Russinovich Says, Expect Vista Malware

Hypertwist writes "Despite all the anti-malware roadblocks built into Windows Vista, Microsoft technical fellow Mark Russinovich is lowering the security expectations, warning that viruses, password-stealing Trojans, and rootkits will continue to thrive as malware authors adapt to the new operating system. Even in a standard user world, he stressed that malware can still read all the user's data; can still hide with user-mode rootkits; and can still control which applications (anti-virus scanners) the user can access. From the article: '"We'll see malware developing its own elevation techniques," Russinovich said. He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'

Actually

[Anonymous Coward]

I'm really quite surprised by this.

Re:Actually

[SEMW]

Actually, I'm really quite surprised by this.

Quite surprised by what, that programs running in user-mode can still access the current user's data and programs in their home folder? Hardly news.

(I was slightly confused by the statement that programs "can still hide with user-mode rootkits", though -- surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself? I thought the whole point of a rootkit was that it allows malicious programs to maintain root (i.e. highest privilege) access undetected, which would make "user-mode rootkit" a bit of a contradiction in terms, unless I'm misunderstanding somewhere...?)

(And whilst I'm posting, "...a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file"? If it's a prompt that will give a malicious program elevated rights when the user clicks 'allow', what part of it is fake? Surely a fake/spoofed dialogue box wouldn't *actually* be able to grant elevated rights (pretty much by definition); and the text in the *real* elevation prompts can't be changed, since they run in 'secure desktop' sandbox mode, no?)

Re:

[Workaphobia]

> "Quite surprised by what, that programs running in user-mode can still access the current user's data and programs in their home folder? Hardly news."

The GP was being extremely sarcastic. I'm sure most of the people who read this summary, or even just the title, thought "Duh" and wondered why an expert like Russinovich didn't have anything more insightful to say.

> "surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself?"

Well it wouldn't be able to hide itself from the root

Re:

[Oriumpor]

It needn't actually escalate right away, it need only steal the password and use it to authenticate later (or to re-use the tried and true *nix login fake prompt again to re-request after "failing" to get the right password)

Re:

[TheCoelacanth]

(I was slightly confused by the statement that programs "can still hide with user-mode rootkits", though -- surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself? I thought the whole point of a rootkit was that it allows malicious programs to maintain root (i.e. highest privilege) access undetected, which would make "user-mode rootkit" a bit of a contradiction in terms, unless I'm misunderstanding somewhere...?)

"User-mode" usually refers to everything other than the kernel. N

Re:

[mrsteveman1]

The real problem is the millions of users who blindly use the system without even the most basic understanding of how it works. You would not be surprised at the number of users who can't tell a real windows dialog box from a pop up on the web warning that you "need to scan your hard drive".

As long as people literally refuse to learn anything more than the bare minimum necessary to quickly read their email, nothing will change, especially with totally incompetent systems like windows vista, which is qu

Re:

[Ernesto Alvarez]

You might not know how an internal combustion engine works, but you certainly have trained to use a car and have a license.

Even if you know almost nothing a about your car, you certainly know when something wrong is with your engine. I've seen people do things with computers that would roughly be equivalent to driving with the engine on fire. Not only people don't bother to learn the most basic things about computers, they also ignore any problems they see and keep going like nothing is happening.

Using a co

Re:Actually

[Fhqwhgadss]

surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself?

Too bad there are lazy software companies pulling this kind of shit [chessok.com]. The developer's link to this piece of shit "patch" is listed under the headline "Convekta's products are compatible with Windows Vista !!!" (just disable the single most important security feature of the OS). I'd bet that over half of all Vista boxes will have LUA disabled within 12 months of installation. What do you have then? A new OS with the security enhancements removed and untested code running in "every user is a superuser" mode, just like XP without the 6 years of bugfixes. Don't tell me XP has limited accounts; using XP under a limited account takes more effort than using Linux ever did.

The only thing keeping the malware writers away from Vista so far is its piss-poor market penetration, not its security enhancements.

Re:

[someone1234]

Quite surprised that Russinovich who is now on M$ payroll criticizes Vista publically.

