Microsoft has blamed common third-party desktop applications, rather than Windows, for the majority of security threats in a new report. The finding might appear surprising at first but is backed by independent security notification firm Secunia. The latest edition of Microsoft's Security Intelligence Report suggests that " …
Secunia's scanner is a convenient way to monitor some 3rd party software that can be a problem (Adobe Flash, the Java runtime, Adobe pdf reader, browsers, etc).
Still Microsoft's problem
It's still Microsoft's problem though - they've insist on allowing users and applications to run with admin rights for years, and are now feeling the repercussions of this stupidity.
And they still have this assumption that applications running in windows are trusted and can do anything they like. Pretty much the only defense is that they ask the user to say whether it's ok for programs to run before they're installed.
They're going to need to design the OS so that individual applications are sandboxed, and so that the OS doesn't trust applications by default. I've been suggesting signed applications, with programs only able to modify their own files for years, because trusting random programs downloaded from the internet has always seemed a bit dubious.
Oh, and they might want to take a leaf out of Linux's book and create an application repository so it's possible for users to easily update all their applications at once.
I wouldn't mind this if Microsoft didn't *also* trumpet surveys which say it's "more secure" than Linux - because they compare vulnerabilities in just Windows versus vulnerabilities in an entire Linux distro (including tons of what would be third-party apps on Windows).
Can't have it both ways.
If Microsoft would provide an API for their Automatic Updates system so third parties could distribute software updates as easily as Microsoft can, then a lot more people would have up-to-date software.
If I look at my home PC, I have services from Apple, Sun (Java), Microsoft and Adobe (Flash/Acrobat) all running at once to slow my machine down / check for updates regularly.
Why can't that be a single update service, like apt-get on Debian/Ubuntu or rpm on Red Hat?
From Page 66 of the Report. Is the U.K. that bad?
The 25 locations with the most computers cleaned by Microsoft anti-malware desktop products in 2H08
Country/Region------------------Computers Cleaned in 2H08
I have only shown the first three, because that is scary enough.
I'd tend to agree
The vast majority of grief I get at work (IT field-support for a university) is caused by crap 3rd-party MS-Windows programmers who don't understand that MS users DON"T always have (or even want) administrative privileges. That and 3rd-rater programmer hacks that haven't realised that MS-Windows has supported multiple users since the turn of the century.
At least in the Linux world we publicly ridicule at programmers who expect users to run as root or try to store their prefs in /bin directories.
And Centre For Tobacco Studies Says...........
The is no conclusive proof that smoking is harmful.
And how do these said apps manage to run with full privileges ? Because the crap OS security model lets them.
Actually, I was reading said tome earlier today (coz I work in Security and have to 8-) and it has some interesting quotes in it ...
"In 2H08, Microsoft released 42 security bulletins that addressed 97 individual vulnerabilities identified on the Common Vulnerabilities and Exposures (CVE) list, a 67.2 percent increase over the number of vulnerabilities addressed in 1H08. For the full year of 2008, Microsoft released 78 security bulletins addressing 155 vulnerabilities, a 16.8 percent increase over 2007." (page 8)
which to me reads different to the journalist spin in this article, in that Microsoft software still has a lot of underlying issues. I suspect the low number of Vista specific vulnerabilities might be due to lack of focus on it as its essentially an OS lying on the street and people are stepping over it to reach XP.
"To facilitate analysis of core operating system vulnerabilities, Microsoft researchers devised a model by which all disclosed vulnerabilities affecting core components of Microsoft Windows, Apple Mac OS X, proprietary Unix systems, or the Linux kernel were classified as operating system vulnerabilities, with everything else classified as application vulnerabilities.
Using this model, programs like media players are considered application vulnerabilities, as are Linux components like the X Window System, the GNOME desktop environment, and others." (page 30)
which actually means they are trying to measure like for like and not spinning it to say Linux = everything that runs on it.
There are other interesting things in the 183 pages, including good descriptions of how "drive-by" hacks work and why it is increasing and the difficulties of reducing social engineering based attacks.
I'm no Microsoft fan and there maybesome possibly dodgy stats in those pages but it does appear to be a good piece of research overall. I just wish Apple were as open ! (some hope and I'm an Apple fan 8-)
Microsoft Applications are the problem
'The latest edition of Microsoft's Security Intelligence Report suggests that "nearly 90 percent of vulnerabilities disclosed in the second half of 2008 affected applications".'
Agree but More Is Needed
To some degree this is true however MS does need to make the system more secure by default. Also you have to consider users due to the prominence of social engineering attacks.
For MS to make a fair "security" comparison with Linux, they need to measure like-for-like. I don't use Vista, but an XP install only seems to be the equivalent of Linux Kernel + KDE or GNOME + equivalents for a handful of minor apps like notepad, solitaire, calc?
