Apple's Unlikely Security Mentor: Microsoft

snydeq writes "Apple has much to learn about securing an operating system, and it could learn how from Microsoft, Roger Grimes writes in the wake of further evidence that Macs are more vulnerable to attack than Windows machines. 'It's taken Microsoft 10 years to turn security from a weakness into a strength. Apple can use the lessons learned by Microsoft to manage a quick turnaround. Apple has already hired one of Microsoft's former security leaders, Window Snyder, and it has adopted a modified form of Microsoft's Security Development Lifecycle programming practices. Apple has the benefit of seeing how Microsoft fixed its past mistakes.'"

Apple just doing what MS has done for years

[Registered Coward v2]

MS is the typical fast followers - let someone else test the market; then jump in and take advantage of the new market while learning from the pioneer's mistakes. then push big to capture the market and crowd everyone else out. Once you're in you can expand and improve your product. It's been pretty effective for them over the years.

Meanwhile

[CharlyFoxtrot]

Meanwhile actual hackers, like the guys who won the Pwn2own contests by beating OSX security, now say OSX Lion is more secure than Windows [macnn.com] (even though they previously freely admitted Snow Leopard was trailing Windows' [macobserver.com] latest offering in that department.)

"Both Miller and his co-author in the book The Mac Hacker's Handbook, Dino Dai Zovi of Trail of Bits said that from a security perspective, Snow Leopard was little better on Leopard, but that Lion is a "significant improvement." Zovi describes the level of security in Lion as "Windows 7 plus plus." Apple hired the inventor of the BitFrost security system for OLPC, Ivan Krstic, two years ago in an effort to beef up core OS security. Krstic's methods in BitFrost mirror closely what has now been implemented in Lion."

Re:

[goombah99]

sigh... windows security was highly compromised by a few very simple things. It encouraged users to be Admins by making simple tasks require admin, its registry required modifying system resource handles by untrusted apps, and it had no way to tag files as tainted after a download to warn users when they opened them.

Then the access controls that were implemented swung the pendulum too far too early. Unix permissions on a mac are useful while not being terribly difficult to maintain. The OS will take ca

Re:

[PickyH3D]

Because for every "big new hope" security feature that you described, except default sandboxing for all (it has been in IE for awhile), Microsoft brought into Windows starting with XP Service Pack 2, which came out in 2004.

Re:

[0123456]

Because for every "big new hope" security feature that you described, except default sandboxing for all (it has been in IE for awhile), Microsoft brought into Windows starting with XP Service Pack 2, which came out in 2004.

I presume that's their point? They're beneficial, but can't fix Windows' poor design and decades of backwards compatible security holes.

Re:

[LordLimecat]

Complex ACLs have been around since the inception of NTFS, and remain better than most other commonly used FS ACL options (someone is likely to make a fool out of me with such a broad statement, but oh well).

Re:

[AmiMoJo]

[Windows] encouraged users to be Admins by making simple tasks require admin, its registry required modifying system resource handles by untrusted apps, and it had no way to tag files as tainted after a download to warn users when they opened them.

...

I dont' see why anyone would think that Apple is a follower of MS.

Because IE6 introduced tagging files as downloaded so you get a warning when you open them. Vista defaults new users to non-admin accounts and even on admin accounts runs apps at user privilege level and asks for the admin password as required. It also had built in sandboxing (IE7 used it) and virtualised both the filesystem and the registry, on top of tightening up ACLs.

Apple has been introducing similar changes at a later time, which is the definition of "following". Not necessarily "copying" or "catch

Re:

[farrellj]

These people are definitely better informed about the internals of the operating systems in question. Too many security "experts" simply know now to read books and articles written by other security "experts", and a number of them are paid shrills for various operating system owners. If someone can Pwn your system, then go and tell you both how and why they were able to do it, I would trust their opinion more than someone who is a talking head at some Magazine, Website or TV program!