Re:

[lpw]

Providing a truly secure OS is antithetical to the Windoze Nature, i.e., that of an OS for dummies. Maintaining a secure system takes time, know-how, and sometimes even reading some fucking manual. But Microsoft's "operating systems" are intended for the PC, a platform where the majority of users are not willing to make that investment. Eventually, once the novelty of MS Paint wears off, a user needs to install another application in order to actually accomplish something useful on the PC. Because MS ne

Re:

[drsmithy]

By definition, the user base of Windose will always wallow in mediocrity. Microsoft needs to take responsiblity for this, if it wants to dominate the OS marketplace.

"Wants to dominate" ? What _have_ they been doing then ?

I think that MS missed their opportunity to make Vista really secure. They could have developed a brand new API, and sandboxed the old API in a virtual machine environment, to maintain backwards compatibility.

Way, way too many negative tradeoffs. 99% of software would not be native a

Re:

[drsmithy]

Sure, they don't have any excuse, but MS lets them get away with it, simply because badly designed software will still work.

That's because they don't have any practical way of stopping them. Anything that doesn't involve "force" is a waste of time, because it is easily ignored. Anything that does involve "force" is an antitrust violation.

Fundamentally, it is the application vendors who beat the drum. The operating system is the chicken of the software world - it's just there to carry the flavoursome s

Re:

[ichimunki]

it is the application vendors who beat the drum. The operating system is the chicken of the software world - it's just there to carry the flavoursome software that the end user actually wants

And these days Microsoft is the single most important application vendor out there. Microsoft Office is the only "must have" application for the average home user. And MS is doing a lot of work to make sure that ISVs and competitors are left in the dust with Office2007's totally new UI that is not part of .NET and not

Security through obscurity

[EmbeddedJanitor]

Well, to hack/infect/trojan a Vista system you first have to find one. Considering the high switchback rate to XP that's going to be harder than previously expected.

Re:

[313373_bot]

What if Microsoft wrote a new OS, and no one bothered writing applications for it, not even malware? Despite all ineffective security and bad design decisions, the prevalence of viruses, trojans and spyware on previous Windows versions were (and are) in part due to their sizable market share. If Vista Me II isn't being attacked like old Windows, is it because it's so more secure, or is it because no one cares? Only time will tell, but I can't take of my mind the image of a mighty tree falling in the middle

Re:

[ady1]

mighty tree falling in the middle of a forest, with no one to hear it.

Surely you can examine the logs later on.

Re:

[poot_rootbeer]

What if Microsoft wrote a new OS, and no one bothered writing applications for it, not even malware?

IBM would probably take custody of it after their partnership with Microsoft dissolved, and it would become the OS of choice for ATMs and financial workstations for years to come.

Free screensaver !!

[Anonymous Coward]

with companies like ask.com (who run smileycentral a well know spyware site) nothing will change

just click on setup.exe and you can have this fantastic free screensaver, be the envy of your friends !

Re:

[Adambomb]

No Way!

Well, no shit

[hairykrishna]

In similar news, despite a wide variety of new content, online pornography remains disproportionately popular.

The "anti" strikes again.

[Anonymous Coward]

"He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'"

Good thing geeks are anti-social.

Vista malware

[psaunders]

Russinovich Says, Expect Vista Malware

Old news. Vista has been available for months now.

Smilies

[yotto]

So you're telling me I shouldn't have installed these smilies? Here, let me try a typical smiley face. :-@*&^^^ NO CARRIER

And ... ?

[khasim]

So now you know that Vista can be compromised ... what are you doing about it?

Where's the clean boot disk that I can use to scan a Vista box? How do I validate all the files on it?

What is your answer to AFTER the box has been cracked?

Re:

[Anonymous Coward]

To be fair, Vista's ultimate solution is probably no different from any other system:

Nuke it from orbit, reinstall.

The only difference is the hope they don't deny your registration after doing that too many times.

I suppose they could have a "Boot from CD and validate" option, but, because of subsequent system changes as the user installs drivers and other legitimate software (which could still include bogus stuff), it would probably be tricky to implement except for a few key system files that don't (or sho

Re:

[SLi]

People in the Windows world seem to ignore this until it becomes painfully obvious to them, but the only guaranteed solution, and the only solution real experts would offer (which I'm really glad is understood in the Unix world!) to you if it were of any importance that the malware be completely eradicated from your computer, to an administrator or system level compromise is a full reinstall or restore from backups before the compromise. Anything less than that and there is a way the malware can evade.

I kno

Not necessarily.

[khasim]

I can boot with a LiveCD and mount the hard drive so that NONE of its files are being run.

