Original URL: http://www.theregister.co.uk/2007/02/20/vista_security_oversold/

Vista security overview: too little too late

But some progress has been made

By Thomas C Greene

Posted in Security, 20th February 2007 20:30 GMT

Review Microsoft has gone out on a limb to promote Vista not merely as "the most secure version of Windows ever" (every recent version is marketed with that tired slogan), but for the first time as an adequately secure version of Windows. "We've got the message and we've done our homework", the company says. So let's see if the reality lives up to the marketing hype.

As Billg likes to point out, Windows is the platform on which 90 per cent of the computing industry builds, and this naturally means that it's the platform on which 90 per cent of spyware, adware, virus, worm, and Trojan developers build. That translates into 90 per cent of botnet zombies, 90 per cent of spam relays, 90 per cent of spyware hosts, and 90 per cent of worm propagators. In a nutshell, Windows is single-handedly responsible for turning the internet into the toxic shithole of malware that it is today.

That's not going to change any time soon, no matter how good Vista's security might be, but a version of Windows with truly adequate security and privacy features would certainly be a step in the right direction.

And indeed, there have been improvements. For one thing, IE7, at least on Vista, is no longer such a dangerous web browser. It may still be the buggiest, the most easily exploited, and the most often exploited browser in internet history, and probably will be forever, but it has become safer to use, despite its many shortcomings. This is because MS has finally addressed IE's single worst and most persistent security blunder: its deep integration with the guts of the system.

Browser woes

At last, MS has, in a sense, sandboxed IE on Vista. In IE7's new protected mode (Vista only), which is enabled by default, IE is restricted from writing to locations outside the browser cache without the user's consent, even if the user has admin privileges. IE is essentially denied write access to the wider file system and to much of the registry. Hallelujah.

To oversimplify this, IE7 protected mode runs as a low-integrity process which is restricted to writing to corresponding low-integrity locations, where rights are minimal. A process started from such a location would have very low rights, as would each child process it spawns. This helps to reduce the impact of malware on the system overall. However, there is a brokering mechanism that enables users to download files to any location they have access to, or to install browser plugins and extensions, and the like. So users are still invited to make a mess of their systems, and no doubt many will, while Microsoft has a chance to shift blame away from itself.

However, IE7 on Vista does still write to parts of the registry in protected mode. And it appears to write to parts that MS says is won't. The company says that "a low integrity process, such as Internet Explorer in Protected Mode, can create and modify files in low integrity folders". We are assured that such low integrity processes "cannot gain write access to objects at higher integrity levels". And again, MS emphasises that a low integrity process "can only write to low integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry key".

So I tested this assurance. I ran IE in protected mode, typed a URL into the location bar and went there. Then I opened regedit, and searched for a string of text from that URL.

Sadly, IE7 is still stashing typed URLs in the registry, and not in the ...\LowRegistry location, either. I found them in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs (if you want to fix this, navigate to the key in the left-hand pane of regedit and right click, and choose permissions. Deny permission for each account. That ought to delete all the entries and take care of all related keys in one go).

No doubt one of those brokering mechanisms decided to write to that location, because a URL hardly carries the risk of causing malicious activity. So it's "safe", at least to some. But I wasn't asked if IE could write anything there. It was done automatically. And this behaviour does carry a security risk, if, like me, you think that user privacy and data hygiene are at all related to computer security. Surely, users should not have to hack their registry merely to purge their browser's data traces once and for all.

Next, there is IE7's anti-phishing filter gimmick. I disabled it almost immediately. It's very showy and it says, "Message: We Care", but I found it more irritating than actually helpful. I think a lot of users will disable it, and trust their instincts instead. Remember, if you put your mouse pointer over a link, the actual URL will be displayed in the status bar. The link may say Bank of America, but if the actual URL is http://123.231.123.231/bankofamerica.com/u/0wn3d/dummy/ then it should be pretty clear that it's a dodgy link.

