your permission, but not require a password, since you already logged on as an admin. You really shouldn't be running in this mode. I tend to name the first account "Admin" and immediately create my own user account. I never directly log in as Admin, just like I never have a full KDE session as root.

      I think the main situation where people are seeing these prompts unexpectedly is with hard drives that were configured under XP to be writable only by admins. If you don't change the permissions before using Vista, standard users won't have write access. You'll run into the same problem pretty easily under Linux (mounting a drive with every file owned by root with 0755 permissions).

    5. Re: An Expected Approach by gutnor · · Score: 1

      First, I don't have Vista and I don't plan to have it.

      However, I assume that in a sane environment, the user should be asked when it installs software (at least software that registers some system-wide stuff, which is pretty much everything in the Windows world), changes firewall/antivirus settings, network config, ... unless it runs in administrative mode of course.

      When people talk about confirmation boxes, I suppose they run in user mode, where it makes sense to elevate a process's privileges when running 'admin' stuff. Not the best feature, but a nice user-friendly transition option for people who have been using their computer in Admin mode since they got one.

      If you are still running Vista in Administrator mode by default, either you or Microsoft (for not defaulting that type of installation mode) screwed up somewhere. Warning boxes in Administrative mode are little more useful for security than a 'don't jump' sign next to a cliff.

    6. Re: An Expected Approach by funkyloki · · Score: 2, Insightful

      The gift is that Microsoft can now "blame" the user for their weakly written OS. By making it the user's responsibility to approve/disapprove just about every freakin' thing that runs on the Vista box, they can then go back and say "Gee, too bad you got that virus/spyware/malware infection, but it's not our fault, you clicked Allow".

      Instead of making a better, more secure OS, they just shifted the culpability for weak security to the user.

      --
      Scientists now say the future will be far more futuristic than originally believed
    7. Re: An Expected Approach by Daengbo · · Score: 1

      What's kind of scary on Ubuntu is the sudo and gksudo timeout. If you invoke gksudo to gain administrative privileges one time, then you don't have to type the password in again for a few minutes. What if a piece of malware invokes a program like update-manager which asks for your password, then immediately follows up with "gksudo cp ./bash /bin/bash" and gets sudo privileges? Sounds dangerous to me, and not different from the Vista problem highlighted in TFA.

    8. Re: An Expected Approach by Daengbo · · Score: 1

      Bad form replying to myself, but I realized that the user-level program could just monitor the system and wait for gksudo to be called by the user, then call it again almost immediately to install a rootkit. Much simpler and more foolproof than trying to spoof something.

    9. Re: An Expected Approach by Anonymous Coward · · Score: 0

      Y HALO THAR

    10. Re: An Expected Approach by Ephemeriis · · Score: 1

      I think a good part of the problem is that many people, myself included, are still running software that requires administrative access to work properly.

      Many of my son's games only run correctly when you are logged in as an administrator (under XP, not Vista). I assume that he'd need to enter a password or click OK to make them work under Vista.

      Utilities like Net Stumbler require administrative rights to run properly under Vista.

      One of the language training programs at a school that I support requires administrative access to run properly.

      Maybe there's a good reason why these programs need administrative access, maybe not...but they need it. And under Vista you'll be prompted.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    11. Re: An Expected Approach by SEMW · · Score: 1

      "Maybe there's a good reason why these programs need administrative access, maybe not...but they need it. And under Vista you'll be prompted."

      Sorry, but that's just wrong. Pretty much everything that "needs" admin rights in XP does so because the app wants write access to either the systemwide branch of the registry (i.e. HKLM) rather than the current user branch, or, more often, its own folder in \Program Files rather than \AppData in the current user's home folder (ini files etc.). Neither of these will need admin privs in Vista due to file & registry virtualization, which redirects writes (and subsequent reads) to a per-user location within the user's profile. For example, if an application attempts to write to C:\Program Files\appname\settings.ini and the user doesn't have permissions to write to that directory, the write will get redirected to C:\Users\username\AppData\Local\VirtualStore\Program Files\appname\.

      --
      What's purple and commutes? An Abelian grape.
    12. Re: An Expected Approach by SEMW · · Score: 1

      "By making it the user's responsibility to approve/disapprove just about every freakin' thing that runs on the Vista box, they can then go back and say "Gee, too bad you got that virus/spyware/malware infection, but it's not our fault, you clicked Allow"."

      I've seen this comment quite a few times on Slashdot, and it continues to be completely senseless. Someone has to decide whether any particular piece of software is permitted to be installed. Either it's you, or it's Microsoft. If you'd be happy for Microsoft to decide for you what programs you're allowed to install on your own computer, if you'd be happy to download and run a program only for a prompt to say "Sorry, Microsoft has forbidden the installation of this program on Windows PCs", if you'd be happy to relinquish even the semblance of having control over your own computer; best of luck to you. I'll stick with OSes that allow me the ability to take responsibility for what programs I install on my own computer.

      --
      What's purple and commutes? An Abelian grape.
    13. Re: An Expected Approach by umeboshi · · Score: 1

      Set "timestamp_timeout" in /etc/sudoers to 0 and sudo will always ask for a password.
      The NOPASSWD tag will override this for those entries in the sudoers file that contain it. Using commands that have the NOPASSWD tag will not update the timestamp, and won't require a password.

      Set this and test it with:
              sudo ls && sudo ls

      You should have to enter the password twice. If you are even more concerned about how sudo is used on your system, you can set the mail_always option (and related options) to get reports on who is calling what and when with sudo.

      I hope this helps somewhat. I had some of the same fears that you seem to be expressing, and found this solution to be bearable, although not quite good enough.

      What is missing is the ability to "sudo -k command" so that invoking sudo like this will both run the command and kill the timestamp so subsequent commands need auth. The expression "sudo command || sudo -k" creates a race condition where another process can invoke sudo while there exists a valid timestamp.
      p.s. -- my sudoers file for my laptop is below, modified with a few comments.

      Defaults env_reset
      Defaults timestamp_timeout = 0

      # Host alias specification

      # User alias specification

      # Cmnd alias specification

      # User privilege specification
      root ALL=(ALL) ALL
      # this line is fairly standard
      umeboshi ALL=(ALL) PASSWD: ALL
      # it's handy to use hibernate without auth
      umeboshi bard = NOPASSWD: /usr/sbin/hibernate
      # sometimes fam keeps me from umounting removable drives
      umeboshi bard = NOPASSWD: /etc/init.d/fam
      # these initscripts don't run on boot
      # but may be useful later, please note that these are the
      # initscripts that are called, and not the underlying applications.
      umeboshi bard = NOPASSWD: /etc/init.d/samba
      umeboshi bard = NOPASSWD: /etc/init.d/uml-utilities
      umeboshi bard = NOPASSWD: /etc/init.d/postgresql-7.4
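      An added example, not code from the thread, tying Daengbo's cached-credential concern to umeboshi's timestamp_timeout fix: a small audit that reads sudoers text and reports the effective timeout and every NOPASSWD rule (which never prompts, whatever the timeout). The sample sudoers text is constructed, modelled on the one posted above, and the parser assumes the one-rule-per-line layout shown there.

```shell
#!/bin/sh
# Added example, not from the thread: audit a sudoers file for the two things
# discussed above: whether timestamp_timeout is 0 (no cached credentials, so a
# later "sudo" cannot ride on an earlier password entry) and which commands
# carry NOPASSWD, since those never prompt regardless of the timeout.
# Assumes the simple one-rule-per-line layout of the posted sudoers file.

# Constructed sample, modelled on the sudoers posted above.
SAMPLE_SUDOERS='Defaults env_reset
Defaults timestamp_timeout = 0
root ALL=(ALL) ALL
umeboshi ALL=(ALL) PASSWD: ALL
umeboshi bard = NOPASSWD: /usr/sbin/hibernate
umeboshi bard = NOPASSWD: /etc/init.d/fam'

# Effective timestamp_timeout (minutes) from sudoers text on stdin.
# Prints "unset" when no Defaults line sets it (sudo then uses its compiled-in
# default of a few minutes); the last setting wins, as in sudo itself.
sudoers_timeout() {
  awk '
    /^[[:space:]]*Defaults/ && /timestamp_timeout/ {
      sub(/.*timestamp_timeout[[:space:]]*=[[:space:]]*/, "")
      sub(/[[:space:],].*/, "")
      last = $0
    }
    END { print (last == "" ? "unset" : last) }'
}

# One line per NOPASSWD rule, as "user host command", from sudoers text on stdin.
sudoers_nopasswd_rules() {
  awk '/NOPASSWD:/ && !/^[[:space:]]*#/ {
    host = $2; sub(/=.*/, "", host)          # "bard" or "ALL" (also from "ALL=(ALL)")
    cmd = $0; sub(/.*NOPASSWD:[[:space:]]*/, "", cmd)
    print $1, host, cmd
  }'
}

# Verdict for the cached-credential race described above: "prompt-always" when
# the timeout is 0, "cached" otherwise (unset means the compiled-in default).
sudoers_verdict() {
  t=$(sudoers_timeout)
  if [ "$t" = "0" ]; then echo prompt-always; else echo cached; fi
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_verdict
printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_nopasswd_rules
```

      Run it against a real file with `sudo cat /etc/sudoers | sudoers_verdict`; any rule the second function lists is a command that an already-running user-level process can invoke without a prompt.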

    14. Re: An Expected Approach by Daengbo · · Score: 1

      This is great information and I'll certainly look into it, but I'm concerned that the default behavior is (in my opinion) unsafe.

  14. Really? by adona1 · · Score: 1

    I was amazed to find out that a Windows OS will probably get malware.

    That's it for today. Time to go to my home under a log. Where I've been living for the last two decades :)

    --
    Between the falling angel and the rising ape
    1. Re:Really? by alshithead · · Score: 1

      "That's it for today. Time to go to my home under a log. Where I've been living for the last two decades :)"

      Dude...you are so way behind teh times...Shouldn't you like be living under a ROCK! Living under a log has been out of date for like evar...

      --
      I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
    2. Re:Really? by adona1 · · Score: 1

      I'm an environmentalist, I'll only live under biodegradable objects ;)

      --
      Between the falling angel and the rising ape
    3. Re:Really? by alshithead · · Score: 1

      "I'm an environmentalist, I'll only live under biodegradable objects ;)"

      Hmm...I guess rocks are geodegradable? :)

      --
      I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
  15. Why is this news? by grapeape · · Score: 1

    Seriously, this is like one of those headlines where researchers find that depressed people are more likely to commit suicide or that water is wet. As long as there are stupid users there will be exploited computers and as long as Microsoft has the lion's share of the market there will be more zombied Windows boxes.

    I had a bit of a disagreement with a client today over spam on her computer. She freaks out if there is more than one in her inbox. Every time I am at her machine she has Webshots or Smiley Central or whatever the "cool" spyware-infested freebie of the week happens to be. She claims that she should be able to download what she wants but that I should be able to keep her system clean in spite of it. It's a no-win situation: as long as she chooses to be stupid I'm stuck getting the blame for her problems.

    1. Re:Why is this news? by Anonymous Coward · · Score: 0

      Show her a personal information calculator where she sees what the information she throws out there is worth, and what it's SOLD for. She'll act more in her self-interest once she has an understanding of the value of the commodities involved. Unless she's not a rational actor.

  16. Ingris Featherstrom by photomonkey · · Score: 0

    Download 1000+ free smiley icons for AOL, ICQ and Windows Messenger by clicking on this link and also by sending me your name, Social Security number, address, and a pair of your wife's panties (but only if she's hot).

    Also, we have v1@grA and C1ALIS sof-tabs and gelcaps!!!11!!!11!

    --
    Message contains 1 attachment: spam.gif
    1. Re:Ingris Featherstrom by stormeru · · Score: 0

      This domain is available for sale!
      You can buy it HERE.
      So do you mean that I can use goatse.cx as a smiley icon?
      Does this smiley looks like this? you got a point, it is a big smile.
  17. Re:Why the, extra comma? by vux984 · · Score: 2, Informative

    The comma isn't extra:
    Proper punctuation for a sentence like this is:

    Someone said, "Something that they said goes here."

    A comma is supposed to precede the quote. If anything, one might ask, why the headline is missing the quotes. :)

  18. Please install bugfix-324234.exe by Anonymous Coward · · Score: 0

    Even the best operating system will not stop the worst user from installing something on their system intentionally if they have some type of "official" word from someone. I've seen thousands of these "Please install this bugfix-xxxxx.exe" emails hitting my mail server and I've seen how convincing they look, with the Microsoft logo and apparently correct email contact information and an almost perfect Microsoft font. Most of my shop are Macs so I don't really have to worry about this, but I still sent out an email message about not installing anything from email or the web unless you have initiated contact with the vendor.

    Vista doesn't stop these intentional installs of malware; the user will "okay" everything to bypass security and the malware installs.

  19. Re:Why the, extra comma? by dsanfte · · Score: 1

    "The comma isn't extra:"

    I never said it was.

    --
    occultae nullus est respectus musicae - originally a Greek proverb
  20. Not necessarily. by khasim · · Score: 5, Interesting

    I can boot with a LiveCD and mount the hard drive so that NONE of its files are being run.

    Then I simply match each and every file on the hard drive to the package that it should have come from and validate the md5 checksum.

    Any file that is NOT accounted is suspect and can be individually evaluated. Most of them should be data files that are not executable.

    Remember, in Linux, everything is a file and the boot process is very clearly defined. If something is running on your machine, you can find what it is and why it is running.

    Any system that REQUIRES a complete tear down after ANY vulnerability is exploited is NOT a well designed system. There has to be a way to validate each section of the system.

    1. Re:Not necessarily. by SLi · · Score: 1, Interesting

      In theory, yes, you can do that. In reality though in any reasonable system quite a number of configuration files have been modified, and the users have stuff in their home directories that does not directly come from any installation CD that could be used for at least a user-level exploit (which makes a root exploit dramatically easier). In such a system it is generally quite a bit less work actually to do a reinstall and reconfiguration than combing all the files with the kind of comb you need to catch all things evil. It's like trying to find the proverbial needle in the haystack, except that the needles have been deliberately hidden and you don't know how many there are – and if you miss one, you lose.

    2. Re:Not necessarily. by Anonymous Coward · · Score: 0

      That works. You're comparing a known good install to a suspect system in such a way that you know the comparison is good. However, two points:

      (1) How do you know that the CD has booted up with clean code? How do you know that the malware hasn't infiltrated the code that runs before the CD bootstrap is read? (BIOS or equivalent) Yes, the odds are very good it hasn't ... but how do you know?

      (2) How much time is such a comparison going to take? Would it be quicker to just nuke and re-install?

    3. Re:Not necessarily. by QuantumG · · Score: 1

      If they've owned your BIOS, reinstalling won't help.

      --
      How we know is more important than what we know.
    4. Re:Not necessarily. by moeinvt · · Score: 1

      I wouldn't consider myself a Linux neophyte, but parts of that procedure flew over my head. Can you provide some details? I assume you ARE talking about Linux.

      How do you "match each and every file on the hard drive to the package that it should have come from"? What exactly are you comparing? How/where do you accumulate and store the checksum data? How often do you do this? After installing a new application and working for a week, it seems like individual evaluation of each file that was "unaccounted for" would be a colossal headache. Not doubting the effectiveness of your method, but I'd like to understand the details so I could try it. I might even attempt something similar for the drive containing my Windows install.
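      The LiveCD check khasim describes in comment 20, and the matching step moeinvt asks about, as an added shell example that is not code from the thread: on a Debian-style disk, dpkg keeps a per-package list of md5sums under var/lib/dpkg/info, so the script recomputes every listed hash against the mounted copy and then lists files under chosen directories that no package claims. The mount point name and the demo root it builds are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: an offline integrity check in the spirit
# of khasim's LiveCD procedure, for a Debian-style root filesystem mounted
# read-only at ROOT (e.g. /mnt/suspect) so none of its code is running.
# dpkg keeps one md5sums list per installed package under
# var/lib/dpkg/info/*.md5sums, each line "hash  relative/path" (no leading /).
# Caveat (the AC's point in comment 20.2): those lists live on the suspect disk,
# so a compromise that rewrote a file could rewrite its entry too; the stronger
# check takes the reference hashes from pristine .deb files off a trusted mirror.

# Verify every file listed in the package md5sums lists under "$1".
# Prints "MISMATCH path" or "MISSING path" per problem, nothing otherwise.
verify_packaged_files() {
  root=$1
  for list in "$root"/var/lib/dpkg/info/*.md5sums; do
    [ -f "$list" ] || continue
    while read -r sum path; do
      [ -n "$path" ] || continue
      file="$root/$path"
      if [ ! -f "$file" ]; then
        echo "MISSING $path"
      elif [ "$(md5sum < "$file" | cut -d' ' -f1)" != "$sum" ]; then
        echo "MISMATCH $path"
      fi
    done < "$list"
  done
}

# List regular files under the given directories (relative to "$1") that no
# package claims: the "unaccounted for" set to review by hand.
unaccounted_files() {
  root=$1; shift
  known=$(mktemp)
  cat "$root"/var/lib/dpkg/info/*.md5sums 2>/dev/null \
    | sed 's/^[0-9a-f]*  //' | sort > "$known"
  for dir in "$@"; do
    find "$root/$dir" -type f 2>/dev/null
  done | sed "s|^$root/||" | sort | comm -23 - "$known"
  rm -f "$known"
}

# Constructed demo root standing in for the mounted suspect disk: one package
# list covering three files, of which one was changed after install and one is
# gone, plus one file that no package owns.
make_demo_root() {
  demo=$(mktemp -d)
  mkdir -p "$demo/var/lib/dpkg/info" "$demo/usr/bin"
  printf 'legit\n' > "$demo/usr/bin/legit"
  printf 'original\n' > "$demo/usr/bin/tampered"
  {
    printf '%s  usr/bin/legit\n' "$(md5sum < "$demo/usr/bin/legit" | cut -d' ' -f1)"
    printf '%s  usr/bin/tampered\n' "$(md5sum < "$demo/usr/bin/tampered" | cut -d' ' -f1)"
    # any hash will do here: the file is absent from the disk
    printf 'd41d8cd98f00b204e9800998ecf8427e  usr/bin/removed\n'
  } > "$demo/var/lib/dpkg/info/demo-pkg.md5sums"
  printf 'changed\n' > "$demo/usr/bin/tampered"   # modified after the list was written
  printf 'unknown\n' > "$demo/usr/bin/unowned"    # claimed by no package
  echo "$demo"
}

# Stand-alone run against the constructed root.
DEMO_ROOT=$(make_demo_root)
verify_packaged_files "$DEMO_ROOT"
echo "--- files under usr/bin owned by no package:"
unaccounted_files "$DEMO_ROOT" usr/bin
rm -rf "$DEMO_ROOT"
```

      On a real disk, point both functions at the mount point (`verify_packaged_files /mnt/suspect; unaccounted_files /mnt/suspect bin sbin usr lib etc`); home directories and /etc will always show unowned files, which is the part of the job that has to be done by hand.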

    5. Re:Not necessarily. by Arterion · · Score: 0

      Remember, in Linux, everything is a file and the boot process is very clearly defined. If something is running on your machine, you can find what it is and why it is running.

      Everything is clearly defined in Windows, too.

      Unfortunately, average joe user isn't going to know where to look in Linux or Windows. It's not a problem that can be easily solved. You've got a long list of things that need to run on either OS, that joe user isn't going to understand the significance of. He's never going to be able to pick through a big list and know what to let run and what to deny, even if it were painfully simple to access such a list.
      --
      "That which does not kill us makes us stranger." -Trevor Goodchild
  21. but but.... by Anonymous Coward · · Score: 1, Insightful

    but...but.....

    vista is supposed to be completely secure.......

    feelings of betrayal over buying a whole new PC to run this POS OS are setting in. Allow or deny?

  22. Unix-style permissions are not enough. by earthbound+kid · · Score: 5, Interesting

    People sometimes talk like strong enforcement of Unix-style permissions is sufficient to provide local security. I find that argument totally unconvincing. Yes, it's nice to have the confidence that with modern OSes like Linux, OS X, and (probably) Vista I won't end up like the old Windows where you have to reformat a disk to try to clear the deeply dug in roots of some spyware crap from the system, but there's still the pretty damn big issue of all my data. Namely, having to reinstall the OS would be a pain, and I'm glad I don't have to waste an hour doing it, but losing all my data (documents, photos, music, and to a lesser extent application preferences) would be devastating. The data on my PowerBook is my life, and the reassurance that at least I don't have to reinstall OS X would be cold comfort at best. True, I do make a monthly backup onto an external drive that is normally unplugged (and thus out of range of rm *ing attacks), but probably most users don't follow this practice. Besides, a subtler virus could just silently corrupt my data over a period of months, so that I don't notice what's going on until my backups are no longer any good!

    There is a solution to the problem, but it requires a deep rooted change in how things are done. What I propose is that we shift from permissions by user to permissions by application. Right now, any app that my user launches can erase any of my files. That's ridiculous! Much more logical would be allowing me to decide which subset of my files each app can use and how. So, for example, I would let Firefox write downloads to my desktop and its preferences and caches to subfolders of the Library, but I wouldn't want it to be able to erase any of my other files under any circumstances. In fact, most of the time I don't even want Firefox to be able to read my local files, but I'd be willing to put in a password to let it do so on a time-limited basis during uploads and the like.

    Basically, what I'm proposing amounts to sandboxing every app. This may seem harsh, but why not do it? What's the advantage of letting any app destroy any of my files? Make them at least beg me for permission first, I say!

    So, that's what's on my wishlist for the future of OS level security.

    1. Re:Unix-style permissions are not enough. by DaleGlass · · Score: 1

      One word: SELinux

      It's not new either. And it does what you want it to do. However, it's a royal pain in the ass to configure, because you need to figure out what every application should be able to do. It's definitely not something for a newbie, and probably it will be long before such a thing is usable by normal people.

      Also, I doubt it'll work well for Windows. For Linux sure, distributions would just have to provide the SELinux security settings for the packages. But for Windows? Who provides the list of things the application should be able to do? It can't be the author, as all the malware would just ship rules allowing them to mess with whatever they need.

    2. Re:Unix-style permissions are not enough. by Anonymous Coward · · Score: 0

      sounds kind of like what is called "capability based" program security http://www.skyhunter.com/marcs/capabilityIntro/index.html

    3. Re:Unix-style permissions are not enough. by Anonymous Coward · · Score: 0

      Look up the OLPC Project ;)

    4. Re:Unix-style permissions are not enough. by kisielk · · Score: 1

      Malware writers are not interested in corrupting your data, what do they have to gain from that? Maybe a small minority who just want to mess with people would actually bother. Real malware is created with the intent of taking over your machine silently and then using it as a zombie to distribute spam, that's where the money is after all.

    5. Re:Unix-style permissions are not enough. by MikeSlashSlash · · Score: 1

      Sandboxing = Software Virtualization. I think Altiris SVS may do what you want.

      http://juice.altiris.com/node/86

      Unfortunately(?), they are now part of Symantec.
      http://www.altiris.com/Company/PressReleases/2007/04112007a.aspx

    6. Re:Unix-style permissions are not enough. by bonefry · · Score: 1

      Unix-style permissions are not the most sophisticated security you can have, but they get the job done.
      Over the years a lot of security mechanisms have been proposed, but the high complexity of working with them has put people off.
      For example you can set security policies in both .NET and Java applications, so that the virtual machine can stop you from accessing resources that aren't needed ... but nobody is using this facility.
      I did set up a security manager for a Java application that was supposed to behave like a server, and with connectivity to the outside world through a socket comes great responsibility ... and it was a pain to set up, and I probably won't do it again ;)

      In any case, on Linux you have a viable solution with SE Linux (installed by default in Fedora) and AppArmor (installed by default in SUSE).
      I think those will answer your needs, try them.

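The following is an added example, not code from the thread or from any distribution: an AppArmor profile (the mechanism bonefry points at above) that encodes the per-application permissions earthbound+kid asks for, namely downloads writable under Desktop and Downloads, the browser's own profile and cache writable, and nothing else under the home directory readable. The binary path /usr/lib/firefox/firefox, the /etc/firefox path, the profile file name and the abstractions pulled in are assumptions for a Debian-style layout; adjust them to your distribution. AppArmor is default-deny inside a profile, so every access not listed is refused and logged.

```shell
#!/bin/sh
# Added example (not from the thread): a per-application AppArmor profile for
# Firefox. Paths below are assumptions for a Debian-style layout.
set -eu

PROFILE=/etc/apparmor.d/usr.lib.firefox.firefox   # assumed install path

# write_profile: prints the profile text to stdout
write_profile() {
    cat <<'EOF'
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/X>

  network inet stream,
  network inet6 stream,

  # the program and its libraries: read and mmap-exec, run under this profile
  /usr/lib/firefox/** mr,
  /usr/lib/firefox/firefox mrix,
  /etc/firefox/** r,

  # the only writable places: its own profile/cache, and where downloads land.
  # "owner" restricts the match to files the invoking user owns.
  owner @{HOME}/.mozilla/ rw,
  owner @{HOME}/.mozilla/** rwk,
  owner @{HOME}/.cache/mozilla/ rw,
  owner @{HOME}/.cache/mozilla/** rwk,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,
  owner @{HOME}/Desktop/ r,
  owner @{HOME}/Desktop/** rw,

  # the rest of the home directory is already unreachable (nothing grants it);
  # explicit deny rules for key material also beat any later #include that
  # might grant it by accident.
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,
}
EOF
}

# install_profile: write the profile and load it in complain mode first;
# switch to aa-enforce once the log shows only the accesses you expect.
# Needs root and a kernel with AppArmor enabled.
install_profile() {
    write_profile > "$PROFILE"
    apparmor_parser -r "$PROFILE"      # load (or reload) the profile into the kernel
    aa-complain "$PROFILE"             # log violations without blocking them
}
```

Run in complain mode for a while and use aa-logprof to pick up the accesses a real browser needs that this skeleton omits (shared memory, GPU device nodes, the proc entries the base abstraction does not cover). What the profile cannot express is the "ask me for a password and allow it for a while" part of the proposal: AppArmor policy is static, so an upload from elsewhere in the home directory means either copying the file into Downloads first or widening the profile.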
    7. Re:Unix-style permissions are not enough. by Jackmn · · Score: 1

      but losing all my data (documents, photos, music, and to a lesser extent application preferences) would be devastating.
      Why not add a root cron job to periodically copy your personal files to a directory that your normal user account doesn't have access to?
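
The root cron job suggested above, as an added example that is not part of the original post: the snapshot directory is mode 0700 and owned by the cron user (root), so the user's own account, and any malware running as it, cannot read or delete it. Two things are added that the original proposal in this subthread asks for: snapshots are kept rather than overwritten, and each snapshot carries a checksum manifest so that a file "silently corrupted over a period of months" shows up as a difference between two snapshots. The paths /home/alice and /var/backups/alice in the crontab line are illustrative assumptions; file names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the thread): root cron job that snapshots a user's
# home into a root-only directory and keeps per-snapshot checksum manifests.
# crontab -e (as root):  30 3 * * 0  /usr/local/sbin/snapshot-home /home/alice /var/backups/alice 12
set -eu

# list_snapshots DEST: snapshot directory names, oldest first
list_snapshots() {
    ls -1 "$1" | grep -E '^[0-9]{8}T[0-9]{6}Z$' | LC_ALL=C sort
}

# manifest DIR: one "crc size ./path" line per regular file (paths without whitespace)
manifest() (
    cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do cksum "$f"; done
)

# snapshot SRC DEST [KEEP]: copy SRC to DEST/<utc-stamp>/, keep the newest KEEP
# snapshots, print the stamp of the new one. Runs in a subshell so umask is local.
snapshot() (
    src=$1; dest=$2; keep=${3:-6}
    umask 077                          # nothing created here is group/world readable
    mkdir -p "$dest"
    chmod 700 "$dest"                  # owned by the cron user: the backed-up account cannot traverse it
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    while [ -e "$dest/$stamp" ]; do sleep 1; stamp=$(date -u +%Y%m%dT%H%M%SZ); done
    tmp="$dest/.incoming.$stamp"
    rm -rf "$tmp"                      # leftover from an interrupted run, if any
    cp -Rp "$src" "$tmp"               # -p keeps modes and mtimes; tmp becomes a copy of src
    manifest "$tmp" > "$tmp.cksum"
    mv "$tmp.cksum" "$dest/$stamp.cksum"
    mv "$tmp" "$dest/$stamp"           # renamed last: a half-copied tree is never listed
    n=$(list_snapshots "$dest" | wc -l | tr -d ' ')
    list_snapshots "$dest" | while read -r old; do      # prune the oldest beyond KEEP
        [ "$n" -gt "$keep" ] || break
        rm -rf "$dest/$old" "$dest/$old.cksum"
        n=$((n - 1))
    done
    echo "$stamp"
)

# changed_files DEST OLD NEW: files present in both snapshots whose checksum differs.
# Lines unique to one manifest (uniq -u) are either changed or added/removed;
# a path that then appears twice (uniq -d) existed in both, so it was changed.
changed_files() {
    cat "$1/$2.cksum" "$1/$3.cksum" | LC_ALL=C sort | uniq -u |
        awk '{ print $3 }' | LC_ALL=C sort | uniq -d
}
```

A monthly `changed_files` run over two snapshots a few months apart lists exactly the files that changed without being added or removed; documents you have not touched in that time showing up there is the "subtle corruption" case the thread worries about, caught while the older snapshot still holds a good copy.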
    8. Re:Unix-style permissions are not enough. by blind+biker · · Score: 1

      This would be most feasible if applications would be self-contained in one directory, like they used to in the old DOS days, or like it is with most BeOS applications. Spreading around thousands of files on your system, be it configuration, save files or libraries, is, in my view, not a good idea.

      Yes, I also happen to think static linking is superior to dynamic, especially nowadays that diskspace is really not a problem anymore.

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    9. Re:Unix-style permissions are not enough. by 99BottlesOfBeerInMyF · · Score: 1

      What I propose is that we shift from permissions by user to permissions by application.

      If you're in a hurry to add this functionality, it is freely available from the port of TrustedBSD to OS X which you can get here. It is still pretty difficult for everyday use, however, because applications are not designed to accommodate it very well. In other news Apple had posted mention on an application signing framework and a mandatory access control framework on their public facing developer pages for leopard, but it was pulled with no explanation at the end of 2006. Keep your fingers crossed as this may be coming to OS X a lot sooner than you had anticipated.

    10. Re:Unix-style permissions are not enough. by 99BottlesOfBeerInMyF · · Score: 1

      Malware writers are not interested in corrupting your data, what do they have to gain from that?

      Actually, while malware writers may not be interested in specifically corrupting data they do have motivation to mess with it. There has been malware that mined user machines for online account info and credit card numbers. There has been malware that deleted chunks of data and used disk space for temporary data storage of illicit materials. There has been a lot of malware that hides among data, making your data unsafe. There has been an enormous number of malware infections that unintentionally destroy data.

      Restricting access of applications to data by default makes a lot of sense in my opinion. For example, there is no reason the OS cannot determine if a user is manually opening a file with a piece of software, or if the software is doing it without going through the file selection API. If the latter, why should a random executable have access to my address book, or my credit card receipts, or even my work files?

    11. Re:Unix-style permissions are not enough. by Anonymous Coward · · Score: 0

      Yes, I also happen to think static linking is superior to dynamic, especially nowadays that diskspace is really not a problem anymore.

      Yes, well, too bad main memory and processor cache still are. Assuming an average of 5Mb of extra size from statically linked libraries per executable and also assuming 50 different executables running at the same time on average, you managed to waste some 200Mb due to static linking. And I think this is a low estimate (just libc is already ~3Mb and my FC6 system had 106 different executables in use according to the process listing).
  23. Expect ??!?!!? by unity100 · · Score: 1

    Rather make it "look forward to".

    see, you can't cram in a crapload of control mechanisms (DRM and other shit) that can affect operation of the entire computer (and permission-wise, at even hardware level too!) and then expect it to be only as vulnerable as previous OSes (or any OS, in fact) that did not contain that much shit in them.

    malware producers, virus makers are going to exploit the hell out of the mechanisms microsoft put in vista.

  24. User Mode Rootkits? by WiseWeasel · · Score: 5, Insightful

    From the summary:
    "malware... can still hide with user-mode rootkits"

    Did that strike anyone else as odd? User mode rootkits... wouldn't that be "userkits", or just trojans/viruses/malware? If it doesn't have root access, I don't think you can call it a rootkit.

    --
    "I like systems, their application excepted", George Sand (French)
    1. Re:User Mode Rootkits? by SLi · · Score: 1

      You are right. They should call it something else if it doesn't compromise the entire system. That makes it a relatively isolated incident securitywise (not that it wouldn't be serious if they have compromised all your passwords, which I hope are different from your administrator password, bank account logins and credit card numbers).

    2. Re:User Mode Rootkits? by QuantumG · · Score: 1

      "rootkit" is often, stupidly, used as a term for what the old school virus writers call "stealth".. intercepting api calls and falsifying the result to hide something.

      they usually only do directory stealth.. the most trivial form..

      although I suppose there have been a few rootkits that did full stealth.. actually hiding modifications that have been made to a file.

      Full stealth comes in two forms:

      * remove info to be hidden on open / replace info to be hidden on close; or
      * direct updates of the buffers returned from each read.

      Obviously "redirection stealth", as the second form is called, is only good for files that are opened read only. It also happens to be the more efficient, and more difficult to get right form. As such, most viruses tend to only do the first.

      The hardest part about using stealth in a virus is to decide when it should be turned on and when it should be turned off. Ideally, you only want to turn it off when the user is performing an operation that is part of an infection vector. For example, when they are putting exes into an archive you definitely don't want stealth active.. otherwise the virus won't get copied into the archive. But when they're running their virus scanner, you definitely want stealth to be active.

      Of course, none of this is relevant to "root kits" .. the stealth is always active, unless you know how to manually turn it off.

      --
      How we know is more important than what we know.
    3. Re:User Mode Rootkits? by Megane · · Score: 1

      That makes it a relatively isolated incident securitywise (not that it wouldn't be serious if they have compromised all your passwords, which I hope are different from your administrator password, bank account logins and credit card numbers).

      The hell with that, all most of them want to do is use your box as a zombie spam/DoS mule. You don't need root (or its Windows equivalent) to do that.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    4. Re:User Mode Rootkits? by baeksu · · Score: 1

      From the summary: "malware... can still hide with user-mode rootkits"

      Did that strike anyone else as odd? User mode rootkits... wouldn't that be "userkits", or just trojans/viruses/malware? If it doesn't have root access, I don't think you can call it a rootkit

      I think he is making a distinction between the kernelspace and userspace. Vista has some new-fangled kernel patch protection thingie (tm), which should prevent unauthorized (unsigned I presume) changes in the kernel.

      Userspace has no such protection, outside of UAC and whatever Microsoft has decided to throw in there. So it presents a softer target for rootkits. I agree with you, though, a userspace rootkit sounds more like a trojan/virus. Maybe he just likes the word "rootkit" better.

      --
      Gnome: A never ending quest to make unix friendly to people who don't want unix and excruciating for those that do.
    5. Re:User Mode Rootkits? by nuzak · · Score: 1

      > Did that strike anyone else as odd? User mode rootkits... wouldn't that be "userkits"

      Most of what root does is still in usermode. Rootkits should be called "kernelkits", but they get their name from the fact that a) it's usually a set of scripts (a "kit") to attempt to escalate normal user privs to root, and b) root is the only one that can touch the kernel in order to install malware modules and drivers.

      The wisdom of a single god-user that can touch things it never should have to, such as kernel modules, even for most admin tasks that never need such access, is a ripe topic for discussion. It's also something that Linux will probably never really fix in the mainstream kernel.

      --
      Done with slashdot, done with nerds, getting a life.
  25. Social engineering by Matt+Perry · · Score: 1

    He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'

    Your computer is broadcasting an IP address! Click here to download the fix!
    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    1. Re:Social engineering by vertigoCiel · · Score: 1

      Pssssh. Just try to hack me. My IP address is 127.0.0.1.

  26. pfffft.. by Jose · · Score: 5, Funny

    malware tends to only be available for popular OS's! I am sure that Vista will remain safe from such attacks.

    --
    The basic sleazeware produced in a drunken fury by a bunch of UCBerkeley grad students was still the core of BIND. --PV
  27. Read what I had posted, okay? by khasim · · Score: 4, Insightful

    In reality though in any reasonable system quite a number of configuration files have been modified, and the users have stuff in their home directories that does not directly come from any installation CD that could be used for at least a user-level exploit (which makes a root exploit dramatically easier).

    I had already addressed that.

    I had said:
    "Any file that is NOT accounted is suspect and can be individually evaluated. Most of them should be data files that are not executable."

    Again, you should be able to automatically validate the system files, then you manually check the others. Those others include the config files, user files and so on.

    In such a system it is generally quite a bit less work actually to do a reinstall and reconfiguration than combing all the files with the kind of comb you need to catch all things evil.

    If that were correct then your newly installed box would be cracked as soon as those user files were restored.

    And, yes, they will need to be restored.

    So, in EITHER case those files will have to be checked for "all things evil".

    But in my scenario, the box is validated FASTER and you can identify the files that were added/replaced.

    More importantly, you can validate whether the box WAS compromised.

    It's like trying to find the proverbial needle in the haystack, except that the needles have been deliberately hidden and you don't know how many there are - and if you miss one, you lose.

    I take it that you don't work on Linux boxes much.

    There are a finite number of files on the box. And EVERYTHING is a file.

    The more of them that you can automatically validate, the smaller the number of files that you have to search through. This isn't magic. It's something called "Computer Science".

    In your scenario, you rebuild the box, restore the users' files ... and you've just been compromised again.
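
The triage described above, as an added example that is not part of the original post: everything a baseline accounts for is checked by checksum automatically, and only what is left over goes to a human, with unaccounted executables listed first (the post's point that most leftovers "should be data files that are not executable"). The baseline is a `cksum`-format manifest (crc, size, path) taken before deployment; on a packaged system `rpm -Va` or `debsums -c` already covers the package-owned files, and a script like this is for the rest (/etc, /home, /usr/local). The paths in the usage comments are assumptions, and file names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the thread): checksum what a baseline accounts for,
# report only the rest. Usage (paths are assumptions):
#   baseline /  > /var/lib/baseline.cksum     # taken when the box was known good
#   verify   /    /var/lib/baseline.cksum     # after a suspected compromise
set -eu

# baseline ROOT: one "crc size ./path" line per regular file on ROOT's filesystem
baseline() (
    cd "$1" && find . -xdev -type f | LC_ALL=C sort | while read -r f; do cksum "$f"; done
)

# verify ROOT MANIFEST: one finding per line, sorted; matching files print nothing
#   MISSING <path>           accounted for, gone from disk
#   MODIFIED <path>          accounted for, but size or checksum changed
#   UNACCOUNTED <path>       not in the manifest, not executable: data/config, check by hand
#   UNACCOUNTED-EXEC <path>  not in the manifest and executable: look at these first
verify() (
    root=$1; manifest=$2
    current=$(mktemp)
    trap 'rm -f "$current"' EXIT
    baseline "$root" > "$current"
    awk '
        FILENAME == ARGV[1] { base[$3] = $1 " " $2; next }   # the baseline
                            { cur[$3]  = $1 " " $2 }          # what is on disk now
        END {
            for (p in base)
                if (!(p in cur))            print "MISSING " p
                else if (cur[p] != base[p]) print "MODIFIED " p
            for (p in cur)
                if (!(p in base))           print "UNACCOUNTED " p
        }' "$manifest" "$current" |
    while read -r kind p; do
        # an unaccounted file that is executable is the needle the post talks about
        if [ "$kind" = UNACCOUNTED ] && [ -x "$root/$p" ]; then kind=UNACCOUNTED-EXEC; fi
        echo "$kind $p"
    done | LC_ALL=C sort
)
```

Keep the baseline manifest off the box (or on read-only media); a manifest the attacker can rewrite validates nothing. The same `verify` run against the restored user files on the rebuilt machine answers the "restore and you're compromised again" objection: the unaccounted executables are exactly the files to look at before anyone logs in.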
    1. Re:Read what I had posted, okay? by Watson+Ladd · · Score: 1

      That's not computer science. That's systems administration. And not everything is a file in Unix. Everything is a file in Plan 9. Although automatic validation will not fix the problem of misconfiguration. If you have been 0wnd, you should see what you forgot to patch, and what configuration mistakes you made.

      --
      Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
    2. Re:Read what I had posted, okay? by Anonymous Coward · · Score: 0

      And not everything is a file in Unix.
      Like what?
    3. Re:Read what I had posted, okay? by Daengbo · · Score: 2, Insightful

      In my opinion, you have just highlighted the strength of the average package system in Linux vs. the binary patch system some people would like to go to. Making a hash comparison is easy in the first case but either more difficult by a magnitude or just impossible, depending on how the patch is done, I guess.

      As much as moving to a binary patch system would save bandwidth, I find the .deb, .rpm, and .tgz packages to have significant strengths.

    4. Re:Read what I had posted, okay? by Anonymous Coward · · Score: 0

      Berkeley sockets?

  28. Re:Why the, extra comma? by Petrushka · · Score: 2, Funny

    Oh, that's easy: because it takes a lot longer to type " ... &quot; than it takes to type " ... " into the <title> tag. (Though that's still not as long as it took me to type this comment.)

  29. In other news.. by renegadesx · · Score: 0

    Expect Vista exploits!!! OMG!

    --
    Make SELinux enforcing again!
  30. So, why weren't they saying this BEFORE release? by dpbsmith · · Score: 5, Insightful

    Funny how it's all happy-talk before release, and it's only afterwards that they start to "lower expectations."

    Remind me again, what was supposed to be so good about Vista? Oh, yeah, all the stuff like WinFS that somehow never happened.

    And when people pointed that out, the answer was "but the really important thing is security, which Vista does have."

  31. But the website said to answer yes by noidentity · · Score: 5, Informative

    I was trying to print some online coupons recently and special software had to be installed. On the installation instructions, it said to run the installer then answer "yes" to the question it asked (obviously whether it should be allowed to modify system files). What's the use of OS security if users regularly install software which requires admin access? (due to some kind of Digital Restrictions Management scheme of course)

    1. Re:But the website said to answer yes by Anonymous Coward · · Score: 0

      What kind of software is needed to print coupons?

      I know you are using this as an example, but it sounds like something that you have actually done. Is this in reference to some "special" coupons that can only be printed by certain people, so in effect is a DRM sort of thing, which I am assuming from your mention of DRM.

      I'm trying to think of a reason for special software to print coupons on a standard printer (Not a label type printer). I'm trying to think of a person who has successfully printed a few documents before, who would see a need for special software.

      If this is a true example, can you give the name of this coupon vendor, as this kind of practice needs to stop. Make their practices public and let's see what happens to them.

    2. Re:But the website said to answer yes by noidentity · · Score: 1

      It's real: http://www.coupons.com/

      They probably need digital restrictions to make it harder to print fraudulent coupons, since the store wouldn't find that out until they sent them in, and it would be hard to trace who printed the coupon. Think of it as sort of like having ATM/credit card processing software running on your machine.

  32. yeah, but look who's saying it! by ummit · · Score: 1

    Yeah, yeah, obvious as hell, but the surprise here -- and it's a pretty huge one -- is that someone from Microsoft is saying this. What's up with that?

    1. Re:yeah, but look who's saying it! by evilviper · · Score: 1

      Don't worry. He's just new there. He'll become utterly detached from reality soon enough.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  33. Security through obscurity by EmbeddedJanitor · · Score: 4, Funny

    Well, to hack/infect/trojan a Vista system you first have to find one. Considering the high switchback rate to XP that's going to be harder than previously expected.

    --
    Engineering is the art of compromise.
  34. In other news... by renegadesx · · Score: 0

    Water is clear! What a shock I didn't see that one coming!

    --
    Make SELinux enforcing again!
  35. chroot?. by kybred · · Score: 1

    Basically, what I'm proposing amounts to sandboxing every app. This may seem harsh, but why not do it? What's the advantage of letting any app destroy any of my files? Make them at least beg me for permission first, I say!

    Could you set up any app that you wanted to protect your files from with a 'chroot' wrapper? Not really sure if that would work, just asking.

  36. The real role of WinFS by EmbeddedJanitor · · Score: 1
    WinFS and precursors have been promised in all versions of Windows since the early 1990s (except probably ME). It seems that WinFS has two main functions

    A) A teaser. A compelling "new age in computing" to get some hype going.

    B) A feature to cut when projects run late.

    Likely, WinFS will make 20 years old without ever shipping.

    --
    Engineering is the art of compromise.
    1. Re:The real role of WinFS by inviolet · · Score: 2, Funny

      WinFS and precursors have been promised in all versions of Windows since the early 1990s (except probably ME). [...]

      I'm guessing that Duke Nukem Forever is dependent on some unique feature of the WinFS filesystem...

      --
      FATMOUSE + YOU = FATMOUSE
  37. Flash BIOS exploits by jmorris42 · · Score: 1

    > If they've owned your BIOS, reinstalling won't help.

    Something I'm surprised doesn't actually happen more often.

    But even if it ever does, I'm as ready as I can be for it. I write protect the BIOS wherever possible and it is usually possible.

    I really like the Gigabyte DualBios feature as well, for a belt & suspenders approach. You can't write the BIOS without keyboard intervention during POST and even IF you screw up or opt to enable writes (I guess the Windoze folk prefer the GUI update util) you can still reboot, hit a hotkey and with a few keystrokes get back to a known good BIOS.

    A lot of other reputable hardware makers at least give you a BIOS rescue mode of some sort. Just enough smarts in a protected space for Hold a key / move a jumper and it blindly flashes from a floppy. Prefer those vendors, for sooner or later somebody IS going to make a serious run at BIOS. Of course we tend to ignore the OTHER flashable parts, most optical drives and even some HD drives. Yet to see a drive with a flash write protect jumper.

    --
    Democrat delenda est
    1. Re:Flash BIOS exploits by QuantumG · · Score: 2, Interesting

      Hmm.. wonder if you could flash a CD-ROM drive to run arbitrary code on start-up.. presumably yes.

      --
      How we know is more important than what we know.
    2. Re:Flash BIOS exploits by Joe+The+Dragon · · Score: 1

      It's better to flash a video card or other PCI-E / PCI card as they can have their ROMs loaded before the OS starts up

  38. malware controlling apps by zobier · · Score: 1

    Um, if malware can control what apps can do/run then why can't anti-malware or in fact the system itself control what the malware can do/run? In So...

    --
    Me lost me cookie at the disco.
  39. Just a dare, or a double-dog dare? by bl8n8r · · Score: 2, Informative

    And, how would that be pronounced in Russian? Where Vista infects you.. er, I mean where you infect Vista.. er..
    http://blogs.zdnet.com/Apple/?p=422

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
  40. Why You're Wrong by DeadManCoding · · Score: 2, Insightful

    Let's put this simple. You're right, permissions by user isn't enough. But if we set permissions by app, eventually, Windows users will become accustomed to clicking "Accept" to every app permission that occurs, creating the same state we're in now. Do I read all of the XP pop-ups? Yes, I do, as well as all my Spybot pop-ups, as I don't want a random BHO installed on my system. Does everyone read those pop-ups? Hell no!!! And that's the reason why I have to clean out my girlfriend's computer on a monthly basis. I can't expect her and children to read every pop-up and understand what's going on. As any sysadmin knows, it comes down to the average user. We can try to educate them as much as possible, but until they do learn, we have to have some permissions-based system so that we can try to keep average users out of their computer enough to stop zombied boxen from happening everywhere. Am I trying to educate my girlfriend? Yes, but it's not a simple process.

    --
    "The only constant in the universe is change." - Unknown author
    1. Re:Why You're Wrong by Corporate+Troll · · Score: 1

      I can't expect her and children to read every pop-up and understand what's going on.

      Now, my question is this: Why is she running Administrator at all? My wife runs as Limited user (just as my father, my mother, my brother and my sister, and some other family I manage computers for). Now, I do realise that it takes quite some work to set up a computer in such a way that all applications run under Limited User. It is however not impossible because it usually only implies setting the right file permissions of said applications (cacls.exe is your friend on XP Home) and if that doesn't work, it becomes a bit harder because you have to set the right permissions in the registry.

      I have exactly two applications that I haven't managed to run under Limited user and both were games. One is a game called "Children of the Nile" and the other is "Microsoft Train Simulator". The last one probably because I haven't yet taken the time to look into the issue.

      If you set it up right, then there is not a problem for them to use the applications you installed for them. Of course, they cannot install applications themselves, but that is actually a good thing. Converting them fully to Firefox/Thunderbird (instead of IE/Outlook Express) also brings an extra level of security.

    2. Re:Why You're Wrong by 99BottlesOfBeerInMyF · · Score: 1

      Why is she running Administrator at all? My wife runs as Limited user (just as my father, my mother, my brother and my sister, and some other family I manage computers for) Now, I do realise that it take quite some work to set up a computer in such a way that all applications run under Limited User.

      Holy crap! You actually waste time sorting out permissions to get everything running for a normal user under WinXP? Even most corporate places I've worked with centrally managed installations give up on that eventually and give a significant number of users admin rights. What an enormous waste of effort.

      Of course, they cannot install applications themselves, but that is actually a good thing.

      It is a good thing that your wife can't install applications? Do you let her wear shoes? This is why my mother has a Mac. She can run as a regular user and install applications and I've spent about an hour worth of work doing support for her over the last 5 years (much of which involved asking "did you accidentally kick the power cord out... well plug it back in.")

    3. Re:Why You're Wrong by Corporate+Troll · · Score: 1

      Why is it a waste of time, when it saves me time in the long run? The parent poster said he had to reinstall or clean his wife's machine every two months! That is a waste of time. Why, I don't even remember when I installed my wife's PC... It's that long ago. Pretty much zero maintenance.

      Yes, it's a good thing my wife cannot install anything. That way I protect her from herself. She doesn't know that those smilies advertised are in fact spyware. So, she has to ask me and I can explain why this is not a good idea. I don't understand what this has to do with shoes...

    4. Re:Why You're Wrong by 99BottlesOfBeerInMyF · · Score: 1

      Why is it a waste of time, when it saves me time in the long run? The parent poster said he had to reinstall or clean his wifes machine every two months!

      Because both of those are huge wastes of time made necessary by MS's design choices. Compared to doing no work and getting the same result because software runs and installs fine as a regular user, spending a lot of time to manually investigate, edit, and test the permissions for each application seems like a waste to me.

      Yes, it's a good thing my wife cannot install anything. That way I protect her from herself. She doesn't know that those smilies advertised are in fact spyware.

      It is sad that the state of computing has gotten to such a bad state on some platforms that a normal adult can't install and run software without a great likelihood of being compromised. Don't you think it would be better if she could install whatever she wanted in her own account, but that it was sufficiently limited to keep it from being useful to a malware writer? Don't you think it would be better yet if she could run all the malware she wanted but that it would be sandboxed by default?

    5. Re:Why You're Wrong by Corporate+Troll · · Score: 1

      Well, I did not choose that computer. It was there before me, I just made it acceptable again. Back then I had an Apple iBook and she loved it. Alas it died of Logic Board failure and it was a pain to get my data out of it because there were no other Mac users I knew. It was around the announcement that they would switch to Intel, so buying a new one was out of the question.... putting me back in the PC world, where I have remained for cheapness sake.

      As for installing applications: even if she had a Mac or even a Linux machine, it is clear that she still can be tricked into installing something bad for her. This has not anything to do with being "Adult". What it means is that it is not her area of expertise. To get back to your shoes example: she can compare there, but in software she cannot. Mainly also because software companies present their product as "the one and only". In a shoe shop, the other manufacturers' shoes are next to the one she is evaluating. If you're on a website, you do not have this luxury.

      So, no, normal users should not be installing applications without being informed and they are not informed mainly because it is not their area of expertise. That's why system administrators have a job (and the ones you know seem to be lousy at it, because pretty much all corporate desktops that I have touched were locked down hard! That said, I work mainly in the financial sector). Evidently, a normal user has no way of hiring a (good) system administrator so we got the status quo: people administering machines without the required knowledge.

      And, no, running malware, even sandboxed (meaning, it can't damage your system, nor send data over the network, which usually makes the software non-functional), for the simple reason that you should not support or even promote malware applications. That's a principle thing, not a technical limitation.

      Oh, and finally, I quote you "Because both of those are huge wastes of time made necessary by MS's design choices.". That is a false statement. True, Windows 9x had no security and that was BAD(tm). However the NT line has had security in mind from the beginning. What really happened is that the application writers didn't bother to write software to run on machines that had user separation and probably didn't understand the system in the first place. So, even today, software is being developed that only runs as Administrator. Often completely unneeded!

      Sure, Microsoft made the bad decision that the first user created was Administrator (but so does Mac OS X) thus implicitly keeping compatibility with the 9x line. That, however was no design decision. It was purely made from Marketing point of view because existing software wouldn't work anymore. This in turn didn't encourage software developers to code carefully for running Software without Admin rights. Vicious circle and all...

      True, Microsoft has some responsibility, but *we*, the software developers are equally responsible.

    6. Re:Why You're Wrong by 99BottlesOfBeerInMyF · · Score: 1

      As for installing applications: even if she had a Mac or even a Linux machine, it is clear that she can still be tricked into installing something bad for her.

      Anyone can be tricked into installing something bad if someone puts enough effort into it. No one has time to exhaustively audit all the code they install for backdoors. It could be in your OS security update. The point is, on other OS's she is highly unlikely to ever be tricked into installing something "bad" because there is so little of it out there and if it were to become more common both Linux developers and Apple developers have a direct motivation for introducing ways to stop it, while MS has no such motivation.

      So, no, normal users should not be installing applications without being informed, and they are not informed mainly because it is not their area of expertise.

      It shouldn't have to be an area of expertise. Is installing a game in your Playstation an area of expertise that should also be limited to professionals? Of course not. The point is you shouldn't have to be an expert to use a computer safely and that includes installing software.

      And, no, running malware, even sandboxed (meaning, it can't damage your system, nor send data over the network, which usually makes the software non-functional), for the simple reason that you should not support or even promote malware applications. That's a principle thing, not a technical limitation.

      Umm, if the malware operators aren't gaining any benefit, how does it support them? The point is to greatly increase functionality for the user who wants to run arbitrary software easily and safely, but is not "expert" enough to be able to tell which of the 10 applications he or she wants to install are malicious.

      Oh, and finally, I quote you "Because both of those are huge wastes of time made necessary by MS's design choices.". That is a false statement.

      MS has clearly failed to adapt their OS to deal with the current malware environment. That is a design choice.

      True, Windows 9x had no security and that was BAD(tm). However, the NT line has had security in mind from the beginning.

      The NT core includes some great security framework, but most of it is not implemented at all in any version of Windows and it certainly is not brought to the average user in such a way as to make it of any real benefit.

      What really happened is that the application writers didn't bother to write software to run on machines that had user separation and probably didn't understand the system in the first place.

      Why would they? They wrote for the default user settings in Windows, which are settings MS chose. If MS wanted them to write for limited users they would have created a limited user by default and made that the account users logged into by default.

      So, even today, software is being developed that only runs as Administrator. Often completely unneeded!

      You're talking about user level privileges, which are a step in the right direction (largely a finished step in Vista) but they are decades out of date as a sufficient security mechanism for today. MS is just now starting to motivate application developers to write for limited user accounts when 5 years ago they should have been motivating them to write for ACL limited application spaces with self-contained application bundles and official services for common network access like software registration. MS is still 10 years behind the security curve and they are the only ones who really need improvements in order for the average user to not be bothered by malware. They should be the leading edge in this area, but since they have no motivation because they are a monopoly, they ignore it as less profitable.

      Sure, Microsoft made the bad decision that the first user created was Administrator (but so does Mac OS X) thus implicitly keepi

    7. Re:Why You're Wrong by Foolhardy · · Score: 1

      The NT core includes some great security framework, but most of it is not implemented at all in any version of Windows and it certainly is not brought to the average user in such a way as to make it of any real benefit.

      What's not implemented, specifically? Although I agree that the interfaces to many security features are substandard.

      You're talking about user level privileges, which are a step in the right direction (largely a finished step in Vista) but they are decades out of date as a sufficient security mechanism for today. MS is just now starting to motivate application developers to write for limited user accounts when 5 years ago they should have been motivating them to write for ACL limited application spaces with self-contained application bundles [...]

      Windows NT 3.1, released in 1993, had full separation of user privileges. There were three classes of users by default (Administrators, Users and Guests), and new classes could be created with delegated rights and privileges. Tools that aren't specifically for administration have always been required to work properly with standard user privileges to obtain the "Designed for Windows NT" (or 2000 or XP...) logo. Microsoft can't force ISVs to write software that works properly with the security system, but Microsoft has been urging them to do so since the beginning. Microsoft's own software has been pretty good about following those requirements (except for the games department.) I remember specifically running Office 97 on Windows NT 3.51 as a limited user without issue.

      It's always been possible to install stand-alone applications to a directory. Standard convention suggests you share common libraries with other programs that may use them, but they can always be put in the application's own directory instead. Since Windows 2000, the only supported method of installation is the Windows Installer, which indeed supports installation as a limited user for programs that support it (not many, I'm afraid).

      This is not exactly a one to one comparison, since administrators on the different systems have different levels of privilege. Running as admin in OS X is still unlikely to ever result in you getting malware, even if you install pretty much anything you have any interest in with no research. That is not the case with Windows.

      Is that because there is precious little malware developed specifically for OSX? If an administrative user were to give consent to installing a piece of malware on OSX, what technical barriers would prevent it from having free rein on the machine that don't exist on Windows? If it's in, it's in, be it root access on a unix or Administrators on Windows. (Yes, I know that an OSX admin != root, but an admin can certainly sudo malware to root, given the user's consent.) On Windows, I can try installing anything I want without admin access and not worry about infecting the machine or other user accounts. It's the same on other OSes with user privilege separation.

      It was purely made from Marketing point of view because existing software wouldn't work anymore.

      This is a solvable problem (mostly solved in Vista via a virtual registry). I'd argue letting the marketing department make design decisions is one of MS's biggest problems.

      The virtual registry views and other API hacks like it are called compatibility shims, and there are indeed a lot of them to work around buggy and incorrect application behavior. It's hard to write them, and not all app behaviors can be fixed by a shim (e.g. games that insist on installing a kernel module for copy protection purposes). There is A LOT of software out there, and Microsoft can't (and shouldn't need to) fix it all. Even so, I'm not aware of any OS that goes to the lengths that Windows does in trying to make it all work all the time. If Microsoft makes too big a break, people will simply be instructed by the ISV to

    8. Re:Why You're Wrong by 99BottlesOfBeerInMyF · · Score: 1

      What's not implemented, specifically?

      Well, fine grained ACLs like the one they apply to IE, come to mind. A well defined userspace is easily supported by the kernel, for another, but is still iffy as their current implementation in Vista.

      Windows NT 3.1, released in 1993, had full separation of user privileges.

      Yeah, that's great, but because it was not the default setup for a normal user account to be created, they were rarely used and thus lots of things did not work when they did. Theoretically, several current Linux distros ship with SELinux, but that does not protect them from having their user data hosed by a trojan because it is not yet applied by default to applications.

      Microsoft can't force ISVs to write software that works properly with the security system, but Microsoft has been urging them to do so since the beginning. Microsoft's own software has been pretty good about following those requirements (except for the games department.)

      Your opinion on this differs a lot from mine. If MS has been pushing it, why have so many of MS's own applications failed as a single user? You mention games, but there are several functions of MSOffice 2003 (mostly VB) that do not work unless you're an admin, and that is MS's fault. They did far too little and it was obvious they were not serious about it.

      Since Windows 2000, the only supported method of installation is the Windows Installer, which indeed supports installation as a limited user for programs that support it (not many, I'm afraid).

      Yeah it supports it, but it is practically not easy to do and not something MS encourages through their default user account settings.

      Is that because there is precious little malware developed specifically for OSX? If an administrative user were to give consent to installing a piece of malware on OSX, what technical barriers would prevent it from having free rein on the machine that don't exist on Windows?

      There are a lot fewer malware programs in circulation and there are some technical hurdles it needs to get through that would not be present if a user was logged in as root (which is not even something a normal user could probably figure out how to accomplish, since the account is locked out by default). More importantly, however, every OS that is not Windows has something in common. They have to give users what they want. If malware starts compromising machines, they have to adapt their OS to stop it or they lose money. MS is the only company this does not apply to and hence they will probably have serious malware problems for the foreseeable future. There are OS's with less security than Windows and OS's with a lot more security than Windows, but all of them have an appropriate level of security to keep their users happy, except Windows.

      On Windows, I can try installing anything I want without admin access and not worry about infecting the machine or other user accounts.

      Umm, you might want to rethink that assumption. I don't think I've ever known a time when there was not at least one public, unpatched local escalation in Windows. MS has never taken these seriously. I'm hoping when enough Vista users appear that will change, but I don't have a lot of hope.

      I don't think you understand the concept of ACLs. A discretionary access control list (which controls who has what access rights to an object) is part of a security descriptor, which controls the access a process has to an object. They're traditionally organized by user and object, not application.

      You're the one who seems confused. DACLs are not the only kind of ACL. I was referring to MACLs (Mandatory Access Control Lists). They are widely implemented in security minded *NIX OS's.

      Microsoft cannot force developers to follow those requirements-- if they did, people would really scream bloody murder.

      MS

    9. Re:Why You're Wrong by Foolhardy · · Score: 1

      Well, fine grained ACLs like the one they apply to IE, come to mind. A well defined userspace is easily supported by the kernel, for another, but is still iffy as their current implementation in Vista.

      If you're referring to protected mode IE, it's implemented with restricted tokens and a mandatory integrity label, not an ACL. Both mechanisms are available to 3rd party developers since they were introduced (in 2000 and Vista, respectively). They were not dangling parts of the security model prior to their introduction. They are not necessary parts to a working multiuser security model. What necessary (to be useful and secure) parts of the NT security model are unimplemented or missing? How about in NT 3.1? Surely you can come up with more examples to the claim that "most of it is not implemented at all in any version of Windows" (emphasis mine).

      Yeah, that's great, but because it was not the default setup for a normal user account to be created, they were rarely used and thus lots of things did not work when they did.

      Actually, it was more because the 9x series had no security and very weak multi-user capabilities that sloppy programming in those regards just worked on the much more popular 9xes and gained momentum. At the time, almost all ISVs couldn't care less if the software ran properly on NT, let alone with LUA. The people who actually used NT at the time understood and used LUA. They just didn't have enough clout to insist on better quality software for the platform, unlike the Linux and OSX communities. The popular related OSes were the 9xes with no security, and users that didn't care. For that matter, most ISVs and users still don't care.

      ... there are several functions of MSOffice 2003 (mostly VB) that do not work unless you're an admin, and that is MS's fault.

      I'm not aware of this issue, but if it's true, then you're absolutely right that Microsoft isn't following their own rules.

      Still, I'm not aware of anything, aside from momentum in bad practices by ISVs, that makes writing software that correctly follows the standards of LUA and multiple users any harder on Windows than any other platform. Windows has about as much good software (that follows the OS design properly) as any other platform (most cross-platform apps fall into this category), but Windows also has a LOT more crappy software, which drags the average down.

      There are a lot fewer malware programs in circulation and there are some technical hurdles it needs to get through that would not be present if a user was logged in as root (which is not even something a normal user could probably figure out how to accomplish, since the account is locked out by default).

      Yeah, the app can ask the user for his password. If the user is, as I said before, giving the malware full consent, he will have no compunction sudoing the malware to root with a password prompt dialog. On my machine, I'd specifically have to select the malware for Run As... and select an admin user, with password. Is there some other hurdle I'm missing?

      Umm, you might want to rethink that assumption. I don't think I've ever known a time when there was not at least one public, unpatched local escalation in Windows.

      Ok, what's the one right now then? There have been some in the past, but not more than other desktop OSes AFAIK. Certainly not a state of constant publicly known vulnerability. Also, of the malware I've tested in a VM, not one has even attempted to escalate locally (or succeeded). They all assumed they would be run as an admin, and failed in strange ways when they were not.

      More importantly, however, every OS that is not Windows has something in common. They have to give users what they want. If malware starts compromising machines, they have to adapt their OS to stop it or they lose money.

      It's true that Microsoft is in a unique position not to care,

    10. Re:Why You're Wrong by 99BottlesOfBeerInMyF · · Score: 1

      They were not dangling parts of the security model prior to their introduction. They are not necessary parts to a working multiuser security model.

      They are a necessary part of a functional security model, given the current malware environment.

      Surely you can come up with more examples to the claim that "most of it is not implemented at all in any version of Windows" (emphasis mine).

      I already gave you several examples, but you don't seem to understand the difference between, it is possible to configure a system to use this feature, and this feature is in use by default, encouraged and brought to the end user in a way that makes sense and solves the problem. UAC, for example, theoretically addresses user level access controls for applications, but realistically is presented by a UI that completely ignores what is needed to make it functional. As a result, it has little real benefit.

      For that matter, most ISVs and users still don't care.

      Users care about results, even when they don't understand the mechanisms. Windows users want better security and protection from malware and the results on their computers. They are not, however, experts to be demanding some feature they don't understand. It is MS's job to provide them with something that will work, except it doesn't make MS enough money so they aren't going to do so.

      Still, I'm not aware of anything, aside from momentum in bad practices by ISVs, that makes writing software that correctly follows the standards of LUA and multiple users any harder on Windows than any other platform.

      Existing toolsets and off the shelf components (installers and registration software for example) often are a hurdle. Mostly though, it is just that people develop for the defaults and MS provided the wrong ones.

      Windows also has a LOT more crappy software, which drags the average down.

      How much of that crappy software is developed with tools from MS that could encourage or discourage the proper methodology?

      If the user is, as I said before, giving the malware full consent, he will have no compunction sudoing the malware to root with a password prompt dialog.

      Actually, this is a hurdle, as it provides users with information to determine the difference between data and executables, which is often confused by Windows users. It also provides specific information on the type of access requested, which at least provides some info for more clueful users. There are also differences in the scope of what can be done from these graphical "su" type prompts. Don't get me wrong, however: OS X security is insufficient to deal with the level of malware currently attacking Windows. It is, however, appropriate for the level of malware attacking OS X, and there is every indication that it will stay that way regardless of the level of malware attacking OS X, because Apple has direct, financial motivation to keep it that way. MS's security problems are rooted in their monopoly, which provides them with no motivation to respond to customer problems like security.

      Ok, what's the one right now then? There have been some in the past, but not more than other desktop OSes AFAIK. Certainly not a state of constant publicly known vulnerability.

      You go to Google and type in "Vista unpatched escalation"; among the top 10 results is, sure enough, CVE-2007-0843, an unpatched local escalation. As I said, I don't think this method for finding an unpatched local escalation in Windows has ever failed me. Most people don't even pay attention to these, because if they are in security they know it, and if they're not, MS rates these as unimportant security vulnerabilities. While these same types of holes occasionally get news for other platforms, the news would have to report them every week to keep up with Windows, so it becomes a non-story. Until the advent of Vista, everyone was administrators

    11. Re:Why You're Wrong by Foolhardy · · Score: 1

      UAC, for example, theoretically addresses user level access controls for applications, but realistically is presented by a UI that completely ignores what is needed to make it functional.

      My point is that user access control has always been implemented in the NT line of Windows. The new features are for convenience, to make it easier to safely run low and high privilege processes side by side, for executables to tag what mode they should be run in, and a more automated interface. The back-end of UAC, the ability to run processes with different privilege levels even if based on the same user account, has always been present. The interface to it hasn't always been so great, but that's been fixed since 2000. You don't need pretty elevation dialogs or low and high privilege windows side by side-- you can use separate logons for that purpose, something that's always been supported.

      Users care about results, even when they don't understand the mechanisms.

      I agree completely. Unfortunately, there's no magic technological way for users who are willing to install anything and follow arbitrary instructions in the name of watching a funny video to have a secure system, short of a TCPA enforced whitelist of approved applications. User expectations in this regard are unreasonable. One must understand the system to use it properly and safely.

      That said, I agree that UAC isn't implemented well. It'll just program users to click OK even more often than they already do, assuming that they don't just turn it off. There must be a better way of implementing it than Microsoft chose.

      How much of that crappy software is developed with tools from MS that could encourage or discourage the proper methodology?

      MS has always recommended that people follow proper multiuser security design. The "Designed for Windows NT" logo program has existed ever since the first release, IIRC. App developers have abused various parts of the OS in all kinds of gross and weird ways, and I can't think of any part of the docs or toolset that would encourage that kind of abuse, except perhaps that MS seems to have made a mistake in trusting the ISVs to be competent and to care about little things (like security). I've got an old .HLP describing the Win32 API circa 1995, and it's filled with information about the difference between user and machine resources, user and admin privileges, and securing objects. Unfortunately, it's safe to ignore the lot when programming for Win95 (safe in the sense that the programs will run on 95 but not NT), so that's what most ISVs have learned to do. It's easier.

      The only reason that XP (and more importantly, most OEMs that preinstall XP) default to giving the user an admin account is for compatibility with all the 9x apps that don't follow the most basic tenets of multiuser programming. Microsoft (and the OEMs that went along with it) must have feared some kind of backlash from giving users standard accounts. Why else would they have done it?

      You go to Google and type in "Vista unpatched escalation"; among the top 10 results is, sure enough, CVE-2007-0843, an unpatched local escalation.

      From CVE-2007-0843

      The ReadDirectoryChangesW API function on Microsoft Windows 2000, XP, 2003, and Vista does not check permissions for child objects, which allows local users to bypass permissions by opening a directory with LIST (READ) access and using ReadDirectoryChangesW to monitor changes of files that do not have LIST permissions, which can be leveraged to determine filenames, access times, and other sensitive information.

      This is by design, and it's been known about for a long time. Directory data belongs to the directory, not to the child files. Directory data includes a few pieces of metadata about files, including timestamps. Files do not have a list permission; the permission bit used for list children with a directory is the

    12. Re:Why You're Wrong by 99BottlesOfBeerInMyF · · Score: 1

      No design can protect people from their own stupidity and willingness to follow malicious instructions they don't understand.

      I'm afraid I don't have time to address your post in its entirety, but I would like to address this common theme you seem to harp on, as well as half of the so-called security industry. Users follow instructions they don't understand and click OK to weird technobabble, and run software they don't know they can trust, because that is what they have to do with the current shitty OS designs to perform common tasks. OS's in general and Windows in particular are not designed to let users do what they want securely.

      Security is not about finding someone to blame or finding a way you can blame the user when they are compromised. Rotating passwords a user needs to change every day result in users who write them on post-it notes. This is a flaw in the security in that it failed to take the human element into account, and blaming the users does not make it any more secure. MS has outrageously poor security in this regard because they never consider the human element and apparently think shifting the blame to the user constitutes security. Please stop buying into the false premise that the user is at fault when the OS gives them a bunch of bad and incomprehensible choices and they make the wrong one.

  41. I'm puzzled. by Tibor+the+Hun · · Score: 1

    How can just clicking on "Allow" escalate privileges? Wouldn't you need to enter a password of some sort to prove that you do have admin permissions?

    --
    If you don't know what AltaVista is (was), get off my lawn.

    1. Re:I'm puzzled. by figleaf · · Score: 1

      In Vista, if you are a standard user then you have to enter a password.
      If you are an admin you get a prompt to allow priv escalation.
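
      The two behaviours figleaf describes (credential prompt for standard users, consent prompt for administrators) are policy settings, and so is whether the prompt is drawn on the secure desktop, which is what stops an ordinary window from imitating it. The following PowerShell audit is an added example, not code from the thread or from Microsoft; it reads the documented UAC policy values under the Policies\System key and reports the ones a defender would want to confirm. The value-to-meaning tables are assumptions taken from the documented UAC settings, not from this page.

```powershell
# Added example (not from the thread): audit the UAC policy values that decide
# whether an elevation request shows a consent prompt, a credential prompt or
# no prompt at all, and whether the prompt is isolated on the secure desktop.
# Run on Vista or later; reading HKLM policy values does not require elevation.

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# Documented meanings of ConsentPromptBehaviorAdmin (administrators in Admin Approval Mode)
$adminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
# Documented meanings of ConsentPromptBehaviorUser (standard users)
$userBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Describe($table, $value) {
    if ($null -eq $value) { return 'value not set (OS default applies)' }
    $text = $table[[int]$value]
    if ($null -eq $text) { return "unknown value $value" }
    return $text
}

# Findings a defender would act on: UAC off, silent elevation, or prompts
# drawn on the interactive desktop where any process can paint over them.
$findings = @()
if ($p.EnableLUA -ne 1) {
    $findings += 'EnableLUA is not 1: UAC is off, so admin processes start fully elevated.'
}
if ($p.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'ConsentPromptBehaviorAdmin is 0: administrators are elevated silently.'
}
if ($p.ConsentPromptBehaviorUser -eq 0) {
    $findings += 'ConsentPromptBehaviorUser is 0: standard users cannot elevate at all (hard-locked, which may be intended).'
}
if ($p.PromptOnSecureDesktop -ne 1) {
    $findings += 'PromptOnSecureDesktop is not 1: the real prompt shares the user desktop and can be imitated by an ordinary window.'
}

[pscustomobject]@{
    EnableLUA             = $p.EnableLUA
    AdminPrompt           = Describe $adminBehavior $p.ConsentPromptBehaviorAdmin
    StandardUserPrompt    = Describe $userBehavior  $p.ConsentPromptBehaviorUser
    PromptOnSecureDesktop = $p.PromptOnSecureDesktop
    Findings              = if ($findings) { $findings -join ' ' } else { 'none' }
}
```

      A value that is absent from the key means the OS default applies, which the script reports rather than guesses; the point of the check is that the secure-desktop flag, not the "Allow" button itself, is what keeps a spoofed prompt from being indistinguishable from the real one.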

  42. Meh by Anonymous Coward · · Score: 0

    a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'
    That's completely unnecessary. I tested vista for an hour last week, and after the fourth prompt (fifteen minutes in), I was already clicking allow blindly. Sure, if it was my real system I'd have been more careful, but your average user wouldn't be.

  43. Uuuuhh? I thought... by ukemike · · Score: 1

    Gee whiz, I thought that Vista itself was the malware?

    --
    -- QED

  44. Slightly OT: A Question by TheVelvetFlamebait · · Score: 1

    I wasn't following Vista while it was still called Longhorn. What other features were we expecting that were cut, apart from WinFS? And what was meant to be so great about them?

    --
    You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.

    1. Re:Slightly OT: A Question by 99BottlesOfBeerInMyF · · Score: 1

      What other features were we expecting that were cut, apart from WinFS? And what was meant to be so great about them?

      One feature which did not make it was a usable shell environment, codenamed "monad." MS claimed it would make using a shell on Windows as functional as bash on Linux and had a long list of things bash did, but that was really, really hard on Windows. When they delayed the feature, all the publications of what Windows was lacking also disappeared. They now claim it will be included in a service pack.

      Other cut features I can think of include ubiquitous use of .NET bringing the core of Windows up to date (dropped for everything but a few parts of Vista), UNIX application layer (dropped), NFS 3 and 4 support (dropped), and full IPv6 support (questionable). I'm sure there were a lot more random features I don't recall that also went away. In fact, about the only area where nothing was dropped was DRM, where I suspect they focus a lot of their resources.

  45. Not surprising, but.... by adachan · · Score: 3, Insightful

    I have yet to be convinced that Vista itself isn't actually malware. Here is my reasoning:

    1. Usually malware comes bundled with something that I am interested in actually using. I was kind of interested in trying the aero interface of Vista, so I installed it. After doing that I noticed weird things with my computer (lockups, hard drives failing to read and write) -- a sure sign of malware.

    2. After installing Vista, my system tends to be slower. This is a clear indication of malware being on my system.

    2. Strange windows keep popping up telling me messages I am not interested in. This tends to happen also when malware is installed on a computer.

    There are several other issues, but these are the main ones. I looked at some websites describing malware, and according to security experts, these are key factors indicating that it's highly likely I have some malware on my computer. I think I will have to get rid of Vista because not only will it eventually allow for malware to run inside of it, in fact, it IS malware!!!

    1. Re:Not surprising, but.... by Anonymous Coward · · Score: 0

      2. After installing Vista, my system tends to be slower. This is a clear indication of malware being on my system.

      2. Strange windows keep popping up telling me messages I am not interested in. This tends to happen also when malware is installed on a computer.

      The "increment" instruction also appears to be broken.

    2. Re:Not surprising, but.... by Macthorpe · · Score: 1

      Taking your comment at face value:

      1. Did you check your drivers? Try booting another OS and see if you get the same problem. In other words, instead of just crying into your pillow at night, try and fix it. You're on Slashdot, you're supposed to be a geek for crying out loud.

      2. Yes, we're all aware that Vista requires higher system requirements than XP or Linux to run smoothly. Whoop-de-do. However, they're not as high as people pretend and Vista works well on my ex-boyfriend's 3 year old Sempron.

      2 (again). If you're not interested in the messages you can turn them off. Why not try it?

      I think my TV must be malware. When I switch it on, it keeps showing messages I don't want between things I do want, it came bundled with the house that I live in and when it's on everyone else seems to stop dead to watch it. Those all match up with things I read ON THE INTERNENETS about malware so it must be malware!!11!

      Seriously.

      I don't know how your comment managed 'Insightful' when it's just plain 'Redundant'. We all know - the majority of Slashdot doesn't like Vista. Just reciting it over and over again in the hope of being modded up is not an intelligent debate. It's just a real pity that it works.

      --
      "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien

    3. Re:Not surprising, but.... by adachan · · Score: 1

      I actually posted this in the hopes of making someone laugh. The post was made in a completely joking manner. I do feel it is funny that it is modded as insightful, but oh well. Anyway, in regards to some of your comments:

      My system is an AthlonFX-60, 4 Gigs of PC4200, Geforce 8800GTS, Sound Blaster Audigy 2 Platinum Pro, Asus A8N-SLI Premium, and the boot drive is a WD Raptor 74Gig. I had the newest drivers for all these items listed above, barring the hard drive.

      Vista ran ok on it. I could play Doom3 at the same 1280X1024 resolution with >100fps at all times. I didn't test other games, other than Quake 3, which also ran at 120fps. Both of these games performed at the same level as under XP, which I have on another Raptor 74Gig.

      My main issue with Vista is that a larger than reported number of programs I use have incompatibility issues. Not major issues, mind you, but issues when compounded on programs with other small issues that made me annoyed.

      The other thing is that even with a fresh install, with only the single hard drive, and the other hardware I described above (with the newest drivers), I still experienced random lockups.

      The minor incompatibilities compounded with the lockups are what prompted me to make the comment. It is the lockups and the programs not working properly when compared to the performance under XP SP2 that made me think of the operating system being malware.

      To reiterate, I made the comment in fun, hoping to make someone laugh. I agree that it's not quite insightful, but to say that Vista is indeed ready for mass consumption is just not right. Vista needs a lot of work. I can see what Microsoft was going for, but the early release of an unfinished product is clearly the result of pressure from shareholders, and I am sure the actual developers would have rather waited another year to get it right, rather than be compared to Windows ME.

    4. Re:Not surprising, but.... by Macthorpe · · Score: 1

      My apologies for misreading :)

      As a gamer, though, I have experienced close to zero issues with Vista - running dual screen monitors causes some ill will with old games but I haven't found any major issues that couldn't be solved by either turning that off or running in compatibility mode.

      --
      "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
  46. separate your partitions? by CaptainNerdCave · · Score: 0
    After reformatting a couple of times to fix Windows installs... didn't you start creating a partition to install Windows to and a partition for everything else? Actually, with Windows, one could easily keep control of much of the system by restricting the write permission to only the things that need to be written by that user.

    I don't remember about Home (never had multiple users on my XP Home machine), but I know Pro offers a variety of security features that I have only started experimenting with recently.

  47. Re:ATTN: SWITCHEURS! by Anonymous Coward · · Score: 0

    Trying to come up with a lunix variant of this popular copypasta, with not much luck. Any help please?

  48. A funny little story... by Anonymous Coward · · Score: 0

    I just got back from rebuilding the wireless network of some friends. Which was something of a surprise, I'd merely expected to set up a new laptop and add it to their network. They'd just got another laptop a month before, a MacBook, which the owner had set up himself. Apparently he followed the instructions in the Mac, which at the time I'd thought was pretty impressive considering I'd set up WPA, the works, required the MAC address be entered into a whitelist, etc. Anyway apparently the instructions that come with the Mac are hit the reset button to restore the router to factory defaults and run it wide open. Haha. That's a great first line of defense. So I decided this was all my fault. I set them up securely, but they didn't understand security. The what, how and why of it. The way to care for and nurture it. Now they don't necessarily understand it all finely, this will be an ongoing project. But they know what I did, and how to use it. How to let it serve them. If it's just a meaningless ritual, it can't last, and it can't be robust. Maybe Flint and Lady J were right....

  49. Well, I for one by Almahtar · · Score: 1

    will do absolutely nothing about it. On purpose. When people get fed up enough with Windows that fair market conditions are restored I will consider helping out. In the meantime I'm more interested in letting Windows enjoy the just failure that its unethically-boosted success has brought it. No, I'm not going to play a part in cracking it, but if it can't defend itself despite the billions of dollars it has to put towards the cause, perhaps it's time for things to change and a new "king of the hill" should take the throne. I won't defend it as long as it's used to unfairly dominate the market.

  50. Insecure, yes... by Almahtar · · Score: 1

    But as it's been said time and again here in Slashdot comments, what this DOES do is absolve Microsoft of all responsibility. "You have malware problems? Shouldn't have clicked 'allow'."

  51. SE-Linux by Almahtar · · Score: 1

    I was under the impression that this is what SE-Linux was doing. I fully expect to be wrong here, because I just heard it from one person. I'd like to know though. Anyone?

  52. Wow by TheCreeep · · Score: 1

    Vista Malware? That's like the next step after Vista Ultimate, right?

    1. Re:Wow by gertin · · Score: 1

      Actually I think it was the internal codename for Vista Ultimate.

  53. System-protected malware? by octogen · · Score: 1

    The real fun will start if someone manages to let the operating system protect a malware's subjects and objects (processes, files, registry keys, etc.) by using its digital restrictions management or code signature features.

    1. Re:System-protected malware? by SEMW · · Score: 1

      The real fun will start if someone manages to let the operating system protect a malware's subjects and objects (processes, files, registry keys, etc.) by using its digital restrictions management or code signature features.

      If someone manages to crack a standard implementation of public key AES encryption, which is basically what code signing is, we're going to have a hell of a lot more problems than more malware...
      --
      What's purple and commutes? An Abelian grape.
  54. Vista raises the bar. The possibility remains by Opportunist · · Score: 1

    The additional layers of "security" (I'd rather call them "more red tape") in Vista certainly make it more difficult (well, rather "less easy") to infect it. But still far from impossible.

    Given the number of "allow or deny" requests the average user gets during his life with Vista, he is no longer able to make a qualified decision. Take any kind of "personal firewall" and let it go to berserk levels. A request for pretty much anything when you install something.

    So the average malware will not come along as some kind of invoice (the ever popular .pdf.exe files), it will come as a "critical MS fix" that you're supposed to install. People will click it and will allow elevated privileges because they actually expect a system fix to ask for it.

    Or malware will come bundled with games or other applications that the user should definitely "check out". As long as you trick the user into believing he is installing something, he will not even wonder why you're asking him for more privileges. Or you need a "special reader" to enjoy that porn flick you were just sent via mail.

    The social engineering portion of the attack will have to become more sophisticated, but that doesn't end it. As long as the user is unable to make a decision whether the rights the application wants are really warranted, the security is fake. And he cannot make that decision. First of all, the information given in those "allow or deny" dialogs is too hazy (Application x wants to get privilege $obscure_description) for the average user to understand. Second, there are too many such requests (so the user sooner or later just wants them GONE, to hell with security I want to WORK with my machine!); people actually start to ignore them and allow everything.

    Why they start to click allow rather than deny is also easy to explain, it's the same effect that we have with "learning" personal firewalls. The user will soon "learn" that clicking deny means that an application will not do what it's supposed to do. So he will usually click "accept" when facing an unknown problem, since accept usually means that the application works as intended. Just like they click allow on their personal firewalls when some obscure program wants to get out, 'cause they learned that they once clicked deny for some obscure Windows task they didn't know either and suddenly "the internet" didn't work anymore.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  55. Actually, the problem is even deeper. by master_p · · Score: 1

    The fundamental error of operating system designers is the concept of a filesystem. Computers should not have filesystems, but they should have databases. As every DB programmer knows, in these systems, users do not have an all-or-nothing clearance to use the database: they can only use the part that they need to do their job. Not only do DB systems make finding and querying files much, much easier, you also get a better security system for free.

    Another approach is to use a software ring system like the 80x86 processors have: each application should belong in a ring, and outer rings cannot access data of inner rings. By running networked applications on an outer ring, user files cannot be compromised.

  56. Re: Get you're wishlist now, almost by Ox0065 · · Score: 1
    This is not a wish list. The problems are with the things you want to do with a computer that's so locked down. There are a number of different options for achieving this now. GRE & SE Linux spring to mind. Unfortunately you will have to use a hardened compiler profile to make it worthwhile. It's designed more for servers though... ...Running a full desktop environment and expecting your computer to be secure... ...doesn't really add up, when you get down to it. Think less is more. Like your iPod! (^-^)
    I imagine from:

    The data on my PowerBook is my life and

    I do make a monthly backup that you'll want nice accelerated graphics. At present that probably means binary drivers, that won't load into your hardened kernel or X...

    To get the effect you are REALLY looking for, you don't need sandboxing. You could have a play with ACL based permissions. Running apps with setgid could help, but could also be a catastrophic security hole (depending upon how you do it) & is more obfuscation than barrier within the context of your intentions.

    Also, I think that the first time you move a folder with a range of file types, you'll spit the dummy big time.
    Also, if you're really just worried about $ rm -rf ./* put a file called -i in your home|users folder, i.e. $ touch ./-i
    --
    thx e
  57. Why You're Also Wrong by 99BottlesOfBeerInMyF · · Score: 1

    You're right, permissions by user isn't enough. But if we set permissions by app, eventually, Windows users will become accustomed to clicking "Accept" to every app permission that occurs, creating the same state we're in now.

    You're right that just adding application level privileges isn't enough either, but no one said we have to only add application level privileges and not the rest of what is needed to make them useful as well. First, the UI needs to be fixed to eliminate all the current, spurious pop-ups. Then you need to build in good default settings. Right now users are clueless about firewall configuration, and yet many machines ship with one running out of the box without being prompted all the time. This is the result of reasonable defaults.

    As I see it, moving to application level privileges is the only way to mitigate trojans. Such a system requires three parts:

    • application level access controls to actually regulate the system
    • a trust/functionality determination mechanism
    • a well crafted UI that integrates it into the system

    The basic problem is users don't know what legitimate software should be able to touch. So, change the format of applications to include an ACL in every one. Next, verify the source of the application with a certificate. Next, check that application against intelligence provided by verification services. These could be pay services that have blacklists (like current anti-virus), but they should also include simple verification services that run software and make sure it never tries to exceed the included ACL, or to provide ACLs for legacy software. This could include input from an open source project. This could include intel provided by the OS vendor. The user will, of course, need to be able to add and remove these as well as determine how much they trust each source.

    Once that is done, the system can determine without user intervention what the vast majority of all software can and can't do without having to bug the user. Exceptions would be unsigned or invalidly signed software (most of which would be malware) or when some software tries to exceed its authority (due to a bug or because the process was hijacked by a buffer overflow or the like). Users will want to deny almost all of this.

    Given a trust level and ACL for each app, the OS can further restrict it using an ACL for the trust level. A well crafted UI is still needed to present those few queries that do happen in a usable way, without conditioning people (unique button names that are actions, not OK/Cancel).

    All of this takes a significant change in the way desktop OSes currently operate, but it is pretty much the minimum that is required to really solve the malware problem.
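    The three-part scheme sketched in the comment above, as an added toy model (not the poster's code and not any real OS component): each app ships a declared ACL, the signature over that manifest decides whether it is signed, external verification sources (a blacklist and a behavioural-observation service) can upgrade or downgrade it, and a per-trust-level cap is applied on top of the app's own ACL so that only the exceptional cases reach the user. Publisher keys, capability names, apps and service data are all constructed for the example, and HMAC stands in for a real code-signing scheme.

```python
import hashlib
import hmac

# Capability vocabulary an application manifest can declare (constructed).
ALL_CAPS = {"net", "read_home", "write_home", "read_contacts", "install"}

# Cap the OS applies per trust level, on top of the app's own declared ACL.
TRUST_CAP = {
    "verified": ALL_CAPS,
    "signed": ALL_CAPS - {"install"},
    "unsigned": set(),   # nothing is automatic; every request goes to the user
}

# Publisher keys the OS trusts; HMAC is a constructed stand-in for code signing.
PUBLISHER_KEYS = {"ExampleSoft": b"constructed-secret-1"}

def manifest_digest(app):
    """Digest of the fields a signature covers: name, version and declared ACL."""
    blob = "|".join([app["name"], app["version"], ",".join(sorted(app["acl"]))])
    return hashlib.sha256(blob.encode()).digest()

def sign(app):
    """Publisher-side signing of a manifest (constructed helper)."""
    key = PUBLISHER_KEYS[app["publisher"]]
    return hmac.new(key, manifest_digest(app), hashlib.sha256).digest()

def trust_level(app, blacklist, behaviour_acl):
    """Classify an app from its signature plus the subscribed verification sources."""
    key = PUBLISHER_KEYS.get(app.get("publisher"))
    expected = hmac.new(key, manifest_digest(app), hashlib.sha256).digest() if key else b""
    if not key or not hmac.compare_digest(expected, app.get("sig", b"")):
        return "unsigned"            # missing or invalid signature (tampered manifest too)
    if app["name"] in blacklist:
        return "unsigned"            # a blacklist service flagged it: treat as untrusted
    # A service that ran the app and never saw it exceed its declared ACL upgrades it.
    if behaviour_acl.get(app["name"], ALL_CAPS) <= app["acl"]:
        return "verified"
    return "signed"

def decide(app, requested, blacklist, behaviour_acl):
    """'allow' / 'deny' silently where policy suffices; 'ask' only for the
    exceptional cases the comment names (unsigned, or exceeding own authority)."""
    level = trust_level(app, blacklist, behaviour_acl)
    if requested not in app["acl"]:
        return "ask"                 # exceeding its own ACL: bug, hijack or malice
    if level == "unsigned":
        return "ask"
    return "allow" if requested in TRUST_CAP[level] else "deny"

# Constructed sample data: a signed viewer, a copy whose ACL was widened after
# signing, an installer with no behavioural report, plus the service inputs.
viewer = {"name": "PhotoViewer", "version": "1.0", "publisher": "ExampleSoft",
          "acl": {"read_home"}}
viewer["sig"] = sign(viewer)
tampered = dict(viewer, acl={"read_home", "net"})     # signature no longer matches
installer = {"name": "Installer", "version": "2.1", "publisher": "ExampleSoft",
             "acl": {"install", "net"}}
installer["sig"] = sign(installer)
BLACKLIST = {"SpaceBlast45"}
BEHAVIOUR_ACL = {"PhotoViewer": {"read_home"}}        # what a service observed it use
```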

  58. Re: Get you're wishlist now, almost by 99BottlesOfBeerInMyF · · Score: 1

    Running a full desktop environment and expecting your computer to be secure... ...doesn't really add up, when you get down to it.

    Is that you Mr. Gates?

    At present that probably means binary drivers, that wont load into your hardened kernel or X...

    Most desktop users are concerned about malware and trojans and the like. They are less concerned about commercially supported applications and binaries which they have a more reasonable expectation of. A reasonable person might be willing to trust a binary driver from HP in order to get their Webcam working, while that same user might not be willing to trust SpaceBlast45.exe with their machine's security just to play a game. The goal of a reasonable security system is to allow the user to do the latter while still being able to run the executable if it behaves properly.

  59. Wait a minute.... by bobbocanfly · · Score: 1

    ....is it not in the news today that hardly anyone is using (or at least buying) Vista, so it makes absolutely no difference whether there is lots of malware that can get around its security system?

  60. Duck, Mark - INCOMING CHAIR!! by Anonymous Coward · · Score: 0

    I'm really quite surprised by this.

    Yeah, me too. Who'd have ever thought someone at Microsoft would be truthful. Are Mark's days there numbered?

  61. So, CLEARLY, M$ Vista is worth the extra costs by Anonymous Coward · · Score: 0

    Could this be the first public nail in Vista's coffin of failure?

    Hey, I can dream...

  62. Sockets? by Anonymous Coward · · Score: 0

    Well, how are you supposed to work them as an attack vector?

    Admittedly this is where "it" isn't a file, but there's not a lot you can change maliciously, is there.

  63. Why bother? by matt+me · · Score: 1

    With 243 copies purchased in China, Vista really has security by obscurity, if by no other means.

    1. Re:Why bother? by oloron · · Score: 1

      Those 243 copies probably translate to 243,000 installed PCs, that's why.

  64. Vista raises the bar... in the wrong place. by argent · · Score: 1

    Even if they implemented full mandatory access control (MAC) and made Vista a B2 or better OS, and ran each application in its own trust domain, this would still not prevent an exploited copy of Internet Explorer from:

    1. Attacking other computers on the local network.
    2. Attacking websites.
    3. Sending spam.
    4. Stealing website passwords.
    5. Stealing credit card numbers and other personal information.
    6. Piggybacking money transfers on your banking website.
    7. Infecting downloaded applications and files as they pass through.

    Microsoft needs to work on the fundamental security of the browser. They can start by backing out of the browser-desktop merge... it'll take a while, they have 10 years worth of applications that depend on this broken design... and eliminating ActiveX and "insecurity zones".

  65. Hey! by Anonymous Coward · · Score: 0

    That's in SOVIET Russinovich, you insensitive clod!

  66. Expect? by The+Cisco+Kid · · Score: 1
    As far as I know, MS has already released malware known as Vista.

  67. Jesus... by Lord+Flipper · · Score: 1

    Talk about 'going out on a limb'.... this Russinovich sounds pretty rad. Is it always like this on Tuesdays?