Then I simply match each and every file on the hard drive to the package that it should have come from and validate the md5 checksum.

Any file that is NOT accounted is suspect and can be individually evaluated. Most of them should be data files that are not executable.

Remember, in Linux, everything is a file and the boot process is very clearly defined. If something is running on your machine, you can find what it is and why it is running.

Any system that REQUIRES a complete tear down after ANY vulnerability is exploited is NOT a well designed system. There has to be a way to validate each section of the system.

Re:

[SLi]

In theory, yes, you can do that. In reality though in any reasonable system quite a number of configuration files have been modified, and the users have stuff in their home directories that does not directly come from any installation CD that could be used for at least a user-level exploit (which makes a root exploit dramatically easier). In such a system it is generally quite a bit less work actually to do a reinstall and reconfiguration than combing all the files with the kind of comb you need to catch al

Read what I had posted, okay?

[khasim]

In reality though in any reasonable system quite a number of configuration files have been modified, and the users have stuff in their home directories that does not directly come from any installation CD that could be used for at least a user-level exploit (which makes a root exploit dramatically easier).

I had already addressed that.

I had said:
"Any file that is NOT accounted is suspect and can be individually evaluated. Most of them should be data files that are not executable."

Again, you should be able to automatically validate the system files, then you manually check the others. Those others include the config files, user files and so on.

In such a system it is generally quite a bit less work actually to do a reinstall and reconfiguration than combing all the files with the kind of comb you need to catch all things evil.

If that were correct than your newly installed box would be cracked as soon as those user files were restored.

And, yes, they will need to be restored.

So, in EITHER case those files will have to checked for "all things evil".

But in my scenario, the box is validated FASTER and you can identify the files that were added/replaced.

More importantly, you can validate whether the box WAS compromised.

It's like trying to find the proverbial needle in the haystack, except that the needles have been deliberately hidden and you don't know how many there are - and if you miss one, you lose.

I take it that you don't work on Linux boxes much.

There are a finite number of files on the box. And EVERYTHING is a file.

The more of them that you can automatically validate, the smaller the number of files that you have to search through. This isn't magic. It's something called "Computer Science".

In your scenario, you rebuild the box, restore the users' files ... and you've just been compromised again.

Re:

[Watson Ladd]

That's not computer science. That's systems administration. And not everything is a file in Unix. Everything is a file in Plan 9. Although automatic validation will not fix the problem of misconfiguration. If you have been 0wnd, you should see what you forgot to patch, and what configuration mistakes you made.

Re:

[Daengbo]

In my opinion, you have just highlighted the strength of the average package system in Linux vs. the binary patch system some people would like to go to. Making a hash comparison is easy in the first case but either more difficult by a magnitude or just impossible, depending on how the patch is done, I guess.

As much as moving to a binary patch system would save bandwidth, I find the .deb, .rpm, and .tgz packages to have significant strengths.

Re:

[QuantumG]

If they've owned your BIOS, reinstalling won't help.

Flash BIOS exploits

[jmorris42]

> If they've owned your BIOS, reinstalling won't help.

Something I'm suprised doesn't actually happen more often.

But even if it ever does, I'm as ready as I can be for it. I write protect the BIOS whereever possible and it is usually possible.

I really like the Gigabyte DualBios feature as well, for a belt & suspenders approach. You can't write the BIOS without keyboard intervention during POST and even IF you screw up or opt to enable writes (I guess the Windoze folk prefer the GUI update util) you

Re:

[QuantumG]

Hmm.. wonder if you could flash a CD-ROM drive to run arbitary code on start-up.. presumably yes.

Re:

[Joe The Dragon]

It's better to flash a video card or other pci-e / pci card as they can have there roms loaded before the os stars up

Re:And ... ?

[QuantumG]

I love the way people say "you need to reinstall" .. as if you're going to do better building the box to be secure this time.

Re:

[SLi]

Well, you had better, because if you don't, you'll have go through the same again. Many people learn from their mistakes, fortunately. Reasonable security even on Windows is not that hard, if you take the steps before the compromise.

Re:

[WrongSizeGlass]

What is your answer to AFTER the box has been cracked?

I've found that super glue works pretty well, bu nothing is as good as blue duct tape. Blue duct tape rules.

Re:

[alshithead]

"I've found that super glue works pretty well, bu nothing is as good as blue duct tape. Blue duct tape rules."