IE7 also has a handy menu for deleting your history, cookies, cache, and so on. This is similar to the Mickey Mouse privacy utility in Firefox. Remember that these data traces are not securely wiped, but merely deleted. They remain on your HDD until they happen to be overwritten. Firefox will let you delete all that stuff automatically each time you exit; IE won't: you have to do it manually. And remember, with IE your typed URLs are in the registry, where they definitely don't belong, and this utility won't purge them. Oh, and you have to enable User Account Control (UAC) for IE's protected mode to work. Not everyone is going to want to do that, as we will see later.

IE sorely needs cookie and image management like Mozilla's, allowing third-party or off-site images to be blocked, and allowing users to set all cookies to be deleted on exit. IE will allow you to block third-party cookies in the advanced section of the cookie management options, although the default is to allow them. There is no setting to block third-party images, unfortunately, which means that you can't avoid web bugs, or web "beacons" as marketing droids like to call them. IE also won't let you set cookies to be deleted on exit. IE7 will happily block cookies from websites that don't have a "compact privacy policy", a meaningless cookie policy statement that any malicious website could easily have. But this is something MS has been involved with, so they're all excited about it, even though it's rubbish. Unfortunately, they encourage users to depend on it, which is worse rubbish.

The default security settings for IE are basically sensible and I would change only a few, and this is the first time I've ever said that. I would tighten things up just a bit, disabling MetaRefresh, disabling "Launching programs and files in an IFRAME", disabling "websites in less privileged web content zone can navigate into this zone", and disabling Userdata Persistence. Otherwise, IE7 on Vista offers a decent compromise between security and usability. The privacy conscious are, as always, encouraged to use Mozilla for browsing instead, and leave IE in its default configuration, to be used solely for manual sessions with Windows Update.

Spambuster?

Next up, we have the successor to Outlook Express, called Windows Mail. I always considered Outlook Express to be hands down the worst email client ever devised. Windows Mail is a little better. There now are half-decent junk mail controls and, of course, the famous anti-phishing filter. Email memos are now stored as individual files instead of in a database file, which means they can be searched faster, and email contents will show up in the Windows main search, which is either very handy, or a privacy nightmare, depending on what you get up to with your email. This type of storage also makes it easier for you to nuke messages with a wipe utility, either by wiping free space after deleting, or wiping them manually if you have the patience.

However, junk mail controls are awkward. Flagging memos as spam is a hassle; you do this in a list above the preview pane with the right mouse button, and then select from a list of actions. This can be quite tedious if you get a lot of spam, because one can't select several emails for the same action. There really ought to be a junk button that one can use to mark memos as spam and delete them with a single click, as there is with Thunderbird. It would be nice if the default rule for such a junk button were to be blocking the sender, rather than the sender's domain. One can always block a troublesome domain manually if need be.

Interestingly, an email from Microsoft Press Pass - a mailing list of self-congratulatory press releases for tech journos - was automatically flagged as spam. I find it hard to disagree with that call.

Memos can be displayed as HTML with all the risky stuff, such as online images and scripts, blocked. And Windows Mail doesn't give you a hard time about displaying all memos as plain text, which I recommend. Or rather, it displays lightly formatted text; you don't get the raw text as you do with Kmail, so links show up as they would in HTML, with the actual URL hidden. Now, with IE7, such links show up in the status bar as the full URL when you mouse over them, but in Windows Mail they don't. This should be fixed, because otherwise one is stuck relying solely on Microsoft's anti-phishing filter gimmick.

While not security related, I will note briefly that there is no undelete button or Edit menu option to undo a deletion, for those of us who tend to delete first and ask questions later.

Click yes to continue

Data Execution Prevention (DEP) is a feature from XP SP2 that shuts down programs that handle memory oddly, and it is now set to full on by default. It works with address space layout randomisation, a new feature in Vista that loads some system code in unpredictable memory locations to defend against buffer overflow attacks. Both are very good ideas, and should help reduce the impact of malware to some extent.

However, DEP, when full on, may cause a number of applications to crash, or interfere with their installation. I'm betting that a majority of users will opt for the more conservative setting, and this of course means less defense for everyone.

User Account Control (UAC) is another good idea, because it finally, finally, finally allows the machine's owner to work from a standard user account, and still perform administrative tasks by supplying admin credentials as needed on a per-action basis. You know, the way Linux has been doing it forever.

