Security researchers claimed today that millions of Microsoft customers are at risk from 10 serious security vulnerabilities uncovered in Windows XP patched with Service Pack 2.
Hopefully Microsoft will get a clue and start designing Windows in such a way that users will only run as admin when necessary, instead of all of the time!
It would be nice if they started unbundling applications like the web browser from the OS too. Reduce the vectors of attack.
Microsoft talks about the fact that they are serious about security. It is time for them to make some tough choices if they want to prove that they are serious about security.
“In order to prevent the creation of malicious viruses and worms, Finjan will not release any technical details about these vulnerabilities until they are fully patched by Microsoft,” it stated.
Now that’s what I call a decent company. I hope more companies follow this reasoning.
“In order to prevent the creation of malicious viruses and worms, Finjan will not release any technical details about these vulnerabilities until they are fully patched by Microsoft,” it stated.”
Sounds like Tom Ridge to me. I wonder what threat color Windows users are at?
That is indeed a good policy BUT I hope that Microsoft will patch those flaws within a week and not in the coming months.
If Finjan can find them other people could find them also.
So what if someone with bad intentions finds one of those flaws? We have ourselves a new virus or worm spreading like hell.
Microsoft has been sloppy when it comes to patching so we will see.
But that doesn’t hurt their profits, not much… People tend to believe marketing hype more than actual facts. So however secure and much more well-designed systems are out there, they go unnoticed. I bet at least 40% of these ‘millions’ of users haven’t even installed a sasser patch.
Even if Finjan hasn’t released any details about the vulnerabilities, I’m sure a lot of crackers have already started looking into the whole thing. It’s only a matter of time before somebody posts an exploit in IRC channels, though I may be wrong. Let’s just hope that Microsoft won’t keep customers waiting for months before issuing patches.
Now, a good question for Windows XP users is : “should they install SP2 or not ?”.
“In order to prevent the creation of malicious viruses and worms, Finjan will not release any technical details about these vulnerabilities until they are fully patched by Microsoft,” it stated.”
How about releasing information on how to protect the user. It is not necessary to release the How-To exploit but give the users the ability to protect themselves.
Yes, it is true that some details of the exploit will be revealed by advising users methods on protecting themselves but it’s better than leaving our arses hanging out in the wind. This is the major issue that I have had with MS so-called security.
If they were so quick on patching systems like they claim, then releasing some basic user information on protecting themselves wouldn’t be all that tragic now would it.
How about releasing information on how to protect the user.
It would be useless. Unless the patch is available through Windows Update no user will install it. And even if it’s available through WinUpdate, it probably won’t be installed en masse.
So I think it’s better to simply not release details. Ignorance is bliss.
All due respect. What about the various issue with spoofing URL’s. User could type URL’s easily to avoid some of the exploits. It gets to be a pain when there is a 1000 characters to type out.
“It would be useless. Unless the patch is available through Windows Update no user will install it”
I was not talking about a patch from some other company. I was talking about MS releasing some basic information on what to potentially avoid to limit exposure to the latest and greatest exploit.
“And even if it’s available through WinUpdate, it probably won’t be installed en masse.”
I am not part of the masses. Based on that logic, most users don’t update their systems for various reasons:
1) That won’t happen to them
2) Dial-up
3) Whatever else they claim.
Since most users don’t update their systems, then MS should not be using automatic update. This logic is flawed.
“no” user? That’s a little ridiculous. If I knew there was a potential remote execution exploit in my OS and there was no patch but I could turn off X, Y and Z to prevent it, I’d flipping well turn off X, Y and Z. For responsible users, a known flaw with a usable known workaround is better than an unknown flaw which you hope no-one knows how to exploit. Irresponsible users can go hang.
Upon learning of this news story a spokesperson for Microsoft said the company “is aware of the claims by Finjan Software and at this time cannot confirm Finjan’s claims of “ten new vulnerabilities” in Windows XP SP2. Moreover, Microsoft is currently unaware of active attacks against customers attempting to utilize the alleged vulnerabilities as reported by Finjan.