Your duct tape has been hacked. Duct tape does not come in blue. The blue tape is masking tape for painting. Yes, it does stick very goodly...but by that fact alone it is not duct tape. Real duct tape is gray or silver and DOES NOT stick nearly as goodly to some surfaces.

Re:

[Weedlekin]

"The blue tape is masking tape for painting"

It's more likely to be electrical insulating tape. Masking tape is usually made of paper, and isn't particularly sticky because it's manufactured for easy removal after painting without leaving adhesive on the surfaces it was applied to.

Re:

[WrongSizeGlass]

You can find blue duct tape on this new intertube place called Google. My mechanic uses some magic blue duct tape he refers to as "100 MPH tape" ... which is why I never let him tow my car.

Re:

[SpaceLifeForm]

Rename files containing 'install' to something else.

Link [theregister.co.uk]

The height of stupidity from Microsoft.
Will they be able to top it?

Well, I for one

[Almahtar]

will do absolutely nothing about it. On purpose. When people get fed up enough with Windows that fair market conditions are restored I will consider helping out. In the mean time I'm more interested in letting Windows enjoy the just failure that its unethically-boosted success has brought it. No, I'm not going to play a part in cracking it- but if it can't defend itself despite the billions of dollars it has to put towards the cause, perhaps it's time for things to change and a new "king of the hill" sh

Duh!

[Cervantes]

From the "No fucking shit, sherlock" file...

Malware writers will write malware for the latest OS? And they'll try and find ways around the blocks? And in the millions of lines of code, they'll find a weakness and succeed? Holy shit, I never would have guessed!!

Seriously, sometimes when I read Slashdot, a small part of my brain cries out in pain, and then is silent forever.

Re:Duh!

[Workaphobia]

> "Seriously, sometimes when I read Slashdot, a small part of my brain cries out in pain, and then is silent forever."

This was only the first in a sequence of articles, the next being "Hackers can break into unsecured wireless routers."

The Jedis are going to feel this one.

Re:

[drsmithy]

Malware writers will write malware for the latest OS? And they'll try and find ways around the blocks? And in the millions of lines of code, they'll find a weakness and succeed? Holy shit, I never would have guessed!!

The only "weakness" the majority of malware succeeds against is the weakness of the user to do whatever it asks them to so they can watch porn, get new smileys, win an ipod, etc.

Uuuuhh? I thought...

[ukemike]

Gee whiz, I thought that Vista itself was the malware?

Re:

[evilviper]

Don't worry. He's just new there. He'll become utterly detached from reality soon enough.

Hey, Russinovich

[Ranger]

Vista is Malware!

Standard plug-in joke #3:

[Black Parrot]

In Russinovich, malware attacks Vista.

Re:

[Opportunist]

In capitalist America, Vista attacks YOU.

Is it me or is something wrong with the world when the punchline of the "in Soviet Russia" jokes is not in the "in Soviet Russia" line?

An Expected Approach

[gooman]

He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.

That is the scenario I have been envisioning since I first installed RC1. Microsoft is conditioning users to agree to about anything by having so many intrusive pop-ups. People just want to get on with their computing experience. Maybe they will read the warning a few times at first, but after a short while they just respond without reading because that is how they get to the next step. Of course malware writers will use this method, it is almost as if Microsoft has given them a gift.

Re:

[Ephemeriis]

That's something that I noticed almost immediately when I installed Vista. I guess I don't know how it would be for your typical home user, but the things I was trying to do kept asking me for permission. Had to click OK to install software...had to click OK to change network settings...had to click OK to change firewall/filesharing settings when it detected a new network...had to intentionally run the command prompt with administrative rights, and then click OK to allow it... Maybe your average user wou

Re:

[VertigoAce]

Vista just asks me for my password. I haven't seen this cancel or allow prompt in months. When I need admin access for a task I have to type in an admin password. The kinds of tasks that require admin access in Vista seem to be more or less the same as those in Linux that require root.

Basically, the behavior you are seeing is that you are taking a shortcut and running as root all the time. Any time you actually need to be an admin it'll ask for your permission, but not require a password, since you already

Re:

[gutnor]

First, I don't have Vista and I don't plan to have it.

