Mostly Harmless: Google Project Zero man's verdict on Windows 10

Accomplished Google hacker James Forshaw has given Windows 10 a slight security tick of approval, badging the platform as a two-steps-forward, one-step-back affair when compared to version 8.1. The Project Zero vulnerability man praised Redmond for making some inroads to hardening in its latest Windows iteration, but scolded …

  1. frank ly

    re. "ultimate bug bear"

    Did he manage to take a picture of the bug bear?

    1. Anonymous Coward

      Re: re. "ultimate bug bear"

      I think he tried, but it was not a Kodiak moment.

    2. Adam 1

      Re: re. "ultimate bug bear"

      One does not simply take pictures of Australian bugs, particularly the ones that are bear sized.

      1. Nick Ryan Silver badge

        Re: re. "ultimate bug bear"

        I understand that having a vertically facing camera on your head can get some interesting "guess what happened next" type of shots when those very nasty indeed bears drop on you.

      2. allthecoolshortnamesweretaken

        Re: re. "ultimate bug bear"

        "What do you call a 6'6" kangaroo with sunglasses and a machine gun?"

        "I don't know, what do you call a 6'6" kangaroo with sunglasses and a machine gun?"

        "Sir."

        1. Doctor Syntax Silver badge

          Re: re. "ultimate bug bear"

          Re: allthecoolshortnamesweretaken

          Can we have a groan icon?

          1. Roger Kynaston
            Facepalm

            Re: re. "ultimate bug bear"

            Not quite a groan but ...

        2. VinceH
          Terminator

          Re: re. "ultimate bug bear"

          "I don't know, what do you call a 6'6" kangaroo with sunglasses and a machine gun?"

          The Terminator. Sent back from an alternative timeline where Marsupials became the dominant species on Earth, then created a self aware computer system and put it in charge of the weapons.

          "The 600 series had rubber skin. We spotted them easy, but these are new. They look... er, like Kangaroos."

        3. Anonymous Coward
          Thumb Up

          Re: re. "ultimate bug bear"

          That brings to my admittedly warped mind http://militaryhumor.net/combat-kangaroos/#

  2. Christian Berger

    Windows security is like a heavily armoured gate...

    ....standing around on a field with nothing to keep people walking around it.

    Seriously as long as the form of software distribution is "random people installing random stuff from random sources" or "companies pay us to put things into a store", there will be not even the slightest bit of security. After all if Microsoft would refuse to carry Adobe software in their store, they'd probably get sued even if most people would agree that it would help security a _lot_.

    1. mythicalduck

      Re: Windows security is like a heavily armoured gate...

      > Seriously as long as the form of software distribution is "random people installing random stuff from random sources" or "companies pay us to put things into a store", there will be not even the slightest bit of security

      I get where you're coming from, but no.

      I don't want to be limited to who can provide me software, and as a developer, I don't want to be restricted on where I output my wares.

      I also don't think your statement is true either. As there are other security tools and features that exist - certificate signing is just one example.

      You're worried about people installing "any old program", well, teach them not to (okay, I know this is hard, I won't pretend it's not) instead of taking away an open platform.

      ... and yes, I consider Windows an open platform from a developer point of view - you can get plenty of developer tools (free or paid for), it's pretty well documented, and you don't have to jump through hoops to compile, run and distribute your programs.

      1. Christian Berger

        Re: Windows security is like a heavily armoured gate...

        Actually no I'm not saying that systems should be closed. We see what happens there with iOS and Android, you end up with a system that needs to be rooted/jailbroken in order to be useful, but still isn't secure even if you stick with the stores. (It's the same with other mobile OSes, but I'm just too lazy to list them all)

        What I instead propose is a system like it's used in Linux Distributions. It doesn't keep you from installing your own software, but it provides a safe and very convenient way of installing software. Distributions feel responsible for the software they have in their repositories. That's why you won't find software like "Acrobat Reader" there. If a software package has too many security problems and a safer option is available, a distribution may actually remove the unsafe package in a future version.

        Of course this is a form of censorship (though easy to circumvent as mentioned above). However I can choose which distribution/repository I want to have. I can choose whom I trust. And again, I can simply get the source of any program and compile it myself if I don't like what the distribution is doing.

        1. mythicalduck

          Re: Windows security is like a heavily armoured gate...

          > That's why you won't find software like "Acrobat Reader" there.

          Urm, you realise Flash is in some repos - even comes preinstalled on Mint 17 (or it did on my install, I had to remove it).

          Also, Linux repos are not unlike the other repos/app stores, including Microsoft's, Google's and Apple's; so whilst I've not heard of any security issues in any linux repos, doesn't mean there aren't or won't.

          Oh, and in case you missed it, Microsoft does have its own app store already...

        2. Anonymous Coward

          Re: Windows security is like a heavily armoured gate...

          These Utopian repositories work well with Linux, but it just doesn't fit in with the Windows mentality and the horse has bolted a long time ago. It's not a technical problem, more a commercial one.

          Anything close to a repository for Windows either has "store" or "market" in the name, has several fake "Download" buttons, or provides its own installer with bundled "offers".

          1. Sebby

            Re: Windows security is like a heavily armoured gate...

            I don't think users are empowered enough on Windows or, really, on any platform. We are not sandboxing by default, leaving the gatekeeper (of which there should always be more than one) to define only the recommended default set of minimum privileges an app needs. Nor can users specify alternative gatekeepers or no gatekeeper at all, with different capabilities and entry requirements. And users have no power to bypass the sandbox selectively, with user interfaces that leave no room for ambiguity about what exactly is being permitted and why. We should get that first, then we can judge the appropriateness of various distribution models. Sadly, every vendor seeking to build a perfect app utopia always has an economic incentive to hold the keys to the kingdom, except FLOSS distributions of software, which may have different incentives but which are at least innumerable and provide enough scrutiny to be useful.

            Windows users can check out Ninite and Chocolatey. Mac users can try Get Mac Apps, in addition of course to the FLOSS package managers such as MacPorts, pkgsrc and Homebrew. Apple themselves, of course, have long since failed to deliver a Mac App Store that actually delivers what people want.

          2. Anonymous Coward

            Re: Windows security is like a heavily armoured gate...

            > These Utopian repositories work well with Linux, but it just doesn't fit in with the Windows mentality and the horse has bolted a long time ago. It's not a technical problem, more a commercial one.

            That's because Microsoft (and Apple) are too wrapped up in their corporate greed to make a viable app store that would let such an ecosystem flourish.

            Rather than let you provide the user with a link (either directly, or maybe embedded in a small text file) that can be loaded into the app store pointing it to applications in your repository, they insist on it only talking to their repository, which they then charge money to host applications.

            There is no reason why the model used in open-source projects couldn't work for commercial offerings, just the big players don't want to consider it as it means they can't price-gouge developers for hosting applications.

            1. Anonymous Coward

              Re: Windows security is like a heavily armoured gate...

              > Rather than let you provide the user with a link (either directly, or maybe embedded in a small text file) that can be loaded into the app store pointing it to applications in your repository, they insist on it only talking to their repository, which they then charge money to host applications.

              I personally don't have a problem with the Apple model, because that gives me a second layer of security checking. It's not perfect, but I prefer two layers over none. Where I am confident, I can still install directly from a supplier without going through the App Store - I do that, for instance, with products from the Omni Group, and even there is a second layer at work because you can reject applications that do not have a correct Apple developer cert.

              Where I feel more adventurous I can use Macports to install software such as "nmap" - I can even compile things from source, all without any need to sponsor Apple for the favour.

    2. Fibbles

      Re: Windows security is like a heavily armoured gate...

      I think the main problem with software distribution for Windows is not that users don't have access to curated binary repositories, it's that the repositories that are available are curated by some really shady mofos. Debian, Ubuntu, Red Hat; they all maintain repos that I trust enough to download a binary without a second thought. What do Windows users have? CNET, Sourceforge and Softpedia; with their advert laden pages with fake download buttons, executables that must be downloaded just to download the program you actually wanted, and worst of all the preselected bundled value added software malware.

    3. This post has been deleted by its author

    4. Fred Flintstone Gold badge

      Re: Windows security is like a heavily armoured gate...

      You mean, like one of my favourite depictions of flawed security? :)

      Security could be a lot better on Windows and other OS if program developers would actually manage to stick to some sane programming methods.

      For example, why on earth does most software want to install for use by all users instead of giving the users the choice? Adobe is an exceptionally good example of that - if Adobe Reader and Flash were contained to one user, you could set up a safe user to use the Net and a Flash infection would not have too many rights to make a mess.

      Instead, the very first thing an Adobe installer asks is admin rights, even before it has downloaded the actual program (because clearly we are not allowed to have any ability to virus check what comes down).

      It may sound trivial, but that exact need to have admin rights when software has no business installing at that level is what annoys me. It's different if we talk about installing a driver or a kernel extension, but for normal user land software I think there is still FAR too much software on the market that is written in a way that needs far too many rights, which has as direct consequence that you already have a backdoor installed for whatever containment you seek to set up.

      Do we need to educate users? Yes - always. But if we undo that education by making it a habit to grant admin rights to whatever install, then we shouldn't complain if they don't get suspicious if that new fancy toolbar they got from dodgy.com wants the same.

      As I said at the beginning, this is not just a Windows issue. The choice to install at user level or system wide is one that belongs with the user, not with the software author - system wide installs of anything should IMHO be exception rather than rule.

  3. Anonymous Coward
    Linux

    Installing Linux

    Windows 10 frightened the kittens!

  4. Sebby
    Happy

    ...

    When we asked Mr Forshaw if he had an opinion of the allegations that Windows 10 spied unreasonably on its users, he would say only, "LOL! Amateurs!"

  5. Anonymous Coward

    I'm content

    Mr Soft has strengthened the fencing around the henhouse and I can now sleep safely at night. Nice man Mr Soft, but he has changed lately - his teeth seem longer and I'm sure there's what looks like a red bushy tail poking out behind him. But he has my best interests at heart, I'm sure.

    1. Jedit Silver badge
      Big Brother

      Mr Soft

      Microsoft, turn around and force the world to install Windows 10...

      Definitely having a Steve Harley moment after that post.

      1. Anonymous Coward

        Re: Mr Soft

        What came to mind was the Trebor Softmints advert which, for me, created a sinister impression of Mr Soft.

        And now I have an ear-worm, dammit!

  6. Dan 55 Silver badge
    Alert

    196 (Windows 10) vs 150 (Windows 7) system services

    That's a lot of telemetry...

  7. Chika
    Coat

    The Bugbear (Same Sh*t, Different Packaging)

    I couldn't resist!

    Actually, this is a gripe of mine that dates back further than Windows 7. I can recall arguing about this back in my Unix days, the only difference being that NT was comparatively new, all the works PCs ran Windows 98 and I was running RISC OS exclusively outside work.

    In other words, "same shit, different packaging." Microsoft never did seem to have a total grasp of security, hence (for example) UAC. You could do a better job by stopping users logging in as an admin user by default rather than having an easily bypassed nag screen which many users tend to switch off anyway.

    For example, the very machine I am typing on at the moment is a Linux system, set up from installation so that the default user is not an admin. It works well. I have set Windows systems up in the same way in more than one case, though the complete refusal to run some things rather than querying admin credentials (or at least allowing you to do this - some items will completely omit this option) can be annoying.

    Mind you, I believe that the core problem with any version of Windows is that the whole system was never originally designed to be multi-user and while it has been retrofitted over the years to allow for this, every so often a design flaw will show exactly where the system came from - a stand alone computer.

    (Don't take this as a Linux fanboy's gushing either. I have plenty of criticism to go around and Linux, Unix, RISC OS and so forth have their own flaws. I might like to look back at older systems but I'm a realist at heart).

    As far as I can see, this particular report just backs up an earlier report which concluded... Meh.

    1. Paul Shirley

      Re: The Bugbear (Same Sh*t, Different Packaging)

      They did finally add the 'run as admin' options to the context and start menu but it's still a pia having to remember to do it for apps that don't ask for elevation. There are enough of them to be annoying and most fail silently to add a sense of adventure to the game. I have no idea how ordinary users ever get their systems configured... Apart from calling us!

      1. Chika

        Re: The Bugbear (Same Sh*t, Different Packaging)

        They did add this but it's a pain to get to and it doesn't always appear, especially if the item you are selecting is specifically associated with certain functionality. And yes, I agree that some applications are real buggers when they insist on trying to get admin rights part way through. While you can't totally blame Microsoft for that, the design of the system does lend itself to having things like that happen.

        But then that's a bear of another bug - the insistence by some programmers that admin rights are always needed and the production of broken code. I could wax critical about that, but I'll save that for another day.

  8. BuckoA51

    "User account control is a pain-in-the-ass and Forshaw's "ultimate bug bear". It appeared to have been downgraded from a security technology to "'something you just put there to annoy the user'"."

    The number of so called security experts that keep saying this, yet none of them actually explain why or what a viable alternative would be. You don't get linux people saying "Oh my God Sudo is a pain in the ass! It's just here to annoy me!". I find UAC supremely useful for making it simple to run a STANDARD account on Windows and not have to change to my admin account every time I want to do some systems admin tasks.

    Yes I realise that default UAC settings aren't the most secure, but that's largely come about because of whining like that and "oh there's too many prompts" etc. Microsoft just can't seem to win on this one (though I suppose it's their own fault for the mess in Windows XP that got everyone used to the idea of no UAC prompts when installing their malware).

    "though the complete refusal to run some things rather than querying admin credentials (or at least allowing you to do this - some items will completely omit this option) can be annoying."

    Just saw this so sorry for the edit, you know who seems most guilty of this? MICROSOFT! I haven't really come across any third party software that refuses to UAC into admin that I can remember, but there's a few things you can't do through MS's own fancy "modern" interface without actually logging in as admin. So yeah I suppose they shoot themselves in the foot with that one.

    1. Si 1

      I see where you're coming from, but I think the problem with UAC is that while it does prevent nasties being able to run silently it doesn't fix the fact that once that app has been given permission to run it can do anything it wants to the system.

      The registry for example is basically a one-stop-shop for everything on the system and has no concept of restricting apps access to their own area. The entire registry is there for the taking. Likewise there's no jailing an app to its own directory or preventing it overwriting files or programs in other areas of the disk.

      UAC is less of a security feature and more of a button to absolve MS of any responsibility if the program you're running messes your system.

      While it would break compatibility with loads of applications I think MS should look at moving away from the registry and start jailing apps to their own install directory. Sure there will be plenty of times where apps will need access to external resources but I think that could work a bit like Android/iOS where you can decide what features an app can access like the camera or contacts.

      1. Electron Shepherd

        The registry and file system are (a bit) restricted

        "The registry for example is basically a one-stop-shop for everything on the system and has no concept of restricting apps access to their own area. The entire registry is there for the taking. Likewise there's no jailing an app to its own directory or preventing it overwriting files or programs in other areas of the disk."

        Log on to a default-config Windows 7 machine as a non-admin user, and try to modify files in C:\Windows\System32 or edit any registry setting in HKLM\SOFTWARE or its children. You won't be able to....

        1. Anonymous Coward

          Re: The registry and file system are (a bit) restricted

          I don't think that was his point. If you start to install software, and click YES on the UAC prompt, I'm sure that a Sophos (just as an example) installer can delete any and all other AV files, directories and registry entries. I know it can because there's a check-box for it.

      2. Uffe Seerup

        > The registry for example is basically a one-stop-shop for everything on the system and has no concept of restricting apps access to their own area.

        The registry has access control lists (ACLs) on each key. You absolutely need to have been granted access to read, write etc. for each key in the registry - albeit it inherits parent ACLs by default just like the file system.

        This would be akin to each *line* of a config file in *Nix having its own ACL. So there is absolutely a way to restrict apps access. And it is commonly done.

        > UAC is less of a security feature and more of a button to absolve MS of any responsibility if the program you're running messes your system.

        UAC is a security feature (it helps keep a system secure) but not a security *boundary*. The same way that because of SUID root, *Nix security is also not a security boundary (unless SELinux or similar is applied).

        > While it would break compatibility with loads of applications I think MS should look at moving away from the registry

        Through support for ACLs, the registry already has full support for app containment. Windows "modern" apps run in app containers, and because the security model (with an extensible token) allowed it, it fits nicely with the existing model.
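
An added example, not part of the thread or of any commenter's post: the per-key ACLs and inheritance described in the comments above can be inspected with `Get-Acl`. The function name `Get-WeakRegistryAce` is hypothetical and the two key paths are sample choices; the script lists allow entries that give broad, non-administrative groups write-type access to a key.

```powershell
# Added example (not from the thread): report registry ACL entries that let
# broad, non-administrative groups modify a key.

# Specific rights that change a key, its values, or its ACL.
$writeRights = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Inherited entries are often stored with generic rights instead of specific
# ones: GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$writeMask = $writeRights -bor 0x40000000 -bor 0x10000000

# Well-known SIDs, identical on every Windows install and in every locale.
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WeakRegistryAce {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    foreach ($key in $Path) {
        try {
            $acl = Get-Acl -Path $key -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL of ${key}: $($_.Exception.Message)"
            continue
        }

        # Explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($broadSids -notcontains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.RegistryRights -band $writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Key          = $key
                Sid          = $rule.IdentityReference.Value
                Rights       = $rule.RegistryRights
                Inherited    = $rule.IsInherited
                # An inherit-only entry applies to subkeys, not to this key.
                AppliesToKey = (([int]$rule.PropagationFlags -band $inheritOnly) -eq 0)
            }
        }
    }
}

# Sample key paths; substitute the keys you want to audit.
Get-WeakRegistryAce -Path 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    Format-Table -AutoSize
```

The report only lists allow entries; deny entries and group membership of the calling account are not evaluated, so it is a starting point for review rather than an effective-access calculation.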

      3. Mark 85

        @ Si1

        > UAC is less of a security feature and more of a button to absolve MS of any responsibility if the program you're running messes your system.

        Spot on!! This totally absolves MS of any responsibility. This allows every idiot who thinks they have a clue to totally screw up their system and then make that call to one of us. I'm getting old and cranky and want to tell users (and friends and relatives) "you screwed it up.... you unscrew it."

    2. Chika

      > You don't get linux people saying "Oh my God Sudo is a pain in the ass! It's just here to annoy me!".

      Maybe. Maybe not. Actually I find sudo to be a pain in the arse but then it doesn't annoy the hell out of me. Instead I use su when I need it and make damn sure that I don't log in as an admin under normal usage circumstances, something that (as I said above) can be done in Windows but is ignored, especially by home users, when they buy or install a system. This isn't new to Windows 10, nor Windows Vista, nor even to Windows 95.

      > Just saw this so sorry for the edit,

      No problem!

      > you know who seems most guilty of this? MICROSOFT! I haven't really come across any third party software that refuses to UAC into admin that I can remember, but there's a few things you can't do through MS's own fancy "modern" interface without actually logging in as admin. So yeah I suppose they shoot themselves in the foot with that one.

      Heh! I've seen some third party software that does this though I suspect that it is possibly because they include certain bits of Microsoft code that they do it! But yes, Microsoft are rather adept at ascending chicken syndrome.

    3. Richard Plinston

      > Yes I realise that default UAC settings aren't the most secure,

      UAC wasn't created to help security, it was designed to deflect blame. Install some malware after a UAC then it is not Microsoft's fault, it is the user's.

    4. Anonymous Coward

      There are several post-market enterprise solutions doing much better implementations around UAC (Avecto, AppSense et al). Mainly around allowing definitive whitelisting and blacklisting of what can and cannot be elevated, when it can be elevated, by whom, whether they need to justify that directly, or whether it happens automatically. Problem is they are usually using mini-filter drivers to implement it rather than it being a part of the UAC sub-system. Even throwing in the idea of trusted ownership- that a file that has not been downloaded/copied/created by someone without appropriate credentials- will stop it from even executing.

      Microsoft could do a lot here- they could either acquire, or just copy the concept and bake it in directly. Heck- sudo could do with some of those concepts baked in- it's far from a perfect ideal of security, loads of places where a well-meaning admin can make a fatal mistake.

  9. Anonymous Coward

    Google security

    ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha .

    Oh, btw, $72billion revenue from giving away stuff to the unwashed masses for free, don't bother your little heads with it though, ooh a cat video......

    1. Forget It
      Happy

      Re: Google security

      The Cheshire Cat didn't laugh (ha ha ...).

      It just smiled.

      :-)

  10. g00se
    FAIL

    Roger Irrelevant

    Funny - discussing the security of Windows 10 now seems to be a bit like talking about how strong the deckchairs are on the Titanic ...

    1. Anonymous Coward

      Re: Roger Irrelevant

      True, but they don't float, do they?

    2. Chika

      Re: Roger Irrelevant

      > Funny - discussing the security of Windows 10 now seems to be a bit like talking about how strong the deckchairs are on the Titanic ...

      The one thing that I've noticed about this thread is that it's less about W10's security problems and more about Windows security problems overall and how W10 has failed, more or less, to address these problems. More like comparing the strength of the deckchairs on the Titanic to those on the Lusitania...

  11. Anonymous Coward

    If one service gets split into two and properly isolated then that is surely better?

    1. Michael Wojcik Silver badge

      > If one service gets split into two and properly isolated then that is surely better?

      "Surely" is too strong - this could certainly be done in a way that adds new vulnerabilities, for example by introducing a vulnerable communications channel between the new services.

      But your broader point, which I take to be that the count of running services doesn't tell us jack shit about the attack surface, is spot on. If Microsoft combined all those services into a single giant one (you might call it "systemd"), that wouldn't reduce the attack surface at all. In fact it'd make it more cumbersome for a system administrator to pare down the surface by disabling services.

      Process or service count is a lazy, pointless metric, and Forshaw should be ashamed of using it. Alas, we can't expect Reg article writers to apply a bit of critical thinking when reporting this stuff.

  12. Anonymous Coward

    Expecting anything better from Microsucks is foolish

    Microsucks is incompetent and apathetic. Yes they've heard about security and they hope someone with a clue on security eventually becomes employed by Microsucks.

    1. Michael Wojcik Silver badge

      Re: Expecting anything better from Microsucks is foolish

      Recess is over. Back to the classroom, you little scamp.

  13. RealFred

    Has he had a look at Android security lately? Pot meets kettle

    1. Anonymous Coward

      How many malware infested tablets/phones have you had to clean?

  14. Anonymous Coward

    No drop in malware infested windows PCs here

    10 seems as bad as ever. Users are as stupid as ever. Been to 4 this week, along with just as many botched upgrades.

    Bizarrely the press would have me believe android was just as bad, however yet to see a single Android device ever to have a malware problem.