Re:

[Baseclass]

paid shrills

I wasn't aware there was a market for such a thing.

Re:

[farrellj]

There are many place where you can sign up to do "reviews" and/or run blogs that are actually supported by various companies. A person I know makes a living doing this. Similarly, publishers and authors use promo companies that will go and write good reviews for their books on Amazon, and bad reviews of their competitors...

ttyl
        Farrell

Re:

[sessamoid]

There are many place where you can sign up to do "reviews" and/or run blogs that are actually supported by various companies. A person I know makes a living doing this. Similarly, publishers and authors use promo companies that will go and write good reviews for their books on Amazon, and bad reviews of their competitors...

ttyl Farrell

You're missing the point of his post. The point is that you used the wrong word. The word you want is "shills", not "shrills".

Re:

[grcumb]

paid shrills

I wasn't aware there was a market for such a thing.

Come on! You mean you've never heard of the Sopranos?!?

Re:Meanwhile

[jimicus]

IMV, Apple products/features over the course of the last 5-8 years follow a fairly straightforward model which can be broken down into a few steps.

1. Release Not-Terribly-Shiny Version 1.0. It may not be the most sophisticated in the world, it may have a whole heap of issues. But it will be released. The rest of the world says "ho-hum". It probably won't sell spectacularly, but it won't be an abject failure. (See also: First generation iPod. First generation iPhone. OS X when first released.)
2. Release Shiny Version n+1. It fixes most of the issues of the previous version. Technologically it's unusual for it to do anything new, anything that the competition doesn't already do. But what it does it executes with so much style, so much polish that the rest of the industry is left looking rather pathetic and scrabbling to catch up. It sells spectacularly. (See also iPhone 3G)
3. Apple will rest on its laurels. There will be updates to their products, but by and large they'll be relatively minor increments rather than ground-breaking "my God that's amazing" ideas. These will be released as Shiny Version 3.0 and 4.0. (See also iPhone 3GS, OS X versions 10.3-10.4).
4. The rest of the industry will catch up. Products will appear that compete with Apple's equivalent on features, price and polish. Then, just as people are starting to seriously question Apple and wonder what they're doing...
5. Repeat steps 2-4.

If I'm right, the iPhone 5 won't be a huge breakthrough over the iPhone 4. It may have a few tweaks here and there, but it won't be "Steve, take me now!" fantastic. The iPhone 6, however, will probably be leaps and bounds ahead of the 5.

Re:

[timster]

Yeah but, on the other hand, talking to hackers, even information security experts, isn't really good enough. There are too many opinions out there and not enough facts.

The first problem is that we don't have any sort of useful objective metric to compare the security of various operating systems. "Number of vulnerabilities found" is unfair to the popular ones. "Severity of the worst vulnerability found" is useless because everyone has remote root exploits found from time to time.

And even an objective metri

Re:

[LordLimecat]

OSX Lion is also a whopping 3 weeks old, while Win7 is 2 years old. Want to bet that when Windows 8 comes out, it will be more secure than OSX Lion?

Regardless, you and I both know that when the next Pwn2Own comes along, the Probook is going down first. Where the money is, there will be the exploits.

Re:

[CharlyFoxtrot]

OSX Lion is also a whopping 3 weeks old, while Win7 is 2 years old. Want to bet that when Windows 8 comes out, it will be more secure than OSX Lion?

Regardless, you and I both know that when the next Pwn2Own comes along, the Probook is going down first. Where the money is, there will be the exploits.

Sure I hope every OS that comes out after Lion will be even more secure, I wouldn't mind a security arms race. I was just pointing out that Apple has (privately at least) acknowledged some of its shortcomings and is taking steps.

The next Pwn2own will certainly be interesting as the traditional attack vector, Safari, has had a lot of work done under the hood. Can't wait to see what they'll come up with.

what has Snyder achieved?

[Hazel Bergeron]

There are lots of "security professionals" who actually have very little technical knowledge, let alone technical knowledge specific to security.

