29. March 2008 12:35
I'm sure many of you have heard of the PWN to OWN contest... or maybe not. The basic premise is that three laptops running in a default but fully patched configuration, each with a different OS (Mac OS, Vista, Ubuntu), are connected to a network. Hackers then attempt to take over these machines remotely. If they succeed, they keep the laptop and win $10,000 for their efforts.
The rules for the contest are that the exploit must take advantage of a 0-day vulnerability (one that is unknown to the general security community and to the software vendors), and it must be used to read a file on the disk. They are a bit light on the details, but one has to assume that the file is readable by the user logged into the machine at the time of the hack. This point becomes very important later in my post.
I spent much of yesterday e-mailing my favorite Mac fanboys and gleefully telling them that the Mac had been hacked first. While none of the laptops could be compromised remotely without user action, the people running the contest allowed for "luring" attacks where users on the laptops were encouraged to open e-mails, visit web sites, etc.
The Mac was brought down by Safari, Apple's web browser, which is the default and most popular web browser on the Mac.
I awoke this morning to find that the Vista machine was next to fall. This was surprising, as I was pretty confident that Vista would survive all the attempts against it... partly because I didn't read the full contest rules. Apparently, popular 3rd party apps were happily installed on the machine.
While I don't have the details of the hack (because they didn't provide them), I have to assume that it was a 3rd party app that allowed the Vista machine to be compromised. Why? Well, because the details given of the hack point all fingers at Firefox.
(UPDATE: This might not be true, see updates at the end of the post.)
Technically, it was Flash that allowed the Vista machine to be compromised. Some unknown exploit in Flash (probably a buffer overflow) allowed the hacker to read the file in question. But wait... IE 7 on Vista has a great feature called Protected Mode. Protected Mode runs IE as the same logged-in user, but with a process token carrying the Low mandatory integrity level. Everything in the user's profile and HKCU is labelled Medium by default, and Vista's no-write-up policy stops a Low process from writing to it. If there is a bug in IE, or in a plugin (like Flash) running within IE, the attacker's code is stuck at Low integrity: it can't modify the user's files or registry, install anything, or persist outside the handful of locations explicitly labelled Low for IE's own use. One caveat matters for this contest: the default policy blocks writing up, not reading up, so a Low process can still read most of the user's files unless an object carries the stricter no-read-up label.
The announcement that the Vista machine was compromised specifically stated that it was a bug in Flash that was exploited. If Flash had been running inside Protected Mode IE, the attackers would have had to either find the target file readable from a Low-integrity process or pair the Flash bug with a separate 0-day privilege elevation for Windows. Since they mentioned neither (and I'm sure they would have, if an elevation was involved), the simplest explanation is that Flash was not running in IE.
So what was it running in? Well, the 2nd most popular browser on Windows is Firefox. Firefox has no Protected Mode, so any exploit in it, or in any of the plugins that it runs, gets the full rights of the logged-in user. The fact that it was Firefox is incidental, as it could have been any other browser (aside from IE). Indeed, the fact that it was a browser at all is also incidental. Virtually all applications that a user runs execute with the security privileges of that user. The only exceptions are code deliberately run under a sandbox policy (Java applets, partially trusted .NET code) and IE 7 on Vista.
So how, exactly, does this say anything about Vista security? In the case of the Mac, it was the default browser (written by Apple) that allowed the compromise. On Vista, it was almost certainly a 3rd party browser that runs with the full rights of the logged-in user, which the default browser does not. The exact same hack could have occurred on any OS in exactly the same way.
Indeed, Protected Mode is, so far, unique to IE on Vista. It is a security innovation that does not exist on any other OS or in any other browser. Microsoft identified IE as the primary attack vector for Windows, and invented a new security technology to defend against those attacks, even without knowing what they were going to be. It is a huge advantage to Vista... and one that apparently was handicapped, intentionally or not, to allow for Vista to be taken down before Ubuntu.
The goal of this contest was not to see which OS or vendor was more secure. (Although one can comfortably conclude that Apple got its butt handed to it.) So in that sense, the contest was a success. But many people will now conclude that Ubuntu is more secure than Vista, and this conclusion is absolutely not supported by what happened.
Update (3/29/2008 1:20 PM): A commenter on Slashdot suggests that Flash actually subverts Protected Mode by using its own brokering process. This allows the low-rights Flash plugin to make calls to a user-rights service which then performs user-level actions such as writing to files. If this is true, it makes me incredibly mad at Adobe. Instead of playing by the rules, they subverted them, and thereby exposed people to potential danger. If I could uninstall Flash, I would... but thanks to their virtual monopoly on a lot of web content, that's really not an option.
Update (3/29/2008 1:35 PM): The Slashdot commenter helpfully provided me with a blog post by the IE team in which commenters discuss ways to circumvent Protected Mode. One of them is indeed Flash, which uses the aforementioned brokering process. So now we're left with two distinct possibilities: either Firefox or some other non-Protected Mode browser was used, or there is an exploit in the brokering functionality of Flash. I think either is completely plausible. Regardless, I think my points still stand regarding how it's not fair to use this to condemn Vista security.
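To make the brokering problem from the two updates concrete, here is an added example (not code from the post, Adobe or Microsoft) that models a plugin stuck at Low integrity which can only reach the file system through a broker running with the user's rights. The directory names, the broker API and the sample requests are constructed for illustration. A broker that writes wherever it is asked hands the sandboxed code the user's full write access; a broker that canonicalises the path and confines it to a designated low-integrity area keeps the boundary intact.

```python
import tempfile
from pathlib import Path


class BrokerDenied(PermissionError):
    """Raised when the broker refuses a request from the sandbox."""


class PermissiveBroker:
    """Writes wherever the sandboxed caller asks. The broker runs with the
    logged-in user's rights, so the sandbox boundary collapses to nothing."""

    def write(self, requested_path: str, data: bytes) -> Path:
        target = Path(requested_path)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        return target


class RestrictedBroker:
    """Only allows writes beneath a directory reserved for low-integrity
    content (the analogue of the user's AppData\\LocalLow folder), after
    canonicalising the path so '..' segments and symlinks cannot escape."""

    def __init__(self, low_root: Path):
        self.low_root = low_root.resolve()

    def _canonical(self, requested_path: str) -> Path:
        # Joining an absolute path discards low_root, so resolve() plus the
        # relative_to() check also rejects absolute-path requests.
        candidate = (self.low_root / requested_path).resolve()
        try:
            candidate.relative_to(self.low_root)
        except ValueError:
            raise BrokerDenied(f"refused write outside low area: {requested_path}")
        return candidate

    def write(self, requested_path: str, data: bytes) -> Path:
        target = self._canonical(requested_path)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        return target


class SandboxedPlugin:
    """Stands in for a plugin at Low integrity: no direct file access, every
    write goes through whatever broker it was handed."""

    def __init__(self, broker):
        self.broker = broker

    def drop_file(self, path: str, data: bytes) -> Path:
        return self.broker.write(path, data)


def run_demo() -> dict:
    """Exercise both brokers in a scratch directory and report what the
    sandboxed code managed to write."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        documents = tmp / "Documents"   # stands in for the user's profile
        low_root = tmp / "LocalLow"     # the only area Low should touch
        documents.mkdir()
        low_root.mkdir()
        payload = b"@echo owned\r\n"

        # 1. Permissive broker: the plugin plants a file in Documents.
        evil = SandboxedPlugin(PermissiveBroker())
        evil.drop_file(str(documents / "startup.bat"), payload)
        results["permissive_wrote_to_documents"] = (documents / "startup.bat").exists()

        # 2. Restricted broker: relative and absolute escape attempts are refused...
        sandboxed = SandboxedPlugin(RestrictedBroker(low_root))
        escaped = False
        for attempt in ("../Documents/startup2.bat", str(documents / "startup3.bat")):
            try:
                sandboxed.drop_file(attempt, payload)
                escaped = True
            except BrokerDenied:
                pass
        results["restricted_escaped"] = escaped

        # ...while a write inside the low-integrity area still works.
        written = sandboxed.drop_file("cache/blob.bin", payload)
        results["restricted_wrote_in_low"] = (
            written.read_bytes() == payload and low_root.resolve() in written.parents
        )
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the broker, not the sandbox, is now the trust boundary: every request it honours without checking is a hole in Protected Mode, which is why a brokered "write anywhere the user can" call is exactly as dangerous as running the plugin outside IE.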
1. December 2007 21:51
A little more than a year ago I made a prediction that I'm sure many people called crazy. I predicted that Firefox would, slowly but surely, become a less safe way to browse the web than Internet Explorer.
Well, it appears that my prediction may have been correct. According to an analysis by Microsoft's Jeff Jones, the number of vulnerabilities in Firefox was more than double those discovered in Internet Explorer.
Not only that, but the vulnerabilities that were discovered were, in general, worse for Firefox than they were for IE. In other words, there were a greater number of "critical" vulnerabilities in Firefox than in IE, as well as a greater number of "important" vulnerabilities.
I know many of you are immediately dismissing this analysis because it came from a Microsoft employee, but the report is based off public data. It's really just an aggregation of information that was published by non-Microsoft sources. Plus, many of you would dismiss it almost regardless of where it came from.
You're probably also thinking that Microsoft is hiding vulnerabilities from the public or patching them silently, a tactic that would be almost impossible for the open source Firefox. But you would be making unsupported assertions that I've already addressed.
Now, I can't really say that my prediction has come true. I actually predicted the attacks on Firefox would increase as IE7 on Vista started to gain market share. IE7 on Vista has indeed started to gain market share, and at the same time we've been seeing a dramatic increase in the number of exploits discovered in Firefox. This, of course, doesn't show a causal relationship.
While Firefox's market share gains have basically stopped, it does hold a solid 10%+. This means that security researchers are more interested in it, and therefore will look at it more closely. This could explain the huge increase in discovered vulnerabilities.
Regardless, it seems clear now that Firefox is not as secure as everybody thought. It is now a viable and almost certainly popular attack vector for bad guys.
IE7 on Vista, meanwhile, has not had a publicly reported exploit that escaped Protected Mode and compromised the user's account or data. There has been at least one DoS (a crashed browser), but nobody has defeated Protected Mode yet. IE7 on Vista has been on the market for over a year now, and its sandbox hasn't been cracked.
I'd say that's pretty damn strong evidence that the safest way to browse the web is no longer Firefox.
21. February 2007 12:21
Sorry for the delay in part 3 of my series (Part 1, Part 2) on The FUDing of Windows Vista, but I've been pretty busy.
Today, however, I simply couldn't stop myself. The Register decided to write a "review" of Windows Vista's security features. Needless to say, it's a prime example of the FUD I'm talking about.
So, point by point:
While referring to IE's Protected Mode feature:
However, there is a brokering mechanism that enables users to download files to any location they have access to, or to install browser plugins and extensions, and the like. So users are still invited to make a mess of their systems, and no doubt many will, while Microsoft has a chance to shift blame away from itself.
Uh huh. First, you can't install plugins/extensions (with the exception of signed ActiveX) without admin privs. Period. Second, how, exactly, would you propose the user be able to save files to their Documents folder, or do any other file operation in their profile (or basically anyplace on the system) without this brokering mechanism? Would you prefer that Microsoft not allow users to download *any* files via the browser? Ya, that would work out well.
However, IE7 on Vista does still write to parts of the registry in protected mode.
IE7 in Protected Mode runs at Low integrity; it is not a separate low-rights user account. That does *not* mean it can't write to any part of the registry. Under Vista's integrity policy a Low process cannot write to objects labelled Medium (the default for everything in the user's profile and HKCU), but it can write to objects that carry an explicit Low label. Microsoft labelled a small number of locations Low precisely so IE has somewhere to keep its own state, for example the LowRegistry key under HKCU\Software\Microsoft\Internet Explorer and the LocalLow folder under the user's AppData. The example given by The Register is one of them. In other words, it's not an issue.
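The integrity check behind both the Protected Mode description in the PWN to OWN post above and the registry point here can be shown in a few lines. This is an added example, not code from the post or from Microsoft: a toy evaluator for Windows Mandatory Integrity Control that parses the mandatory-label ACE from an SDDL string (the `S:(ML;;NW;;;LW)` form that icacls and Get-Acl print) and answers whether a process at a given integrity level may read or write the object. The descriptors in `EXAMPLES` are constructed, not captured from a real system; the level names, the ML ACE layout and the default of "unlabelled means Medium with no-write-up" are real Windows behaviour.

```python
import re

# Integrity levels as the SDDL SID aliases Windows uses for them.
LEVELS = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}

# Mandatory label ACE: (ML;flags;policy;;;level). Policy flags are
# NW = no-write-up, NR = no-read-up, NX = no-execute-up.
ML_ACE = re.compile(r"\(ML;[^;]*;([A-Z]*);;;([A-Z]{2})\)")


def parse_label(sddl):
    """Return (level, policy_set) for the object described by `sddl`.
    Objects without an explicit label are Medium with no-write-up, which is
    the system default and why Low IE cannot write into the user's profile."""
    m = ML_ACE.search(sddl or "")
    if not m:
        return LEVELS["ME"], {"NW"}
    policy_text, level_alias = m.groups()
    return LEVELS[level_alias], set(re.findall(r"NW|NR|NX", policy_text))


def can_write(process_level, sddl):
    level, policy = parse_label(sddl)
    return process_level >= level or "NW" not in policy


def can_read(process_level, sddl):
    level, policy = parse_label(sddl)
    return process_level >= level or "NR" not in policy


# Constructed descriptors, chosen to show the four interesting cases.
EXAMPLES = {
    # Ordinary HKCU key: no ML ACE, so implicitly Medium/NW.
    "HKCU\\Software\\Contoso": "D:(A;;KA;;;BU)",
    # Key explicitly labelled Low so Protected Mode IE can keep state there.
    "HKCU\\Software\\Microsoft\\Internet Explorer\\LowRegistry": "D:(A;;KA;;;BU)S:(ML;;NW;;;LW)",
    # Ordinary document: Low can read it but not modify it.
    "C:\\Users\\bob\\Documents\\taxes.xls": "D:(A;;FA;;;BU)",
    # File that also carries no-read-up, so Low can't even read it.
    "C:\\Users\\bob\\Secret\\vault.db": "D:(A;;FA;;;BU)S:(ML;;NRNW;;;ME)",
}


def protected_mode_view():
    """(readable, writable) for each sample object as seen from a Low
    integrity process such as Protected Mode IE."""
    low = LEVELS["LW"]
    return {name: (can_read(low, sddl), can_write(low, sddl))
            for name, sddl in EXAMPLES.items()}


if __name__ == "__main__":
    for name, (r, w) in protected_mode_view().items():
        print(f"{name}: read={r} write={w}")
```

The output makes the post's point and its caveat in one table: Low IE can write only to the explicitly labelled LowRegistry key, cannot write to anything else in the profile, yet can still read the ordinary document, because Windows applies no-read-up only where an object is labelled with it.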
However, DEP, when full on, may cause a number of applications to crash, or interfere with their installation. I'm betting that a majority of users will opt for the more conservative setting, and this of course means less defense for everyone.
You're betting that the majority of users, most of whom think "DEP" is an actor's last name, will go and hunt down the DEP setting and turn it off because it will supposedly cause lots of applications to crash? Really? You mean they won't selectively turn it off via the dialog box that comes up after a DEP-related crash that asks if you want to turn it off just for this application? Oh, and what quantitative study are you citing that shows that lots of commonly used applications will crash because of DEP? Give me a break.
User Account Control (UAC) is another good idea, because it finally, finally, finally allows the machine's owner to work from a standard user account, and still perform administrative tasks by supplying admin credentials as needed on a per-action basis. You know, the way Linux has been doing it forever.
Windows has supported running individual processes as a different user since Windows 2000, when the Secondary Logon service and runas arrived (NT4 only offered Resource Kit tools for it), and the same release put a "Run as..." entry in the GUI. That is not the point of UAC, and it's not how Linux does it at all. If you try to run an application or perform an operation on Linux or Unix that requires admin access, it simply fails with a permission error. Nothing prompts you unless the application itself was written to call sudo or a graphical equivalent. It's a subtle, but big difference. And it's a critical difference in the Windows world where the vast majority of applications won't work without admin privs.
Of course, it only works if everyone stays out of the admin account as much as possible, and if everyone with an admin password knows better than to install a questionable program with admin privileges. And there's the catch: "Windows needs your permission to install this cleverly-disguised Trojan nifty program. Click Yes to get rooted continue."
Wrong. It works regardless of what user you *think* you're running as. An admin account on Vista (with UAC enabled) is NOT running as an admin most of the time. At logon Windows builds a filtered token with the Administrators group disabled and the administrative privileges stripped, and every program runs with that standard-user token until it is explicitly elevated. The *only* difference from a limited user is the prompt: an admin in Admin Approval Mode gets a consent prompt (Continue/Cancel), whereas a standard user is asked to type an administrator's credentials.
So you see that, here again, MS's security strategy involves shifting responsibility to the user.
Ok, smart ass. What's a better solution? Get rid of admin accounts entirely? Don't allow any programs to run at all? Never allow a user to connect to the net? Oh, how about only allowing signed, Microsoft approved applications to be installed on Vista. Ya, that would go over well. What would you say about "The Vole", then?
And the reason why it's never going to work is because MS still encourages the person who installs Vista (the owner presumably) to run their machine with admin privileges by default....Until MS gets it through their thick skulls that a multi-user OS needs a separate admin account and a user account for the owner, and that the owner should be encouraged to work from a regular user account as much as possible, UAC will never work as intended.
Wow. Ok. Imagine this scenario: A person installs/buys Vista and sets up the machine. Vista does what you want so badly and first asks for an admin account password, but then asks the user for the login/password for their limited account. Having an admin account on the machine is unavoidable if you ever want to do anything on the machine past checking your e-mail and reading high-quality publications like The Register.
So now the user has the admin account (that they're not using as their primary account), and they have their limited user account. Now anytime they need to do something that does require admin privs they will be prompted via UAC for the admin password. Since they're the ones who setup the machine, they'll type in the admin password. For all the other users on the machine, they'll have to go get the person who setup the machine to type in the admin password, exactly as they'll have to do right now in Vista.
So, how is this any better? Now, instead of the occasional annoying OK button, you'll have an OK button and be required to type in admin credentials. If you're the guy who setup the machine, you know the password. If you're not, then it works just like it does now.
Or perhaps you would rather have it just like it is in Linux, and have all operations simply fail with access denied errors? See, it works fairly well for Linux because all Linux applications were designed from the ground up with a multi-user system in mind. But Microsoft *must* support as many legacy applications as possible. That legacy application support is one big reason why Linux on the desktop has failed to defeat Windows.
Furthermore, if you want UAC to always prompt for credentials even as the "admin" user, there is a policy setting to make that the case: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode", set to "Prompt for credentials".
UAC is, in my opinion, a good solution to a problem that exists only on Windows. Saying that Windows should operate its elevation system like Linux simply shows that you don't understand the problems at hand.
In fact, UAC is the most complained-about new feature of Vista, and most people are disabling it as soon as possible.
It's the most complained about by people like you, and by a few vocal power users. But guess what, you're all in the minority. Most people will fairly rarely encounter UAC. As a person actually using Vista on a daily basis at both work and at home, I don't find UAC annoying at all. There ya go.
And when you're running in an admin account, UAC is nothing but a bother.
And when you're running as a non-admin account, UAC is nothing but a time consuming bother? Give me a break.
And once UAC is disabled, all of its security enhancements are lost. Yes, the basic idea is good, but the implementation has been completely bungled.
So what's the better solution?
And since it's very likely that you will still be running your Windows box as an admin, if you're going to open a file with Windows Explorer, you'd better look to see whether or not it's an executable, because it will run with your privileges. So, at a minimum, the folder view should default to showing file extensions.
I kind of agree with this, but the chances that you'll run an application without knowing it's an application are fairly small. If you downloaded the file from the net, Windows tags it with the zone it came from (IE writes a Zone.Identifier alternate data stream alongside the file) and treats it as potentially unsafe. When you try to run it, Windows asks you to confirm that you really want to run this application and that you trust it. (And yes, you can clear the mark with the Unblock button in the file's Properties dialog.)
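The "potentially unsafe" flag mentioned above is just a small INI-style stream named `Zone.Identifier` attached to the file on NTFS. As an added example (not code from the post or from Microsoft), here is a parser for that stream plus a helper that opens it by its `file:Zone.Identifier` name on Windows. The stream contents in `SAMPLES` are constructed; Vista-era IE wrote only `ZoneId`, while the `HostUrl`/`ReferrerUrl` keys appear in later Windows versions, so they are treated as optional.

```python
# URL security zone numbers as Windows defines them.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(stream_text):
    """Parse the text of a Zone.Identifier stream. Returns a dict with the
    numeric zone, its name and any URL fields, or None when the stream is
    missing or malformed (Windows then treats the file as local)."""
    if stream_text is None:
        return None
    section, fields = None, {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        # Only keys inside [ZoneTransfer] count; anything else is ignored.
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    zone_text = fields.get("ZoneId", "")
    if not zone_text.isdigit():
        return None
    zone = int(zone_text)
    return {"zone": zone, "zone_name": ZONES.get(zone, "Unknown"),
            "host_url": fields.get("HostUrl"),
            "referrer_url": fields.get("ReferrerUrl")}


def is_from_internet(stream_text):
    """True for the zones that trigger the run-confirmation prompt."""
    info = parse_zone_identifier(stream_text)
    return info is not None and info["zone"] >= 3


def read_zone_stream(path):
    """Read the stream from disk. NTFS exposes it as '<path>:Zone.Identifier';
    returns None where it does not exist (no mark, or a non-NTFS volume)."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


# Constructed stream contents standing in for four downloaded files.
SAMPLES = {
    "setup.exe": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/setup.exe\r\n",
    "report.doc": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "notes.txt": None,                          # never marked
    "odd.exe": "[Other]\r\nZoneId=3\r\n",       # ZoneId outside the right section
}


def classify_samples():
    """Zone name per sample, or 'no mark' where the stream is absent/invalid."""
    return {name: (parse_zone_identifier(text) or {}).get("zone_name", "no mark")
            for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, zone in classify_samples().items():
        print(f"{name}: {zone} (prompt={is_from_internet(SAMPLES[name])})")
```

The check a practitioner cares about is the negative one: a file with no stream, or a stream the parser rejects, gets no prompt at all, so archivers and copy paths that drop alternate data streams silently remove the protection.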
As usual, Windows enables far too many services by default.
Examples? Oh, that's right... we don't need examples. This is The Register.
It's a little craplet with a stereotypical icon that looks like a shield, and it simply informs you of whether or not the firewall is on, whether or not you've got anti-virus software installed, and so on.
One major hurdle for users securing their system is that they don't know all the things they need to secure. The Security Center provides a single place where they can check their most important security settings. Seems like a good idea to me, and it seems to work pretty well. But I guess because The Register thinks it's a "craplet", I must be wrong.
We have got, instead, a slightly more secure version than XP SP2.
Uh huh. And if I took this "review" at face value, I might have to agree with you. Except luckily, I don't usually take things at face value. The "review" ignores many of Vista's security features, and it gives an extremely biased and unfair assessment of the ones it does touch on.
Only time will tell how secure Vista will be against the onslaught of hackers that will undoubtedly be attacking it, but it's a helluva lot better than The Register gives it credit for.
5. February 2007 21:14
I just saw an article posted on Slashdot regarding Bank of America's relatively new online security feature, called SiteKey. The basic gist of the story is that because users tend to ignore an incorrect or missing SiteKey, the security system is therefore flawed.
That's true, I guess. But the article more or less ignores the fact that SiteKey is also technically flawed. Of course, all knowledge-based security mechanisms are fundamentally flawed. That's the elephant in the living room that a lot of people are ignoring.
Bank of America's SiteKey feature is, for the most part, an improvement over previous security measures. It is designed to mitigate basic phishing techniques, not to protect against man-in-the-middle attacks or other more sophisticated hacks.
Other banks use different measures, each typically aimed at a different security problem. For instance, HSBC uses a "virtual keyboard" to mitigate keyboard loggers.
But the basic flaw in all of these security measures is that they rely on knowledge to authenticate a user. The problem is, knowledge is transferable. Whether it was a keyboard logger or a phishing attack, whatever the company is using to try and make sure you are who you say you are can just as easily be used by somebody else.
The only way around this is using a combination of both knowledge *and* something non-transferable. This can be biometric (retinal, finger print, face, whatever), or something a lot more simple (and cheap), such as a smart card. (Yes, I know a smart card can be stolen, but it's going to be a *lot* harder to steal a smart card AND the login information at the same time.)
Using a combination of transferable and non-transferable authentication requirements means that even if somebody phishes my login/password/sitekey/mother's maiden name/social security number/etc, if they don't have the little card on my key chain, they're not getting into my bank account.
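A toy version of the login the post argues for, as an added example that is not the post's or any bank's protocol: a password (transferable knowledge) plus a challenge-response from a card the customer holds. The card answers a fresh server nonce with an HMAC over a key that never leaves it; the choice of HMAC-SHA256, the `Card` and `BankServer` objects and all credentials are constructed assumptions. The scenario shows why a phished password, even together with a captured response, does not get the attacker in.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000


class Card:
    """The 'something you have'. The key never leaves the card; it only ever
    answers challenges, so a captured answer is useless for the next one."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> str:
        return hmac.new(self._key, challenge, hashlib.sha256).hexdigest()


class BankServer:
    def __init__(self):
        self.users = {}     # username -> (password_hash, salt, card_key)
        self.pending = {}   # username -> outstanding challenge (nonce)

    def enroll(self, user: str, password: str) -> Card:
        salt = secrets.token_bytes(16)
        card_key = secrets.token_bytes(32)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user] = (pw_hash, salt, card_key)
        return Card(card_key)   # issued to the customer once, out of band

    def begin_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)   # fresh nonce per attempt
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, password: str, response: str) -> bool:
        record = self.users.get(user)
        challenge = self.pending.pop(user, None)   # single use: no replay
        if record is None or challenge is None:
            return False
        pw_hash, salt, card_key = record
        pw_ok = hmac.compare_digest(
            pw_hash, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))
        expected = hmac.new(card_key, challenge, hashlib.sha256).hexdigest()
        card_ok = hmac.compare_digest(expected, response)
        return pw_ok and card_ok   # both factors, always evaluated


def scenario() -> dict:
    bank = BankServer()
    card = bank.enroll("alice", "correct horse battery")
    pw = "correct horse battery"

    # Legitimate login: password plus an answer to the live challenge.
    c = bank.begin_login("alice")
    legit = bank.finish_login("alice", pw, card.respond(c))

    # A phisher captures the password and one complete response...
    c = bank.begin_login("alice")
    captured = card.respond(c)
    bank.finish_login("alice", pw, captured)        # the victim's own session
    # ...and replays both later against a new challenge.
    bank.begin_login("alice")
    replay = bank.finish_login("alice", pw, captured)

    # Phisher has the password but no card: fabricated response.
    bank.begin_login("alice")
    no_card = bank.finish_login("alice", pw, "00" * 32)

    # Stolen card but no password fails too.
    c = bank.begin_login("alice")
    wrong_pw = bank.finish_login("alice", "hunter2", card.respond(c))

    return {"legit": legit, "replay": replay, "no_card": no_card, "wrong_password": wrong_pw}


if __name__ == "__main__":
    print(scenario())
```

What this does not fix is the man-in-the-middle case the post sets aside: an attacker relaying the live challenge and response in real time still gets one session, which is why the possession factor has to be bound to the TLS channel or sign the transaction itself to close that gap.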
It's just a matter of time before this becomes widespread. Microsoft already requires this for all employees accessing their company network, and support for this kind of two-factor authentication (smart card logon) is built into Windows Vista. Vista also supports a technology called CardSpace, which can further mitigate the security problems associated with knowledge-based mechanisms.
As the technology becomes cheaper, it will slowly become an option for banking customers, and eventually a requirement. Only then will online transactions become, at least in principle, truly secure.
26. January 2007 18:32
My previous blog post, The FUDing of Windows Vista, concentrated on how the major tech media organizations are giving Vista a bum rap, either intentionally or out of simple ignorance. But Vista reviewers are not the only ones doing their best to spread the FUD.
Several major security vendors, such as McAfee and Symantec, see Vista as a major threat. Vista's new security features will make it much, much harder to attack. Since these companies make the majority of their money from providing products to protect users from these kinds of attacks, I can understand why they would be worried.
Instead of innovating and coming up with new products and services to supplant a business built on others' mistakes, they decided to try and FUD their way out. McAfee took out a full page ad in the Financial Times that claimed that Vista will be less secure than previous versions of Windows.
McAfee's reasoning is that because Vista prevents direct access to the kernel via a technology called PatchGuard, McAfee will no longer be able to modify Windows at will to provide their services.
Of course, this also means that the bad guys won't be able to either, which is kind of the point. The most dangerous malware out there right now is of the rootkit variety, and kernel-mode rootkits rely on patching the kernel.
Furthermore, Microsoft has never supported directly patching the kernel. In addition, Microsoft has provided a rich set of APIs to perform the tasks that McAfee and Symantec need for their products to function. How do I know these APIs work? Maybe because several other security vendors, such as AVG, Kaspersky, and even Microsoft, have already released Vista compatible security suites that use these APIs and work just fine.
Lastly, PatchGuard is only in Vista x64, which probably won't be adopted in wide form for at least another year. Not to mention the fact that Microsoft has a nearly identical feature in XP 64 bit edition, and announced their intentions to include it in Vista x64 several years ago. McAfee and Symantec have had ample time to fix their stuff.
The other feature of Vista that these vendors are getting upset about is the Security Center. The Security Center basically just gives you one stop shopping for all your computer's security related settings. In order to provide a consistent user interface (consistency is a key for usability, and when it comes to security that's very, very important) they prohibit 3rd parties from modifying the interface. Instead, if you have a 3rd party firewall or antivirus package, it will list them in the security center and provide links to modify their settings.
McAfee and Symantec didn't like that. Why? Because they want to brand everything they possibly can. They want you to think that the security of your computer is completely dependent on them. That way you'll be less likely to cancel your subscription. So they scream and yell about this, calling it anti-competitive, and claiming that Microsoft is trying to give special treatment to their own OneCare software. They of course ignore that OneCare follows all the same rules that Microsoft is asking McAfee and Symantec to follow.
McAfee and Symantec are terrified that Vista will make their business less profitable, so they're lashing out. They figure if they can scare enough people into thinking that Vista is unsafe, they won't have to spend as much time and money fixing their software and coming up with products that actually provide value to their customers.
Update: Be sure to checkout the 3rd part in my series of blog posts about The FUDing of Windows Vista!