We have been contacted by Finjan regarding various potential issues as part of the usual responsible disclosure protocol and are actively investigating those issues through our security response process to determine the validity and accuracy of the reported issues.”
“Our early analysis indicates that Finjan’s claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2. Once Microsoft concludes investigating Finjan’s claims and if Microsoft finds any valid vulnerability in Windows XP SP2, Microsoft will take immediate and appropriate action to help protect customers.”
Let this be a lesson to all you programmers/project managers. Security comes through understanding of flaws and solid design so that code will be maintainable in the future.
So what’s your point? That the flaws don’t exist and that this is simply Finjan yelling “fire”?
Stop running as “Administrator.”
Ideally, each user on an XP machine should be no higher up the chain than “Power User”, but the problem lies in that there are software bundles (like Nero or almost any of the antivirus programs) that require Administrator level to function, and there’s no way to add CD Burning to “Power User” and there’s no way to tell the software companies to get their act together on privilege requirements.
That’s the flaw. It’s too late to retroactively fix XP, let’s hope Longhorn fixes this; but just saying “run Linux” (or BSD or whatever) is *not* an acceptable answer, educating the user is. Pity that MS isn’t really helping in that matter.
If Finjan can find them other people could find them also.
it’s a knotty issue. in the short-term, full disclosure helps script kiddies and worm authors. however, no one knows the full ramifications (long-term) of partial disclosure and non-disclosure. certainly the better blackhats will benefit from non-disclosure. pen testers and admins will benefit, in part, from full or partial disclosure because they can tweak NIDS, use Canvas and CoreImpact, etc.
People are quick to mouth off about full disclosure, but apparently they are oblivious to the problems posed by the non-disclosure system (no one bothers releasing patches).
Agreed.
And most should note, you can run specific processes as other users within one login. So you can right click and select run as..for your games.
If putting in a password is too much, well then seriously:
Unplug your internet connection, use a better webbrowser and turn your firewall on.
If you really want secure:
http://www.dillo.org/
Yes I’m kidding, but I actually do use it on one machine fairly often (every one or two days)…
Ideally, each user on an XP machine should be no higher up the chain than “Power User”, but the problem lies in that there are software bundles (like Nero or almost any of the antivirus programs) that require Administrator level to function
Nero has BurnRights, which takes care of this problem. It certainly doesn’t require you to be the Administrator all the time, just the first time you configure it.
The real flaw lies between the computer and the chair.
“The real flaw lies between the computer and the chair.”
Yeah, the programmers who can’t spot a bug that they themselves have allowed to go into the OS. After that it sneaks past Q&A after which it is fully enabled by companies too cheap to put out manuals with their OS teaching new users the dangers of the internet, and finally makes its way to internet forums to be discussed where haughty geeks mourn the lack of computer knowledge amongst users who actually have social lives and don’t spend all their time downloading free apps and studying computer manuals. Ah yes, the life of a security flaw.
How about releasing information on how to protect the user. It is not necessary to release the How-To exploit but give the users the ability to protect themselves.
Simple – don’t use Internet Explorer unless absolutely necessary.
Remember, if these 10 don’t get you, another one will. The only way to secure a MS product is to get it off the net.
Right, so let’s have them switch to Linux, where they’d have to compile apps from source every time they want to install one, and recompile their kernels when adding hardware.
Only paranoids survive.
Seriously, everybody is worried with many things that don’t even come close to security.
Some issues transcend what a lone person can do. Other issues transcend what a bunch of people can do. And lastly, there are those issues that not even the entire humanity can handle. So, what to do first?
Depending on the scale of the issue, we start to lose too much as individuals to gain a little bit for the society. How can we discuss serious issues if they can’t be handled, anyway?
I’m a person who likes to install small programs for the fun of it and just for testing. Plus some games require me to be administrator to play. So it will be better IF Microsoft did something like Linux. If we want to do something that requires the administrator privilege, then ask us for the password.
