There is a very simple way to avoid exploitation while using Windows Update.
If on broadband (Cable modem or DSL), buy a hardware firewall. Most Internet sharing devices have built-in firewalls that act as one-way doors to the Internet. You can go out to the net, but people on the net can't get back in. For less than $100.00 (Canadian, one time) you can get better protection than any "software firewall" can provide, and without renewing subscription costs. Even for a single computer, it's well worth the investment.
If on dial-up, turn on the built-in Internet Connection Firewall on your dial-up connection. Windows XP as first released comes with a silent firewall program already installed. Make sure you turn it on! Sadly, AOL dial-up users can't use it.
(Yes, I read the PDF file that describes how XP SP1 doesn't have a firewall turned on by default. If I sell you a lock and you don't lock it before someone steals your stuff, you can't sue me for selling you a defective lock!)
Use Windows Update Only until it says it's done. Don't do any production work, don't check e-mail, don't surf any other web sites, until Windows Update tells you that you don't need any more critical updates.
That's it, really. Get behind some kind of firewall and patch your system first. After that, start using the tools included in Windows XP, such as Automatic Updates, to let the system keep itself updated.
Other routine precautions include: Use the hardware firewall at all times, create a Limited User account for yourself and do your production work there, stick with applications and devices Designed for Windows XP, and (as The Register is fond of saying) wear a regulation tinfoil hat.
I get a 1.000 batting average with my favorite anti-spyware prevention (not detection) tool:
Limited User.
And when not working as a Limited User, I turn off scripting and other stuff, and add "*.microsoft.com" to Trusted Sites so I can use Windows Update and Office Update.
Windows XP and Windows 2000 can catch 100% of all spyware all by themselves. If you let them. Spyware (or other software) doesn't install as a limited user.
Unlike Palm, which requires full admin access for every user to use Palm Desktop, PocketPC at least works as a limited user without mucking with the system.
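The Internet Explorer zone tweak described in the comment above (scripting off in the Internet zone, `*.microsoft.com` promoted to Trusted Sites) lives in a handful of per-user registry values. The script below is an added example, not something the commenter posted; it assumes the classic IE zone layout (zone 3 = Internet, zone 2 = Trusted Sites, action 1400 = Active scripting with 0 = enable, 1 = prompt, 3 = disable) and a modern PowerShell, and it must be run as the user whose profile is being hardened.

```powershell
# Added example: set and then verify the IE zone settings the comment describes.
# Registry layout assumed: Zones\<n> holds per-zone actions, ZoneMap\Domains\<domain>
# holds a value named for the scheme ("*" = any scheme) whose data is the zone number.
$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$map   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# 1. Disable Active Scripting for everything in the Internet zone.
Set-ItemProperty -Path "$zones\3" -Name '1400' -Value 3 -Type DWord

# 2. Put microsoft.com (and, via the domain key, its subdomains) in Trusted Sites
#    so Windows Update and Office Update still get script.
#    Caveat: this promotes every host under microsoft.com, not just the update servers.
New-Item -Path "$map\microsoft.com" -Force | Out-Null
New-ItemProperty -Path "$map\microsoft.com" -Name '*' -Value 2 -PropertyType DWord -Force | Out-Null

# 3. Check: what does each zone do with script, and which domains were promoted?
foreach ($z in 1..4) {
    $v = (Get-ItemProperty -Path "$zones\$z" -Name '1400' -ErrorAction SilentlyContinue).'1400'
    '{0,-16} (zone {1}): Active scripting = {2}' -f $zoneNames[$z], $z, $v
}
Get-ChildItem $map | ForEach-Object {
    $domain = $_.PSChildName
    $props  = Get-ItemProperty -Path $_.PSPath
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        '{0} ({1}) -> zone {2}' -f $domain, $p.Name, $p.Value
    }
}
```

The same values are what Internet Options, Security writes when you click through the dialog; reading them back is the quickest way to confirm that a machine still has the intended posture after someone has "fixed" a site that stopped working.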
"By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page..."
So if you're silly enough to surf with full administrator access, you can let someone else take over your machine. No mention if the exploits work as limited users... probably because they don't.
No mention of flaws in background services, but even if there were, what effect would they have with the firewall turned on?
Sounds like a simple enough fix to me: Create a limited user account for yourself and do your work there.
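The two controls these comments keep coming back to, a Limited User account and a firewall that only opens one way, are easy to state and easy to silently lose (a vendor installer that adds you to Administrators, a "temporary" firewall exception). The check below is an added example, not the commenter's code; it assumes a current Windows with the NetSecurity and LocalAccounts modules (Windows 8 / Server 2012 or later). Windows XP and 2000 had neither PowerShell nor these cmdlets, so on those systems the equivalent is Control Panel, User Accounts and the connection's Advanced tab.

```powershell
# Added example: confirm the session is a limited user and the host firewall is default-deny inbound.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($isAdmin) {
    Write-Warning "$($identity.Name) is running with Administrators rights; anything a web page or attachment tricks this session into running gets the same rights."
} else {
    Write-Host "$($identity.Name) is a limited user; writes to Program Files, System32 and HKLM will be refused." -ForegroundColor Green
}

# Who can actually install software on this machine? Every entry here is a full-takeover target.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

# The built-in firewall should be on for every profile and block unsolicited inbound traffic,
# the "one-way door" the comments describe. DefaultInboundAction of NotConfigured means the
# platform default, which is Block; only an explicit Allow is a problem.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

$bad = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' }
if ($bad) {
    Write-Warning ("Firewall profile(s) not default-deny inbound: " + ($bad.Name -join ', '))
    # Repair (from an elevated shell), then patch before doing anything else:
    #   Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
}

# Inbound rules someone added by hand are the usual way a "one-way door" quietly becomes two-way.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { -not $_.Group } |            # rules with no Group are typically hand-made or installer-made
    Select-Object DisplayName, Profile
```

Run it from the account you do daily work in, not from an elevated prompt, since the first check is about that session. The inbound-rule listing is a heuristic: built-in rules carry a Group name, so ungrouped enabled Allow rules are the ones worth a second look.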
Another Challenge: Actually Design for Windows XP! (on "EA Games: The Human Story"; Score: 2, Interesting)
As opposed to "designing for whatever the current version of Windows is with total disregard for best current practices."
As in, testing with fast user switching (even if it's just exiting after finding it's running already as another user), testing with Limited User access (XP and 2K!), testing with families in mind whose parents don't want their kids destroying the family computer, testing whatever lame and ineffective copy protection schemes to make sure they work with all of the above.
It's the end of 2004, guys! Why does The Sims 2 not work with limited user access? Just because of your ineffective copy protection scheme? You should challenge Safedisc or whoever you use to fix their broken system, to work on XP for limited users.
2004 saw the release of many popular games that required the user to use Windows XP or Windows 2000 as an administrator user. The reasons for this vary wildly from "bad design" (laziness, lack of testing) to "bad design" (copy protection) to "bad design" (anti-cheat software) and "bad design" (everything in between). We're talking as recent as The Sims 2 released only this year, or Jedi Knight: Jedi Academy.
I'm a professional security consultant and my clients (including home clients) use their computers as limited users to protect against spyware and viruses before the fact. It pains me to explain to a client that they can't play the latest games they want to play without turning off all of the safety features their operating system provides for free. And it isn't hard to design for security either; I modified Quake II in two weeks off-and-on to work.
After four years of Windows 2000 and two years of Windows XP, why are we not seeing games that support the safety features included in these modern operating systems? Does City of Heroes even work properly with them turned on?
If their software package requires Win2K or XP to run, does it run with Limited User support? And without any goofy preinstall-for-each-user nonsense? Does the Hotsync manager work with fast user switching? Last I checked, their software kit wouldn't work with either.
I've read a few posts saying they face similar problems. I'm going to brag, boast and strut some more but only to the extent that I can help you, the IT department in your company, stop these things before the fact.
Please read my journal for theory (limited users, current and patched versions of MS Office, etc). Please ask me directly for experience in this (making misbehaving apps work, recommending alternative apps, etc). I get paid to do this for a living, but I can help you keep your costs down by teaching you what I know. Do consider it. The website is http://www.pan-am.ca/ and you'll find a phone number and a contact address there.
Proven on two medium-sized networks I maintain for clients. No spyware in two years and I don't even bother with up-to-the-minute patches. Just patch for serious problems or when a service pack comes out.
Limited User accounts also provide the best AV on Windows, second only to MS Office SP3 and later which block bad e-mail attachments, bad macros, etc by default.
Finally, stand-alone NAT routers that act as firewalls keep worms out.
Worried that your software won't work as a limited user? Harass the vendor. Go to their competition. Loosen up security on individual files and folders (hence, suggesting XP Pro instead of XP Home). Test, test, and test some more. You'll save hundreds if not thousands on annual AV subscriptions and catch new threats before the AV vendors (and Spybot / Ad-Aware) can.
Two words: Limited Users. Two more words: Hardware Firewall.
I know, -1 redundant, -1 overrated, -1 troll. Guess what, folks? They work.
These things combined stop every virus, worm, trojan, spy ware, key logger, etc etc etc on company networks. Add to that attachment blocking in Outlook and macro blocking in Word and Excel, all included since MS Office 2000, and I don't waste client time dealing with garbage from the net.
id Software does this to considerably positive effect. They released the source to everything related to Quake II and earlier they were allowed to.
They won't profit from those products again, but they can entice would-be licensees with demonstrations of past experience, and then wow them with current stuff (Q3A, DOOM3) and charge larger amounts for that.
1. Give away older stuff
2. Sell licenses to current stuff
3. Profit!!!
"ACPI is an open standard, but unfortunately, vendors' closed source BIOS implementations for the last few years are written against the Microsoft ACPI parser, bugs and all."
Actually, I've had to work with some cheap machines whose ACPI BIOSes caused too many error records to appear on XP SP1's Event Log. Things like: "This register is not responding correctly," etc, and then XP disables that particular functionality (i.e., a "suspend" button). And no firmware updates were available or they failed just as badly.
At least XP manages to deal with it. By comparison, Win2K bluescreens on the same machine if I try to use an ACPI HAL - I have to force-select a Standard PC HAL on installation to use the thing. Win98 works, but only because of the reasons you described.
When I had to upgrade a Linksys router, I ended up doing it through IE rather than their supplied Windows applet. There was a prompt for a filename (apparently you can still HTTP POST entire files) and after submitting a binary image, the router happily updated its own firmware.
I don't remember if it needed javascript or not, but I remember having to add the router's private IP to Trusted Sites to make some of its functionality work (mostly because Scripting was disabled in the Internet zone, but hey.) If all it needs is javascript to do a firmware update via a browser, surely it would work with Opera or Mozilla on Linux.
I've deployed MS Office 2000 and XP (2002) routinely in multi-user and secure environments. I never have to grant any user "temporary admin" access to start using any Office app, including Word.
HOWEVER, there is one annoyance I've had to work around. Depending on the network's group/system policies, restricted users might not have CD-ROM access (!) enough to do the initial setup for their profile from the Office CD-ROMs.
The fix was to create an administrative installation on one of the servers and install it to the stations from a share (I use "\\server\office2k$" and deliberately hid the share with the "$"). I also granted Read and Execute permissions to regular users. That way, when a new user starts to use an Office app, the first time setup occurs from the network share and works just fine as a restricted user. This network share seems to work very quickly even over a DSL WAN connection (320 kbps) without taking an absurdly long time to finish.
Office 2003 goes a step further and puts the first-time setup and repair files on the local hard drive, foregoing the CD-ROM or network share access requirement for a first time use. You can remove those to save disk space (about 290 MB) if you have a network share as described above.
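The share the comment describes (hidden with a trailing `$`, readable and executable but not writable by ordinary users) is worth getting exactly right, because a first-run setup that can write back to its own install source is a way for one compromised workstation to seed every other user's Office. The script below is an added example for a modern file server, not the commenter's own procedure; the folder path, share name and group name are assumptions, and the `setup.exe /a` step is the Office 2000/XP administrative-install switch, run separately from the product CD.

```powershell
# Added example: build a hidden, read-only Office administrative install share.
# Assumed names: D:\Shares\Office on the server, share office2k$, group CONTOSO\Domain Users.
$path  = 'D:\Shares\Office'
$share = 'office2k$'              # trailing $ hides the share from browse lists; it is not an access control
$users = 'CONTOSO\Domain Users'

New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS: stop inheriting, then grant exactly what each party needs.
# Users get Read & Execute only: first-run setup can copy files down, but nothing on the
# share can be altered from a workstation, even by a user who has been made local admin there.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)      # protect from inheritance, discard inherited ACEs
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($entry in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';     Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators';  Rights = 'FullControl' },
        @{ Id = $users;                    Rights = 'ReadAndExecute' })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Share permissions: read-only for users. Effective access is the more restrictive of
# share and NTFS, so both layers say "read" for users and "full" only for admins.
New-SmbShare -Name $share -Path $path -ReadAccess $users -FullAccess 'BUILTIN\Administrators' | Out-Null

# Populate the share from the product CD as an administrator (Office 2000/XP):
#   <CD drive>:\setup.exe /a      and point the wizard at $path (or \\server\office2k$)

# Verify both layers before handing the path to the workstations.
Get-SmbShareAccess -Name $share | Select-Object AccountName, AccessRight
(Get-Acl -Path $path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The verification output is the part to keep: if a later administrator "fixes" a failing first-run by granting Modify on the share, that shows up here as an extra ACE before it shows up as a problem.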
I consult for travel agencies who have to deal with "software as a service" daily. One such application is a "thin client" to some web fare searching service.
Hm, come to think of it, all of the apps I've bounced for lack of security were thin clients.
But when a web service does an update, my agents have to re-log on because the old cookies don't work, and they forget passwords. They have to figure out where the web app developers moved their buttons, which new keystrokes they have to use, what airlines no longer work with the service (because they unsubscribed in disgust)...
And I have to explain to these agents that I have no control over it and I can't fix it. All I know is connectivity to their site works and I've made sure the web browser's up to date.
Oh, and I really love the sites that "require IE5 or Netscape 4" and won't work with IE6 or Netscape 7.1 because they're using some undocumented Javascript features that aren't supported in newer browsers. Or their old programming tricks that "kinda worked" in older browsers but don't work in newer ones for security reasons.
The US Government and its various agencies have to be one of Microsoft's biggest group of clients! I believe they'll let them run XP without registering or "activating," and give them special product keys for the purpose, just to keep their business.
Or if they really insist on running Win2K until 2010, then I should be happy because that means I won't have to upgrade for another six years! MS will have to keep supporting it. :-)
Windows game authors are the laziest when it comes to designing for security... ok, they're second only to travel software companies.
My vote for Best Mod would be the one that lets me play UT without requiring Power User or Administrator access on XP or Win2K. That way I could set up an internet cafe / LAN party place without having to worry if the customers wreck the machines.
I mean come on. If I can fix Quake II, then the makers of UT can fix UT. Or a talented mod author can.
"Microsoft can use the software and capabilities they already have to allow badly behaved software to run "
I'll bet you'd be surprised what they already do to get "badly behaved" software to run - allowing multiple versions of the same DLL to coexist, loading the "right one" for the "right program," for example. That's an XP SP2 feature that's supposed to end "DLL Hell."
"DLL Hell" is no one's fault except the developers whose software depends on "undocumented" or "broken" features.
How about memory protection? An ancient capability intended to stop broken programs from breaking other programs. "A software fix in hardware, punishing good code because bad code exists," was the explanation I remember. Amigas could multitask without memory protection, and more efficiently, I recall. No one in the Amiga community let bad code go unpunished.
I'm trying to fix broken behaviour here, not create workarounds to let broken behaviour continue.
No, this is a fault of the game authors. Windows supports gaming technologies for Limited Users just fine. See Pan-Am's testing page for an example.
One thing common of all those Microsoft games, was that Microsoft didn't develop them - they contracted a third party to do it. Check the credits and splash screens to see for yourself. OK, with the exception of Flight Simulator, and even that was done by someone else at one point. Fault Microsoft for not enforcing their own rules on their contractors, but fault the contractors too!
So, what do you think will happen if it can be proven that the copy-protection methods the Content lobbies (RIAA/MPAA/BSA) are using are a threat to Homeland Security?
heh, beautiful. I've been looking for a good excuse to tell clients not to use Intuit Quickbooks - that thing requires Power User access just for its copy protection scheme. "It's a terrorist threat by Intuit to force you to compute insecurely!"
Their competition, Simply Accounting, works just fine as a limited user.
And DirectX, OpenGL work fine as a Restricted User. See Pan-Am's testing page for an example.
(Shamelessly copied from my writeup at everything2.com: http://www.everything2.com/index.pl?node_id=1679659)
It's called "The Limited User."
At least current and supported versions of Windows have this. Even home users with XP Home can use this powerful safety guard built into Windows since Win2K effortlessly. It's all the other software vendors, who write apps not designed for current versions of Windows, I'm worried about!
http://www.pan-am.ca/newsletter/
Wasn't iLoveYou the worst virus ever? Or Stages? Or Melissa? Or Nimda? Or the "Good Times" virus? This one will fall into obscurity, too.
At least in the eyes of my clients.
OpenOffice still has problems with limited users and multiple users on XP. And AbiWord last I read requires Administrator access on Win2K to run.
Have these been fixed? And without any voodoo installation that each user has to perform MANUALLY in order to use the thing?
There are home usage benefits that come from designing for security as well. What if I don't want my niece installing Kazza on my living room PC?
The Internet Cafe is but one example where designing for security has benefits.
"The number of different *NIXs makes it tedious to create viable exploits."
Not to mention tedious to create viable applications.