However, I assume that in a sane environment, the user should be asked when it install software ( at least the one that register some system-wide stuff - which is pretty much everything in windows world ), change firewall/antivir settings, network config,... unless it runs in administrative mode of course

When people talk about confirmation box, I suppose they run in user mode where that makes sense to elevate a process priviledge when running 'admin' stu

Re:

[Ephemeriis]

I think a good part of the problem is that many people, myself included, are still running software that requires administrative access to work properly.

Many of my son's games only run correctly when you are logged in as an administrator (under XP, not Vista). I assume that he'd need to enter a password or click OK to make them work under Vista.

Utilities like Net Stumbler require administrative rights to run properly under Vista.

One of the language training programs at a school that I support requires admi

Re:

[SEMW]

Maybe there's a good reason why these programs need administrative access, maybe not...but they need it. And under Vista you'll be prompted.

Sorry, but that's just wrong. Pretty much everything that "needs" admin rights in XP does so because the app wants write access to either the systemwide branch of the registry (i.e. HKLM) rather than current user branch, or, more often, their own folder in \Program files rather than \appdata in the current user's home folder (ini files etc.). Neither of these will need admin privs in Vista due to file & registry virtualization, which redirects writes (and subsequent reads) to a per-user location with

Re:

[Durandal64]

What is the method, exactly? How does putting up a fake elevation prompt accomplish anything? If it's a fake elevation prompt, by definition, it accomplishes nothing. To get elevated privileges, you have to go through UAC, and the actual elevation interface exists on a separate desktop to prevent scripts from faking a click on the "Allow" button. So how is this "attack" any different from just presenting a random button to the user that says "CLICK ME OMG PLEEEZE CLICK ME!!!"?

Re:

[NatasRevol]

The question is - can the script prompt the real UAC interface and because the user is so used to just clicking Accept to get things to work, and the rootkit is thus installed by the user?

Re:

[funkyloki]

The gift is that Microsoft can now "blame" the user for their weakly written OS. By making it the user's responsibility to approve/disapprove just about every freakin' thing that runs on the Vista box, they can then go back and say "Gee, too bad you got that virus/spyware/malware infection, but it's not our fault, you clicked Allow".

Instead of making a better, more secure OS, they just shifted the culpability for weak security to the user.

Re:

[SEMW]

By making it the user's responsibility to approve/disapprove just about every freakin' thing that runs on the Vista box, they can then go back and say "Gee, too bad you got that virus/spyware/malware infection, but it's not our fault, you clicked Allow".

I've seen this comment quite a few times on Slashdot, and it continues to be completely senseless. Someone has to decide whether any particular piece of software is permitted to be installed. Either it's you, or its Microsoft. If you'd be happy for Microsoft to decide for you what programs you're allowed to install on your own computer, if you'd be happy to download and run a program only for a prompt to say "Sorry, Microsoft has forbidden the installation of this program on Windows PCs", if you'd be ha

Insecure, yes...

[Almahtar]

But as it's been said time and again here in slashdot comments, what this DOES do is absolve Microsoft of all responsibility. "You have malware problems? Shouldn't have clicked 'allow'."

Why is this news?

[grapeape]

Seriously, this is like one of those headlines where researchers find that depressed people are more likely to commit suicide or that water is wet. As long as there are stupid users there will be exploited computers and as long as Microsoft has the lions share of the market there will be more zombied windows boxes.

I had a bit of a disagreement with a client today over spam on her computer. She freaks out if there is more than one in her inbox. Every time I am at her machine she has webshots or smily cent

Unix-style permissions are not enough.

[earthbound kid]

People sometimes talk like strong enforcement of Unix-style permissions is sufficient to provide local security. I find that argument totally unconvincing. Yes, it's nice to have the confidence that with modern OSes like Linux, OS X, and (probably) Vista I won't end up like the old Windows where you have to reformat a disk to try to clear the deeply dug in roots of some spyware crap from the system, but there's still the pretty damn big issue of all my data. Namely, having to reinstall the OS would be a pain, and I'm glad I don't have to waste an hour doing it, but losing all my data (documents, photos, music, and to a lesser extent application preferences) would be devastating. The data on my PowerBook is my life, and the reassurance that at least I don't have to reinstall OS X would be cold comfort at best. True, I do make a monthly backup onto an external drive that is normally unplugged (and thus out of range of rm *ing attacks), but probably most users don't follow this practice. Besides, a subtler virus could just silently corrupt my data over a period of months, so that I don't notice what's going on until my backups are no longer any good!