Having vague ideas on a process doesn't mean having to hire a particular person.

What's actually going on here, Apple?

Re:

[synthesizerpatel]

I first met Window about 12 years ago, she was sharp and capable when it came to security. I doubt much has changed. In terms of achievement, not every achievement ends up being a big publicized event where implementors are handed plaques to commemorate the occasion. Security is a boring and incremental effort when you're trying to improve process.

So, I guess I'm a little biased with the (weak) personal connection, but don't hate just because you don't know who she is or what she's done.

Re:

[Hazel Bergeron]

It was supposed to be an expression of skepticism, not hate.

Not unlikely at all

[Anonymous Coward]

Most security professionals (and even famous hackers, like pwn2own winners) today acknowledge that Microsoft security development practices are very good, and so are their latest OS. Everbody who has not devolved into pure fanboism understands that this can be the case even if they still have a higher volume of issues than Mac have for now.

Re:

[bberens]

It takes a long time for "common knowledge" to change. Take for example American cars. Whether you think they're on par or not they have made a lot of progress in catching up with foreign manufacturers but are still largely considered inferior products.

Re:

[stewbacca]

That's because we Americans are cheap and actually prefer inferior cars to better ones because they are generally cheaper.

I'd love to buy an American car if they'd just make one that isn't engineered with bottom line choices taking priority over the choice to make a nice vehicle (even if it costs a little more to do so).

Security is a *strength* for MS? Really!? Who knew

[GSloop]

'It's taken Microsoft 10 years to turn security from a weakness into a strength"

Really? A strength? Seriously?

Is that why we got the ping of death back in Vista/Win7/2008 because of a forked TCP stack?....
Because Security is a "Strength" for Microsoft?

Honestly, while security *may* be better [and I'm not sure that's true] at MS, it certainly IS NOT a strength of theirs.

If that's the view of the moron who wrote this - I'll trust everything else written with the same level of massive skepticism. [i.e. It's clear a moron wrote this - so I'll trust everything else in here just as much as I'd trust any other moron.]

Re:

[PhrostyMcByte]

Really? A strength? Seriously? Is that why we got the ping of death back in Vista/Win7/2008 because of a forked TCP stack?.... Because Security is a "Strength" for Microsoft?

You'll notice a great majority of the exploits are found in old code. They've got quite rigorous security practices now, and their new code is benefiting greatly from it. I don't know if I'd say security is a strength of their products right now, as there's plenty of old code left to exploit. But they're certainly on the path to get there.

Re:

[GSloop]

Pardon me if I'm not overwhelmed.

MS: "Yeah, your home is like Fort Knox - no one will break in through the new stuff we built. Mumble mumble mumble"
Me: "What was that mumbling?"
MS: "Well, everything is really secure, except the old stuff - like, you know, the doors and windows. That's old stuff. You can't hold us responsible, even if we built it. Only the new stuff matters and it's like a rock! No one will break in through the roof or walls!"
Me: "Ah, yeah - I feel so much better already!"

Sheesh.

If the new s

sounds like doublespeak

[v1]

It's taken Microsoft 10 years to turn security from a weakness into a strength

The only thing "strong" about windows security is the botnets that grow to 100,000 computers strong

Until MS expunges the litany of windows-running botnets from my inbox I'm not buying that BS. If they can take down the botnets, I'll acknowledge they've taken security seriously from a consumer protection standpoint. They can trot around the ring all day long yelling "We're tough on security now!" and I'll sit back with an "I'll believe it when I see some results" attitude. Put up or shut up. Ya I know, fat chance, but that's my opinion on it.

Re:

[VGPowerlord]

And, of course, they have a program you can add to Windows (but can't ship with Windows for antitrust reasons (thanks Symantec!)) called Microsoft Security Essentials [microsoft.com] to actually help protect against user stupidity,

does this mean...

[roc97007]

...that now every new version of OSX will run slower and slower?

