Feeds

Vista security overview: too little too late

But some progress has been made

Beginner's guide to SSL certificates

Review Microsoft has gone out on a limb to promote Vista not merely as "the most secure version of Windows ever" (every recent version is marketed with that tired slogan), but for the first time as an adequately secure version of Windows. "We've got the message and we've done our homework", the company says. So let's see if the reality lives up to the marketing hype.

As Billg likes to point out, Windows is the platform on which 90 per cent of the computing industry builds, and this naturally means that it's the platform on which 90 per cent of spyware, adware, virus, worm, and Trojan developers build. That translates into 90 per cent of botnet zombies, 90 per cent of spam relays, 90 per cent of spyware hosts, and 90 per cent of worm propagators. In a nutshell, Windows is single-handedly responsible for turning the internet into the toxic shithole of malware that it is today.

That's not going to change any time soon, no matter how good Vista's security might be, but a version of Windows with truly adequate security and privacy features would certainly be a step in the right direction.

And indeed, there have been improvements. For one thing, IE7, at least on Vista, is no longer such a dangerous web browser. It may still be the buggiest, the most easily exploited, and the most often exploited browser in internet history, and probably will be forever, but it has become safer to use, despite its many shortcomings. This is because MS has finally addressed IE's single worst and most persistent security blunder: its deep integration with the guts of the system.

Browser woes

At last, MS has, in a sense, sandboxed IE on Vista. In IE7's new protected mode (Vista only), which is enabled by default, IE is restricted from writing to locations outside the browser cache without the user's consent, even if the user has admin privileges. IE is essentially denied write access to the wider file system and to much of the registry. Hallelujah.

To oversimplify this, IE7 protected mode runs as a low-integrity process which is restricted to writing to corresponding low-integrity locations, where rights are minimal. A process started from such a location would have very low rights, as would each child process it spawns. This helps to reduce the impact of malware on the system overall. However, there is a brokering mechanism that enables users to download files to any location they have access to, or to install browser plugins and extensions, and the like. So users are still invited to make a mess of their systems, and no doubt many will, while Microsoft has a chance to shift blame away from itself.

However, IE7 on Vista does still write to parts of the registry in protected mode. And it appears to write to parts that MS says is won't. The company says that "a low integrity process, such as Internet Explorer in Protected Mode, can create and modify files in low integrity folders". We are assured that such low integrity processes "cannot gain write access to objects at higher integrity levels". And again, MS emphasises that a low integrity process "can only write to low integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry key".

So I tested this assurance. I ran IE in protected mode, typed a URL into the location bar and went there. Then I opened regedit, and searched for a string of text from that URL.

Sadly, IE7 is still stashing typed URLs in the registry, and not in the ...\LowRegistry location, either. I found them in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs (if you want to fix this, navigate to the key in the left-hand pane of regedit and right click, and choose permissions. Deny permission for each account. That ought to delete all the entries and take care of all related keys in one go).

No doubt one of those brokering mechanisms decided to write to that location, because a URL hardly carries the risk of causing malicious activity. So it's "safe", at least to some. But I wasn't asked if IE could write anything there. It was done automatically. And this behaviour does carry a security risk, if, like me, you think that user privacy and data hygiene are at all related to computer security. Surely, users should not have to hack their registry merely to purge their browser's data traces once and for all.

Next, there is IE7's anti-phishing filter gimmick. I disabled it almost immediately. It's very showy and it says, "Message: We Care", but I found it more irritating than actually helpful. I think a lot of users will disable it, and trust their instincts instead. Remember, if you put your mouse pointer over a link, the actual URL will be displayed in the status bar. The link may say Bank of America, but if the actual URL is http://123.231.123.231/bankofamerica.com/u/0wn3d/dummy/ then it should be pretty clear that it's a dodgy link.

IE7 also has a handy menu for deleting your history, cookies, cache, and so on. This is similar to the Mickey Mouse privacy utility in Firefox. Remember that these data traces are not securely wiped, but merely deleted. They remain on your HDD until they happen to be overwritten. Firefox will let you delete all that stuff automatically each time you exit; IE won't: you have to do it manually. And remember, with IE your typed URLs are in the registry, where they definitely don't belong, and this utility won't purge them. Oh, and you have to enable User Account Control (UAC) for IE's protected mode to work. Not everyone is going to want to do that, as we will see later.

IE sorely needs cookie and image management like Mozilla's, allowing third-party or off-site images to be blocked, and allowing users to set all cookies to be deleted on exit. IE will allow you to block third-party cookies in the advanced section of the cookie management options, although the default is to allow them. There is no setting to block third-party images, unfortunately, which means that you can't avoid web bugs, or web "beacons" as marketing droids like to call them. IE also won't let you set cookies to be deleted on exit. IE7 will happily block cookies from websites that don't have a "compact privacy policy", a meaningless cookie policy statement that any malicious website could easily have. But this is something MS has been involved with, so they're all excited about it, even though it's rubbish. Unfortunately, they encourage users to depend on it, which is worse rubbish.

The default security settings for IE are basically sensible and I would change only a few, and this is the first time I've ever said that. I would tighten things up just a bit, disabling MetaRefresh, disabling "Launching programs and files in an IFRAME", disabling "websites in less privileged web content zone can navigate into this zone", and disabling Userdata Persistence. Otherwise, IE7 on Vista offers a decent compromise between security and usability. The privacy conscious are, as always, encouraged to use Mozilla for browsing instead, and leave IE in its default configuration, to be used solely for manual sessions with Windows Update.

Protecting users from Firesheep and other Sidejacking attacks with SSL

Next page: Spambuster?

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.