Promised Vista security falls flat in betas

[unixronin]

We've been yearing for years now about Windows Vista, formerly called Longhorn, and how it's going to be so much more secure than previous versions of Windows and will prevent the kind of trivially-executed machine compromises that have plagued existing versions, leading to the creation by crackers of zombie botnets of tens of thousands of compromised PCs.

Symantec calls bullshit.

And no-one will be surprised to know that all the usual suspects are responsible:

"We discovered a number of implementation flaws that continued to allow a full machine compromise to occur," Matthew Conover, principal security researcher at Symantec, wrote in the report titled "Attacks against Windows Vista's Security Model."  The report was made available to Symantec customers last week and is scheduled for public release sometime before Vista ships, a Symantec representative said Monday.

Conover looked at the February preview release of Vista.  The report describes how an attacker could commandeer a Vista PC with Internet Explorer 7, the reinforced version of Microsoft's Web browser.  The final version of Vista is not expected to be broadly available until January.

The attack starts out by planting a malicious file on a Vista PC when a rigged Web site is visited.  The placing of the file involves using a specially crafted Web program called an ActiveX control, which exploits a security hole.  The report then describes how the malicious program could gain privileges and ultimately give an attacker full control of the PC.

Microsoft claims to have addressed the issues raised by Symantec.  But they've claimed a lot of things about Windows security before that have turned out to be false.

The biggest single thing Microsoft could do to improve the security of Windows is perfectly simple:  Decouple Internet Explorer from the operating system and rip the inherently insecure ActiveX out of it.  But Microsoft will never do it, because they're afraid of losing browser market share -- for a browser that they don't actually sell as a distinct product or make any money from anyway.

Comments

[ithildae.livejournal.com]

Messrs Balmer, Gates, and Co. are in a severe bind. They seem to have real competition. If they sacrifice backward compatibility, they lose application lock in, and the competition picks up market share. If they fail to implement security, they are no worse off than they are today.

The cruel fact of the situation today is that only those who understand technology really care about security. For most people and businesses, having to reinstall is factored into the cost of owning a computer.

Fraud risks to companies are covered by higher prices to all. That means the only consequence to better security is higher profit margins. Something desirable, but not necessary.

The bottom line is that Micro$loth has nothing to gain, and much to lose, by keeping promises of better security. Nothing to see here, move along...

[unixronin.livejournal.com]

The cruel fact of the situation today is that only those who understand technology really care about security. For most people and businesses, having to reinstall is factored into the cost of owning a computer.

The real cost isn't in reinstalls, nor only in fraud. It's in lost, stolen or destroyed data, man-hours spent repairing the damage, liability for disclosures of confidential information, and in people having to completely reconstruct their legal lives because their identity was stolen.

[ithildae.livejournal.com]

I agree. How has that impacted Micro$loth's bottom line? What is the impetus for change? I don't see anything significant for either answer.

Government should be the final guarantor of protections from identity theft. (Is this really me saying that?) Corporations are not properly concerned about it. However, government seems to be beholden to the major players in this fight. (Witness the stupidity in MA and the ODF "fight".)

I really feel a bit helpless in this conflict. But I absolutely do not expect Micro$loth to change it's proven behavior or tactics. They have a monopoly to lose. They will do anything to protect that. Even if that means leaving end users to the wolves.

"If you make yourselves into sheep, the wolves will eat you." -- B. Franklin

[unixronin.livejournal.com]

All sad, but true. Microsoft has gotten rich on peddling an OS that never saw a virus it didn't like.

[radarrider.livejournal.com]

With all due respect to Symantec, the Feb-CTP build is positively ancient compared with current builds. A lot has changed since then. As for decoupling IE from the OS, I think that's effectively what they're doing though I'd have to check with some contacts to be sure. Also, when it comes to ActiveX controls, the shipping version of IE7 on Vista will be handling them in a completely different way, such as where they install, what they can do, where they can and cannot put files, etc. They'll be isolated from the OS.

I'm not gonna say it will be perfect, I won't say there won't be flaws, but it *will* be much, much better than the Feb-CTP build.

[unixronin.livejournal.com]

That's good to hear. Just sandboxing ActiveX would be a big step forward.

[darthgeek.livejournal.com]

Wasn't that the entire impetus for ActiveX? Act like java without the security restrictions?

[unixronin.livejournal.com]

Well, that and "be under Microsoft's control, not Sun's" ... the good old Microsoft "Embrace and Extend Plagiarize and Pollute" standards philosophy. Microsoft wanted something that worked like Java, but which would lock people into Internet Explorer, and would do things that Java couldn't because it had access to the entire system, and feh, who needs all that stupid sandbox security stuff anyway .... after all, why SHOULDN'T untrusted content be given unrestricted access to everything on the machine? All those security restrictions get in the way of the Shiny.