It’s that simple.
It really doesn’t matter how secure an OS is, if the users aren’t educated about security.
Example –
* When/If GNU/Linux ever becomes popular on the desktop, installed and used by Joe Blow (aka StupidUser1).
StupidUser1 receives an email ‘from his friend’ with an attached executable, email as follows:
—-
It is an awesome cool game but it’ll require you to run it as root.
—-
StupidUser1 runs the attachment, blindly types in his root password and gets owned!
“Right, so let’s have them switch to Linux, where they’d have to compile apps from source every time they want to install one, and recompile their kernels when adding hardware.”
what world are you living in. we live in a real world where such things are mostly unnecessary
“Upon learning of this news story a spokesperson for Microsoft said the company “is aware of the claims by Finjan Software and at this time cannot confirm Finjan’s claims of “ten new vulnerabilities” in Windows XP SP2. Moreover, Microsoft is currently unaware of active attacks against customers attempting to utilize the alleged vulnerabilities as reported by Finjan.”
That’s a rather specious use of ‘moreover’, isn’t it? Paraphrased:
“Well, we’re not going to admit that these vulnerabilities exist. Moreover, we can’t find anyone attacking our users with them. Wait, did I just admit they existed? Oh, poop.”
you know what, I can’t remember the last time I recompiled a kernel, so I just sat down and worked it out.
late 2001; I recompiled the SuSE default kernel of that time to see if I could make it any faster on my laptop. I couldn’t.
I’ve run Linux on three completely different machines since then, all of which have had several changes of hardware. No kernel compilation has occurred…
”
“Right, so let’s have them switch to Linux, where they’d have to compile apps from source every time they want to install one, and recompile their kernels when adding hardware.”
what world are you living in. we live in a real world where such things are mostly unnecessary
”
Windows users live in an even better real world where such things are always unnecessary.
Right, so let’s have them switch to Linux, where they’d have to compile apps from source every time they want to install one, and recompile their kernels when adding hardware.
You’ve used Linux 0.0.9b?
“Windows users live in an even better real world where such things are always unnecessary. ”
Yeah, they live in a magical world where antivirus and anti-spyware programs are mandatory. No, thanks.
Hopefully Microsoft will get a clue and start designing Windows in such a way that users will only run as admin when necessary, instead of all of the time!
Already done. Hell, it’s always been possible.
The problem isn’t the OS design in this regard, it’s the users (who don’t want to know about the concepts behind multiuser), the software developers (who insist on writing software that only works properly as an Administrator) and the UI (which could use some improvements with regards to temporarily running things with higher privileges).
It would be nice if they started unbundling applications like the web browser from the OS too. Reduce the vectors of attack.
Yeah, I suppose removing things like glibc from Linux and Quicktime from OS X would “reduce the vectors of attack” as well, but the users and developers probably wouldn’t like it much.
Microsoft talks about the fact that they are serious about security. It is time for them to make some tough choices if they want to prove that they are serious about security.
Given the vast bulk of the security “problems” Windows has suffered from are caused by things outside of Microsoft’s control (mostly ignorant users and poorly written software), what would you suggest they do ?
Ideally, each user on an XP machine should be no higher up the chain than “Power User”, but the problem lies in that there are software bundles (like Nero or almost any of the antivirus programs) that require Administrator level to function, and there’s no way to add CD Burning to “Power User” and there’s no way to tell the software companies to get their act together on privilege requirements.
The simple short-term solution is to use “Run As” for those applications that require it.
You are correct, though, the problem lies mostly with software developers – so there’s not much Microsoft can do about it, is there ?
That’s the flaw. It’s too late to retroactively fix XP, let’s hope Longhorn fixes this; but just saying “run Linux” (or BSD or whatever) is *not* an acceptable answer, educating the user is.
It’s a *software developer problem*. Precisely what “fixes” do you think could be “retrofitted” to XP ?
