February 7th, 2006

Least privilege is not panacea

Posted by Richard Stiennon @ 11:01 am

Categories: Security Industry News

It is always a mistake to expect Microsoft to fix the security issues with Windows. When Microsoft bought Gecad and Pelican software in 2003, and then again when they purchased Sybari last year at this time, many were quick to predict the demise of the major desktop security powerhouses. The most damaging impact of these false expectations was that Symantec and McAfee adopted them, reduced their focus on desktop security, and attempted to diversify: McAfee by branching into Intrusion Prevention, and Symantec by first becoming the WalMart of security (everyday low prices on everything you need) and then, when that did not work, attempting to reduce its reliance on desktop anti-virus by merging with Veritas.

Now pundits are proclaiming that Windows Vista will finally solve the desktop security issue by enforcing a policy of “Least Privileges”. There are so many reasons why this is just wrong that it is hard to choose a place to start.

First, what is “Least Privileges”? It is the idea that a user of a PC does not need complete administrative rights to do their everyday tasks. Unfortunately, in Windows you *do* need administrative privileges for such everyday tasks as installing software, printer drivers, and patches. So Vista, in beta right now, has work-arounds for each common task. Most software, or at least software installation tools, will have to be modified to accommodate this. Instead of installing key files in C:\Windows, C:\Program Files, and HKEY_LOCAL_MACHINE, which today need administrative rights, Vista will provide virtual directories for those files. You will then be able to install applications, printer drivers, and patches. (Of course, so will malware.)

Sounds nice, right? Wrong! I maintain that the entire Vista model of least privileges addresses yesterday’s problems. With Vista the Blackworm worm would not be able to spread, and the “I love you” virus would not have worked. Those relied on a user to click and open a file that was automatically installed. But the recent spate of Windows Meta File exploits would all be successful. They gain admin rights via an *exploit* before installing whatever software is desired. As soon as Vista achieves a 30% presence in the market (early 2009 by my estimates), most new threats will be able to sidestep any least privilege defense.

What does this mean? You will still need to protect your PC with multiple pieces of software: AV, firewall, and some sort of block-and-remove-of-nasty-stuff currently provided by anti-spyware solutions. There will still be hundreds of desktop security products to address the shortcomings in Windows. There will still be bad guys exploiting vulnerabilities for fun and profit.

So, if you are a security product vendor or an investor in security solutions, do not play the waiting-for-Microsoft game. It is safe to assume that the overall threat level to PCs will not be reduced at all by Vista.

Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
