August 18th, 2009

XP, Vista, or Windows 7: Which OS is more secure?

Posted by Ed Bott @ 9:01 pm

Categories: Security, Windows 7, Windows Vista, Windows XP

Tags: Operating System, Patch Management, Microsoft Windows Vista, Critical, Security Bulletin MS09-032, Microsoft Windows, Microsoft Windows Vista (Longhorn), Microsoft Windows 7, Microsoft Windows XP, Operating Systems

Over the past couple years, I’ve been regularly checking in to measure whether Windows Vista is living up to its promise of being more secure than its predecessor, Windows XP. (To catch up with previous installments, see October 2007, “One year later, Vista really is more secure,” and July 2008, “21 months later, Vista is still more secure than XP.”)

My metric is a simple but effective one: count the number of Microsoft Security Bulletins rated Critical or Important for different Windows versions over time. In both previous installments, Vista had a significant edge edge over XP, with far fewer updates required. Has Vista maintained its security advantage over the past year? And are there any indications as to how Windows 7 will fare, now that it’s been released to manufacturing?

The answer to both questions is yes.

It’s far too early to make definitive judgments about the relative security of Windows 7, but Microsoft’s shiny new OS had a banner first month. A total of eight Microsoft security bulletins were aimed at various Windows versions. Three of them were rated Critical for both Windows XP and Windows Vista, even with the most recent service packs. Another two security updates were rated Important for Windows XP and Moderate for Windows Vista.

But for all eight of the August 2009 security updates, Windows 7 and Windows Server 2008 R2 were listed under the Non-Affected Software heading. Not a single one of those security holes required patching in the new OS.

That’s the same pattern that Windows Vista established when it was new. And Vista has maintained its safer-than-thou reputation in the past year. I went through every single security bulletin Microsoft published for the past 12 months, from September 2008 through August 2009. The totals?

Windows XP: 22 Critical, 16 Important

Windows Vista: 18 Critical, 11 Important

That’s a 24% reduction in the number of patches rated Critical or Important—the kind that typically involve remote code execution or escalation of privileges. Or, to put it another way, that’s 3.2 patches per month for XP and 2.4 patches for Vista. (And the next time someone complains about the number of patches they have to install for Windows, be sure to show them that number: 2.4 patches per month, delivered automatically on the first Tuesday of each month, isn’t exactly overwhelming.)

So what’s the difference? Security Bulletin MS09-032 is typical:

This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability in Microsoft Video ActiveX Control could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. This ActiveX control was never intended to be instantiated in Internet Explorer. … 

This security update is rated Critical for all supported editions of Windows XP….

That vulnerability doesn’t exist in Windows Vista or in Windows 7. And both of those newer operating systems have an additional advantage. As the bulletin notes: “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” That, of course, is the whole point of the user model that was dissed so thoroughly in Windows Vista. But it seems to be working.

June 18th, 2009

How good is Microsoft's free antivirus software?

Posted by Ed Bott @ 1:00 pm

Categories: Microsoft Security Essentials, Security

Tags: Microsoft Windows 7, Malware, Antivirus Software, Microsoft Corp., Microsoft Security Essentials, MSE, Microsoft Windows, Cyberthreats, Spyware, Adware & Malware, Operating Systems

Microsoft has officially unveiled its long-awaited consumer antivirus offering. Formerly code-named “Morro,” it’s now been christened Microsoft Security Essentials, and it will enter public beta testing next week. If you have a licensed copy of Windows XP (Service Pack 2 or above), Windows Vista, or Windows 7, you’ll be able to download and install the software at no additional charge. No subscription is required for ongoing definition updates, either. The final release is scheduled for this fall. (My colleague Mary Jo Foley has more on what beta testers can expect next week.)

The public beta will be limited to 75,000 downloads, Microsoft says, and the targets are global. The initial beta release is limited to the United States, Israel (where a core development team is based), and Brazil. Next month, the beta will open up for users in China. It’s no coincidence that Microsoft is rolling out early in Brazil and China, which are large-scale vectors of malware infections because of the sheer number of Windows users running without antivirus protection. According to Microsoft, barriers to adoption of paid security software are especially high in developing markets, where internet access is slower and credit cards are unavailable to a large percentage of the population.

