A new scripting tool targeted by a virus writer will not be part of Windows Vista, the next Windows client release, Microsoft announced Friday. Instead, the software maker is looking at delivering the command-line shell tool, code-named Monad, as part of its next major server operating system release, a Microsoft representative said. That release, code-named Longhorn Server, is due in 2007.
Now Monad can join WinFS in the league of interesting software ideas that’ll be released in a big ceremony along with Duke Nukem Forever. Honestly. You’d think porting BFS and irb to Windows would be somewhat quicker than this*…
* Yes, I know that WinFS isn’t remotely like BFS, and that Monad is not really like irb (which is the interactive ruby display, which is much closer to Monad than bash is). But they’re close.
The concerns around the viral proof-of-concept scripts for monad are really blown out of proportion in my opinion. Sure scripts can contain malicious code, but that’s something that can happen on a number of platforms.
Script viruses are no harder to protect against than ones written with compiled programming languages, the difference is simply that writing them becomes a little easier. Anti-virus software may have an easier time detecting viral script code than compiled code, and I’m sure MS could implement a sandbox for monad if the need arises.
2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 commencomment2t2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 commecomment2nt2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2comment2comment2comment2comment2commecomment2comment2ncomment2 comment2comment2comment2comment2comment2t2 comment2 comment2 comment2 comment2commencomment2comment2comment2comment2t2comment2comment2commen t2comment2 comment2 comment2 comment2 comment2 comment2comment2comment2comment2comment2comment2comment2comment2commen t2comment2commentcomment2comment2comment2comment2comment2comment2comme nt2comment22 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comm22 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment co22 comment2 comment comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 comment2 commentmm2 commentent2 comment2 comment2 comment2 comment2 comment2 comment2 commenten2 comment2 commentt2 comment2 comment2 comment2 comment2 comment
http://news.bbc.co.uk/1/hi/technology/4748257.stm
why do people still believe microsoft ?
“why do people still believe microsoft ?”
Seems you don’t and me neither,
That’s allready at least two people less ;oP
The current delivery vehicles for MSH are Exchange 2006 and the WinFX SDK, meaning MSH will be available for Vista/Longhorn Server as well as Windows XP/Server 2003. The current beta of MSH is shipping now as part of the Beta 1 WinFX SDK.
Regarding these “viruses” and MSH security:
http://www.leeholmes.com/blog/MonadAndTheFirstVistaVirus.aspx
The fact that MSH is used as the execution vehicle is really a side-note, as it does not exploit any vulnerabilities in Monad.
Monad has three features to help: not installing a shell association by default, configurable execution policies (along with digitally signing scripts,) and not running scripts from the current directory.
Our installer doesn’t tell Windows that it understands .msh scripts, so double-clicking on a .msh file does nothing.
Monad follows a policy similar to that of Unix shells: we do not run them, unless you explicitly ask us to. This prevents malicious scripts (with names such as dir.msh, or get-childitem.msh) from intercepting your otherwise innocent attempt to list the files in that directory.
We also support three execution policies to help you run scripts only from publishers that you trust.
The first execution policy, “AllSigned,” checks all scripts for a digital signature. Monad asks you if you trust that publisher to run scripts on your system. The second execution policy, “RemoteSigned,” checks scripts origintating from the Internet for a digital signature.
[In either of the above modes], if the file doesn’t have a digital signature, Monad won’t run the file. Monad contains functionality to let you digitally sign your own scripts to help you run in this mode.
This will be our default execution policy past beta.
The final execution policy, “Unrestricted,” does not check the digital signatures on scripts. However, if a script originates from the internet, it will warn (and prompt you) before it runs it.
Quick, remove all shells from all operating systems! Virus alert!
And it’s not like Windows had WSH or Cmd.exe since quite some time.
And another one bites the dust. Figures that this would happen, but it doesn’t supprise me. I don’t understand why microsoft can’t just say “Vista will be done when it’s done” It’s not like they are tight on money right now…
hehe, I totally agree with ya. They should take the time (A good 5 years) and make Windows good.
XP came out in 2001, so if Vista comes out in late 2006 it will have been 6 years (2001-2006=6 years – dont forget to count the first year).