Pity that MS isn’t really helping in that matter.
What would you suggest they do ?
How about innocent until proven guilty?
Paraphrased:
“Well, Microsoft is not able to confirm that these vulnerabilities exist. Moreover, no one can find anyone attacking Windows users with them. Wait, could it just be they do not exist? Oh, poop.”
But, hey, if it makes you happy, they do exist and we are all 0wned, or will be soon.
Meanwhile, what is the definition of the FUD, again?
It would be nice if they started unbundling applications like the web browser from the OS too. Reduce the vectors of attack.
Yeah, I suppose removing things like glibc from Linux and Quicktime from OS X would “reduce the vectors of attack” as well, but the users and developers probably wouldn’t like it much.
This is a stupid comparison. If you’re to compare, compare properly – if you would want to remove say glibc from a linux system then have it compared with deleting the system libraries. You need a C library to enable applications to use system calls. As for deleting software on the mac like Quicktime – it’s just as simple as deleting the folder containing the unwanted app. Not much need for a single point of failure such as a binary registry.
Given that the design of the Windows operating system is really bad from a computer science and engineering point of view (graphics routines in kernel space is already one security risk, among other things…), it can really help if they reduce possible vectors of attack by clearly delineating what is essential. Is a web browser essential for operation? A media player? Really? If that’s the case I guess it’s just like saying that it’s imperative for all cars to have stereos or swimming pools built in.
Microsoft talks about the fact that they are serious about security. It is time for them to make some tough choices if they want to prove that they are serious about security.
Given the vast bulk of the security “problems” Windows has suffered from are caused by things outside of Microsoft’s control (mostly ignorant users and poorly written software), what would you suggest they do ?
Stupid users magnify to great extents stupid operating system design. It’s just like having a badly-engineered car – no matter how many seats or stereos you place, or cans of paint job you apply, or retrofit seatbelts, or letting a good driver drive the car it still doesn’t change that it’s a badly-engineered car at its guts.
Now how do you solve a badly-engineered product? Retrofit? No. Add more? No. What you do – reduce the badly engineered parts by fixing them and throwing away the unnecessary parts. I guess re-engineering from scratch is out of the question – MS won’t be insane to heed proper design by investing man hours to do a complete and proper redesign as it would break a lot of things and ultimately kill themselves in the process. Live with it.
Microsoft talks about the fact that they are serious about security. It is time for them to make some tough choices if they want to prove that they are serious about security.
Actually they already have made some tough choices:
– slowed down Longhorn development to make more resources for XPSP2 and other security improvements available;
– restarted/continued IE development.
From short-term [marketing] standpoint these decisions are disaster – stripped down new product will become later [Longhorn], old and working product won’t have any visible differences [XP, IE]. But MS wants money in the long run too – thereby they need to restore fallen confidence into their products.
Just MS is too big, it cannot change so fast. I personally hope that they’ll start making better code sooner or later. If not – well, it’s their problem.
I was a little confused by the article: are these security risks ONLY linked to using IE? Are they things a good third party firewall (like Zone Alarm) could protect against? Is Firefox liable to the same holes?
“Already done. Hell, it’s always been possible.”
You mean, it’s sorta-kinda been possible since NT came out. If you didn’t want to run too many applications, that is.
for one thing, they could do what all responsible Linux distros do and default to multiuser; remember when Lindows came out and we all bashed that because its default setup is just to run as root? Even though you CAN have a sensible multi-user setup in Windows, no new user will ever know that, as every pre-installed Windows PC comes with one root user, and the XP setup defaults to setting you up with one admin user.
“The simple short-term solution is to use “Run As” for those applications that require it.
You are correct, though, the problem lies mostly with software developers – so there’s not much Microsoft can do about it, is there ?”
There is one incredibly simple action Microsoft could take to address this. Don’t make users members of the Administrator group by default.
After a barrage of complaint calls to these companies from frustrated users, they will get the picture.
