Criticism mounting over Windows 7 security

Discussion in 'other software & services' started by ronjor, Feb 4, 2009.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,211
    Location:
    Texas
    Article
     
  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    That'll be right for people complaining about how fastidious UAC can be. Either too chatty or now too quiet and vulnerable. There will never be a perfect solution.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You can't make all people happy, after all.
     
  4. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Vista's UAC prompts never did bother me at all. It actually made me feel safer seeing it. I think those who were complaining about it really didn't understand just how it was protecting them. In Windows 7 I've cranked up the UAC adjustment tool all the way up. In other words, I want to be notified.

    Later...
     
    Last edited: Feb 4, 2009
  5. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345
    It's a shame when folks can't figure out how to work a "slider" control. :rolleyes:
     
  6. Access Denied

    Access Denied Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    927
    Location:
    Computer Chair
    I left it where it was. I like being notified. Just scan every file you have prior to installing the OS, disconnect from the internet and install your OS. Turn off UAC, install all your CLEAN apps while not online. Turn UAC back on, get online and activate, update, etc. All set. The only time I even know it's running is when I run CCleaner, lol.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Microsoft has brought this on themselves. Until Vista, the trend has been the opposite. Each OS expected less from the user than the one before. By the time XP came around, all the user had to do was plug it in, hook up a couple cables, and go surfing. Everything was enabled by default so the user wouldn't have to learn how. The OS did the rest for them. After all these years, MS finally figured out that the user has to be included in the decision process, that the OS can't do everything in spite of them. The average users who grew up on XP aren't used to being required to make decisions about things the past operating systems did for them. The previous versions of Windows didn't expect anything from them, so they never learned the basics.
    Too bad Microsoft. You made these users what they are. Deal with it.
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,211
    Location:
    Texas
    Microsoft changes Windows 7 UAC after new exploit code surfaces
    Story.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It's a bit misleading to use the all inclusive "they" because there are many who have learned the basics and are able to take care of themselves.

    A few days ago I was discussing with a few people a blog by Long Zheng who has been looking at vulnerabilities in Windows 7 UAC (this is referenced in the first article posted by ronjor). Zheng had pointed out a couple of vulnerabilities to Microsoft. We agreed that from its beginning in Vista, we saw UAC as reactive, rather than proactive. That is, UAC deals with malware after it has made it onto the system and then begins to do its work.

    A close reading of these articles and blogs shows a continuing concern in Windows 7 with how UAC deals with malware once it has been allowed to execute and then attempts to make changes to the system.

    So, Microsoft finds itself in the unenviable position of that of HIPS products: keeping ahead of malware tricks to circumvent its reactive measures. One vulnerability discovered by Long Zheng has already been fixed, although not available in the current Beta.

    This is similar to firewall leaktests, where testers post results of various firewalls against vulnerabilities and vendors rush to patch. This also presupposes that the malware is able to intrude onto the system, whereupon the firewall is able to alert to its activity to do damage.

    So, how does malware get onto the system and then attempt to make changes? From the second article ronjor posted,

    This brings up the problem of "alerts."

    Regarding alerts in UAC: According to Microsoft,

    Not much has been discussed concerning how to respond to alerts, which are really prompts. This has also been a criticism for HIPS products at the outer perimeter, the point at which malware attempts to intrude.

    Let's take Microsoft's first scenario for intrusion of malware:

    The Drive-by Download can be included here. Let's take a simple example. The user is looking at some web sites and suddenly an alert pops up. This is from Process Guard, but it is typical of many similar products.

    [screenshot: pg.jpg, a Process Guard alert for an executable starting from the temp directory]

    How is a user to make a judgment? An alert user might think,

    • Why is an executable file attempting to run while I'm on the internet?

    • Svchost is a trusted application, so why an alert?

    • There is no svchost in the temp directory

    On the other hand, a user might be fooled because svchost is supposed to be OK. Which is what the malware authors were hoping for, when they used a common filename.

    If this were a UAC alert, where svchost had started to run and attempt to make changes to the system, the user would be in the same predicament.

    In my opinion, the alert in this scenario should not be a prompt, rather, a Default-Deny notification, which Software Restriction Policies (SRP) in WinXP and Vista provide:

    [screenshot: the SRP Default-Deny notification]

    With all of the attention given to UAC and its problems, why is there not discussion about SRP in Windows 7? It's called AppLocker. Search for AppLocker - several articles late last year were very encouraging. I assume it has not been dropped from the Beta versions. Does it provide the same Default-Deny White Listing protection as in XP?

    Default-Deny should be the only notification in this scenario.
    The user has not intended to run an executable at this point,
    so no option to do so should be available.


    This avoids the UAC prompt and the burden of a decision.

    In XP, Microsoft unfortunately does not include SRP for the Home edition (although I understand that it can be added with some tweaking), and I'm not sure about the different Windows 7 editions. But a couple of products do offer Default-Deny notifications, including Anti-Executable, which can be demonstrated with Microsoft's example of intrusion by email if the user is tricked. Here, the Sober worm, which raised havoc for years, is prevented from extracting. Note the double-extension trick:

    [screenshot: soberZip.gif, Anti-Executable's Default-Deny notification blocking the Sober worm from extracting]

    Storm exploits arrive by email - same scenario. Valentine's day is coming!

    The point is that there are a number of effective Default-Deny solutions to negate this type of malware attack.

    You can even get more basic than this with a firm policy of not opening email attachments unless expected from a trusted source. Back to basics: no additional product needed!

    Microsoft's approach with UAC is to assume that malware has somehow intruded and to alert to its attempts to change things on the system. I think that puts an unnecessary burden on the less-technically savvy user.

    The second scenario Microsoft gives where malware gets onto the system is where the user has explicitly consented to install something which turns out to be malware.

    A typical example is an update to Flash, or a codec when prompted online. As described in one analysis of an exploit targeting Mac systems, this trick is not OS specific at all:

    These types of exploits are beginning to outnumber the drive-by type, and no security can prevent this once the user has granted installation privileges. Comment from a Prevx blog, and from TrendMicro:

    Which comes around full circle to learning the basics, which includes dealing with social engineering.

    While many have commended Microsoft and UAC for doing something, those who have the opportunity will continue to help people with the basics, set up preventative measures, and preclude the need to worry about UAC and the possibility of future breaches of its reactive measures.

    ----
    rich
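An added example, not code from the post above or from Microsoft. It writes the same registry keys the Local Security Policy snap-in writes for SRP (which is also the "tweaking" that puts SRP onto XP Home, where the snap-in is missing), then emulates SRP's path-rule decision so the svchost.exe-in-Temp scenario from the alert discussion can be checked without rebooting. The rule GUIDs are generated on the fly; the key names, level values and designated file types are the documented SRP layout. Run the Set-* function elevated; the Test-* function needs no privileges.

```powershell
# Added example: SRP Default-Deny via the registry, plus an emulation of the decision.
# Not part of the original post. Key layout is the one the Local Security Policy
# snap-in uses; GUIDs are generated here.
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SAFER_LEVELID_DISALLOWED
$Unrestricted = 0x40000    # SAFER_LEVELID_FULLYTRUSTED (registry key name "262144")

# Registry-path rules (%HKEY_LOCAL_MACHINE\...\Value%) are used instead of
# %SystemRoot% because a user can redefine environment variables but not these
# HKLM values. The Temp rule is a Disallowed rule inside an Unrestricted tree:
# SRP applies the most specific matching path rule, and C:\WINDOWS\Temp is
# writable by ordinary users.
$Rules = @(
    @{ Path = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
       Level = $Unrestricted; Description = 'Windows directory' }
    @{ Path = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
       Level = $Unrestricted; Description = 'Installed programs' }
    @{ Path = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Temp'
       Level = $Disallowed;   Description = 'User-writable, so not whitelisted' }
)

function Set-SrpDefaultDeny {
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name DefaultLevel        -Value $Disallowed -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1 -PropertyType DWord -Force | Out-Null  # 1 = executables, 2 = also DLLs
    New-ItemProperty -Path $Safer -Name PolicyScope         -Value 0 -PropertyType DWord -Force | Out-Null  # 0 = all users, admins included
    New-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -PropertyType DWord -Force | Out-Null
    # Designated file types: the snap-in's default list. Extend it for formats used locally.
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
             'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
    New-ItemProperty -Path $Safer -Name ExecutableTypes -Value $types -PropertyType MultiString -Force | Out-Null

    foreach ($r in $Rules) {
        $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
        $key  = "$Safer\$($r.Level)\Paths\$guid"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name ItemData     -Value $r.Path -PropertyType ExpandString -Force | Out-Null
        New-ItemProperty -Path $key -Name SaferFlags   -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name Description  -Value $r.Description -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    }
    # Takes effect at next logon (or after "gpupdate /force" on Vista/7).
}

function Resolve-SrpRulePath {
    param([string]$ItemData)
    # Registry-path rule: %HKEY_LOCAL_MACHINE\Sub\Key\ValueName%<optional suffix>
    if ($ItemData -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\%]+)%(.*)$') {
        $hive = if ($Matches[1] -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $base = (Get-ItemProperty -Path "$hive\$($Matches[2])" -Name $Matches[3]).($Matches[3])
        return $base.TrimEnd('\') + $Matches[4]
    }
    return [Environment]::ExpandEnvironmentVariables($ItemData)
}

function Test-SrpPath {
    # Emulates SRP's choice among path rules: the longest (most specific) matching
    # rule wins, and DefaultLevel applies when no rule matches at all.
    param([string]$Path, [hashtable[]]$Rules, [int]$DefaultLevel = $Disallowed)
    $level = $DefaultLevel; $bestLen = -1
    foreach ($r in $Rules) {
        $prefix = (Resolve-SrpRulePath $r.Path).TrimEnd('\')
        if ($Path.StartsWith("$prefix\", [StringComparison]::OrdinalIgnoreCase) -and $prefix.Length -gt $bestLen) {
            $level = $r.Level; $bestLen = $prefix.Length
        }
    }
    if ($level -eq $Unrestricted) { 'Unrestricted' } else { 'Disallowed' }
}

# The three cases from the alert discussion: the genuine service binary, a
# look-alike dropped in the user's Temp, and one dropped in C:\WINDOWS\Temp.
Test-SrpPath 'C:\WINDOWS\system32\svchost.exe' $Rules
Test-SrpPath "$env:TEMP\svchost.exe"           $Rules
Test-SrpPath 'C:\WINDOWS\Temp\svchost.exe'     $Rules
```

Only the first path resolves to Unrestricted; the other two fall to Disallowed, the user's Temp because nothing matches and the default applies, C:\WINDOWS\Temp because the more specific Disallowed rule beats the Windows-directory rule. That is the "no prompt, no decision" behaviour the post argues for. Two caveats a deployment needs: set TransparentEnabled to 2 if DLL loads should be covered as well, and enumerate every user-writable directory under the Windows tree on the build in question (Temp is only the obvious one), since each of them needs its own Disallowed rule.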
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,

    I disagree that the security will be lowered, just because there are fewer prompts. People who want to infect themselves - will, by running the executable, no matter what. And they will do it, provide passwords and do whatever is necessary to run the program they wanna run.

    So prompts are actually useful only against UNWANTED actions. Meaning, if you get a prompt when running an executable, it's meaningless. But if you get it while typing in Word, then maybe yes, you ought to look twice what the alert says.

    The fewer the alerts, the higher the chance you will be more attentive to what they say. If something as simple as wallpaper change demands a prompt, people will stop paying attention.

    So, IMHO, fewer prompts, more attention, better security.

    Talking about why Windows 7 does not protect users from themselves, after they've been infected by themselves is kind of ... paradoxical. You can't spoonfeed people intent on proverbial e-suicide.

    Besides, security is such a simple matter when you really think about it, but people cling to outdated models, use inferior software instead of rational thinking and refuse to analyze their daily computer usage, so they can't have any productive output from their experience.

    It's a rather closed-loop situation. If you want NOT to get infected, you can do, and then you learn more, and then you visit forums, and then ... but if you don't, you close your mind, use anti-x for naught, cry, curse, format and run all over again into the same woes. I'll be blunt and say that even a basic firewall and a non-IE browser in its default settings, no geek stuff like Noscript, are enough for the average user to stay safe PROVIDED they don't download crap and install it themselves.

    You can't beat keygen.exe for photoshop when users set their mind to it.

    Mrk
     
  11. Access Denied

    Access Denied Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    927
    Location:
    Computer Chair
    The only infection my personal PC ever caught was that same filename, lol. Keygen.exe. I'll never use another one!
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Not all remote code execution (drive-by download) exploits target the browser.
    Recent exploits have delivered malware via Flash SWF files and PDF files.

    While user procedures/patches can deal with plugins and such applications, nonetheless
    a specific Default-Deny rule of some type to block any unauthorized executable
    takes care of the problem in all instances.

    Yesterday:

    Titan Shields up!
    http://isc.sans.org/diary.html?storyid=5803
    (Today Google has posted its "This site may harm your computer" notification under the URL.)

    ----
    rich
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    rich, that site won't do anything in FF ... But again, if you download files on your own, this includes pdf, flash etc and run them, how is this different than executing any other file?

    1) Block drive-by by using a good browser.
    2) After that, everything else is a consensual, deliberate, user-initiated download, upon which there may be an execution. Analyzing the file type and content is a different story. But if you don't run it, it won't harm you. And if there's doubt, there's no doubt.

    Cheers,
    Mrk
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Mrk, That page wouldn't work here in either Opera or IE6. I was told it was because I'm using an old version of Flash. Looking at the source code, it's targeting v9:

    Code:
    // SWFObject helper on the page: reads the installed Flash Player version
    var version = deconcept.SWFObjectUtil.getPlayerVersion();

    // the page only proceeds for Flash Player 9
    if (version['major'] == 9)
    Evidently some PDF and SWF file exploits are triggered without the user having to download the specific files. I have not been able to test any of these, so I can't comment further.

    It is evident that these attacks are limited in their effectiveness, since they target specific versions of the plugins.

    Nonetheless, I still believe in a Default-Deny rule in place. I use it in home environments not just for drive-by downloads but for other situations regarding unauthorized executables.

    Otherwise, everything is consensual, as you state.

    ----
    rich
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Seems like I made a grammar doo-doo :)

    I agree with DD - it can be employed by software or not clicking ...

    Cheers,
    Mrk
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,211
    Location:
    Texas
    Update on UAC
    Engineering Windows 7
     
  17. Access Denied

    Access Denied Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    927
    Location:
    Computer Chair
    Just as I originally thought. 'Tis all crap about the security hole. Know what you're clicking on and you won't be infected. Do not browse sites known for baddies and you won't be infected. Hell, I have even run with no AV for months at a time with no infection. It's all in how you interact with YOUR PC. 'Nuff said.

    :)
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,211
    Location:
    Texas
    UAC Feedback and Follow-Up
    Engineering Windows 7
     
  19. jonyjoe81

    jonyjoe81 Registered Member

    Joined:
    May 1, 2007
    Posts:
    829
    That therein is the problem: as long as Internet Explorer is "built-in" to Windows, you're going to get attacked. There is no way around it.

    UAC is "crying wolf" all the time, which renders it ineffective and most annoying. The "disable" setting I found to be where UAC worked best for me.
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is quite something! Had the writer made this point in the earlier blogs, it might have cleared up a lot of things. As if to emphasize this point, he states again,

    Now, if this is so, why the need for UAC? Or AV? Or anything else?

    Did anyone else challenge this bold assertion? Only one way to find out: run a test.

    First, the examples he gave use IE browsing to an EXE or VBS file and triggering a prompt. Well, this exists in all browsers, as he mentions, so why this example is used is puzzling. Of course, the browser doesn't know if the file is malware or not - it's just the standard warning for these file types.

    A better test is by remote code execution. I chose autorun since that is one of the attack vectors of the Conficker worm.

    I don't have Windows 7 so I enlisted the help of Sully. I sent him a small program that he probably doesn't have, and it did successfully get onto the system and run:

    [screenshot: astro.gif, the test program (astroexp.exe) running on Windows 7 after arriving via autorun]

    I chose this because it is a self-contained program. When you enter values it calculates f-stop and shutter speed for photographing the moon. As a self-contained program it doesn't extract any files nor make any changes to the system. Remember Microsoft's statement,

    So it is proven that an unauthorized file can get onto the system without consent. I didn't have Sully use malware but it would be easy to test such and it would succeed because Windows by itself cannot distinguish bad from good code.

    Other remote code execution exploits include using malformed PDF files to trigger the download of malware. A recent one was the Google 7.7.7.0 redirect which first came to light in the Google forums, and later a thread started at DSLR by one who was infected:

    This is not to single out a browser because this exploit doesn't target a browser nor an operating system.

    Note that the above victim did not open a PDF file. The exploit triggered as soon as he went to the site.

    Now, it is probable that UAC would catch these exploits as they attempted to make changes. Yet Microsoft's point in these latest blogs is, to state again,

    Since it has been shown that malware can get onto the machine without express consent (my astroexp.exe could easily have been malware) who is to say that down the road some other vulnerability to disable UAC will be discovered and included in a malware attack?

    In the latest blog, Microsoft is less assertive:

    Why Microsoft doesn't mention SRP - AppLocker - is puzzling. That is built in and not a third party tool. SRP provides secure Default-Deny protection when configured for White Listing. A Default-Deny policy would have protected against the PDF attacks above.

    Can someone who is evaluating Windows 7 check out SRP?

    Windows 7 promises to be a feature-packed OS with many improvements and Microsoft is in the unenviable position of trying to balance Security and Usability, as discussed in one of the blogs. But no one I know has ever depended on the OS alone to protect against malware. It's just too big of a job. While UAC may contribute to constraining malware once installed, no security-minded people I know would depend on this feature. Rather, they would concentrate on prevention at the outer perimeter with secure Default-Deny protection.

    ----
    rich
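An added example answering the "can someone check out SRP in Windows 7?" question above; it is not code from the post or from Microsoft. On Windows 7 the SRP successor is AppLocker, driven from PowerShell by the AppLocker module. Enforcement only happens on Windows 7 Ultimate and Enterprise (and Server 2008 R2) with the Application Identity service running; other editions accept the policy but ignore it. The policy below reproduces AppLocker's three default EXE rules with exceptions for the user-writable folders under the Windows directory, and the stand-in files used for the dry run (copies of calc.exe under invented names and paths, including the autorun-delivered astroexp.exe from the test) are constructed for the illustration.

```powershell
# Added example: AppLocker Default-Deny on Windows 7 with a dry run before
# enforcement, plus closing the autorun vector. Not part of the original post.
Import-Module AppLocker

$PolicyFile = Join-Path $env:TEMP 'applocker-default-deny.xml'

# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators. Temp and Tasks are the
# usual user-writable folders under %WINDIR%; enumerate the rest on your own build.
# AuditOnly logs what would be blocked (event 8003 in
# Microsoft-Windows-AppLocker/EXE and DLL) without blocking; switch to "Enabled"
# once the log is clean. Rule Ids are generated here.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators may run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

function New-StandInFiles {
    # Harmless stand-ins (copies of calc.exe) at the places malware would use.
    # Constructed for the demo; delete them afterwards.
    $targets = "$env:SystemRoot\Temp\svchost.exe", "$env:TEMP\astroexp.exe"
    foreach ($t in $targets) { Copy-Item "$env:SystemRoot\System32\calc.exe" -Destination $t -Force }
    return $targets
}

function Test-DefaultDenyPolicy {
    # Dry run against the XML before anything is applied. PolicyDecision is
    # Allowed, Denied or DeniedByDefaultRule (no rule matched at all).
    param([string[]]$Paths)
    Set-Content -Path $PolicyFile -Value $PolicyXml -Encoding UTF8
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Paths -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Enable-DefaultDenyPolicy {
    # Run elevated. AppLocker only evaluates rules while AppIDSvc is running.
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $PolicyFile   # replaces the local policy; add -Merge to keep existing rules
    Get-AppLockerPolicy -Effective -Xml          # show what is now in force
}

function Disable-Autorun {
    # Closes the autorun vector used in the test: 0xFF turns AutoRun off for
    # every drive type. XP and Vista also need the update from KB967715 for the
    # setting to be honoured consistently.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -PropertyType DWord -Force | Out-Null
}

$standIns = New-StandInFiles
Test-DefaultDenyPolicy (@("$env:SystemRoot\System32\svchost.exe") + $standIns)
Remove-Item $standIns -Force
```

The genuine System32 binary matches the Windows rule; the copy in %WINDIR%\Temp hits that rule's exception and the copy in the user's Temp matches nothing, so both come back denied, which is the SRP behaviour the post asks about. One caveat that ties this back to UAC: AppLocker evaluates the process token, and with UAC on an administrator's non-elevated processes carry the Administrators group as deny-only, so the "Administrators may run anything" rule only applies after elevation. A whitelisted machine therefore still shows an elevation prompt exactly when an admin deliberately runs something outside the whitelist, and at no other time.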
     