Maybe they should take another good 5 years…
The problem with having a scripting language built into an OS used by a bunch of neophytes is that they’ll pretty much run anything that promises them nude pics of J-Lo. So, how do you protect against that? I don’t think you can. Even in Linux, if you have written something that can completely take over system but needs root access, all you gotta do is trick a user into typing in the password. Most Linux users are too savvy for that nonsense. Most Windows users however, are not.
If Windows users were as literate as Linux users are, as unsecure as Windows is, you’d probably see a reduction in viruses/spyware/malware by at *least* 90%.
My point here is that as long as a scripting language gives the user any kind of power to do anything, the entire OS just became insecure by default.
Your point about scripting language built-in os is valid but it is essentially ability to execute anything. People even click on binaries thinking JLO pics.
By the way, Monad has a really great defense and i must appreciate people who designed it for that. Here is what happens:
1. By default monad only run digitally signed scripts. This will prevent accident execution of scripts. User can however disable this feature and probably they will since it will become annoying.
2. Monad doesn’t associate .msh files with shell, so double clicking on a .msh file won’t launch it. Another good defense.
3. Monad shell won’t run dir.msh if user types dir, this will prevent execution of local dir.msh without user’s knowledge.
Other than that, they are doing some more things to protect *stupid* users.
Your point about scripting language built-in os is valid but it is essentially ability to execute anything. People even click on binaries thinking JLO pics.
It’s not just about executing though. Think about phishing attacks – in order to make that work, you have to get the user to launch a browser and fill in credit card information.
no, I disagree
if your linux distro uses SELinux, which most major disrtos do these day… then, it will not matter if a user is tricked into supplying the root password, as even the root user has no access to system files, unless he access them through the SELinux policies
your argument is moot and windows is still behind linux in terms of security, even with muppet users
Its been known for a while that Monad was not going to be distributed with longhorn (vista) client. It will not ship with Longhorn client! It will ship with Exchange Server 12 at the end of 2006 only.
Monad Shell (MSH) Chat Transcript December 2004:
http://www.microsoft.com/technet/community/chats/trans/windowsnet/w…
At the rate they keep knocking back features, Vista will be nothing more than a Windows Bitmap (TM) with Digital Rights Manipulation technology embeded in it.
But coming from microsoft, someone will have worked out a way to exploit it!
Other than that, they are doing some more things to protect *stupid* users.
i.e. Those that choose to run Microsoft Windows.
Yes ofcourse and not for morons who run Linux ha ha ha i kicked the shyt out of another linsux fanboys…isn’t it always fun…its like kicking muslims LOL…
Muslims have Jihadis…Linux has Zealots (or a$$holes)…kick both have fun hahaha
Yeah i read this yesterday. The only two features i have actually had any interest in that where promised for longhorn have been dropped (WinFS and Monad). Not that it matters im in the monad beta program so i can use it anyway but its still a pain in the ass
I wonder if someone has already made a list of all things expected to be in Vista comparing what will finally be there versus what has been dropped.
It could be interesting.
Maybe they should change the name again into Windows NULL :] because if they remove everything that can become a virus target… you know the rest
Maybe they will remove all stuff that has security issues and in 2008 they will release Dos 6.22
It’s 2005 for fsck’s sake and Microseft still doesn’t ship a shell that matches ksh from 1993. Microseft XP is a total joke and you’d be a complete idiot if you used it for server purposes. Microseft Windows 2003 is even worse, asking you for a reason every time you shut down the system. I mean, a Microseft operating system can barely stay up for 3-4 days before collapsing, while there are BSD boxen that have been running for years without a problem.
What is it with Microsoft and their poor choice of product code names?
First “Longhorn” – think cowpies. Then “Monad” – think gonads.
Lordy, someone there really doesn’t have a clue, do they?
heh…. i was drinking milk when i read this post and i almost spit it heh
maybe microsoft should implement BASH, set as the default shell and give BASH full root access at all times by default
Ahh how much i pity you. You know in your heart that you want Linux to succeed but then you also know you are not that capable. So you try to make fun of the others.
It is simply unachievable for people like you to make a general purpose and useful OS like Windows. So all you do is sit here and talk. LoL no wonder Linux is still strugging to gain even 5% desktop after so many years