There is a solution to the problem, but it requires a deep rooted change in how things are done. What I propose is that we shift from permissions by user to permissions by application. Right now, any app that my user launches can erase any of my files. That's ridiculous! Much more logical would be allowing me to decide which subset of my files each app can user and how. So, for example, I would let FireFox write downloads to my desktop and its preferences and caches to subfolders of the Library, but I wouldn't want it to be able to erase any of my other files under any circumstances. In fact, most of the time I don't even want FireFox to be able to read my local files, but I'd be willing to put in a password to let it do on a time limited basis so during uploads and the like.

Basically, what I'm proposing amounts to sandboxing every app. This may seem harsh, but why not do it? What's the advantage of letting any app destroy any of my files? Make them at least beg me for permission first, I say!

So, that's what's on my wishlist for the future of OS level security.

Re:

[DaleGlass]

One word: SELinux

It's not new either. And it does what you want it to do. However, it's a royal pain in the ass to configure, because you need to figure out what every application should be able to do. It's definitely not something for a newbie, and probably it will be long before such a thing is usable by normal people.

Also, I doubt it'll work well for Windows. For Linux sure, distributions would just have to provide the SELinux security settings for the packages. But for Windows? Who provides the list of

Re:

[kisielk]

Malware writers are not interested in corrupting your data, what do they have to gain from that? Maybe a small minority who just want to mess with people would actually bother. Real malware is created with the intent of taking over your machine silently and then using it as a zombie to distribute spam, that's where the money is after all.

Re:

[99BottlesOfBeerInMyF]

Malware writers are not interested in corrupting your data, what do they have to gain from that?

Actually, while malware writers may not be interested in specifically corrupting data they do have motivation to mess with it. There has been malware that mined use machines for online account info and credit card numbers. There has been malware that deleted chunks of data and used disk space for temporary data storage of illicit materials. There has been a lot of malware that hides among data, making your data unsafe. There has been an enormous number of malware infections that unintentionally destroy da

Why You're Wrong

[DeadManCoding]

Let's put this simple. You're right, permissions by user isn't enough. But if we set permissions by app, eventually, Windows users will become accustomed to clicking "Accept" to every app permission that occurs, creating the same state we're in now. Do I read all of the XP pop-ups? Yes, I do, as well as all my Spybot pop-ups, as I don't want a randow BHO installed on my system. Does everyone read those pop-ups? Hell no!!! And that's the reason why I have to clean out my girlfriend's computer on a mon

Why You're Also Wrong

[99BottlesOfBeerInMyF]

You're right, permissions by user isn't enough. But if we set permissions by app, eventually, Windows users will become accustomed to clicking "Accept" to every app permission that occurs, creating the same state we're in now.

You're right that just adding application level privileges isn't enough either, but no one said we have to only add application level privileges and not the rest of what is needed to make them useful as well. First, the UI needs to be fixed to eliminate all the current, spurious pop-ups. Then you need to build in good default settings. Right now users are clueless about firewall configuration, and yet many machines ship with one running out of the box without being prompted all the time. This is the resul

Re:

[99BottlesOfBeerInMyF]

Why is she running Administrator at all? My wife runs as Limited user (just as my father, my mother, my brother and my sister, and some other family I manage computers for) Now, I do realise that it take quite some work to set up a computer in such a way that all applications run under Limited User.

Holy crap! You actually waste time sorting out permissions to get everything running for a normal user under WinXP? Even most corporate places I've worked with centrally managed installations give up on that eventually and give a significant number of users admin rights. What an enormous waste of effort.

Of course, they cannot install applications themselves, but that is actually a good thing.

It is a good thing that your wife can't install applications? Do you let her wear shoes? This is why my mother has a Mac. She can run as a regular user and install applications and I've spent about an h

Re:

[99BottlesOfBeerInMyF]

Why is it a waste of time, when it saves me time in the long run? The parent poster said he had to reinstall or clean his wifes machine every two months!

Because both of those are huge wastes of time made necessary by MS's design choices. Compared to doing no work and getting the same result because software runs and installs fine as a regular user, spending a lot of time to manually investigate, edit, and test the permissions for each application seems like a waste to me.

Yes, it's a good thing my wife cannot install anything. That way I protect her from herself. She doesn't know that those smilies advertised are in fact spyware.