This is one way of helping protect a multi-user system from being loaded with malware by users, and for ensuring that any malware on the system runs with reduced privileges. When you are in a user account, and you wish to perform an administrative task, you will be prompted for the required credentials. Aside from the prompt, the GUI shell will be disabled during this time, to help prevent certain kinds of privilege escalation attacks where the GUI shell or elements of it are spoofed by malicious software.

Of course, it only works if everyone stays out of the admin account as much as possible, and if everyone with an admin password knows better than to install a questionable program with admin privileges. And there's the catch: "Windows needs your permission to install this cleverly-disguised Trojan nifty program. Click Yes to get rooted continue."

So you see that, here again, MS's security strategy involves shifting responsibility to the user.

UAC is all well and good in theory, but here's the problem: it's never going to work. And the reason why it's never going to work is because MS still encourages the person who installs Vista (the owner presumably) to run their machine with admin privileges by default. I was delighted, when I set up Vista for the first time, to be presented with an opportunity to set up a "user" account. But moments later, when I saw that I was not invited also to create an admin account, I knew that the "user" account I had just set up was indeed an admin account. And so it was.

Until MS gets it through their thick skulls that a multi-user OS needs a separate admin account and a user account for the owner, and that the owner should be encouraged to work from a regular user account as much as possible, UAC will never work as intended.

In fact, UAC is the most complained-about new feature of Vista, and most people are disabling it as soon as possible. Why? Because MS still encourages the owner to set himself up as the admin, and work from that account. And when you're running in an admin account, UAC is nothing but a bother. Every time you try to take an action, and this could be as simple as opening something in Control Panel, UAC disables your screen and pops up a little dialog asking you if you really want to do what you just did. A pointless irritant that will cause the vast majority of Vista users to disable UAC, because the vast majority of Vista users will, unfortunately, be running as admins, thanks to MS's stubborn refusal to try to put everyone into a user account to the extent possible.

And once UAC is disabled, all of its security enhancements are lost. Yes, the basic idea is good, but the implementation has been completely bungled.

A few irritating details

The default folder view options could be improved for the security conscious user. One should definitely not hide file extensions, as the default file view has it, because it is possible to spoof icons and use bogus extensions that can make executables appear to be other than they are. Yes, UAC and DEP are supposed to help with this, but DEP will be set to its lower setting, and UAC will be turned off, on the vast majority of Vista boxes, for reasons we've already discussed. And since it's very likely that you will still be running your Windows box as an admin, if you're going to open a file with Windows Explorer, you'd better look to see whether or not it's an executable, because it will run with your privileges. So, at a minimum, the folder view should default to showing file extensions.

As usual, Windows enables far too many services by default. It would be a tremendous help if MS could somehow use its many wizards to enable only the services needed for each bit of hardware or software installed. That would take some effort on Microsoft's part, and on the part of device and software vendors, but the alternative so far has been to leave every single bell and whistle blaring. Unnecessary services waste RAM, and worse, those related to networking are a needless target for worms and other online attacks.

Data hygiene

The start menu now offers the option of not storing or displaying a list of recently-accessed files and programs. This used to be a real nightmare for data hygiene. Finally, it's fixed.

Oh wait; it's not fixed. In fact, things just got a lot worse. There is the new "Recently Changed" directory, which will show up as one of your "Favourite Links" in the left-hand column of your home or user directory, and in Windows Explorer. And guess what: all the files you've been fiddling with recently will show up in it. Its contents are identical to the "Recent Documents" folder that Microsoft let you think you had shut off.

But worse, the contents of your recently-changed directory will not show up in main search, even if you use advanced search, and search "everywhere". So you might not even know it's there. And still worse, you can't empty this directory without deleting all of the files it points to. You can empty your "Recent Documents" folder, and only the pointers or links will be gone; you don't lose the actual files. But with this new gimmick, you've got an archive of all the files you've looked at, regardless of where you've buried them in the file system hierarchy in hopes of keeping prying eyes off them, and you can't empty it unless you want to say goodbye to the files themselves.

The worst part of this is that by offering the option to disable the list of recent files, MS has given users a false sense of privacy and security. The reality is that privacy and data hygiene are even more difficult than before. What a blunder.