Microsoft talks about the fact that they are serious about security.
Yeah serious, seriously poor.
This is a stupid comparison. If you’re to compare, compare properly – if you would want to remove say glibc from a linux system then have it compared with deleting the system libraries.
Well, it’s often necessary to use over the top examples here to get a glimmer of the basic point through.
To compare more directly, use khtml. Take khtml out of KDE and it breaks.
You need a C library to enable applications to use system calls.
Actually you don’t – you can statically compile the binaries.
As for deleting software on the mac like Quicktime – it’s just as simple as deleting the folder containing the unwanted app. Not much need for a single point of failure such as a binary registry.
Quicktime is a tad more than the player app.
Given that the design of the Windows operating system is really bad from a computer science and engineering point of view (graphics routines in kernel space is already one security risk, among other things…), […]
Like, say, just about everyone else does it you mean ?
[…] it can really help if they reduce possible vectors of attack by clearly delineating what is essential. Is a web browser essential for operation? A media player?
Your standard is ridiculous. Really, even a *shell* isn’t “necessary” – but you’ll have a hell of a lot of trouble selling an OS without a shell.
Really? If that’s the case I guess it’s just like saying that it’s imperative for all cars to have stereos or swimming pools built in.
No, it’s more like saying manufacturers would have a great deal of difficulty selling cars without stereos.
IE is simply a reusable component distributed with the OS that is used by the shell. Conceptually and architecturally no different from KDE’s khtml.
Microsoft talks about the fact that they are serious about security. It is time for them to make some tough choices if they want to prove that they are serious about security.
Having the most secure OS in the world wouldn’t be particularly useful if no-one would buy it because it didn’t have any of the features they want.
Stupid users magnify to great extents stupid operating system design.
Stupid design being…?
Now how do you solve a badly-engineered product? Retrofit? No. Add more? No. What you do – reduce the badly engineered parts by fixing them and throwing away the unnecessary parts. I guess re-engineering from scratch is out of the question – MS won’t be insane to heed proper design by investing man hours to do a complete and proper redesign as it would break a lot of things and ultimately kill themselves in the process. Live with it.
The *design* of NT is quite sound. Some of the default settings could definitely be improved, but its deep down, fundamental, basic design is fine.
You mean, it’s sorta-kinda been possible since NT came out. If you didn’t want to run too many applications, that is.
Uh, what ?
I’ve been doing it quite successfully for ~8 years now and, believe me, I run a _lot_ of applications.
There is one incredibly simple action Microsoft could take to address this. Don’t make users members of the Administrator group by default.
I agree completely. The UI for “Run As” and for the automatic prompt to run with Admin privileges needs improving as well. However, firstly this is not a design issue and secondly it would be a PR disaster.
After a barrage of complaint calls to these companies from frustrated users, they will get the picture.
Pfft, like they’d be blamed. Hell, you just have to look at the number of supposedly knowledgeable people who think it’s Microsoft’s fault so many applications need admin privileges to run _now_. A few articles online and in print blaming Microsoft for “breaking everything” followed up by a “HOWTO add yourself to the Administrators group” and life would proceed as normal.
Not to mention, within a week all those products’ knowledgebases would be saying the same thing.
NT has been around since 1993. It’s had reasonably good feature-parity with “consumer” Windows since about 1996. The API infrastructure – if not the underlying technical capabilities – for creating “multiuser aware” apps has even been in “consumer” Windows since Windows 98. Yet still application developers insist on writing apps that require Admin privileges. Personally I’m of the opinion that if they haven’t gotten their acts together yet, they’re never going to. Unfortunately, many of these developers are producing the bread and butter of Windows software.
I doubt we’ll see the “Admin by default” configuration change until Longhorn (and I do expect to see it then). Practically speaking, I just can’t see it as being doable before then.
