Posted by Walter Dnes (delete the 'z' to get my real address) on June 6, 2005, 10:23 am
This has also been posted at http://tech_sec.blog.ca where my
musings about tech and security go.
Microsoft Windows desperately needs a browser-only browser
An open letter from a linux user to Bill Gates
==============================================
If you wonder why a linux user like me is concerned about Windows
security, let me point out that the vast majority of spam I block (and
that which I receive) comes from compromised Windows machines. Spam
amounts to a denial of service attack in many instances. Plus which,
the compromised Windows machines can be marshalled into botnets to
launch deliberate denial of service attacks. The following is not a
joke. It is intended as a constructive suggestion to solve a major
portion of Windows' security issues.
A *BROWSER*, not a *PROGRAM INSTALLER*
======================================
I was doing my weekly check for updates for my linux distro, when the
light dawned on me.
- when a linux user wants OS/software updated/patched/installed they
run emerge (Gentoo) or up2date (Redhat) or apt-get (Debian) or yast
(Suse), etc. These programs can go to a URL or IP address, get
instructions, and follow those instructions to update/modify/
reconfigure/install the OS and apps.
- when a Windows user wants OS/software updated/patched/installed they
run Windows Update, which is basically Internet Explorer. Internet
Explorer can go to a URL or IP address, get instructions, and follow
those instructions to update/modify/reconfigure the OS and apps.
So far so good.
- when a linux user wants to browse the web, they use Mozilla or
Firefox or Opera or Konqueror, etc, etc. These programs are capable
of browsing the web, and downloading files and/or rendering
graphics/sound/video as configured by the user.
- when a Windows user wants to browse the web, they use Internet
Explorer. Internet Explorer can go to a URL or IP address, get
instructions, and follow those instructions to update/modify/
reconfigure/install the OS and apps... oops.
What's wrong with this picture? That's right, Windows users are
"browsing" with an application that has the power to install programs
and reconfigure Windows. This is like giving your 12-year-old kid a
motorcycle instead of a bicycle. Yes, it'll get him from point A to
point B like a bicycle, and it's a lot faster, but it's also a lot more
dangerous.
Porn dialers, spam-spewing trojans, password/creditcard-number
sniffers, etc, are installed from rogue web sites using the same
functionality by which updates and patches are installed from
www.microsoft.com. The "bad guys" are using the same facilities as the
"good guys". Since Outlook and Outlook Express are basically glorified
front ends for Internet Explorer, emails effectively become web pages,
and email too can update/modify/reconfigure/install the Windows OS and
apps.
The Principle of Least Privilege
================================
The reason that Mozilla/Firefox/Opera etc aren't exploited anywhere
near as much as IE is because they simply *LACK THE ABILITY TO
RE-CONFIGURE THE OS*. It is theoretically possible to compromise them,
and then try to force privilege-escalation to get root-level access.
But it's a lot more difficult than using Internet Explorer, which
already has the power designed in to re-do the entire OS and install all
sorts of applications.
Microsoft has devoted a lot of fruitless effort to authentication, i.e.
preventing "the bad guys" from using these facilities, whilst allowing
"the good guys" to use IE's powers. But "toolbars" and porn-dialers and
spam-spewing trojans keep getting installed. The answer is not
additional patches on top of patches on top of a powerful installer
program posing as a web-browser. The real answer is a brand-new browser
for Windows that is incapable of wreaking havoc in the first place.
That's right, a *WEB BROWSER* whose only function is to *BROWSE* and
display websites (including streaming media). I have no problems with
the user being able to manually download files, as long as it's manual,
not auto-download, and *NOT* accompanied by auto-install.
A natural time to make this major security correction would be with
the introduction of Longhorn. Microsoft should hard-code IE-Longhorn to
only be able to go to the Windows update site... period... end of story.
And then come up with a new de-fanged *BROWSER* (no Active-X please).
Or, if Microsoft can't do it right, don't do it at all. Include
Netscape/Mozilla/Firefox or Opera with Windows, and get the hell out of
the way.
A bad idea is a bad idea is a bad idea
======================================
One trend I'm extremely concerned about is that of other software
publishers embracing the concept of single-click-install or even
auto-install of applets whilst browsing. I'm talking about
Mozilla/Firefox Extensions and Apple's Widgets following in the
footsteps of Microsoft's Active-X controls. *WHAT WERE THEY THINKING
WHEN THEY DID THAT*?!?!? Let me re-phrase the question... *WERE THEY
THINKING WHEN THEY DID THAT*?!?!? This is an extremely bad idea from
the security point of view. It's a bad idea when Microsoft does it;
it's a bad idea when the Mozilla Foundation does it; it's a bad idea
when Apple does it. It's a bad idea... period... end of story.
Quickie installs are abuses begging to happen. If someone wants an
applet, they should download it, exit the browser, and install it. The
concept of a toolbar, or applet, or fancy cursor, or 1-900-dialer simply
appearing out of the blue when I visit a malicious website is just plain
wrong. It's my computer, and I'll decide what software gets installed
on it, dammit.
--
Walter Dnes; my email address is *ALMOST* like wzaltdnes@waltdnes.org
Delete the "z" to get my real address. If that gets blocked, follow
the instructions at the end of the 550 message.
Posted by Tony Lawrence on June 6, 2005, 7:37 am
Walter Dnes (delete the 'z' to get my real address) wrote:
> What's wrong with this picture? That's right, Windows users are
> "browsing" with an application that has the power to install programs
> and reconfigure Windows. This is like giving your 12-year-old kid a
> motorcycle instead of a bicycle. Yes, it'll get him from point A to
> point B like a bicycle, and it's a lot faster, but it's also a lot more
> dangerous.
Microsoft is planning changes for Longhorn. Google for Least-Privilege
User Longhorn.
My suspicion is that it's not going to work. App developers are already
capable of using the procedures Microsoft wants them to embrace for
Longhorn, but very few do. I doubt that will change; the ingrained
culture is too deep. Microsoft recognizes that too, so they've put in
two things to answer that problem: AIM and PA. AIM (Application Impact
Management) intends to sandbox user run apps that want to write to
system areas by giving them a copy of what they think they are writing
to. That might work for some apps, but I bet it will break plenty of
others. PA (Protected Administrator) lets you run as an admin user, but
requires apps you run to be "blessed" or they don't inherit your
privileges. I can see problems with that too, and really suspect that's
what many users (and almost all home users) will end up running under.
I see that as the Achille's heel of what Microsoft wants to accomplish
with Longhorn.
However, I could be totally wrong. AIM might break very few apps, and
the PA mode might turn out to be as safe as it is intended to be. I'm the
pessimistic sort though... :-)
--
Tony Lawrence
Unix/Linux/Mac OS X resources: http://aplawrence.com
Posted by Moe Trin on June 6, 2005, 11:29 am
In the Usenet newsgroup comp.security.misc, Walter Dnes (delete the 'z' to get my real address) wrote:
> Microsoft Windows desperately needs a browser-only browser
Huge disadvantage - that would nearly double the number of applications
a windoze user would have to "learn".
> I was doing my weekly check for updates for my linux distro, when the
> light dawned on me.
Part of that is training, and Linux (or *BSD) users are not immune from
the same problem as windoze users. Long before Gentoo existed, before
Red Hat created their Red Hat Network, we had a 'cron job' that checked
the errata web pages (there used to be one, then three) for new errata.
Another cron job would FTP into the errata server, and get a file listing
sorted by date - showing the most recent files. The new errata were mailed
to the sys-admin, and the new files were downloaded to a quarantine area.
After review of the errata and files, the updated packages were relocated
to a local update server, and a nightly cron job on all of the systems would
install the update. Relatively painless, but beyond the skill level of many
Linux/*BSD users. Windoze users wouldn't even start to understand the concept.
Microsoft knows that users are way over their skill level trying to update
a computer, and provided a mechanism to automatically check for updates,
and optionally install them. This mechanism seems to have problems, because
instead of only updating existing programs from known sources, it seems
trivial to fool into installing malware as well. This is _PROBABLY_ a user
training issue, coupled with the usual "damn the torpedoes, just make it work"
philosophy - a recipe for disaster if ever there was one.
Some Linux distributions have followed this model - I think Red Hat or
Conectiva started it, and other distributions picked up on the idea and
adopted something functionally similar. The "popular" distributions are
tailoring their version of the O/S and desktop into a windoze friendly
operation, and this means automating a lot of the complex technical stuff.
If someone wants to describe that as "lowering the bar", then so be it.
This update problem is made even worse by the perceived quality control
problem that burdens Microsoft. First, they seem to take their own sweet
time to bring out updates (readers of the Bugtraq mailing list could cite
tens of thousands of cases), and when AND IF they finally do bring out an
update, users receive conflicting advice to "Update NOW" and "Don't
update until we see what all it's going to break, and if there is a work-
around for the resulting disaster". Remember the "Slammer" (aka Sapphire)
worm that went through microsoft.com like a dose of mercury salts back in
January 2003 because no one there wanted to install an update from six months
earlier because it broke too much stuff.
There are two fundamental reasons why automating software installs is
less of a problem for Linux/*BSD. First, the users tend to be more
technically aware - and proof of this can be had by counting the readers
in this newsgroup (windoze is the dominant O/S - yet why are there so many
posters using O/S other than windoze?).
The second reason is that Linux/BSD updates as used by the ordinary user
come from just one place - the distributor (Red Hat, Mandriva, SuSE, or
whatever), RATHER THAN from the O/S distributor (Microsoft), the anti-virus
distributor, the anti-trojan distributor, the anti-spyware distributor,
and the many sites distributing those nifty tools (that contain malware)
that the users can't seem to live without. Microsoft has no idea where
you are going to be getting the updates for the after-market software that
is needed, and just lets everything happen to avoid the complaints
about the Internet being down. In short - Microsoft has painted themselves
into a corner, and don't care about the problems. After all, the sheep are
still buying the crap - so why change?
Old guy
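The cron-driven pipeline described in the post above (fetch a listing, pull new errata into a quarantine area, have an admin review them, then relocate approved packages to a local update server) is worth seeing as running code. The following is an added example written for this page, not the poster's scripts: it uses a local directory as a stand-in for the remote errata server, constructed package files, and a checksum manifest as the "after review" gate. The checksum step is an assumption added here; the post speaks only of review, not of hashes.

```shell
#!/bin/sh
# Added example (not from the thread): quarantine-then-promote update staging.
# Stage 1 runs unattended (cron): compare the date-sorted listing against the
# names already seen, copy new files into quarantine, and print their names so
# a wrapper can mail them to the sys-admin.
# Stage 2 is manual: after review the admin appends the package's sha256 to an
# approved manifest; only then does promotion copy it to the update server.
set -eu

WORK="${WORK:-$(mktemp -d)}"
MIRROR="$WORK/mirror"          # stand-in for the remote errata FTP server
QUARANTINE="$WORK/quarantine"  # where unreviewed downloads land
UPDATES="$WORK/updates"        # the local update server the nightly cron reads
SEEN="$WORK/seen.txt"          # filenames already fetched
APPROVED="$WORK/approved.sha256"  # "hash  filename" lines written by the admin
mkdir -p "$MIRROR" "$QUARANTINE" "$UPDATES"
: > "$SEEN"
: > "$APPROVED"

# Constructed sample packages standing in for the errata server's contents.
printf 'fix A\n' > "$MIRROR/pkg-a-1.0.rpm"
printf 'fix B\n' > "$MIRROR/pkg-b-2.1.rpm"

# list_new LISTING: print each name in the listing file not yet in $SEEN.
list_new() {
    while read -r f; do
        [ -n "$f" ] || continue
        grep -qxF -- "$f" "$SEEN" && continue
        echo "$f"
    done < "$1"
}

# quarantine_new LISTING: copy new files into quarantine, mark them seen,
# and print their names (the cron wrapper would mail this output).
quarantine_new() {
    list_new "$1" | while read -r f; do
        cp "$MIRROR/$f" "$QUARANTINE/$f"
        echo "$f" >> "$SEEN"
        echo "$f"
    done
}

# promote_approved NAME: move a quarantined file to the update server only if
# its sha256 matches the entry the admin recorded after review.
# Returns 1 if no approval exists, 2 if the file changed since approval.
promote_approved() {
    f="$1"
    want=$(awk -v n="$f" '$2 == n { print $1 }' "$APPROVED")
    [ -n "$want" ] || { echo "not approved: $f" >&2; return 1; }
    have=$(sha256sum "$QUARANTINE/$f" | awk '{ print $1 }')
    [ "$have" = "$want" ] || { echo "checksum mismatch: $f" >&2; return 2; }
    mv "$QUARANTINE/$f" "$UPDATES/$f"
}
```

Run it by calling `quarantine_new` on a listing file from cron, then, after reading the errata, approve a package with `(cd "$QUARANTINE" && sha256sum pkg-a-1.0.rpm) >> "$APPROVED"` and call `promote_approved pkg-a-1.0.rpm`. Nothing reaches the update server without that manual step, which is the separation between "download" and "install" the post relies on.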
Posted by speeder on June 6, 2005, 4:49 pm
On 06 Jun 2005 10:23:02 GMT, "Walter Dnes (delete the 'z' to get my real address)" wrote:
<snip>
> - when a Windows user wants to browse the web, they use Internet
> Explorer. Internet Explorer can go to a URL or IP address, get
> instructions, and follow those instructions to update/modify/
> reconfigure/install the OS and apps... oops.
>
> What's wrong with this picture? That's right, Windows users are
>"browsing" with an application that has the power to install programs
>and reconfigure Windows. This is like giving your 12-year-old kid a
>motorcycle instead of a bicycle. Yes, it'll get him from point A to
>point B like a bicycle, and it's a lot faster, but it's also a lot more
>dangerous.
<snip>
And if we remember when and why this happened I think it would give a
better picture on what really needs to be fixed.
It all started back when Microsoft was trying to defeat Netscape
Navigator by effectively sabotaging it under Windows. Eventually
Netscape Navigator capitulated but that wasn't the end of the story.
An anti-trust suit followed and Microsoft was bound to lose control
of its browser. In a desperate move (and one we regret to this day)
it decided to fuse Internet Explorer with the OS. "Nobody is going to
take it out now", so thought MS. And the rest of the story we know too
well.
I am astonished to see that these lessons have not been learned and
Microsoft continues to venture in territory much beyond the OS kernel.
What do you think is going to happen when it launches its pay-for
Anti-Spyware application? Then we will really be in trouble.
Instead of developing products that compete in the functional arena,
Microsoft should concentrate on making an OS that can bind it all
together. Look at the mess it has become to safely use the Internet.
We need anti-virus, anti-trojan, anti-worm, anti-script, firewall,
process protection, registry protection, encryption, and
authentication products! And the overlaps are killing productivity.
There should be underlying structure that allows all these
applications to safely and effectively do what they do. Microsoft
should not be competing with them but rather provide the platform so
they can do it effectively.
NTFS was a good step in the right direction but we need so much more.
Please, Microsoft, concentrate on what you know how to do best and let
others take care of the rest!