Child safety first

Now there is some good news, finally. Vista ships with parental controls that are reasonably easy to implement. You can set up accounts for the kiddies, and prevent them using all sorts of programs, like email, chat, and IM, or even deny them internet access altogether if they're too young. One thing that I like is the ability to prevent the little porn fiends from downloading files via IE7. But remember, if you have any other browsers loaded on the system, you must disable them all individually via the parental controls, because download blocking only works with IE.

The basic setup is sensible and allows for fine-tuning depending on each child's level of maturity and responsibility. And parents can schedule regular reports on their children's internet use.

Now, parental controls and filtering are all well and good, but we should beware of any false sense of security they might encourage. In a recent Today Show interview (video), Billg dilated glowingly about Vista's new parental control centre; but we should remember that it's merely a tool, not a solution. Parental controls are not a substitute for adult supervision. The internet is adult space, and so it should remain. Nothing sends my blood pressure into aneurysm territory faster than talk of legislation that would make the internet safe for children. The internet has been created by adults for adults, and children venturing online simply have got to be supervised, either by a parent or by a mature and responsible older sibling. Filtering is not a panacea.

Package deal

Now, for the Vista Security Centre. This has been controversial, involving MS in skirmishes with security software vendors who claim that Vista's built-in product is anti-competitive.

I'm not sure why anyone would worry. The Security Centre doesn't do very much except remind users, "Message: We Care". It's a little craplet with a stereotypical icon that looks like a shield, and it simply informs you of whether or not the firewall is on, whether or not you've got anti-virus software installed, and so on. It is integrated with an improved version of the malicious software removal tool, or anti-spyware tool, in the form of Windows Defender.

There's nothing much in Security Centre that XP SP2 doesn't have, except a warning that you've turned off UAC. It's something that one might wish to run or consult after installation, and maybe once a month thereafter. But it's on all the time, ready to harangue you, and it's rather difficult to make it go away.

It doesn't contain AV software, but a query for further information on virus issues will bring you to this web page, where MS recommends the vendors it thinks are ready to handle Vista (McAfee is notably absent). Nor does it have a packet filter (firewall) with many features. It's not too bad to configure, but third-party packet filters offer many more options in terms of notification and controlling individual applications. I noticed one exception in the default firewall configuration that I didn't care for, for allowing remote assistance. I don't think that should be allowed unless you're actually using remote assistance.

Windows Defender is certainly better than nothing; it monitors files for changes that can indicate malicious activity, and searches for known spyware. It is also integrated with IE7 to some extent. However, what constitutes spyware is a judgment call, and it's never a bad idea to use more than one anti-spyware/anti-adware product, in hopes that one will pick up what another overlooks. (And WD does seem to miss an awful lot of spyware.) I certainly wouldn't recommend depending solely on Windows Defender. But it's nice that it's there.

In a nutshell

So, what have we got here? An adequately secure version of Windows, finally? I think not. We have got, instead, a slightly more secure version than XP SP2. There are good features, and there are good ideas, but they've been implemented badly. The old problems never go away: too many networking services enabled by default; too many owners running their boxes as admins and downloading every bit of malware they can get their hands on. But MS has, in a sense, shifted the responsibility onto users: it has addressed numerous issues where too much was going on automatically and with too many privileges. But this simply means that the owner will be the one making a mess of their Windows box.

Data hygiene is still an absolute disaster on Windows. In fact, it's worse than it ever was in some ways, and that's very bad indeed. Browser traces still in the registry, heavy and complicated indexing to improve search, new locations where data is being stored. It all adds up to a privacy nightmare. Keeping a Vista box "clean" is going to be impossible for all but the most knowledgeable and fastidious users.

So don't rush out to buy Vista in hopes of getting much in return security-wise. I do like some of the changes, at least in theory, or as a decent platform on which to build an adequately secure version of Windows one day. But that day, if it ever comes, will be well in the future. ®

Correction I'm grateful to a Reg reader who pointed out an error in a previous edition of this story. I had stated incorrectly that IE7 doesn't allow blocking third-party cookies. It defaults to accepting them, but can be made to block them.