Ok, I see that there's some issues around comparing (illegally) integrated apps such as IE, but surely Windows XP vs Debian is unfair (unless you stick every app you can get your grubby paws on into the XP install as well)
Even then, surely the "install as root" security model in Windows is a pretty fundamental hole in the security infrastructure?
Well, since day one, Windows has had no native internal model of security and that all current concessions to security are just ill-fitting afterthoughts bolted on ad-hoc decade after decade I think they really have a bit of a cheek.
Windows is inherently, by its very architecture, not secure. No amount of hideous user-annoying half-baked bolted-on measures will ever change that. They need to completely revise the concept of file ownership and executability (make these more UNIX-like in fact) and MS appear unable or reluctant to do this. Ideas like "root" in Windows are just thin veneers there to pay lip-service to the concept. Doesn't really work as such though.
@ LaeMi Qian: "At least in the Linux world we publicly ridicule at programmers who expect users to run as root or try to store their prefs in /bin directories."
Well, it still doesn't stop this kind of thing from happening on Linux, now, does it?
This should be good
The comments this will surely generate should be great reading.
Give me a break
I have left all Microsoft products and run Linux Ubuntu reason tired of the security issues tired of viruses .
Microsoft systems are bad they are bloated and full of useless code, the last great Microsoft OS was probably Windows NT and Windows 2000.
Microsoft can blame whoever but the in the end it is there product they should secure it better.
"Oh, and they might want to take a leaf out of Linux's book and create an application repository so it's possible for users to easily update all their applications at once."
They have tried for years to get third party companies to use the Windows update service, yet have meet with huge resistance from outside companies. For those of you who are beta testing Windows 7, you have probably noticed that allot of companies have stepped up to the plate with their drivers (notably Nvidia and intel) to have those update through MS's system. Kind of confuses me, why not give MS the updates and let them bear the burden of the bandwidth costs?
@Richard Gadsden re, Automatic Updates
"...so third parties could distribute software updates as easily as Microsoft can, then a lot more people would have up-to-date software."
A lot more people would have a lot more to worry about as well.
Re: I'd tend to agree
"3rd-rater programmer hacks that haven't realised that MS-Windows has supported multiple users since the turn of the century."
Since when? The Windows SDK from about 1990 onwards had a whole section about how to play nicely with "network installations" where each user had their own WINDOWS directory but shared all the SYSTEM rubbish. Broadly speaking, this amounted to "use the documented APIs to find these two directories and don't assume you can write to the latter".
Sound advice, which Microsoft's own applications division started to take on-board about a decade later when people started asking why (say) Office 2000 only really worked properly if you ran it as Administrator.
Running windows as a regular user...
Sort of works sometimes.
If you try and install a font in Windows XP is should say something like "you need power user rights or better to install fonts, please enter your user/pass here... NOT some error message that a file is in use and try again later. Actually there would be no use for power users if Windows worked right. There are lots of examples were regular users will just end up puzzled at why something will not work, or hacks and tricks are required to make something work for a normal user. That's why most people just run as administrator given the choice.
UAC and Admin privs has nothing to do with it
The ability for malware to get on a machine is limited by Vista's ASLR on 64-bit (or at least NX and XD-bit enabled) computers. It has nothing to do with administrative privs or UAC. This is simply incorrect on the commenters' part, as well as the author's.
Microsoft has made ASLR, DEP, and SafeSEH available to Adobe and RealPlayer, but both of these ISVs (as well as numerous others) fail to utilize them, and continue to write code that violates Microsoft SDL practices -- such as use of functions on the unsafe functions list.
Richard Gadsden is definitely correct though. I flat out refuse to install software that has it's own update manager. I'd rather just use the Microsoft alternatives. Google and Apple are notoriously bad for this. For this reason, and others, I don't install Google or Apple software.
The Java updater has some poor defaults, and I change them to be more secure. This does add some overhead, and can be annoying at times. The Adobe updater is only a problem when you start Adobe Reader for the first time... thereafter you can use "Check for updates".
A special note is that the Secunia code isn't secure either. Microsoft has invested a lot, and here come some random players trying to prove or show problems, but they themselves create more problems. Anti-Virus needs to change, but it won't -- and users are going to be stuck misunderstanding the security of their systems from many angles for a very long time as a result.
Hmm. Here I always thought it was the duty of the OPERATING SYSTEM to protect applications from each other, and to protect the integrity of the system from rogue applications. Are they claiming then that they have given up on that duty?
I'll start using MSWindows when it starts acting like a real operating system, not just a shell on top of a single-user DOS environment. I'm still waiting. Microsoft doesn't "support" multiple users, it merely sort of fakes it. Poorly at that.