So you’re going to try and have me believe that NT4 was happily compatible with a huge range of software out of the box? And that it all worked well in a properly setup multiuser environment, no need to be root or anything? Come on. There are still badly designed apps that don’t play with Windows multiuser TODAY, back before even Win2K it was way way worse. The two big reasons people didn’t use NT series OSes until XP were a) they didn’t support their hardware and b) they didn’t properly support their made-for-Windows-95 software.
So you’re going to try and have me believe that NT4 was happily compatible with a huge range of software out of the box?
Well, that depends on what you’re comparing against to get the measure of “huge”. Certainly the vast majority of *Windows* software I ever tried on it worked, although some of it required running with Admin privileges.
And that it all worked well in a properly setup multiuser environment, no need to be root or anything?
Some software needed the “Run As” facility to start with admin privileges (usually games and things like CDR apps). That was kind of the point I was trying to make – that it’s been easily doable (and I’ve been doing it) since NT4 (“Run As” on NT4 did require a freely available download from Microsoft, but it was trivial to install and use).
There *is* a middle ground between “must run as an Administrator all the time” and “can’t run any apps that require Administrative privileges” you know.
The two big reasons people didn’t use NT series OSes until XP were a) they didn’t support their hardware and b) they didn’t properly support their made-for-Windows-95 software.
I think you’ll find more important reasons were higher hardware requirements [0] (NT4 really needed 32MB as a starting point, Windows 95 was quite usable in 8 – 12) and a complete and utter lack of target marketing at the home user (ie: it wasn’t bundled with home PCs). The same applied to Windows 2000 (96MB – 128MB vs 32MB – 64MB RAM). Certainly hardware and software support were – if not on par – “good enough” from the late NT4 (~1999) days.
By far the biggest reason would have been lack of preinstalls. That aspect may have been influenced by the things you mention, along with the hardware requirements and licensing costs, I’ll agree – but if Microsoft had pushed the point and dropped DOS-based Windows after Windows 95 (as originally planned) then followed up with a properly configured Windows 2000 (not Admin by default) I daresay their job today would be a lot easier than it’s going to be, and much of the bad press regarding security would never have occurred. Back then the industry was a lot smaller and, even better, going through a transitional period. These days, it’s established and set in its ways. Still, hindsight is always 20/20, as they say.
[0] Also one of the major reasons OS/2 faltered a year or so earlier (1994). It really needed 10+ MB of RAM when most machines only shipped with 4MB (or maybe 8MB for a higher end machine) and was still quite expensive, before RAM prices crashed.
“Windows 95 was quite usable”
I take issue with that.
And lack of preinstalls can’t explain the enterprise; Win98 was widely installed in enterprise situations, despite its eminent lack of suitability.
I meant to say Win95 / Win98, of course.
I take issue with that.
Well, that doesn’t change much.
Windows 95, along with basic tools like Word were usable on machines with 8 – 12 MB of RAM. As always, more means better, but they were usable for basic “office” tasks the bulk of end users perform.
Remember, this is well before fancy, skin-laden UIs and behemoths like IE4 and Navigator 4 (even Firefox is enormous compared to the footprint software like Mosaic had). 12MB of RAM was a _lot_, 32+MB almost unheard of at the consumer level.
One of Windows 95’s primary product goals – second only to maximising DOS and Windows 3.1 compatibility – was to install, run and be usable for very basic tasks (Wordpad, Paint and the like) on a 386SX with 4MB of RAM. And it pretty much was (not fast, by any stretch, but usable – only marginally slower than Windows 3.1 on the same hardware, and better if you counted the improved I/O, memory management and multitasking).
And lack of preinstalls can’t explain the enterprise; Win98 was widely installed in enterprise situations, despite its eminent lack of suitability.
Easy. Most desktop machine purchases are dictated by bean counters, not IT managers and sysadmins (in contrast to servers and other infrastructure, where they usually have much more say). Trying to convince an accountant to spend an extra 10% on an office full of desktops to make support and upgrades easier is nearly impossible. Remember, this is back when computers were still relatively expensive.