Microsoft Security Essentials requires validation, which means it won’t be available to anyone using a pirated copy of Windows. But it won’t require registration or personal information of any kind. In an interview last week, Theresa Burch, director of product management for Microsoft Security Essentials, confirmed that decision in no uncertain terms: “We collect no information from you at all,” she told me. No Windows Live ID, nothing. You agree to the EULA, validate, download, and you’re done.”

Over the past few days I’ve been testing recent builds of Microsoft Security Essentials on two machines, one running a 32-bit edition of Windows Vista, the other running a 64-bit copy of the Windows 7 release candidate. The software I describe in this post is a more recent build than the current beta that has been floating around back channels on the Internet. Here’s my report:

Page 2: Microsoft Security Essentials in action –>

March 31st, 2009

McAfee fails the Conficker test

Posted by Ed Bott @ 8:55 am

Categories: Security

Tags: McAfee Inc., Security, Ed Bott

Update: 31-Mar, 4PM PDT: McAfee has corrected the errors on the web pages associated with its Stinger downloads. Joris Evers, McAfee’s director of worldwide PR, writes via e-mail: ” It’s unfortunate that you don’t like the way we present the Conficker information on our Web site, but there is a lot out there including a front page banner that leads to a landing page that went live early this week.” He points to the company’s main landing page for Conficker information, which contains a link to a Conficker-specific version of the Stinger tool, and to a 15-page PDF document entitled “Finding W32/Conficker.worm,” He also notes that McAfee’s Avert Labs has “blogged numeroius times about conficker.”

The hysteria over the Conficker worm is reaching a fever pitch, with mainstream media doing their bit to whip Windows users into an unjustified panic over something that will affect a tiny fraction of the user community, made up almost entirely of people who were too stupid or negligent to apply a Windows patch issued nearly six months ago.

Ironically, many security professionals are in the amusing position of having to tamp down the hysteria. See, for example:

• Please, the world is NOT ending on April 1 (Sunbelt Software)
• Watch out for the Honda Accords (ESET)
• Conficker April Fools Hype (SecureWorks)

The trouble with virus scares is that they do a wonderful job of driving people directly into the arms of rogue security vendors (thank you, F-Secure). What makes this phenomenon even worse is when one of the largest security companies in the world creates a website filled with sloppy mistakes that make it look exactly like a rogue vendor.

Yes, I’m talking about you, McAfee. Let’s go through the list.

For starters, McAfee’s W32/Conficker.worm information page is hosted at a very strange URL: http://vil.nai.com/vil/content/v_153464.htm. Now, an old-timer like me will remember that McAfee Inc. used to be Network Associates, Inc. (NAI) until about five years ago. So I didn’t find that nai.com domain too alarming. But a casual computer user certainly won’t know that obscure bit of corporate history, and the McAfee logo and name are splashed all over that page, even though the domain name is completely unrelated. You know, like rogue security sites do.

On its home page, under a bold red “BREAKING ADVISORY” head, McAfee has also helpfully noted that it has “posted a W32/Conficker-specific version of our Stinger tool.” Following that link takes you to the Avert Tools download page and then to a download page for the tool itself (many third-party sites link directly to this page). Like the  Conficker info page, the Stinger download page is hosted at nai.com even though the McAfee name is the only one used on the page. One IT pro I spoke with was convinced this was a bogus download after he went to the Stinger page, clicked the About Us link, and saw … well, see for yourself:

Sloppy website design or a rogue site? If you’re a nervous Windows user who’s been told that the world’s most dangerous computer worm is going to strike tomorrow, do you trust this site? Me neither.

And as long as we’re picking on sloppy web designers, take another look at the McAfee Secure logo in the upper right corner of that page. According to the logo, this page was last tested by the McAfee Secure service on November 5 (2008, I presume, but who knows?). For the record, that’s nearly five months ago. McAfee’s home page carries a current date in this spot.

Security is serious business, and details matter. When a company as large as McAfee is this sloppy with its public response to a high-profile issue, it makes you wonder how tightly the engineering, development, and support sides of the business are being operated.

My advice: If you’re looking for a reliable source of security information, skip McAfee.