"Secunia's scanner is a convenient way to monitor some 3rd party software that can be a problem (Adobe Flash, the Java runtime, Adobe pdf reader, browsers, etc). http://secunia.com/vulnerability_scanning/online/"
Does that qualify as 4th party software?
Just a moment.
Let's say Windows is 1st party and then Windows Software is 2nd party. 3rd party is 'logo' qualified. 4th party is not. 5th party is virus/other stuff. 6th party is 1st, 2nd, 3rd, or 4th party to deal with 5th party.
So Secunia is 7th party, and some of the other parties, to make sure all the rest is.... up to date.
"Oh, and they might want to take a leaf out of Linux's book and create an application repository so it's possible for users to easily update all their applications at once."
Don't think that has happened.... yet.
"Why can't that be a single update service, like apt-get on Debian/Ubuntu or rpm on Red Hat?"
Build specific for (commercial) reasons unknown?
Secunia's PSI *is* a single update service
I love Secunia PSI so much that, if I weren't already happily married, I would pursue it with vigor.
It replaces a product I used a decade ago from Cybermedia, called Oil Change. It took 10 years for another company to come up with something that did the same thing. And they give it away for home use!
It checks almost every application on my system and lets me know when I need to patch it and why.
Oh lovely Secunia, PSI! You have saved me much time and grief with family members.
Also, I already get hardware driver updates from Windows Update. That's the only third party stuff I know of you can get through it. And those are Microsoft certified.
Windows, an OS, designed by a committee?
It has to be said that Windows was a half-arsed OS from its concept, and has been subdividing ever since. I'd say that at the moment it's passing through the two-hundred and fifty-sixth-arsed stage. As someone familiar with the essential simplicity of the Unix system, it's hard to imagine how anyone could come up with the mess that is Windows, but I suppose the committee/meetings concept could manage it.
Umm, argument doesn't fly
AFAIK there's really NO Linux distro out there that doesn't allow you to install a veritable avalanche of 3rd party apps - yet that doesn't appear to increase the security risk of the platform.
Nice try MS, but we're talking about fundamental design here. The good news is that MS is at least trying to borrow some bits from Linux, but without the fundamental OS segregation sorted out (and removing a serious amount of bloat) slapping something on *top* isn't going to help.
BTW, Vista has proven to many that they don't actually NEED to upgrade..
Why do you want to use MS's update facility? Its the most fragile POS I've ever encountered. It only works about 30% of the time thru a proxy, its overly complex, and it insists on using about 75 different domains making it near impossible to create firewall rules for. Other software I have that updates automatically does a hell of a lot better than MS. For one, AVG updates on its own about 360 days of the year, maybe the other 5 it gets stuck or wants to reboot so manual intervention is needed.
Applications which compromise security
year after year, update after update: Internet Explorer, Excel, Word, Powerpoint, Windows Media Player and not an application but a component of many, Activex .... Just count how many Activex, Microsoft Office or Internet Explorer security issues there have been since their introduction. Despite endless revisions the security weaknesses that appear to be at the heart of these applications continue to be patched on an ad hoc basis. The last straw has to be when security companies earlier this year advised Windows users not to use Internet Explorer as a way of keeping their systems safe - after how many years of IE as the market leader in bowsers? Microsoft know their secret APIs and have vast programming resources and should be expected to produce software that has been tested for elementary vulnerabilities, yet time after time they seem unable to. How long did it take for Windows 7 to get pwned? What is Microsoft's ultimate security solution to the problems of Internet Explorer - drop it and rip off Firefox?
"compared to none on PCs running Windows Vista"
But aren't there only six people in the world using Vista?
Five of which work for MS...
Niave fool here
This article makes me think of why I left the Windows world and went to Linux.
Aside from me being sick of paying money for shit software, I saw Ubuntu as a way of getting rid of continual harassment of viruses (including the M$ ones).
So, being a naive noob, what I don't get is why M$ is advertising that security vulnerabilities are to be blamed on third parties. Doesn't that underline a serious failure as an operating system? Am I expecting too much from operating system?
Shoe is on the other foot now
Didn't Microsoft claim for years all of the "more" security issues with Linux platform v/s Windows. Even though 99.99% of those issues had nothing to do with the Linux operating system itself but rather third party applications that were written for it. Now Microsoft is being weighed on the products that run there as well. Time for you to drink your own kool-aid Microsoft!
Funny how Linux provides a built mechanism to patch all products you chose to install(openoffice, mysql, apache, php), not just the ones that the operating system provider wants to ship.
- Hi-torque tank engines: EXTREME car hacking with The Register
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Review What's MISSING on Amazon Fire Phone... and why it WON'T set the world alight
- Product round-up Trousers down for six of the best affordable Androids
- Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...