I read this article from Angus today with much amusement. Apparently Vista is more insecure than Windows 2000. I found this really very funny. Why?
The number of virus infections found by a virus vendor does not necessarily equal poor security. In many cases (though not all) it equals poor user behaviour. Why?
If I, despite all prompting and consent behaviour, choose to go to a (probably dodgy) website, accept the ActiveX control prompts to download (probably dodgy) code and I actually choose to execute that code then I'm hosed. I'm now at the mercy of whatever code I've chosen to run - and in many cases its running under your local shell integrity level. The anti-virus vendor is now the last line of defense and you need them to help get the malicious code off the PC.
So is this purely the operating system's fault? I contend not. No in some cases its the user and their lack of knowledge and their implicit "it-wont-happen-to-me" complacency. Hence my comments to Angus that we do need to do more to educate users about security and UAC. Take for example a previous post on Protecting Your Business from your users. Sometimes we just have to spend more time in actually helping them to understand the risks....there's only so far that technology can go in protecting users....
This brings us to the point of UAC and why its there. Its there to add another layer and to enforce least privilege. In the majority of cases in Windows 2000 and XP people ran their applications while logged on with local administrator privileges. This was something we wanted to stop and UAC does that. Assuming that I don't have local admin privilege I cant even consent to install the potential malware - but my apps run and I can do basic things now like connect to a wireless LAN, connect to a VPN and change my timezone....all things that previously you needed local admin privilege to do. In some cases, yes, some apps have issues running like this. The CoPilot Live software that came with my TyTN II phone is one of these...
And its not like the application developer community didn't know about writing for least privilege. We made it pretty clear over a number of years not to write to protected parts of the OS. Our logo certification reflects this!! UAC is designed to enforce least privilege and for the most part applications do work nicely and behave properly running under UAC without any prompting whatsoever. So far today I've run Office, run Camtasia, even Command and Conquer Generals....all without a single prompt.
Despite the claims - Vista's actual vulnerabilities are significantly less than Windows 2000...period. And we still stand by that claim. We also stand behind UAC and its intent - and what I showed Angus was that we have made great strides in reducing the excessive amount of UAC prompting for a single action. Ill be doing a webcast shortly showing you this fact with Windows Vista and Windows Vista SP1 running side-by-side. More to come on that!
PingBack from http://windows.wawblog.info/?p=27809
"there's only so far that technology can go in protecting users...."
Correct. And of course finally it's always the user who is at fault. They chose and paid for the operating system, after all. And why at all do they use computers, if they are not trained enough?
(Or is this not what you said? ;-) )
Why does an ActiveX control have full access to my computer's resources? There is a difference between local content and data display, background communications, or a fancy user interface for a web application - and between modify access to program files.
If all you offer is a hammer "Allow application to do everything?") people have no choice but to use it for everything. And if it's used for a lot of little, nagging stuff, people will start to ignore it.
Anyway, it's "full access or nothing", not e.g. "This application wants read access for Video files. OK?"
If UAC is only used to play the blame game - "But you confirmed it!" - it's not ever going to get the recognition it deserves.
The security model used for BitFrost looks appealing - by default an application does not have any rights. The programmer can apply for certain rights and encode the request in the app, but even then certain combinations of rights and resource accesses are only allowed by the user or for manufacturer-signed code. And MS _is_ actually going towards that direction (e.g. with Manifests).
So much for my 2 cents. Thanks for making Windows more secure.
Let me be clearer here - Im not laying the blame at the user. Im saying that technology cant be completely blamed for every woe especially when users choose to bypass every security prompt, layer, function or alert we provide.
Actually ActiveX controls only require the elevated privilege to install. One they are installed they can be instantiated with permission. Given IE runs the process as a low integrity process by default, the only access it has is to the temporary internet files directory...so its not that it has full access to the OS either or protected locations.
UAC is not in itself a security boundary - its a layer and it does assist in implementing least privilege. At some point in order to install something you need to elevate permissions. Unix does it with su. Apple does it...actually I dont really care how Apple does stuff :) UAC does it with a prompt. So we warn people that an administrative operation is about to happen that could affect system integrity. Thats really what UAC is doing and controlling it through integrity levels.
