[ISN] Vista security overview: too little too late

From: InfoSec News (alerts@private)
Date: Wed Feb 21 2007 - 23:07:51 PST


http://www.theregister.co.uk/2007/02/20/vista_security_oversold/

By Thomas C Greene in Dublin
20th February 2007

Review: Microsoft has gone out on a limb to promote Vista not merely as 
"the most secure version of Windows ever" (every recent version is 
marketed with that tired slogan), but for the first time as an 
adequately secure version of Windows. "We've got the message and we've 
done our homework", the company says. So let's see if the reality lives 
up to the marketing hype.

As Billg likes to point out, Windows is the platform on which 90 per 
cent of the computing industry builds, and this naturally means that 
it's the platform on which 90 per cent of spyware, adware, virus, worm, 
and Trojan developers build. That translates into 90 per cent of botnet 
zombies, 90 per cent of spam relays, 90 per cent of spyware hosts, and 
90 per cent of worm propagators. In a nutshell, Windows is 
single-handedly responsible for turning the internet into the toxic 
shithole of malware that it is today.

That's not going to change any time soon, no matter how good Vista's 
security might be, but a version of Windows with truly adequate security 
and privacy features would certainly be a step in the right direction.

And indeed, there have been improvements. For one thing, IE7, at least 
on Vista, is no longer such a dangerous web browser. It may still be the 
buggiest, the most easily exploited, and the most often exploited 
browser in internet history, and probably will be forever, but it has 
become safer to use, despite its many shortcomings. This is because MS 
has finally addressed IE's single worst and most persistent security 
blunder: its deep integration with the guts of the system.


Browser woes

At last, MS has, in a sense, sandboxed IE on Vista. In IE7's new 
protected mode (Vista only), which is enabled by default, IE is 
restricted from writing to locations outside the browser cache without 
the user's consent, even if the user has admin privileges. IE is 
essentially denied write access to the wider file system and to much of 
the registry. Hallelujah.

To oversimplify this, IE7 protected mode runs as a low-integrity process, 
and Vista's mandatory integrity control forbids a low-integrity process 
from writing to anything labelled medium or high, which is nearly all of 
your profile and the registry. Any process IE launches inherits the low 
label, as does each child process that one spawns, so code that gets 
running inside the browser stays boxed in. Note that the label limits 
writes, not reads: a low-integrity IE can still read most of your files. 
This helps to reduce the impact of malware on the system overall. 
However, there is a brokering mechanism that enables users to download 
files to any location they have access to, or to install browser plugins 
and extensions, and the like. So users are still invited to make a mess 
of their systems, and no doubt many will, while Microsoft has a chance to 
shift blame away from itself.

However, IE7 on Vista does still write to parts of the registry in 
protected mode. And it appears to write to parts that MS says it won't. 
The company says that "a low integrity process, such as Internet 
Explorer in Protected Mode, can create and modify files in low integrity 
folders". We are assured that such low integrity processes "cannot gain 
write access to objects at higher integrity levels". And again, MS 
emphasises that a low integrity process "can only write to low integrity 
locations, such as the Temporary Internet Files\Low folder or the 
HKEY_CURRENT_USER\Software\LowRegistry key".

So I tested this assurance. I ran IE in protected mode, typed a URL into 
the location bar and went there. Then I opened regedit, and searched for 
a string of text from that URL.

Sadly, IE7 is still stashing typed URLs in the registry, and not in the 
...\LowRegistry location, either. I found them in 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs (if you 
want to fix this, navigate to the key in the left-hand pane of regedit, 
delete the url1, url2, ... values in the right-hand pane, then right 
click the key, choose Permissions, and deny Set Value for your own 
account and any other account listed. Changing the permissions on its 
own removes nothing; it only stops IE from refilling the key, which is 
why the values get deleted first).
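The same check and clean-up, as an added PowerShell example that is not part of the review: it reproduces the regedit search for a typed URL, deletes the stored values, and then denies the current account write access to the key so IE cannot repopulate it. The Low cache path is the Vista default location; the mandatory label that icacls prints on it is what Protected Mode is allowed to write to.

```powershell
# Added example (not from the review). Run it in the account whose IE
# profile you want to inspect; locking the key needs no elevation because
# the key lives in your own hive.
$typed  = 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'
$lowKey = 'HKCU:\Software\LowRegistry'
$lowDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Low'

# 1. Show the integrity label on the one folder Protected Mode may write to.
#    icacls prints it as "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)".
icacls $lowDir | Select-String 'Mandatory Label'

# 2. Search the typed-URL history for a string, as the review did in regedit.
#    IE stores the entries as values named url1, url2, ... under the key.
function Find-TypedUrl {
    param([Parameter(Mandatory = $true)][string]$Pattern)
    if (-not (Test-Path $typed)) { return @() }
    $props = Get-ItemProperty -Path $typed
    $props.PSObject.Properties |
        Where-Object { $_.Name -like 'url*' -and $_.Value -like "*$Pattern*" } |
        ForEach-Object { New-Object PSObject -Property @{ Name = $_.Name; Url = $_.Value } }
}

# 3. Delete every urlN value (the review reports the Delete Browsing History
#    dialog leaves them behind).
function Clear-TypedUrl {
    if (-not (Test-Path $typed)) { return }
    (Get-Item $typed).GetValueNames() |
        Where-Object { $_ -like 'url*' } |
        ForEach-Object { Remove-ItemProperty -Path $typed -Name $_ }
}

# 4. Deny the current user the right to create values or subkeys. An ACL
#    change does not remove existing values, which is why step 3 runs first.
#    Remove the deny rule again (or take ownership) if you ever want it back.
function Lock-TypedUrlKey {
    $acl  = Get-Acl -Path $typed
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    $deny   = [System.Security.AccessControl.AccessControlType]::Deny
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $me, $rights, $deny
    $acl.AddAccessRule($rule)
    Set-Acl -Path $typed -AclObject $acl
}

Find-TypedUrl -Pattern 'theregister'
Clear-TypedUrl
Lock-TypedUrlKey
# For comparison, the location MS documents as the low-integrity one:
Get-ChildItem $lowKey -ErrorAction SilentlyContinue
```

The deny rule covers only Set Value and Create Subkey, so you keep Read and Change Permissions on your own key and can reverse the change; a blanket Deny on the key would also stop you from reading it.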

No doubt one of those brokering mechanisms decided to write to that 
location, because a URL hardly carries the risk of causing malicious 
activity. So it's "safe", at least to some. But I wasn't asked if IE 
could write anything there. It was done automatically. And this 
behaviour does carry a security risk, if, like me, you think that user 
privacy and data hygiene are at all related to computer security. 
Surely, users should not have to hack their registry merely to purge 
their browser's data traces once and for all.

Next, there is IE7's anti-phishing filter gimmick. I disabled it almost 
immediately. It's very showy and it says, "Message: We Care", but I 
found it more irritating than actually helpful. I think a lot of users 
will disable it, and trust their instincts instead. Remember, if you put 
your mouse pointer over a link, the actual URL will be displayed in the 
status bar. The link may say Bank of America, but if the actual URL is 
http://123.231.123.231/bankofamerica.com/u/0wn3d/dummy/ then it should 
be pretty clear that it's a dodgy link.
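The status-bar check described above, mechanised as an added PowerShell example that is not from the review: given the URL a link really points to and the brand the link text claims, it reports the tells in the review's example (a raw IP host, the brand's domain stuffed into the path) plus two more a practitioner would check (the host is neither the brand's domain nor a subdomain of it, and the link is not HTTPS). The brand-to-domain table is illustrative, not a complete list.

```powershell
# Added example (not from the review). The brand table is a placeholder;
# extend it with the sites you actually bank with.
$brandDomains = @{
    'bankofamerica' = 'bankofamerica.com'
    'paypal'        = 'paypal.com'
}

function Test-SuspiciousLink {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [Parameter(Mandatory = $true)][string]$ClaimedBrand
    )
    $reasons = @()
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return ,@('not an absolute URL')
    }
    $hostName = $uri.Host.ToLowerInvariant()
    $expected = $brandDomains[($ClaimedBrand.ToLowerInvariant() -replace '\s', '')]

    # Tell 1: a bank does not live at a bare IP address.
    if ($uri.HostNameType -eq [System.UriHostNameType]::IPv4 -or
        $uri.HostNameType -eq [System.UriHostNameType]::IPv6) {
        $reasons += 'host is a raw IP address'
    }
    if ($expected) {
        # Tell 2: the real site is the brand's domain or a subdomain of it;
        # "bankofamerica.com.evil.example" is neither, because the check is
        # on the end of the host name, not on whether the brand appears in it.
        if ($hostName -ne $expected -and -not $hostName.EndsWith('.' + $expected)) {
            $reasons += "host '$hostName' is not $expected or a subdomain of it"
        }
        # Tell 3: the brand's domain placed in the path to look right at a glance.
        if ($uri.AbsolutePath.ToLowerInvariant().Contains($expected)) {
            $reasons += 'brand domain appears in the path, not the host'
        }
    }
    # Tell 4: a login link for a bank should be HTTPS.
    if ($uri.Scheme -ne 'https') { $reasons += 'not HTTPS' }
    return $reasons
}

# The review's own example URL, and a legitimate link for comparison.
Test-SuspiciousLink -Url 'http://123.231.123.231/bankofamerica.com/u/0wn3d/dummy/' -ClaimedBrand 'Bank of America'
Test-SuspiciousLink -Url 'https://www.bankofamerica.com/login/' -ClaimedBrand 'Bank of America'
```

An empty result means none of the tells fired; it is not proof the link is safe, only that the cheap checks a status bar lets you do by eye have passed.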

IE7 also has a handy menu for deleting your history, cookies, cache, and 
so on. This is similar to the Mickey Mouse privacy utility in Firefox. 
Remember that these data traces are not securely wiped, but merely 
deleted. They remain on your HDD until they happen to be overwritten. 
Firefox will let you delete all that stuff automatically each time you 
exit; IE won't: you have to do it manually. And remember, with IE your 
typed URLs are in the registry, where they definitely don't belong, and 
this utility won't purge them. Oh, and you have to enable User Account 
Control (UAC) for IE's protected mode to work. Not everyone is going to 
want to do that, as we will see later.

IE sorely needs cookie and image management like Mozilla's, allowing 
third-party or off-site images to be blocked, and allowing users to set 
all cookies to be deleted on exit. IE will allow you to block 
third-party cookies in the advanced section of the cookie management 
options, although the default is to allow them. There is no setting to 
block third-party images, unfortunately, which means that you can't 
avoid web bugs, or web "beacons" as marketing droids like to call them. 
IE also won't let you set cookies to be deleted on exit. IE7 will 
happily block cookies from websites that don't have a "compact privacy 
policy", a meaningless cookie policy statement that any malicious 
website could easily have. But this is something MS has been involved 
with, so they're all excited about it, even though it's rubbish. 
Unfortunately, they encourage users to depend on it, which is worse 
rubbish.

The default security settings for IE are basically sensible and I would 
change only a few, and this is the first time I've ever said that. I 
would tighten things up just a bit, disabling MetaRefresh, disabling 
"Launching programs and files in an IFRAME", disabling "websites in less 
privileged web content zone can navigate into this zone", and disabling 
Userdata Persistence. Otherwise, IE7 on Vista offers a decent compromise 
between security and usability. The privacy conscious are, as always, 
encouraged to use Mozilla for browsing instead, and leave IE in its 
default configuration, to be used solely for manual sessions with 
Windows Update.
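The four changes recommended above, applied with PowerShell as an added example that is not from the review. IE keeps per-zone settings as DWORD values under the user's Internet Settings key; Zones\3 is the Internet zone, the numeric value names are the documented zone-setting IDs (KB 182569) for the four features named, and 3 means Disable (0 is Enable, 1 is Prompt). The script reports the current state before and after.

```powershell
# Added example (not from the review). Per-user settings only; a policy
# under HKLM:\...\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
# would override them, and this script does not touch policy keys.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Disable = 3
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Zone-setting IDs for the four features the review says to turn off.
$wanted = @(
    @{ Id = '1608'; Name = 'Allow META REFRESH' },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME' },
    @{ Id = '2101'; Name = 'Web sites in less privileged web content zone can navigate into this zone' },
    @{ Id = '1606'; Name = 'Userdata persistence' }
)

function Show-ZoneSettings {
    foreach ($s in $wanted) {
        $cur = (Get-ItemProperty -Path $zone -Name $s.Id -ErrorAction SilentlyContinue).($s.Id)
        if ($null -eq $cur) {
            $state = 'not set (zone default)'
        } else {
            $state = $label[[int]$cur]
            if ($null -eq $state) { $state = "value $cur" }
        }
        '{0}  {1,-22} {2}' -f $s.Id, $state, $s.Name
    }
}

function Disable-ZoneFeatures {
    foreach ($s in $wanted) {
        Set-ItemProperty -Path $zone -Name $s.Id -Value $Disable -Type DWord
    }
}

Show-ZoneSettings
Disable-ZoneFeatures
Show-ZoneSettings
```

Open Internet Options afterwards and confirm the Internet zone now shows "Custom" with those four items disabled; if it still shows the stock level, a policy key is winning over the per-user values.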


Spambuster?

Next up, we have the successor to Outlook Express, called Windows Mail. 
I always considered Outlook Express to be hands down the worst email 
client ever devised. Windows Mail is a little better. There now are 
half-decent junk mail controls and, of course, the famous anti-phishing 
filter. Email memos are now stored as individual files instead of in a 
database file, which means they can be searched faster, and email 
contents will show up in the Windows main search, which is either very 
handy, or a privacy nightmare, depending on what you get up to with your 
email. This type of storage also makes it easier for you to nuke 
messages with a wipe utility, either by wiping free space after 
deleting, or wiping them manually if you have the patience.

However, junk mail controls are awkward. Flagging memos as spam is a 
hassle; you do this in a list above the preview pane with the right 
mouse button, and then select from a list of actions. This can be quite 
tedious if you get a lot of spam, because one can't select several 
emails for the same action. There really ought to be a junk button that 
one can use to mark memos as spam and delete them with a single click, 
as there is with Thunderbird. It would be nice if the default rule for 
such a junk button were to be blocking the sender, rather than the 
sender's domain. One can always block a troublesome domain manually if 
need be.

Interestingly, an email from Microsoft Press Pass - a mailing list of 
self-congratulatory press releases for tech journos - was automatically 
flagged as spam. I find it hard to disagree with that call.

Memos can be displayed as HTML with all the risky stuff, such as online 
images and scripts, blocked. And Windows Mail doesn't give you a hard 
time about displaying all memos as plain text, which I recommend. Or 
rather, it displays lightly formatted text; you don't get the raw text 
as you do with Kmail, so links show up as they would in HTML, with the 
actual URL hidden. Now, with IE7, such links show up in the status bar 
as the full URL when you mouse over them, but in Windows Mail they 
don't. This should be fixed, because otherwise one is stuck relying 
solely on Microsoft's anti-phishing filter gimmick.

While not security related, I will note briefly that there is no 
undelete button or Edit menu option to undo a deletion, for those of us 
who tend to delete first and ask questions later.


Click yes to continue

Data Execution Prevention (DEP) is a feature from XP SP2 that kills a 
process when it tries to execute code from memory that is supposed to 
hold only data, such as the stack or the heap, which is exactly where a 
buffer overflow exploit puts its payload. Vista exposes a full-on setting 
that applies it to every process rather than just to Windows components; 
the out-of-the-box default on the client editions is the opt-in mode. It 
works with address space layout randomisation (ASLR), a new feature in 
Vista that loads system DLLs, executables built to allow it, and each 
process's stack and heap at unpredictable addresses, so an exploit can no 
longer count on knowing where code and data sit. Both are very good 
ideas, and should help reduce the impact of malware to some extent.

However, DEP, when full on, may cause a number of applications to crash, 
or interfere with their installation. I'm betting that a majority of 
users will opt for the more conservative setting, and this of course 
means less defense for everyone.
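As an added example that is not from the review, the checks a practitioner would run to see where DEP and ASLR actually stand: the machine-wide DEP policy as reported by WMI, and whether a given executable opted in to each mitigation. ASLR on Vista only relocates images whose PE header carries the DYNAMIC_BASE flag, and in opt-in DEP mode a 32-bit program is covered only if it carries NX_COMPAT (on 64-bit Vista, 64-bit processes always get DEP). The PE offsets are from the PE/COFF specification; the sample paths are Vista's stock locations for IE and Notepad.

```powershell
# Added example (not from the review). Read-only; the bcdedit line at the
# bottom is the one change, and it is left commented out.
$depPolicy = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-DepPolicy {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $depPolicy[[int]$os.DataExecutionPrevention_SupportPolicy]
}

# IMAGE_DLLCHARACTERISTICS flags in the PE optional header.
$DYNAMIC_BASE = 0x0040   # image may be relocated: ASLR opt-in
$NX_COMPAT    = 0x0100   # image is DEP-safe: DEP opt-in

function Get-ImageMitigations {
    param([Parameter(Mandatory = $true)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    $pe = [BitConverter]::ToInt32($b, 0x3C)             # e_lfanew: offset of "PE\0\0"
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x4550) {
        throw "$Path has no PE signature"
    }
    $opt   = $pe + 24                                    # 4-byte signature + 20-byte COFF header
    $magic = [BitConverter]::ToUInt16($b, $opt)          # 0x10B = PE32, 0x20B = PE32+
    # DllCharacteristics is at offset 70 of the optional header in both formats.
    $dllc  = [BitConverter]::ToUInt16($b, $opt + 70)
    New-Object PSObject -Property @{
        Path = $Path
        Is64 = ($magic -eq 0x20B)
        ASLR = (($dllc -band $DYNAMIC_BASE) -ne 0)
        DEP  = (($dllc -band $NX_COMPAT) -ne 0)
    }
}

"Machine-wide DEP policy: $(Get-DepPolicy)"
Get-ChildItem "$env:ProgramFiles\Internet Explorer\iexplore.exe", "$env:SystemRoot\System32\notepad.exe" |
    ForEach-Object { Get-ImageMitigations -Path $_.FullName } |
    Format-Table Path, Is64, ASLR, DEP -AutoSize

# To make DEP "full on" for every process (elevated prompt, then reboot):
#   bcdedit /set {current} nx AlwaysOn
# OptOut keeps it on for everything except programs you list in the DEP
# tab of System Properties, which is the practical middle ground when an
# old application falls over under AlwaysOn.
```

Run the PE check over the third-party programs you rely on: a program built without DYNAMIC_BASE sits at a fixed address no matter what the OS does, which is the kind of thing the "it works with ASLR" claim quietly depends on.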

User Account Control (UAC) is another good idea, because it finally, 
finally, finally allows the machine's owner to work from a standard user 
account, and still perform administrative tasks by supplying admin 
credentials as needed on a per-action basis. You know, the way Linux has 
been doing it forever.

This is one way of helping protect a multi-user system from being loaded 
with malware by users, and of ensuring that any malware on the system 
runs with reduced privileges. When you are in a user account and you 
wish to perform an administrative task, you will be prompted for the 
required credentials. The prompt itself is drawn on a separate secure 
desktop, with your normal desktop dimmed and frozen behind it, so that 
software running in your session cannot spoof the prompt, read what you 
type into it, or click its buttons for you.

Of course, it only works if everyone stays out of the admin account as 
much as possible, and if everyone with an admin password knows better 
than to install a questionable program with admin privileges. And 
there's the catch: "Windows needs your permission to install this 
cleverly-disguised Trojan nifty program. Click Yes to get rooted 
continue."

So you see that, here again, MS's security strategy involves shifting 
responsibility to the user.

UAC is all well and good in theory, but here's the problem: it's never 
going to work. And the reason why it's never going to work is because MS 
still encourages the person who installs Vista (the owner presumably) to 
run their machine with admin privileges by default. I was delighted, 
when I set up Vista for the first time, to be presented with an 
opportunity to set up a "user" account. But moments later, when I saw 
that I was not invited also to create an admin account, I knew that the 
"user" account I had just set up was indeed an admin account. And so it 
was.

Until MS gets it through their thick skulls that a multi-user OS needs a 
separate admin account and a user account for the owner, and that the 
owner should be encouraged to work from a regular user account as much 
as possible, UAC will never work as intended.

In fact, UAC is the most complained-about new feature of Vista, and most 
people are disabling it as soon as possible. Why? Because MS still 
encourages the owner to set himself up as the admin, and work from that 
account. And when you're running in an admin account, UAC is nothing but 
a bother. Every time you try to take an action, and this could be as 
simple as opening something in Control Panel, UAC dims your screen 
and pops up a little dialog asking you if you really want to do what you 
just did. A pointless irritant that will cause the vast majority of 
Vista users to disable UAC, because the vast majority of Vista users 
will, unfortunately, be running as admins, thanks to MS's stubborn 
refusal to try to put everyone into a user account to the extent 
possible.

And once UAC is disabled, all of its security enhancements are lost. 
Yes, the basic idea is good, but the implementation has been completely 
bungled.
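What the review says Setup should have done, done by hand as an added PowerShell example that is not from the review: create a separate administrator account, demote the everyday account to a standard user without locking yourself out, and read back the registry values that govern UAC so you can see whether it (and with it IE's protected mode) is still on. The account names are placeholders; run it from an elevated prompt.

```powershell
# Added example (not from the review). Account names are placeholders.
$adminAccount = 'owner-admin'
$dailyAccount = 'owner'

function Get-LocalAdmins {
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function New-SeparateAdmin {
    param([Parameter(Mandatory = $true)][string]$Name)
    net user $Name * /add                    # "*" makes net.exe prompt for the password
    net localgroup Administrators $Name /add
}

function Demote-ToStandardUser {
    param([Parameter(Mandatory = $true)][string]$Name)
    # Refuse to leave the box with no usable administrator. The built-in
    # Administrator account is disabled by default on Vista, so it does not count.
    $others = @(Get-LocalAdmins | Where-Object { $_ -ne $Name -and $_ -ne 'Administrator' })
    if ($others.Count -eq 0) {
        throw "No other administrator exists; create one before demoting $Name"
    }
    net localgroup Administrators $Name /delete
    # Every local account is already in Users, so nothing needs adding.
}

function Get-UacPolicy {
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $k
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC on; 0 = off, and Protected Mode with it
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 2 = ask admins for consent (Vista default)
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser   # 1 = ask standard users for admin credentials
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = dim the screen, prompt on the secure desktop
    }
}

New-SeparateAdmin -Name $adminAccount
Demote-ToStandardUser -Name $dailyAccount
Get-UacPolicy

# Which side of UAC the current token is on: "Medium Mandatory Level" for
# a standard user or a non-elevated admin, "High Mandatory Level" when elevated.
whoami /groups | Select-String 'Mandatory Level'
```

After the demotion, log the everyday account out and back in; group membership is read at logon, so the old token keeps its admin rights until then.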


A few irritating details

The default folder view options could be improved for the security 
conscious user. One should definitely not hide file extensions, as the 
default file view has it, because it is possible to spoof icons and use 
bogus extensions that can make executables appear to be other than they 
are. Yes, UAC and DEP are supposed to help with this, but DEP will be 
set to its lower setting, and UAC will be turned off, on the vast 
majority of Vista boxes, for reasons we've already discussed. And since 
it's very likely that you will still be running your Windows box as an 
admin, if you're going to open a file with Windows Explorer, you'd 
better look to see whether or not it's an executable, because it will 
run with your privileges. So, at a minimum, the folder view should 
default to showing file extensions. Even then, look at the name rather 
than the icon: an executable can carry whatever icon it likes, and 
Windows keeps the .lnk extension of shortcuts hidden regardless of that 
setting.
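The two halves of that advice as an added PowerShell example that is not from the review: switch extension hiding off for the current user, and sweep a folder for the names the trick relies on, an executable extension tucked behind a document one ("invoice.pdf.exe") or padded with spaces so the real extension scrolls out of view. The extension lists are a starting point, not a complete inventory, and the default folder is Vista's Downloads.

```powershell
# Added example (not from the review).
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-FileExtensions {
    # HideFileExt = 0 is the "Hide extensions for known file types" box unticked.
    # Open Explorer windows keep the old setting; new ones pick it up.
    Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
}

# Extensions Windows will execute, and document-like ones used as camouflage.
$execExt = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.lnk')
$docExt  = @('.pdf', '.doc', '.txt', '.jpg', '.jpeg', '.gif', '.png', '.zip')

function Test-DeceptiveName {
    param([Parameter(Mandatory = $true)][string]$Name)
    $ext = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    if ($execExt -notcontains $ext) { return $null }
    # Strip the real extension and look at what is left: "invoice.pdf" or
    # "photo.jpg          " are the tells.
    $inner    = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $innerExt = [System.IO.Path]::GetExtension($inner.TrimEnd()).ToLowerInvariant()
    if ($docExt -contains $innerExt) { return "executable disguised as $innerExt" }
    if ($inner -ne $inner.TrimEnd())  { return "whitespace padding hides $ext" }
    return $null
}

function Find-DeceptiveFiles {
    param([string]$Folder = "$env:USERPROFILE\Downloads")
    Get-ChildItem -Path $Folder -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $why = Test-DeceptiveName -Name $_.Name
            if ($why) { New-Object PSObject -Property @{ Path = $_.FullName; Reason = $why } }
        }
}

Show-FileExtensions
Find-DeceptiveFiles | Format-Table Reason, Path -AutoSize
```

A plain "setup.exe" is not flagged, and neither is an executable with a spoofed icon and an honest name; the scan catches the naming tricks, and showing extensions is what lets you catch the rest by eye.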

As usual, Windows enables far too many services by default. It would be 
a tremendous help if MS could somehow use its many wizards to enable 
only the services needed for each bit of hardware or software installed. 
That would take some effort on Microsoft's part, and on the part of 
device and software vendors, but the alternative so far has been to 
leave every single bell and whistle blaring. Unnecessary services waste 
RAM, and worse, those related to networking are a needless target for 
worms and other online attacks. Data hygiene

The start menu now offers the option of not storing or displaying a list 
of recently-accessed files and programs. This used to be a real 
nightmare for data hygiene. Finally, it's fixed.

Oh wait; it's not fixed. In fact, things just got a lot worse. There is 
the new "Recently Changed" entry, which will show up as one of your 
"Favourite Links" in the left-hand column of your home or user 
directory, and in Windows Explorer. It isn't really a directory at all 
but a saved search (it lives in your Searches folder as Recently 
Changed.search-ms) that asks the index for everything modified lately. 
And guess what: all the files you've been fiddling with recently will 
show up in it. Its contents are identical to the "Recent Documents" 
folder that Microsoft let you think you had shut off.

But worse, the contents of your recently-changed directory will not show 
up in main search, even if you use advanced search, and search 
"everywhere". So you might not even know it's there. And still worse, 
you can't empty this directory without deleting all of the files it 
points to, because what it shows you is the files themselves, not 
shortcuts to them. You can empty your "Recent Documents" folder, and 
only the pointers or links will be gone; you don't lose the actual files. 
But with this new gimmick, you've got an archive of all the files you've 
looked at, regardless of where you've buried them in the file system 
hierarchy in hopes of keeping prying eyes off them, and you can't empty 
it unless you want to say goodbye to the files themselves.

The worst part of this is that by offering the option to disable the 
list of recent files, MS has given users a false sense of privacy and 
security. The reality is that privacy and data hygiene are even more 
difficult than before. What a blunder.


Child safety first

Now there is some good news, finally. Vista ships with parental controls 
that are reasonably easy to implement. You can set up accounts for the 
kiddies, and prevent them using all sorts of programs, like email, chat, 
and IM, or even deny them internet access altogether if they're too 
young. One thing that I like is the ability to prevent the little porn 
fiends from downloading files via IE7. But remember, if you have any 
other browsers loaded on the system, you must disable them all 
individually via the parental controls, because download blocking only 
works with IE.

The basic setup is sensible and allows for fine-tuning depending on each 
child's level of maturity and responsibility. And parents can schedule 
regular reports on their children's internet use.

Now, parental controls and filtering are all well and good, but we 
should beware of any false sense of security they might encourage. In a 
recent Today Show interview, Billg dilated glowingly about 
Vista's new parental control centre; but we should remember that it's 
merely a tool, not a solution. Parental controls are not a substitute 
for adult supervision. The internet is adult space, and so it should 
remain. Nothing sends my blood pressure into aneurysm territory faster 
than talk of legislation that would make the internet safe for children. 
The internet has been created by adults for adults, and children 
venturing online simply have got to be supervised, either by a parent or 
by a mature and responsible older sibling. Filtering is not a panacea.


Package deal

Now, for the Vista Security Centre. This has been controversial, 
involving MS in skirmishes with security software vendors who claim that 
Vista's built-in product is anti-competitive.

I'm not sure why anyone would worry. The Security Centre doesn't do very 
much except remind users, "Message: We Care". It's a little craplet with 
a stereotypical icon that looks like a shield, and it simply informs you 
of whether or not the firewall is on, whether or not you've got 
anti-virus software installed, and so on. It is integrated with an 
improved version of the malicious software removal tool, or anti-spyware 
tool, in the form of Windows Defender.

There's nothing much in Security Centre that XP SP2 doesn't have, except 
a warning that you've turned off UAC. It's something that one might wish 
to run or consult after installation, and maybe once a month thereafter. 
But it's on all the time, ready to harangue you, and it's rather 
difficult to make it go away.

It doesn't contain AV software, but a query for further information on 
virus issues will bring you to this web page, where MS recommends the 
vendors it thinks are ready to handle Vista (McAfee is notably absent). 
Nor does it have a packet filter (firewall) with many features. It's not 
too bad to configure, but third-party packet filters offer many more 
options in terms of notification and controlling individual 
applications. I noticed one exception in the default firewall 
configuration that I didn't care for, for allowing remote assistance. I 
don't think that should be allowed unless you're actually using remote 
assistance.
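Two checks for the points raised above and in the earlier complaint about needless network services, as an added PowerShell example that is not from the review: list what is actually listening on the network and which process and service own each port (Vista has no Get-NetTCPConnection, so this parses netstat), then disable the Remote Assistance firewall exception and refuse Remote Assistance invitations at the feature level until you need them. The firewall and registry changes need an elevated prompt; the rule group name is the one Vista's firewall uses for its Remote Assistance exception.

```powershell
# Added example (not from the review).
function Get-ListeningPorts {
    # Map service PIDs to service names, since several services share one svchost.
    $svcByPid = @{}
    Get-WmiObject -Class Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
        $key = [int]$_.ProcessId
        if ($svcByPid.ContainsKey($key)) { $svcByPid[$key] += ",$($_.Name)" } else { $svcByPid[$key] = $_.Name }
    }
    # netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
    netstat -ano | Select-String '^\s*TCP\s.*LISTENING' | ForEach-Object {
        $f = $_.Line.Trim() -split '\s+'
        $owner = [int]$f[4]
        $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '?' }
        $svc  = if ($svcByPid.ContainsKey($owner)) { $svcByPid[$owner] } else { '' }
        New-Object PSObject -Property @{ Local = $f[1]; Pid = $owner; Process = $name; Service = $svc }
    }
}

# Parse "netsh advfirewall firewall show rule" output into objects, one per rule.
function Get-FirewallRules {
    $rule = $null
    $lines = netsh advfirewall firewall show rule name=all
    foreach ($line in $lines) {
        if ($line -match '^Rule Name:\s+(.*)$') {
            if ($rule) { $rule }
            $rule = New-Object PSObject -Property @{ Name = $matches[1].Trim(); Enabled = ''; Direction = ''; Grouping = '' }
        } elseif ($rule -and $line -match '^(Enabled|Direction|Grouping):\s+(.*)$') {
            $rule.($matches[1]) = $matches[2].Trim()
        }
    }
    if ($rule) { $rule }
}

function Disable-RemoteAssistance {
    # The firewall exception Vista enables for Remote Assistance by default.
    netsh advfirewall firewall set rule group="Remote Assistance" new enable=no
    # And the feature itself: the "Allow Remote Assistance invitations" box
    # on the Remote tab of System Properties.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' `
        -Name fAllowToGetHelp -Value 0 -Type DWord
}

Get-ListeningPorts | Sort-Object Local | Format-Table Local, Pid, Process, Service -AutoSize
Get-FirewallRules | Where-Object { $_.Grouping -eq 'Remote Assistance' } |
    Format-Table Name, Enabled, Direction -AutoSize
Disable-RemoteAssistance
Get-FirewallRules | Where-Object { $_.Grouping -eq 'Remote Assistance' } |
    Format-Table Name, Enabled, Direction -AutoSize
```

The listening-port list is the one to work from when deciding which default services to stop: a service that is running but not listening wastes RAM, as the review says, but only the listeners are reachable from the network.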

Windows Defender is certainly better than nothing; it monitors files for 
changes that can indicate malicious activity, and searches for known 
spyware. It is also integrated with IE7 to some extent. However, what 
constitutes spyware is a judgment call, and it's never a bad idea to use 
more than one anti-spyware/anti-adware product, in hopes that one will 
pick up what another overlooks. (And WD does seem to miss an awful lot 
of spyware.) I certainly wouldn't recommend depending solely on Windows 
Defender. But it's nice that it's there.


In a nutshell

So, what have we got here? An adequately secure version of Windows, 
finally? I think not. We have got, instead, a slightly more secure 
version than XP SP2. There are good features, and there are good ideas, 
but they've been implemented badly. The old problems never go away: too 
many networking services enabled by default; too many owners running 
their boxes as admins and downloading every bit of malware they can get 
their hands on. But MS has, in a sense, shifted the responsibility onto 
users: it has addressed numerous issues where too much was going on 
automatically and with too many privileges. But this simply means that 
the owner will be the one making a mess of their Windows box.

Data hygiene is still an absolute disaster on Windows. In fact, it's 
worse than it ever was in some ways, and that's very bad indeed. Browser 
traces still in the registry, heavy and complicated indexing to improve 
search, new locations where data is being stored. It all adds up to a 
privacy nightmare. Keeping a Vista box "clean" is going to be impossible 
for all but the most knowledgeable and fastidious users.

So don't rush out to buy Vista in hopes of getting much in return 
security-wise. I do like some of the changes, at least in theory, or as 
a decent platform on which to build an adequately secure version of 
Windows one day. But that day, if it ever comes, will be well in the 
future.

-=-

Correction I'm grateful to a Reg reader who pointed out an error in a 
previous edition of this story. I had stated incorrectly that IE7 
doesn't allow blocking third-party cookies. It defaults to accepting 
them, but can be made to block them.


______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss



This archive was generated by hypermail 2.1.3 : Wed Feb 21 2007 - 23:22:14 PST