December 19th, 2008

That Windows 7 bootleg is a ticking time bomb

Posted by Ed Bott @ 5:17 am

Categories: Internet Explorer, Security, Windows 7

Tags: Beta Release, BitTorrent, Microsoft Windows 7, Microsoft Corp., Microsoft Windows, Security Administration, Patches, Operating Systems, Web Browsers, Security

Bootleggers, beware.

Judging by my inbox, lots of you downloaded a bootleg copy of Windows 7 build 6956 from BitTorrent, and now you have it running. But no matter how hard you try, you can’t update its built-in copy of Internet Explorer 8 with this week’s extremely critical out-of-band security update, which Microsoft turned around in record time.

That’s the downside of running software from unauthorized channels. You see, the build zipping around the BitTorrent tubes right now is a random “daily build,” one of many that was produced during the run-up to the upcoming beta release of Windows 7. Anyone who would have had authorized access to that build (Microsoft employees, OEM partners, a tiny corps of trusted beta testers) already has authorized access to more recent builds (including, rumors say, the final beta release itself) that can be updated with a supported version of this crucial IE8 patch. So, logically enough, Microsoft’s security team doesn’t release an update for that leaked version, just as it didn’t release an update for build 6952 or build 6961. As a result, you’re vulnerable if you visit a compromised website using the unpatched version of IE8.

Do you feel lucky? Maybe you might want to use a different browser (or even a different operating system) for the next few weeks…

August 11th, 2008

Alarmed about Vista security? Black Hat researcher Alexander Sotirov speaks out

Posted by Ed Bott @ 5:57 pm

Categories: Internet Explorer, Security, Windows Vista, Windows XP

Tags: Black Hat, Paper, Microsoft Windows XP, Vulnerability, Microsoft Windows Vista, Microsoft Corp., Web Browser, Exploitation, Microsoft Windows, Microsoft Windows Vista (Longhorn)

Earlier today I published a lengthy blog post questioning some of the sensationalist conclusions raised in press coverage of a paper presented by Alexander Sotirov and Mark Dowd at last week’s Black Hat Conference in Las Vegas. (See Windows security rendered useless? Uh, not exactly…) As I noted in that post:

It’s a fascinating paper, rich in technical detail and hewing to the Black Hat tradition of providing clues that others can follow to discover, exploit, and ultimately fix vulnerabilities in widely used computer code. …Unfortunately, most people who read about Sotirov and Dowd’s work didn’t bother to read the technical paper. Instead, they relied on quick summaries [that were] wildly inaccurate and hopelessly sensationalized.

This afternoon, I received the following e-mail from Alex Sotirov and am reprinting it with his permission:

Thanks for your blog post about our research. I was horrified by the lack of understanding displayed by the tech press when they covered the paper Mark and I presented at BlackHat. You rightly point out that the sky is not falling and the flaws are not unfixable. In fact, the next versions of Flash and Java will contain specific measures that limit the impact of the techniques we presented. We expect Microsoft to follow suit as well.

Exploitation is a cat and mouse game. The paper we presented puts the offensive side at a slight advantage, but it won’t take long for the defenses to catch up. Our intention was always to nudge the software vendors into improving their defenses and I hope we will succeed.

I just got off the phone with Alex, who took time out of his busy schedule to answer a few follow-up questions:

What was the atmosphere like at Black Hat? How was your paper received by people in the audience?

Positive. A lot of people in the audience seemed to really like the paper. A lot of them came up and asked more questions afterward. Everybody who talked to me said it was pretty impressive.

Did you get any reaction from Microsoft?

Microsoft had contacted us before Black Hat. We had some conference calls and sent them an early draft a few weeks ago. In fact, they put us in touch with the people who designed the [memory protection] defenses [in Windows Vista] and sent us a few minor corrections. It was a very positive experience working with Microsoft. Our research is helping them learn where they need to focus their resources and where they need to improve. We did not take any of the vendors by surprise. Also through Microsoft, both Adobe and Sun were notified about the paper. We haven’t spoken to them directly, but the Microsoft people have, I believe.

Is there any exploit code or proof of concept code available yet for the techniques you describe?

Well, we only gave the paper last week, so I doubt that anyone is using any of these techniques right now. What we presented is weaknesses in the protection mechanism. It still requires the attacker to have a vulnerability. Without the presence of a vulnerability these techniques don’t really [accomplish] anything. We used the ANI cursor vulnerability that had been patched. We chose this example because it worked on XP and Vista, but the example we used would not work [in the real world] because this issue was patched already.