It is sad that the state of computing has gotten to such a bad state on some platforms that a normal adult can't install and run software without a great likelihood of being compromise

SE-Linux

[Almahtar]

I was under the impression that this is what SE-Linux was doing. I fully expect to be wrong here, because I just heard it from one person. I'd like to know though. Anyone?

Actually, the problem is even deeper.

[master_p]

The fundamental error of operating system designers is the concept of a filesystem. Computers should not have filesystems, but they should have databases. As every DB programmer knows, in these systems, users do not have an all-or-nothing clearance to use the database: they can only use the part that they need to do their job. Not only DB systems make finding and querying files much much easier, you also get a better security system for free.

Another approach is to use a software ring system like the 80x86 p

Re:

[99BottlesOfBeerInMyF]

What I propose is that we shift from permissions by user to permissions by application.

If you're in a hurry to add this functionality, it is freely available from the port of TrustedBSD to OS X which you can get here [trustedbsd.org]. It is still pretty difficult for everyday use, however, because applications are not designed to accommodate it very well. In other news Apple had posted mention on an application signing framework and a mandatory access control framework on their public facing developer pages for leopard, but it was pulled with no explanation at the end of 2006. Keep your fingers crossed as t

Re:

[99BottlesOfBeerInMyF]

Running a full desktop environment and expecting your computer to be secure... ...doesn't really add up, when you get down to it.

Is that you Mr. Gates?

At present that probably means binary drivers, that wont load into your hardened kernel or X...

Most desktop users are concerned about malware and trojans and the like. They are less concerned about commercially supported applications and binaries which they have a more reasonable expectation of. A reasonable person might be willing to trust a binary driver from HP in order to get their Webcam working, while that same user might not be willing to trust SpaceBlast45.exe with their machine's security just to play a game. The goal of a reasonable security system is to allow the

Expect ??!?!!?

[unity100]

Rather make it "look forward to".

see, you cant cram in crapload of control mechanisms (DRM and other shit) that can affect operation of entire computer (and permission wise, at even hardware level too !) and then expect it to be only as vulnerable as previous oses (or any os, in fact) that did not contain that much shit in them.

malware producers, virus makers are going to exploit the hell out of the mechanisms microsoft put in vista.

User Mode Rootkits?

[WiseWeasel]

From the summary:
"malware... can still hide with user-mode rootkits"

Did that strike anyone else as odd? User mode rootkits... wouldn't that be "userkits", or just trojans/viruses/malware? If it doesn't have root access, I don't think you can call it a rootkit.

Re:

[SLi]

You are right. They should call it something else if it doesn't compromise the entire system. That makes it a relatively isolated incident securitywise (not that it wouldn't be serious if they have compromised all your passwords, which I hope are different from your administrator password, bank account logins and credit card numbers).

Re:

[Megane]

That makes it a relatively isolated incident securitywise (not that it wouldn't be serious if they have compromised all your passwords, which I hope are different from your administrator password, bank account logins and credit card numbers).

The hell with that, all most of them want to do is use your box as a zombie spam/DoS mule. You don't need root (or its Windows equivalent) to do that.

Re:

[QuantumG]

"rootkit" is often, stupidly, used as a term for what the old school virus writers call "stealth".. intercepting api calls and falsifying the result to hide something.

they usually only do directory stealth.. the most trivial form..

although I suppose there have been a few rootkits that did full stealth.. actually hiding modifications that have been made to a file.

Full stealth comes in two forms:

* remove info to be hidden on open / replace info to be hidden on close; or
* direct updates of the buffers returned

Social engineering

[Matt Perry]

He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'

Your computer is broadcasting an IP address! Click here to download the fix!

Re:

[vertigoCiel]

Pssssh. Just try to hack me. My IP adresss is 127.0.0.1.

pfffft..

[Jose]

malware tends to only be available for popular OS's! I am sure that Vista will remain safe from such attacks.

So, why weren't they saying this BEFORE release?

[dpbsmith]

Funny how it's all happy-talk before release, and it's only afterwards that they start to "lower expectations."

Remind me again, what was supposed to be so good about Vista? Oh, yeah, all the stuff like WinFS that somehow never happened.

And when people pointed that out, the answer was "but the really important thing is security, which Vista does have."

The real role of WinFS

[EmbeddedJanitor]

WinFS and precursors have been promised in all versions of Windows since the early 1990s (except probablyy ME). It seems that WinFS has two main functions

A) A teaser. A compelling "new age in computing" to get some hype going.

