Windows Is 'Insecure By Design,' Says Washington Post
Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"
Choice (Score:3, Informative)
In my case, because Virginia Tech's CS department requires us to have XP Pro. The people who don't trust MS use Windows because they have to.
'windows attacked because popular' (Score:5, Informative)
-
People in glass houses (Score:1, Informative)
Granted it's been a few years since I was a Level 1 Tech for Apple Resellers, but let's not forget that for many years Macintosh (and specifically Mac-OS) reigned supreme as the simplest platform for which to write viruses. And virus writers certainly took advantage of it.
Why? Because every time you inserted a floppy or CD, or mounted a new hard disk or Syquest cartridge, the OS went behind the scenes to load CODE resources from the disk to allow the display of custom dialogs (passwords, etc), change desktop settings, layout, etc. The user didn't have to take any action to open files or folders.
It didn't take virus writers long to figure out this point of entry, and with no concept of permissions or anti-trust built into the OS, the malicious code had full control of the system.
Few days went by where I didn't have to low-level format someone's hard disk and inform them that, yes, working backups are a Good Thing to have.
Re:Choice (Score:5, Informative)
In FAQ [vt.edu] they respond to the question "Do I have to use Windows XP Professional on my computer?" The requirement is more of a guideline for people who don't know what to get. And the original poster is probably just a karma whore who doesn't know what he/she is talking about.
Re:It's not Windows' fault (Score:5, Informative)
This has nothing to do with Unix and certainly isn't a standard (hell, Samba doesn't even support this). This was totally a MS-original.
A lot of the http virii are based on MS-extensions or broken non-standard behavior of the MS clients.
If MS had followed what you refer to as "obscure unix standards", this wouldn't be an issue. Despite what you may think, Unix systems were designed with security in mind whereas Windows was designed as a user-operating system.
quoth Marc Andriesen (Score:5, Informative)
Its nothing but a virus delivery system.
That was about 8 years ago. Microsoft destroyed netscape and aside from some humorous footage of Bill Gates lying under oath nothing was done about it.
Now someone in the mainstream press has actually done their homework. Are we supposed to be impressed ?
Re:95% a target perhaps? (Score:5, Informative)
Funny how 95% of PC users have Windows, I wonder why a Virus writer would want to target Windows??!? Perhaps that is why so many exploits are found, because people are targeting it religiously, start targeting Mac and Linux as much and see who is insecure
Actually, virus writers write virii targeting windows machines because windows machines are easy targets, not because there are so many licenses sold.
According to Netcraft's site survey [netcraft.com] only a quarter of active sites run Windows leaving the bulk of the public internet running on *nix.
I suspect much of the 95% of PCs you speak of are safely walled up in institutions, schools and corporations private networks, which are generally out of scope for a worm like blaster to target.
Now koniosis, what should impress you is that *nix's run the majority of public sites on the internet (those sites most easily attacked, I might add) with a marked minority of serious compromises as compared to Windows. More sites, less bugs. Simple.
Finally, only a Microsoft employee could think that it's justified that the amount of embarrassing code compromises grow proportionally to desktop marketshare.
Re:Insecure by Design (Score:4, Informative)
Plug and Pray, or Plug and Pay! Security Optional (Score:3, Informative)
On one of my desktop systems, the latest Windows XP driver updates trashed my Hercules Game Theater XP setup. Lots of error messages and no sound!
On my Laptop, the latest Windows 2000 service pack blew away support for the Netgear MA401 WiFi card.
The first problem is easily dealt with. Roll back the upgrade. Sound worked before and it wasn't a critical update--just recommended.
For the laptop, I now have a choice between gaping security holes or WiFi support. Thankfully it dual boots to Linux
I wonder how many people are in the same boat. Plug and pray, or plug and pay!
Re:Good point, muddled way of expressing it (Score:5, Informative)
I seem to recall XP's firewall being turned on during the initial "Welcome to Windows" wizard that pops up after installation, if you choose the option "This machine will be directly connected to the internet" (or something like that).
That being said, I always turned the firewall OFF, it was too much of a pain to set up additional ports to allow.
Since then, I've moved to a Mac, and OS X's firewall is much easier to configure.
I certainly agree with the rest of your points though (and the majority of the article).
OS X is completely locked up... (Score:4, Informative)
Actually, OS X does have (in most systems) some ports/services open by default. Here's a sample portscan with no user-services (ssh,httpd, afp, etc) running. 1033 is assigned to NetInfo
427 is "server locator"
631 is "IPP (Internet Printing Protocol)"
Re:95% a target perhaps? (Score:3, Informative)
decent firewall script
For the common user, run redhat-config-securitylevel or use the menu Applications - System Settings - Security Level (enter administrator password). Choose between No, Normal, Maximum; Normal has proven to be sufficient for average users.
download the latest patched kernel
Click Red asterisk that's blinking in your left corner. Click Launch up2date (enter administrator password) - Next - Next - Finish
In linux you have far more control over the system and can do far more damaging things, as its less restrictive than windows
Yes, I agree, but only when I'm root. When I'm using my user account the system is far better protected. Again, users don't need to know what the console is.
so you can't say windows doesn't stop users being stupid because linux doesn't make an effort to either
Actually it does, if you read what I answered.
To protect yourself from posting stupidity, try running the system before you want to join the critics.
And yes, there is a major difference
When you set up Windows you start as Administrator. Most people even without password. First user that you create is still administrator and again there is a possibility to have no password
When you set up linux, you MUST enter administrative password that can't be blank, but redhat starts firstboot script on first login. Here you MUST enter your username and password, by the way, default password length is 6 characters
By the way I'm available to your next comments
Re:Ummm... (Score:2, Informative)
First of all, your fear of liability is irrational. If it is known and documented that a trojan will forge the sender address, and the headers show that the mail was not sent from your ISP, it sounds like you're in the clear. Even if it were sent from your ISP, one would have to show that you controlled that IP at the time the message was sent.
Furthermore, unless you can cite a case in which a user was held responsible for the activities of a trojan running on his or her system, I feel pretty safe in calling you paranoid. Unless you did knowingly spread the trojan, you're fine, except for the aforementioned paranoia.
That aside...
Nice try.
Too bad you seem to have no clue what trademark actually covers. Contrary to what you seem to believe, owning a trademark does not give you exclusive right to control the use of a certain combination of letters in the Roman alphabet.
This means that Bertelsmann can't do a damned thing about me saying "Bertelsmann" here. Bertelsmann Bertelsmann Bertelsmann. Nor can the RIAA. From the USPTO [uspto.gov]:
As long as I'm not using a trademark to mislead people by implying that a product was provided by the company which holds that trademark when the product hadn't really been provided by said company, there really isn't a problem.
Go try to register your email address at the USPTO. If you succeed, let me know what it is, and I'll email you letting you know that I heard a story about the Recording Industry Association of America (TM) was suing students from colleges including Princeton University (TM), that I saw the story on MTV's (TM) website, as well as on the news on a Time-Warner (TM) station, and that the students were likely running Microsoft (TM) Windows (TM).
Then I'll invite you to imitate the actions of The SCO Group (TM) and file a lawsuit against me which is destined to do nothing but waste court time.
Hell, you can even forward a copy to each of the companies which own the aforementioned trademarks.
When the court case is thrown out, I'll buy you a cup of coffee at Starbucks (TM), which buys its milk from Horizon Organic Dairy (TM).
Re:Running always as root.... (Score:2, Informative)
Have you ever heard of the term "NTFS"? Go to an XP machine and see how the C:\WINDOWS\Temp permission is set up. Saying that Windows has no sticky-bit-like mechanism is like saying *NIX doesn't have ACLs.
long week for windows users is right. (Score:4, Informative)
overtime is great.
Rob Pegoraro (Score:1, Informative)
1) Never seen an Apple product he didn't like.
2) Never read an Apple press release that he didn't agree with.
3) Agrees that all new Apple strategies have finally got it right.
Re:what about Gentoo? (Score:3, Informative)
Re:Another example of Windows' designed insecurity (Score:2, Informative)
Re:MOD PARENT UP, more.. (Score:1, Informative)
If there was a worm I've forgotten, please do remind me of it.
Re:Ummm... (Score:2, Informative)
Re:Quick linux security test. (Score:4, Informative)
I did an strace of a (brand new, designed-for-XP) program on Windows XP recently. The program changes the mouse cursor when you mouse over certain UI features. According to strace, Windows XP uses WOW (windows-on-windows -- Win16 emulation!) to do this. To this day. In their latest operating system release. Sheesh. The Win32 call thunks down to Win16 emulation, even on XP. How busted is that.
Plus, windows thinks that just because a file's name ends in ".exe" or some other magical combination of letters, that it's a program and should be loaded and run. Over here on my Linux systems, I can deny execute permission to entire filesystems (such as users' home directories), and in any case, Linux doesn't assign every random attachment and download execute permission by default.
Re:New sig file... (Score:5, Informative)
X-MailScanner: Found to be clean
Not sure what it achieves, but it's there.
Redist versions of Windows patches (Score:2, Informative)
Windows patches come in both a Windows Update version (downloaded through an ActiveX control through windowsupdate.microsoft.com) and a "redist" version (downloaded through any graphical web browser).
Re:'windows attacked because popular' (Score:3, Informative)
First, consider who Microsoft based systems are popular with: home and office users. Often, as in the case of SoBig, the users are as much a target as the operating system.
Second, because Microsoft is so popular and because they have a history of problems (such as bluescreens), they have become extremely unpopular, particularly among that certain segment of the population that might create and unleash viruses. While I know of many corporations/organizations whose capacity for evil greatly exceeds Microsoft's (Monsanto, Phillip Morris, etc), I know of no company so hated by so many all over the world.
Finally, when you consider the amount of viruses, worms, and the like that affect Microsoft versus a nix, it is important to remember that Microsoft is an entire homogenized platform in and of itself. The misc services, the ftp server, the smtp server, the web server, the database server, the mail server, etc are all made by Microsoft and many of these components are standard, especially in a Microsoft shop. Compare this to a nix where people more readily pick and choose each of the above components. If you are writing a multi-vector worm like Nimda, windows represents the easiest target because there are a lot of standard uniformly implemented services which are virtually guaranteed to be there. If you were writing the same thing for a Nix, you could target Apache, sendmail maybe, and then what? There's so much diversity in the Nix world that it makes it more difficult to target.
I am not excusing Microsoft's security problems in any way. I just believe that the popularity of Microsoft and its platforms has had an extremely significant effect on the number of times they are targeted, and as a result, compromised.
Re:Don't worry... (Score:3, Informative)
Honestly, any user with an ounce of common sense can use Outlook perfectly safely. That e-mail with the pidgin English and the
NSA Secure Linux going into the standard kernel (Score:5, Informative)
It's not a magic bullet, but mandatory security just went mainstream.
What this all means is the ability to put programs into levels and compartments from which they can't escape. Security breaches in the mail handler or the web server can't propagate to the rest of the system.
The code is open source, GPL, and written by the United States Department of Defense's National Security Agency. It looks like Microsoft's attempt to shut down that project [theregister.co.uk] failed.
Re:Perhaps I'm doing something wrong... (Score:5, Informative)
Re:Ummm... (Score:5, Informative)
This includes security updates and point-revisions of the OS (which one might presume to have less-critical security updates rolled into them), and excludes application specific updates for the i-App suite, Safari, etc. that were not labelled as "Security" related (one might assert that they were in fact security related, but they included point-upgrades to the applications as well. Those totalled perhaps 8-10 updates over the span covered). Note that two (Stuffit! and IE) are for 3rd-party bundled apps with labelled "Security" updates.
yes, I'm aware that I haven't installed the latest one to patch the off-by-one bug that impacts the FTP server. I'm waiting until I need to reboot for some other reason.
TOTAL UPDATES OVER THE PAST 10 MONTHS: 5. 7 if you count patches to 3rd party apps, one of which was IE. 10 if you're really liberal and include the point-revisions of the OS too.
Please tell me where these "lot of security updates in the past 6 months" are... I'm not seeing them.
Re:Ummm... (Score:2, Informative)
People, please stop saying 'virii' (Score:1, Informative)
I know it's a lot to ask on Slashdot, where grammar and spelling aren't exactly second nature, but can we please get over this pseudo-latinistic plural of the word virus?
I know it's vogue with geeks to use latin plurals, but as anyone who has studied latin knows (and I realize nowadays not many people can claim this), not every word ending in -us is a second declension masculine noun (whose nominative plural, of course, ends in -i).
It's a good guess for most words ending in -us obviously of latin origin (focus, for example), but it doesn't hold in all cases and you should definitely do your homework.
But since this is Slashdot, I did your homework for you. Check out this page for an explanation. [perl.com]
Be warned, though, it sort of assumes that you have a brain. Those lacking need not read it. For those of you that just want to take my word for it, the plural is 'viruses' (that wasn't so hard, now was it).
Re:Good point, muddled way of expressing it (Score:3, Informative)
Not only that, it goes and hides that part of the name by default, so most people won't get a warning that the file will be executed.
it's even possible to deny the "execute" permission to an entire filesystem
You can actually deny execute permission on a drive (or any file/folder) in Windows as well, but since that's shared with folder traversal it may not be feasible. (And I doubt that's available in "Home" editions...) It might work if you go and enable it for all folders specifically (and not their content), but that would get extremely tedious.
MS Marketing department security bulletin ratings (Score:4, Informative)
Re:Why was this posted? (Score:1, Informative)
Re:Perhaps I'm doing something wrong... (Score:2, Informative)
The Symantec W32.Blaster.Worm Removal Tool [com.com] has been downloaded about 131,000 times through Download.com, which is probably a fair measure of the scale of the infection.
---but, in comparison, Kazaa was downloaded 2,678,000 times last week alone.
To break into Download.com's top fifty lists, a Windows program must approach 30,000 downloads a week, to make the Mac list, a bare---some would say pathetic--- eight hundred.
The simplest conclusion to be drawn from such numbers is that it is difficult for even the most aggressive worm or virus to bring down more than the tiniest fraction of the installed Windows base.
---not because Windows systems are "inherently secure," but because the Windows user base is so immense an infection can be contained before it becomes unmanageable, or even visible to users, for anyone who auto-magically installed the RPC patch on July 16th, the hoo-rah after must have come as quite a surprise.
Re:JRTFA (Score:2, Informative)
Windows Update had (and still has) a flaw [zdnet.co.uk] in that it checks registry keys to determine if you have patches installed, rather than the files themselves. Sometimes the registry key is inserted but some or all of the actual patch files are not, for one reason or another. This happened to many people on July 17th, and they were probably really surprised when they got hit by the MS Blaster worm.
One particularly noteworthy victim of this flaw is the US army.
Re:I have a coworker who kept saying it was hardwa (Score:3, Informative)
There's Bochs [sourceforge.net], which is free and will emulate an x86 on almost anything, including the Mac, but it's not very fast.
And since about 1994, there have been Macs that can run Windows using a built-in x86 compatible processor, like having two computers in one. You could switch between them by pressing a simple key combination, and it came with software to help you do things like copy and paste between them. The high school I attended had one.
My bosses generally don't believe in "can't", but most of the time they're right.
Re:Ummm... (Score:3, Informative)
---
Use a proper business model:
"Okay, my first charge for help is going to be $100 -- $50 for one hour of help, and another $50 for a second HDD, installing a dual-boot Debian Linux on your computer. At that point, you have a choice about which system you want to boot into, and it will make it easier for me to disk-image your Windows system directories, and fix your problems. One thing, though: keep all your program CDs in one place for quick reinstall; your programs installed in c:\my programs; your downloaded programs in c:\my downloads\programs; and all your documents stored somewhere under c:\mydocuments. That will keep things simple for me, and cheap for you.
"After that, I'll charge $50/hr for service, but it will be a ton cheaper, because I'll often simply restore the image of your OS directory. Indeed, I'll show you how to do it.
---
Quite honestly, as they get used to using Linux, they'll start to forget Windows. I know I did. It's still on my system. Eventually, though, I had to completely reformat my Win98 HDD and reinstall. This time, the reinstall for some reason never gave me Word, which was in the original software set, and I can't figure out how to get it [and it is one of my main reasons for keeping Windows around.] But interestingly, with the reinstall, I ended up doing it a second time and installing almost nothing, but lo and behold, my HP DJ1120c print driver, which used to crash on the loaded system, still crashes on the empty system, and now it's clear that it is an OS bug, since it crashes other things, too. So my other major reason for keeping Windows around, a better print driver, is also bogus.
Well, as people start to realize this stuff, they're going to drop Windows on their own. And you're not going to make yourself poor, servicing them for free.
Re:Ummm... (Score:3, Informative)
I recently got a load of Failure Notices to my University mail account that claimed the mail I had sent was infected with a virus (I think it was an earlier SoBig variant). Well, the notice included the header of the original email, which in turn included the Received: line I was looking for.
The guy's computer (in another dorm) was denied net access by the computer center after my mail to their abuse handler until he proved to the net admins in his dorm that his box was clean again.
In short: to anyone who asks you, you can effectively prove the mail did not come from you. Unless, of course, you're in via some dialup provider which happens to be the same the sender of the virus mail used; that makes it a bit harder.
Re:Ummm... (Score:3, Informative)
Email viruses for a long time couldn't be prevented by the end user, if that user was using Outlook/Outlook Express.
If I get an attachment called 'summary.txt' then I tend to assume it's a text file, and will view it to see its contents. In OE it may actually have been 'summary.txt.pif', an executable virus. A system that allows that mistake to happen has inherent design flaws.
For the record, that's one reason I've never used Outlook Express. I use mail systems that tell me what I've received, and that will handle attachments in the manner I expect.
Calling people 'stoopids' may make you feel superior, but doesn't alter the insecurity of the design of many MS products.
A lot of users are ignorant. There are solutions to that problem that don't include introducing a whole new class of virus (email viruses), or leaving systems open to remote attack (e.g. MSBlast) by default.
~Cederic
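The hidden double-extension problem from this post and the earlier one about Windows hiding the last extension by default, as an added illustration (not code from the posters or any project): the classifier below reports what a name like "summary.txt.pif" is displayed as versus what it really is, and a small parser runs it over every attachment of a constructed MIME message. The extension sets are an assumption for the example, not Outlook's actual "unsafe" list.

```python
"""Flag attachments whose real (last) extension is executable but whose
displayed name looks like a document, e.g. 'summary.txt.pif'.

Added illustration for this thread; not code from the posters or any project.
The extension sets are an assumption for the example, not Outlook's full list."""
import email
from email import policy

# Extensions Windows will run when the file is opened (illustrative subset).
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js", "lnk"}
# Extensions a user would expect to open harmlessly in a viewer.
DOCUMENT_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html", "rtf", "zip"}


def classify_attachment(name: str) -> dict:
    """Classify one attachment file name.

    With 'Hide extensions for known file types' on, Explorer and Outlook Express
    show the name without its last extension, so 'summary.txt.pif' is displayed
    as 'summary.txt'.  The verdict is based on the extension that is really used.
    """
    parts = name.lower().rsplit(".", 2)      # only the last two extensions matter
    real_ext = parts[-1] if len(parts) > 1 else ""
    inner_ext = parts[-2] if len(parts) > 2 else ""
    displayed = name[: -(len(real_ext) + 1)] if real_ext else name
    if real_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        verdict = "disguised-executable"
    elif real_ext in EXECUTABLE_EXTS:
        verdict = "executable"
    else:
        verdict = "document"
    return {"name": name, "displayed_as": displayed,
            "real_ext": real_ext, "verdict": verdict}


def scan_message(raw: str) -> list:
    """Parse a raw RFC 822 message and classify every attachment it carries."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [classify_attachment(part.get_filename())
            for part in msg.walk() if part.get_filename()]


# Constructed sample message: one disguised attachment, one genuine text file.
SAMPLE_MESSAGE = """\
From: someone@example.invalid
To: you@example.invalid
Subject: summary
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

See the attached summary.
--BOUNDARY
Content-Type: application/octet-stream; name="summary.txt.pif"
Content-Disposition: attachment; filename="summary.txt.pif"
Content-Transfer-Encoding: base64

aGVsbG8=
--BOUNDARY
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Plain notes.
--BOUNDARY--
"""

if __name__ == "__main__":
    for result in scan_message(SAMPLE_MESSAGE):
        print(result)
```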
Re:Ummm... (Score:3, Informative)
1 per month is a fairly small number, I agree. But for your average clueless user... "I just did that last month, now I have to do it again? I thought I bought an iMac so I didn't have to do this anymore..."
Re:JRTFA (Score:2, Informative)
> know or trust. Don't open attachments if they're not absolutely
> known and expected Update early and often
No. Tell them go to www.pmail.com and get Pegasus Mail, and read
email with that. "Don't use Outlook. It's too dangerous."
Re:Total Windows XP updates (Score:2, Informative)
Successful  Thursday, August 21, 2003  Security Update for Microsoft Data Access Components (823718)
Successful  Thursday, August 21, 2003  August 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 (822925)
Successful  Wednesday, July 30, 2003  Windows Error Reporting: Recommended Update (Windows XP)
Successful  Thursday, July 24, 2003  Q322011: Recommended Update
Successful  Thursday, July 24, 2003  Recommended Update for Windows XP SP1 (817778)
Successful  Thursday, July 24, 2003  DirectX 9.0b End-User Runtime
Successful  Thursday, July 24, 2003  Security Update for Microsoft Windows (819696)
Successful  Thursday, July 17, 2003  821557: Security Update (Windows XP)
Successful  Thursday, July 17, 2003  Security Update for Windows XP (823980)
Successful  Friday, July 11, 2003  817606: Security Update (Windows XP)
Successful  Friday, July 11, 2003  823559: Security Update for Microsoft Windows
Successful  Friday, June 27, 2003  Hp Printer Driver Version 4.20.4100.430
Successful  Friday, June 27, 2003  Q282010: Recommended Update for Microsoft Jet 4.0 Service Pack 7 (SP7) - Windows XP
Successful  Thursday, June 26, 2003  327979: Recommended Update
Successful  Thursday, June 26, 2003  DirectX 9.0a End-User Runtime
Successful  Tuesday, June 24, 2003  Microsoft
Successful  Tuesday, June 24, 2003  814995: Recommended Update
Successful  Tuesday, June 24, 2003  331953: Security Update (Windows XP)
Successful  Tuesday, June 24, 2003  329170: Security Update
Successful  Tuesday, June 24, 2003  811630: Critical Update (Windows XP)
Successful  Tuesday, June 24, 2003  Q329048: Security Update
Successful  Tuesday, June 24, 2003  Q323255: Security Update (Windows XP)
Successful  Tuesday, June 24, 2003  Microsoft
Successful  Tuesday, June 24, 2003  814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP)
Successful  Tuesday, June 24, 2003  817787: Security Update Windows Media Player for XP
Successful  Tuesday, June 24, 2003  810577: Security Update
Successful  Tuesday, June 24, 2003  810833: Security Update (Windows XP)
Successful  Tuesday, June 24, 2003  810565: Critical Update
Successful  Tuesday, June 24, 2003  328310: Security Update
Successful  Tuesday, June 24, 2003  Q329115: Security Update (Windows XP)
Successful  Tuesday, June 24, 2003  Q329390: Security Update
Successful  Tuesday, June 24, 2003  Q329834: Security Update (Windows XP)
Successful  Tuesday, June 24, 2003  814033: Critical Update
Successful  Tuesday, June 24, 2003  Q329441: Critical Update
Successful  Tuesday, June 24, 2003  Q815021 XP: Security Update
Successful  Tuesday, June 24, 2003  816093: Security Update Microsoft Virtual Machine (Microsoft VM)
Successful  Tuesday, June 24, 2003  Q817287: Critical Update (Catalog Database Corruption in Microsoft Windows XP)
Successful  Tuesday, June 24, 2003  811493: Security Update (Windows XP)
Successful  Tuesday, June 24, 2003  330994: April 2003, Security Update for Outlook Express 6 SP1
Successful  Tuesday, June 24, 2003  818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1
Canceled  Monday, June 23, 2003  Microsoft
Failed  Monday, June 23, 2003  DirectX 9.0a End-User Runtime
Successful  Thursday, November 01, 2001  Windows XP Update Package, October 25, 2001
Re:why don't you want flash installed... (Score:3, Informative)
The only way to turn off the noise was remove the player. Until they fix the problem of no user control, it won't run on my systems.
Simple, always-functioning stop and play buttons are all that are needed, but they are lacking in many in-your-face, blinking, wiggling, distracting ads. ESC could work the way it does to stop animated GIFs, but even this is non-functional on Flash. The stop button does nothing, right-clicking to uncheck play does not work; only removal works 100% of the time. It's the same reason the blink tag was so hated.
Since I don't need to see all the trivial stuff to read the news, I just do without the player as it's the easiest way to kill the video noise.
Re:Quick linux security test. (Score:2, Informative)
The latest version of Microsoft Outlook can be set up so it doesn't even allow me to save an 'unsafe attachment', much less run it. I have to hack around in the registry to re-enable it, or ask the sender to resend it in a zip file.