Do you have any advice for Windows users today? Should they be alarmed?

As long as they follow standard security practices — use antivirus products and other typical things that are good standard policy — they shouldn’t have anything to worry about. Our research is to some extent academic. The articles that describe Vista security as “broken” or “done for,” with “unfixable vulnerabilities” are completely inaccurate. One of the suggestions I saw in many of the discussions was that people should just use Windows XP. In fact, in XP a lot of those protections we’re bypassing don’t even exist. XP is even less secure than Vista in this respect. [What we established is that the security advantage of Vista over XP is not as great as [previously] thought. Vista is still very good at preventing vulnerabilities.

Your research focuses on weaknesses in browsers. Does the movement to doing more in the browser mean the danger is increasing?

Browsers are used more widely than they were five years ago. A lot more businesses rely on browsers now to do [everyday work]. Businesses could have blocked access to the web five years ago, but with widespread use of the web as an interface, the importance of the browser has increased. It’s a lot harder to tell people they cannot use a browser. The possibility of a vulnerability in the browser affects their security.

One last question. Your paper was entitled “How to Impress Girls with Browser Memory Protection Bypasses.” In a blog post, your partner Mark Dowd said you were going to be conducting “ongoing research” on this subject in Las Vegas. Did you really flood your hot tub at Caesars Palace?

Uh… [pause] Yeah.

Thanks for your time.

You’re welcome.

August 11th, 2008

Windows security rendered useless? Uh, not exactly

Posted by Ed Bott @ 7:03 am

Categories: Internet Explorer, Security, Windows Vista, Windows XP

Tags: black hat, attacker, windows security, vulnerability, microsoft windows vista, defense, memory protection, microsoft windows, microsoft windows vista (longhorn), operating systems

Update 11-August, 6:00PM: Don’t miss my exclusive follow-up interview with researcher Alexander Sotirov, who says “The sky is not falling and the flaws are not unfixable.”

Oh dear. The Chicken Little contingent is out in full force. Break out your Kevlar helmets, everyone, because the sky is falling on Windows! At last week’s Black Hat conference in Las Vegas, researchers Alexander Sotirov and Mark Dowd presented a paper that outlined some new attack vectors they had discovered targeting some security features introduced in different versions of Windows XP and Windows Vista. It’s a fascinating paper, rich in technical detail and hewing to the Black Hat tradition of providing clues that others can follow to discover, exploit, and ultimately fix vulnerabilities in widely used computer code.

Unfortunately, most people who read about Sotirov and Dowd’s work didn’t bother to read the technical paper. Instead, they relied on quick summaries, most notably the one provided by SearchSecurity, which was picked up by Slashdot and our own Adrian Kingsley-Hughes. Alas, those stories are wildly inaccurate and hopelessly sensationalized.

Read the rest of this entry »

July 25th, 2008

21 months later, Vista is still more secure than XP

Posted by Ed Bott @ 2:30 pm

Categories: Security, Service Pack 1, Windows Vista, Windows XP

Tags: Security, Microsoft Windows Vista, Microsoft Windows Vista (Longhorn), Microsoft Windows XP, Microsoft Windows, Operating Systems, Software, Ed Bott

Last October, roughly one year after the release to manufacturing of Windows Vista, I did a comparison of how well Windows Vista was living up to its promise of being more secure than its predecessor, Windows XP (see “One year later, Vista really is more secure”). My data source was the Microsoft Security Bulletin Search page, where I tallied up security bulletins rated Critical or Important for the two Windows versions. The result? Vista had an overwhelming edge over XP, with a mere 14 security updates compared to 41 for XP with Service Pack 2 during the same period.

Has Vista maintained its security edge in the succeeding nine months? The answer, it turns out, is yes, although the margin has narrowed. I repeated that previous experiment using data from November 2007 through July 2008. The totals are as follows (in both cases, I assume that the most recent service pack is installed, with Vista SP1 counted beginning in March 2008 and XP SP3 in May 2008):

• Windows XP: 23
• Windows Vista: 19

The grand total for the period from November 2006 through July 2008, again assuming the most recent service pack is installed:

• Windows XP: 64
• Windows Vista: 33

Over the 21-month period, that’s a monthly average of roughly 1.5 Critical or Important security updates for Vista and 3 for XP.