B) A feature to cut when projects run late.

Likely, WinFS will make 20 years old without ever shipping.

Re:

[inviolet]

WinFS and precursors have been promised in all versions of Windows since the early 1990s (except probablyy ME). [...]

I'm guessing that Duke Nukem Forever is dependent on some unique feature of the WinFS filesystem...

But the website said to answer yes

[noidentity]

I was trying to print some online coupons recently and special software had to be installed. On the installation instructions, it said to run the intstaller than answer "yes" to the question it asked (obviously whether it should be allowed to modify system files). What's the use of OS security if users regularly install software which requires admin access? (due to some kind of Digital Restrictions Management scheme of course)

malware controlling apps

[zobier]

Um, if malware can control what apps can do/run then why can't anti-malware or in fact the system itself control what the malware can do/run? In So...

Just a dare, or a double-dog dare?

[bl8n8r]

And, how would that be pronounced in Russian? Where Vista infects you.. er, I mean where you infect Vista.. er..
http://blogs.zdnet.com/Apple/?p=422 [zdnet.com]

I'm puzzled.

[Tibor the Hun]

How can just clicking on "Allow" escalate priviledges? Wouldn't you need to enter a password of some sort to prove that you do have admin permissions?

Re:

[figleaf]

In Vista, if you are a standard user then you have to enter a password.
If you are an admin you get a prompt to allow priv escalation.

Not surprising, but....

[adachan]

I have yet to be convinced that Vista itself isn't actually malware. Here is my reasoning:

1. Usually malware comes bundled with something that I am interested in actually using. I was kind of interested in trying the aero interface of Vista, so I installed it. After doing that I noticed weird things with my computer (lockups, hard drives failing to read and write) -- a sure sign of malware.

2. After installing Vista, my system tends to be slower. This is a clear indication of malware being on my system.

2. Strange windows keep popping up telling me messages I am not interested in. This tends to happen also when malware is installed on a computer.

There are several other issues, but these are the main ones. I looked at some websites describing malware, and according to security experts, these are key factors indicating that its highly likely I have some malware on my computer. I think I will have to get rid of Vista becasue not only will it eventually allow for malware to run inside of it, in fact, it IS malware!!!
 

Re:

[Macthorpe]

Taking your comment at face value:

1. Did you check your drivers? Try booting another OS and see if you get the same problem. In other words, instead of just crying into your pillow at night, try and fix it. You're on Slashdot, you're supposed to be a geek for crying out loud.

2. Yes, we're all aware that Vista requires higher system requirements than XP or Linux to run smoothly. Whoop-de-do. However, they're not as high as people pretend and Vista works well on my ex-boyfriend's 3 year old Sempron.

2 (again).

Vista raises the bar. The possibility remains

[Opportunist]

The additional layers of "security" (I'd rather call them "more red tape") in Vista certainly make it more difficult (well, rather "less easy") to infect it. But still far from impossible.

Given the amount of "allow or deny" request the average user gets during his life with Vista, he is no longer able to make a qualified decision. Take any kind of "personal firewall" and let it go to berserk levels. A request for pretty much anything when you install something.

So the average malware will not come along as s

Re:

[dsanfte]

Commas represent pauses in speech. Speaking that headline, you'd pause in exactly the same place.

Re:

[vux984]

The comma isn't extra:
Proper punctuation for a sentence like this is:

Someone said, "Something that they said goes here."

A comma is supposed to precede the quote. If anything, one might ask, why the headline is missing the quotes. :)

Re:

[dsanfte]

The comma isn't extra:

I never said it was.

Re:

[Petrushka]

Oh, that's easy: because it takes a lot longer to type &quot; ... &quot; than it takes to type " ... " into the <title> tag. (Though that's still not as long as it took me to type this comment.)

Re:

[alshithead]

"That's it for today. Time to go to my home under a log. Where I've been living for the last two decades :)"

Dude...you are so way behind teh times...Shouldn't you like be living under a ROCK! Living under a log has been out of date for like evar...

Re:

[SEMW]

The real fun will start if someone manages to let the operating system protect a malware's subjects and objects (processes, files, registry keys, etc.) by using its digital restrictions management or code signature features.

If someone manages to crack a standard implementation of public key AES encryption, which is basically what code signing is, we're going to have a hell of a lot more problems than more malware...