Not knowing much about BitFrost (despite it sounding an interesting concept), at some point the application has to be installed and code has to execute. If at that time I choose to run code that is poorly written and provides somewhat open security descriptors then what? Developers are fairly notorious for relaxing security in order to get their app working...and from what I read the user also has a panel to override certain things. So were back to square one.
Manifests are cool because they describe in detail exactly how the deployment of a component or feature - including ACL's.
But all this stuff depends on the level of security discretion you give to the user and the app developer for that matter. Present too many security roadblocks in the way and theres complaints. Present too little and its poor security. Theres a careful balance and thats what we are working towards.
I think we have to remember that security is a journey and that there are no silver bullets. For us as a vendor its something that we will continue to work hard on, refine and improve. I think this was a good first step to set a line in the sand about defining system integrity which I think will improve as future versions are developed.
The old advice for IT admins was to have separate privileged accounts for any actions that required privileges. I used to have various shortcuts that used the runas command to launch AD users and computers, etc.
I haven't found any elegant way to do the same thing under Vista. The closest I have is to change my machine's Local security policy to prompt for credentials whenever I right-click and choose to "run as administrator".
Has Microsoft's best practice advice changed? Should I now give my day-to-day account privileges and just click on OK when UAC prompts or should I get the OS to prompt for full credentials every time as I have done?
Greg...and that advice hasnt changed. Its always best practise to have two accounts. One for your admin and then another for your day to day. UAC can actually provide the runas to call that credential if you want it to like you have been doing.
Today I posted a short and sharp screencast just showing the differences in Vista RTM to Vista SP1 in
<cite>The number of virus infections found by a virus vendor does not necessarily equal poor security. In many cases (though not all) it equals poor user behaviour.</cite>
Michael, are you saying that Windows Vista users behave poorer than Windows 2000 users?
Good point George, no I dont think user behaviour is necessarily changing...but it needs to. Anecdotely, users seem to be becoming more aware of security in certain scenarios such as internet banking though not necessarily in everyday usage.
So this points to something you have alluded to though not directly stated - if thats the case then why do more Vista users seem to get infected than Windows 2000 ones?
Without having found the test matrix or resultant data for this study, think about this one for a moment. How many consumers are still using Windows 2000? The majority will be using Windows XP (which explains the "poorer than Vista" result there), a growing number will be using Vista and a vastly diminishing number of Windows 2000 users.
Hence when you track trends from people doing AV scans via a website:
1. These are likely to be consumers and not corporates (that are likely to have their own in house mechanisms for AV scan and protection. Consumers are less likely to still be using Windows 2000 as they migrate to new hardware incrementally.
2. Thus the installed base of each platform will have an effect on the numbers produced.
I wonder if the same data is showing Windows 3.11 and DOS 6.22 to be "more secure" by the fact that there are no online scans found for it? :) Not all study results show the complete story...
Of course at present Im speculating here - I havent seen the study. I havent seen the test methodology and Ive yet to find it. If you do please let me know as Id love to see it.
Well, I agree that Vista is not worse than Windows 2000. However, I think users should not be blamed. Operating systems, especially mass market ones like Windows Vista, should improve security features - not just eye candy.
You should expect that basic user of your operating system is not a geek and so does not know much about security or technology.
For example, making it mandatory that a) only signed executables can be run b) signing should be controlled by trusted party (Microsoft or its partner, or some community). Also, alternative would be to check hash codes of executables / dlls against online database.
That would help a lot.
> why do more Vista users seem to get infected than Windows 2000 ones
Michael, this was almost my point, except I was referring to the relative number of infections, more precisely to the number unique threats per 1000 computers as was reported in the original article (http://www.pctools.com/news/view/id/206/):
Unique Threats per 1000 machines
Windows 2000 586
Windows 2003 478
Windows XP 1, 021
Windows Vista 639
If the samples were chosen to be representative of a population then the numbers would not depened on the install bases of either Windows 2000 or Windows Vista, provided both install bases are comparable. And during the six-month study, according to the statistics gatherd by w3schools (http://w3schools.com/browsers/browsers_os.asp), the install bases of both OSs were comparable. I understand that the statistics could be biased, but this is the best I have. I only wish that the top ranked sites (http://www.quantcast.com/top-sites-1) published similar information on regular basis.