Although it’s difficult to do Apple-to-Windows comparisons, I tried my best, using the Apple security updates page. By my count, between November 2007 and July 2008 there were 22 updates for Mac OS X and its included components, including seven Security Update packages designed to fix multiple vulnerabilities (such as the 13 separate fixes listed in the Mac OS X 10.5.4 update released on June 30). That’s four more than the Vista patch count during the same period and one less than the XP total. Make of that what you will.

My takeaway? The changes in the security model for Vista are continuing to pay off, and as Vista’s market share grows, bad guys are turning their attention to vulnerabilities that can exploit both operating systems. When they do, the impact on Vista is likely to be less severe, as in Bulletin MS08-36, which was rated Important for XP SP2 and SP3 but only Moderate for Vista RTM and SP1. And, of course, none of these numbers take into account the improvements in security that accrue when administrators are able to configure a standard user account in Vista that wouldn’t work smoothly if at all in XP. That simple change goes a long way to preventing users from being able to compromise a system by running malicious executable code.

July 15th, 2008

Windows Update versus Ubuntu Update

Posted by Ed Bott @ 10:00 am

Categories: Linux, Security, Windows Vista

Tags: Ubuntu, Microsoft Windows Update, Operating System, Update, Microsoft Windows Vista, Microsoft Windows, Microsoft Windows Vista (Longhorn), Operating Systems, Software, Ed Bott

A few months ago, Steve Ballmer publicly noted that Windows Vista was “a work in progress.” That inspired a predictable outpouring of Vista-bashing. After all, look how many updates Windows Vista has had since it was first released. Obviously, it was a disaster, or there would have been no need for that many updates, right? Why couldn’t Microsoft get it right the first time?

The reality? All modern operating systems used as mainstream business and consumer platforms are “works in progress” and require frequent updates to fix bugs and resolve security issues (and occasionally to add features). Many of those bugs and security issues don’t surface until the code gets deployed widely, and even then it sometimes takes detective work to figure out where the actual problem is. Presumably, the big issues get worked out within a few months, and the pace of updates drops off (but not to zero).

I thought about this over the weekend when I opened up a Hyper-V virtual machine running Ubuntu Linux 8.04. This was a plain-vanilla install of Ubuntu, with no additional software except what is included with the downloaded distro. I had last used this VM 51 days earlier, at which point the OS release was about a month old. At that time, it was completely current with patches and updates, and I hadn’t reopened it since. (A side note: My Ubuntu and OpenSUSE 11 installations on this Hyper-V server were exceptionally easy and performance is excellent. I’ll be migrating my Fedora installation from Virtual PC 2007 to Hyper-V and adding an OpenBSD machine on this platform as well.)

I expected that I would have to install a few updates. But I was surprised to see how many.

Read the rest of this entry »

July 3rd, 2008

Nothing stealthy about this Windows Update update

Posted by Ed Bott @ 11:27 am

Categories: Security, Windows Vista, Windows XP

Tags: Microsoft Windows Update, Update, Microsoft Windows, Operating Systems, Software, Ed Bott

For years, Microsoft has occasionally updated its Windows Update client software automatically on systems that are configured to check for updates. This has been true even when Windows Update is set to simply check for (and optionally, download) updates but not to install them.

That decision led to a flurry of negative publicity about “stealth” Windows Update updates last year, triggered when one of those automatic updates caused problems on a small number of Windows XP systems whose owners used the repair option from the installation media. Most of those customers were surprised to find that the culprit was an update they never realized they had installed.

At the end of July, Microsoft is going to make some changes to the infrastructure of its Windows Update back end, and as part of the change it will begin delivering another update to Windows XP and Vista systems (as well as systems running Windows Server 2003 or 2008). This time, though, the plan is to communicate the details well in advance and to provide more notice before and after the process.

I spoke yesterday with Microsoft product manager Michelle Haven, who told me that the primary purpose of the update is to improve performance, scanning more quickly for updates and delivering those updates more quickly. It won’t change the way Windows Update looks or feels, she says. In a related blog post, Haven says Microsoft has “invested heavily in reducing the amount of time it takes the Windows Update agent to scan to see if new updates are available. In this case, we’ve seen some instances of the scan times on some machines decreasing almost 20 percent.”