Weird

[iluvcapra]

I really can't think of two companies that approach the problem from such different directions:

• Apple has a very top-down developer/third party attitude about its relationship with developers. It loves them and everything, but they take the interpretation of their developer documentation very seriously, they don't give product or platform roadmaps, and they will change, deprecate and remove APIs such as their wont. To Apple, the computer buyer is the customer, and the developers are a sort of collateral operation. Microsoft sees developers as their main customers, and go to extraordinary lengths to make sure that if a program ran under some version of Windows, it will always run without the developer having to update -- if it runs once, Microsoft considers that a contract. This makes the platform much more stable and predictable but allows all sorts of bad behavior to go uncorrected.
• Apple leverages lots of open source projects to provide the middleware on their platform; granted they sometimes leverage quite old versions of open source projects. Microsoft is committed to in-house development of the complete system -- you'd never see Microsoft ship OpenSSH, KHTML, or a Ruby interpreter with their operating system, they're much more apt to ship their own tools to accomplish the same things, with all the benefit and risk that entails.
• Microsoft is committed to the PC as a platform for computing, and differentiating the "power" of a Real Computer to things like mobile devices or appliances, so they don't countenance things like sandboxes, curated app stores, the principle of least privilege -- they're much more deferential to developers. Apple is happy to impose much tighter restrictions system-level restrictions (in Lion, apps aren't even allowed to traverse the filesystem directly anymore, all of this happens outside the apps address space), and Apple is much less grandiose and much more practical about designing programming environments.
• Apple sees the ultimate security of the system as the vendor's responsibility. Microsoft sees the ultimate security of the system as the user's responsibility. Pick your poison.

Obvious point here

[1s44c]

'It's taken Microsoft 10 years to turn security from a weakness into a strength.

Microsoft security isn't a strength, it's mediocre at best. This statement is just blatantly false.

Apple have problems but they are fixable because they started with a solid proven design, UNIX. Microsoft never had that advantage.

Obvious? Not so much

[benjymouse]

... because they started with a solid proven design, UNIX. Microsoft never had that advantage.

Yeah, good UNIX proven design

Like setuid servers (not!) where even simple bugs allow an attacker direct root access

Like the hopelessly inadequate me-us-world security coarse-grained security which requires proper ACLs to be bolted on top.

Like you cannot set up proper inheritance of security from parent folder, leading admins to design strange processes to wake up and chmod files.

Like the almighty root to rule them all. No separation of duties there. (Windows has proper separation of duties based on privileges. Even admin does not own all privileges, for instance the admin *cannot* write to or clear the security log).

Like the UNIX idea of a "token" which are just UIDs hard-wired to user accounts. (Windows has *real* process tokens which can be manipulated per process, e.g. stripping certain privileges from a process even if it runs under an admin account).

Windows security design is not perfect, but it is a god deal better designed and more capable than the "UNIX proven design". Why do you think SELinux was developed by the NSA? Because Linux with its "proven design" was woefully inadequate for government work - a task for which Windows is certified but only few Linuxes - those with SELinux).

We keep hearing about this "superior" Unix security design. But it is always referred to in the abstract with no details. Maybe it is some magical fairy or Apple dust?

Yes, a good admin can lock down a Linux with apparmor or SELinux pretty tight. Both apparmor and SELinus are solutions which compensates for the initial inadequate design.

Re:

[yuhong]

Yea, this myth is old, and I am surprised that people continue to spread it today, even though MS had not release any DOS-based Windows versions since 2001.

Yes MS would be a great security retsaM

[140Mandak262Jamuna]

restaM is a security teacher. restaM is Master written backwards. To learn from a restaM you do everything the opposite way. If they do A you do !A. If they advice you to do B you do !B. This is how Apple can learn from Microsoft the security lessons. oops sorry. snossel !

It figures

[Trogre]

Given that Apple have now revealed themselves to be every bit as evil as Microsoft (as opposed to just wanna-be evil, as the more perceptive of you will have known for at least the past decade) it's not surprising that these two scum-infested megacorps are now talking.

