Feeds

Vista security overview: too little too late

But some progress has been made

Beginner's guide to SSL certificates

Review Microsoft has gone out on a limb to promote Vista not merely as "the most secure version of Windows ever" (every recent version is marketed with that tired slogan), but for the first time as an adequately secure version of Windows. "We've got the message and we've done our homework", the company says. So let's see if the reality lives up to the marketing hype.

As Billg likes to point out, Windows is the platform on which 90 per cent of the computing industry builds, and this naturally means that it's the platform on which 90 per cent of spyware, adware, virus, worm, and Trojan developers build. That translates into 90 per cent of botnet zombies, 90 per cent of spam relays, 90 per cent of spyware hosts, and 90 per cent of worm propagators. In a nutshell, Windows is single-handedly responsible for turning the internet into the toxic shithole of malware that it is today.

That's not going to change any time soon, no matter how good Vista's security might be, but a version of Windows with truly adequate security and privacy features would certainly be a step in the right direction.

And indeed, there have been improvements. For one thing, IE7, at least on Vista, is no longer such a dangerous web browser. It may still be the buggiest, the most easily exploited, and the most often exploited browser in internet history, and probably will be forever, but it has become safer to use, despite its many shortcomings. This is because MS has finally addressed IE's single worst and most persistent security blunder: its deep integration with the guts of the system.

Browser woes

At last, MS has, in a sense, sandboxed IE on Vista. In IE7's new protected mode (Vista only), which is enabled by default, IE is restricted from writing to locations outside the browser cache without the user's consent, even if the user has admin privileges. IE is essentially denied write access to the wider file system and to much of the registry. Hallelujah.

To oversimplify this, IE7 protected mode runs as a low-integrity process which is restricted to writing to corresponding low-integrity locations, where rights are minimal. A process started from such a location would have very low rights, as would each child process it spawns. This helps to reduce the impact of malware on the system overall. However, there is a brokering mechanism that enables users to download files to any location they have access to, or to install browser plugins and extensions, and the like. So users are still invited to make a mess of their systems, and no doubt many will, while Microsoft has a chance to shift blame away from itself.

However, IE7 on Vista does still write to parts of the registry in protected mode. And it appears to write to parts that MS says is won't. The company says that "a low integrity process, such as Internet Explorer in Protected Mode, can create and modify files in low integrity folders". We are assured that such low integrity processes "cannot gain write access to objects at higher integrity levels". And again, MS emphasises that a low integrity process "can only write to low integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry key".

So I tested this assurance. I ran IE in protected mode, typed a URL into the location bar and went there. Then I opened regedit, and searched for a string of text from that URL.

Sadly, IE7 is still stashing typed URLs in the registry, and not in the ...\LowRegistry location, either. I found them in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs (if you want to fix this, navigate to the key in the left-hand pane of regedit and right click, and choose permissions. Deny permission for each account. That ought to delete all the entries and take care of all related keys in one go).

No doubt one of those brokering mechanisms decided to write to that location, because a URL hardly carries the risk of causing malicious activity. So it's "safe", at least to some. But I wasn't asked if IE could write anything there. It was done automatically. And this behaviour does carry a security risk, if, like me, you think that user privacy and data hygiene are at all related to computer security. Surely, users should not have to hack their registry merely to purge their browser's data traces once and for all.

Next, there is IE7's anti-phishing filter gimmick. I disabled it almost immediately. It's very showy and it says, "Message: We Care", but I found it more irritating than actually helpful. I think a lot of users will disable it, and trust their instincts instead. Remember, if you put your mouse pointer over a link, the actual URL will be displayed in the status bar. The link may say Bank of America, but if the actual URL is http://123.231.123.231/bankofamerica.com/u/0wn3d/dummy/ then it should be pretty clear that it's a dodgy link.

IE7 also has a handy menu for deleting your history, cookies, cache, and so on. This is similar to the Mickey Mouse privacy utility in Firefox. Remember that these data traces are not securely wiped, but merely deleted. They remain on your HDD until they happen to be overwritten. Firefox will let you delete all that stuff automatically each time you exit; IE won't: you have to do it manually. And remember, with IE your typed URLs are in the registry, where they definitely don't belong, and this utility won't purge them. Oh, and you have to enable User Account Control (UAC) for IE's protected mode to work. Not everyone is going to want to do that, as we will see later.

IE sorely needs cookie and image management like Mozilla's, allowing third-party or off-site images to be blocked, and allowing users to set all cookies to be deleted on exit. IE will allow you to block third-party cookies in the advanced section of the cookie management options, although the default is to allow them. There is no setting to block third-party images, unfortunately, which means that you can't avoid web bugs, or web "beacons" as marketing droids like to call them. IE also won't let you set cookies to be deleted on exit. IE7 will happily block cookies from websites that don't have a "compact privacy policy", a meaningless cookie policy statement that any malicious website could easily have. But this is something MS has been involved with, so they're all excited about it, even though it's rubbish. Unfortunately, they encourage users to depend on it, which is worse rubbish.

The default security settings for IE are basically sensible and I would change only a few, and this is the first time I've ever said that. I would tighten things up just a bit, disabling MetaRefresh, disabling "Launching programs and files in an IFRAME", disabling "websites in less privileged web content zone can navigate into this zone", and disabling Userdata Persistence. Otherwise, IE7 on Vista offers a decent compromise between security and usability. The privacy conscious are, as always, encouraged to use Mozilla for browsing instead, and leave IE in its default configuration, to be used solely for manual sessions with Windows Update.

Beginner's guide to SSL certificates

Next page: Spambuster?

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
How to simplify SSL certificate management
Simple steps to take control of SSL certificates across the enterprise, and recommendations centralizing certificate management throughout their lifecycle.