Unlike previous Windows Update updates, this one isn’t sneaking in under anyone’s radar. In addition to the Microsoft Update blog, this update will be documented in an updated version of Knowledge Base article 946928 (“Information for network administrators about how to obtain the latest Windows Update Agent”) and will be available for download there.

One additional change provides a notification in the Windows Update history with a link to additional details. This screen shot show what the Windows Update log will look like after the updated agent software is installed.

If you want to opt out of this update until you’re certain that it won’t cause problems on your system or network, you’ll need to completely disable Windows Update. On systems running Windows Vista, that means selecting “Never check for updates” and on Windows XP it means selecting “Turn off Automatic Updates.” The update will be applied if any other option is selected (including “Download updates but let me choose whether to install them” or “Check for updates but let me choose whether to download and install them”).

And because I knew the question would come up in the comments here, I asked whether this update has anything to do with anti-piracy or Windows Genuine Advantage features. The answer was a categorical no: “There is no WGA component in this client update.” A follow-up e-mail message from a contact at Microsoft’s PR agency confirmed this information for me.

July 2nd, 2008

Microsoft to ratchet IE8 security another notch in Beta 2

Posted by Ed Bott @ 10:05 am

Categories: Internet Explorer, Security

Tags: Microsoft Internet Explorer 7, ActiveX Control, Microsoft Corp., Beta, Site, IE8, Microsoft Windows, ActiveX/COM/COM+/DCOM, Phishing, Web Browsers

Sometime in August, Microsoft plans to release Beta 2 of Internet Explorer 8. Yesterday, I spoke with Austin Wilson, Director of Windows Client Product Management at Microsoft, about some of the security-related changes due in this milestone, and got a preview of the changes announced today.

The most noticeable change is the SmartScreen Filter, which replaces the Phishing Filter found in IE7. It uses the same reputation-based filter as its predecessor, but adds a few tweaks to make it easier to spot social engineering attempts. IE8 adds domain highlighting (as shown below) to frustrate phishing attempts that use long, complex URLs to make a link appear to go to a legitimate domain.

Part of the work involves simplifying the interface for displaying potentially dangerous websites. In IE7, for example, the address bar turns yellow when you encounter a suspicious site and red when you attempt to visit a site that is reported as unsafe. In IE8 the yellow bar is gone, replaced by a dialog box. The green address bar for sites that use Extended Validation certificates remains.

When you try to visit a site that is listed in the database of known unsafe sites, the background of the browser window turns blood red and this stern warning appears:

The SmartScreen filter in IE8 also extends protection to download attempts, blocking access to servers that are known to be serving up malware

The concepts behind that work should be familiar to anyone who’s used a competing browser, such as the just-released Firefox 3. Corporate customers and security professionals should be more interested in architectural changes designed to block access to vulnerabilities in ActiveX controls and take advantage of Data Execution Prevention features.

The ActiveX changes (some of which were announced in May) allow controls to be locked to a specific site and to be offered on a per-user basis. The former prevents a hostile website from being able to call an existing ActiveX control (such as one installed by the system builder or with another program, or one downloaded from a different, presumably safe web page). The user (or a system administrator, using group policy) has to opt-in to those controls and can lock them for use only on a specific site.

ActiveX controls can also be offered on a per-user basis, bypassing the need for UAC prompts and lessening the possibility that one user can install a control that compromises the entire system or other user accounts.

In IE7, Data Execution Protection is disabled for the browser process by default, primarily for compatibility reasons. IE8 enables DEP on Windows Vista SP1, Windows XP SP3, and Windows Server 2008. As a result, any page or add-in that tries to use a buffer overflow or other exploit to write executable code to an area of memory that is reserved for data will crash that browser tab (but shouldn’t take down other tabs).

Finally, IE8 is designed to protect from some forms of server-based attacks as well. The most noteworthy change is code that blocks common forms of cross-site scripting exploits. According to Wilson, IE8 will detect Type-1 (reflection) attacks and block script from being injected to web a server via URL.

I’ll have a more detailed look at these changes when the beta code is available next month.