Re:

[gubers33]

Apple is still on safe due to obscurity, the corporate world almost strictly uses MS, while Apple has grown its user base in recent years, they have not touched the corporate market. Anyone will attempt to go after corporate before personal users because the reward is greater. MacOS is still the most vulnerable OS on the market. Yes, you can lock it down changing a lot of settings, but you can do additional configuring on Linux and Windows machines. MacOS doesn't lose Pwn2Own the quickest every year for no

Re:

[BasilBrush]

Yes, you can lock it down changing a lot of settings, but you can do additional configuring on Linux and Windows machines. MacOS doesn't lose Pwn2Own the quickest every year for no reason.

Well in part because Pwn2Own doesn't test Linux.

No, really they don't. Check it out:
http://en.wikipedia.org/wiki/Pwn2own [wikipedia.org]

Re:

[gubers33]

True, I forgot they don't do Ubuntu anymore. However, in the phone part of the contest, Android is a Linux based OS.

Re:

[similar_name]

From your link

In the 2008 contest, a successful exploit of Safari caused Mac OS X to be the first OS to fall in a hacking competition. Participants competed to find a way to read the contents of a file located on the user's desktop, in one of three operating systems: Mac OS X Leopard, Windows Vista SP1, and Ubuntu 7.10 . On the second day of the contest, when the rules were loosened and allowed attack surfaces expanded to include Web browsers, Charlie Miller compromised Mac OS X through an unpatched vulnerability of the PCRE library used by Safari.[4] Miller had been aware of the flaw prior to the beginning of the conference and worked to exploit it unannounced.[4] The exploited vulnerability was patched in Safari 3.1.1, among other flaws.[7] At the end of the contest, only the Ubuntu system remained unexploited.

But yeah, that's the only reference to Linux I saw. Emphasis mine.

Re:

[Daniel Dvorkin]

Three years ago is forever in security terms. "Pwn2Own doesn't test Linux," in present tense, is a true statement; and knowing the relative vulnerability of Leopard, Vista, and Ubuntu 7 tells you next to nothing about how Lion, Windows 7, and Ubuntu 11 stack up against each other today.

Re:

[next_ghost]

Actually, the last time Ubuntu was in Pwn2Own (2008), it was the only system that didn't get pwned. Oh, and see those Androids listed under Mobile Phones? That's Linux too. (Cue flame about Android not being Linux...)

Re:

[ceoyoyo]

"Anyone will attempt to go after corporate before personal users because the reward is greater."

What? Most infections are aimed at creating bot nets and the payoff is WAY higher outside of corporations. They usually monitor traffic and are pretty good at cleaning up infected machines. Home users? Not so much.

Marketshare was a reasonable argument when Apple had 2% and shrinking. Now that they've got 10%+ and growing, it doesn't hold so much water. Not to mention that Darwin runs zillions of iPads and i

Re:

[gubers33]

For malware, yes it is better to target a home user. For exploiting a machine to gain access to their network and steal information, corporate. Not all exploits are malware related.

Re:

[shmlco]

From Ars, "In Lion, the sandbox security model has been greatly enhanced, and Apple is finally promoting it for use by third-party applications. A sandboxed application must now include a list of "entitlements" describing exactly what resources it needs in order to do its job."

Then there's privilege separation, which breaks up a complex application into individual processes, each of which requires only the few entitlements necessary to perform a specific subset of the application's total capabilities. Video

Re:

[VGPowerlord]

From Ars, "In Lion, the sandbox security model has been greatly enhanced, and Apple is finally promoting it for use by third-party applications. A sandboxed application must now include a list of "entitlements" describing exactly what resources it needs in order to do its job."

Then there's privilege separation, which breaks up a complex application into individual processes, each of which requires only the few entitlements necessary to perform a specific subset of the application's total capabilities. Video decoding, PDF decoding, and HTML decoding are already handled this way in Lion. (Not to mention sandboxing Flash into it's own tiny little world.)