You could also say that since Windows 2000 is an old OS the targeted attacts are less frequent. I would agree with this, and even more so if I saw supporting data. Nevertheless, the numbers shown in the study are indeed alarming, especially considering all the work that had been done around UAC.
Rooperi - of course mandating signed executables (implying that only trusted code will execute) is one way to help though think of everything that breaks when you do that. And I should note that you can do this today - though we dont mandate it because of the application compatibility implications. Try this for a moment.
Go into group policy and switch on the policy for "User Account Control: Only Elevate executables that are signed and validated". Its under the local machine policy security node. Then go try and install an msi package or ten.
Tell me how many actually elevate to allow you to install.
Then think: Can you imagine the outcry of forcing the entire developer ecosystem to get their applications signed for every executable they write and have written - past and present?
Further to this, can you imagine every consumer with all their old applications they have had for years now breaking because of this?
George - firstly thanks for taking the time to reply with helpful information on market platform trends. Its interesting that Windows 2000, according to this w3schools site, only has now 3.3% market. Maybe that is affecting the data...
I still, without seeing the test methodology or data, find it ridiculous to believe that Windows 2000 is more secure than Vista. That said I do agree with one of the statements, that Vista PCs still require anti virus and that the protections we have put in place are no silver bullet. We have never stated otherwise.
Especially when users are so willing to click consent prompts that warn them and trust anything they download, run and execute.
Lets look at a few things:
1. To date theres been a handful of critical issues with Vista requiring a patch. Of those, many also affected Win2k. If a vulnerability was being exploited out of one of these patches it would also affect Win2k.
2. Of the viruses and trojans target Windows execution; If they run on Vista, they run on Win2k.
3. A good portion of the APIs that exist in Vista exist in Win2k.
4. IE6 runs on Win2k and IE7 runs on Vista. Firefox fans aside, most people would agree that IE7 is a much more secure browser than IE6.
5. Most consumers (like 99% of them) run their interactive user session on a Windows PC as a local admin. Vista restricts this through a split token requiring elevation to gain administrative access for anything that affects the integrity of the machine. Windows 2000 allows everything in that shell session to run as admin including IE.
Theres a whole bunch of reasons that affect "studies" like this. Without seeing the methodology its hard to make a judgement though I find it very, very difficult to take this "study" seriously.
Windows Vista is, apparently, less secure than Windows 2000. An analysis of threat data collected over a six month period by security software developer PC Tools suggests that despite a bottom-up code rewrite and the uber-annoying User Account Control
This latest revelation that Vista is less secure is further evidence that more needs to be done limiting user control of fundamental systems. The issue isn't whether education will prevent users from executing "dodgy" code - it is whether we allow dodgy code to run on a system. One of the most obvious facts of security IMHO is that you can NEVER educate a user in a substantial enough way to prevent security issues. What is needed is for ActiveX to have more of the JVM like sandbox features to stop nasty code from executing (NOTE: I am not saying Java is perfectly secure or better, just that some of the JVM controls are well planned to prevent harmful execution). In any event, whether Vista is more or less secure that 2000 remains to be seen - I personally don't get hosed on either OS ^_^
Let's stop this education approach and move into the prison approach... total lockdown.
Vista's UAC is so bloody annoying and interferes so much with legitimate work, that practically all users I know who are using Vista have turned it off. In fact, I know only one person who hasn't; he keeps Vista on a separate partition from all installed programs; according to him, in such a setup the UAC pops up its annoying dialogs less often.
Microsoft have still a lot to learn about security. We who have been professionals in this field for decades learned long time ago that a pop-up dialog saying essentially "Foo bar, click here to make this go away" is *not* going to protect the user.