Windows doesn't have such fine-grained security controls (as least not to my knowledge), but there is a public API that a process can use to lower its privileges. IE is actually one of the programs that uses it.

The problem is, most programs (including things like Firefox) don't use this lower privilege mode.

Re:

[Kalriath]

There'll be a giant shitstorm coming in November too, since word is that Apple is declaring sandboxing as mandatory, which will destroy entire swathes of application categories.

Also, Chrome also runs Low Integrity in Windows 7. Sadly, Opera and Firefox both run in Medium integrity. You can still use ICACLS to drop the integrity level if you feel like it though.

Re:

[Mongoose Disciple]

Corporate vs home? Are you nuts? Home computers are much more likely to have credit card numbers and passwords and back account numbers floating around.

Uh.

If you hack some home user's computer, you may get A credit card number.

If you managed to hack one of the financial services companies I've worked at, you'd get more of them in one score than you'd ever need.

Some of those companies did security updates at a glacial pace, incidentally. At one, seeing e-mail viruses going around was hardly uncommon.

Even many small businesses will have hundreds if not thousands. They shouldn't be storing that information, you say? Well, people shouldn't install Bonzi Bud

Re:

[Daniel Dvorkin]

Wow. Thanks for proving why it's impossible to have a rational discussion about the relative security of different OS's.

Re:

[show me altoids]

It's a she, and her real name is Mwende.

Re:

[rubycodez]

hey, celebrity's moms aren't fair game, leave Blooscreena out of this.

Re:

[gubers33]

I think it is pretty bad ass honestly. Apple better counter and hire some guy named Lion.

Re:

[rubycodez]

almost, it's Löwe.

Leon is french for lion.

Re:

[rubycodez]

The french took the latin leo for lion and made names Léon and Léo

Re:

[cashman73]

Well, if he's going to be named after a Microsoft product, at least, for the most part, Windows is generally successful. Apple never would've hired him if he was named after Microsoft Bob,. . . We all know that Bobs don't make good consultants [imdb.com],. . .

A brilliant observation since

[Kupfernigk]

Her first name is actually Mwende

Wow

[ArundelCastle]

People automatically assume it's a guy? That's chauvinistic.
Also, she has been head of security at Mozilla. I guess the summary didn't want to throw a third party into the debate.
http://www.usatoday.com/tech/news/computersecurity/2008-06-17-mozilla-window-snyder_N.htm [usatoday.com]

Re:

[Zaiff Urgulbunger]

I only skimmed the summary and was trying to figure out how Roger Grimes could be the name of an OS.

Re:

[Talderas]

I certainly can't believe that Microsoft had a security leader named "Window".

Re:

[arbiter1]

Look at MS as been aggressive at fixing things since XP, even providing free security software. Also look at end users MS has been for most part educating end users that they have to do preventive measures to keep their computers safe. Mac users generally think their OS is safe right outta the fox. I know i will be called a troll for saying this but its a fact and Leo Laporte for people who know who that is pretty much said that and yes he uses mac most the time.

Re:

[donaldm]

No Operating System is secure right out of the box. At least with Linix/Unix there is a huge difference between the System admin and an ordinary user and it is fairly common for most people who use *nix (this include Apple's OS) to login as a normal user. Were MS Windows differ's is the fact that most people grant themselves System admin privilege right out of the box and that makes a MS Windows OS less secure then a *nix OS. Any user who is logged into a *nix machine as a system admin for non system admin

Re:

[kakyoin01]

Considering the phenomenal market share Windows holds in the computer usage domain, no doubt there will be problems. Regardless of whether or not the Windows security model you speak of is broken or not, Its security problems are there for Apple to observe.

Re:

[Alex Belits]

Considering the phenomenal market share Windows holds in the computer usage domain, no doubt there will be problems.

NO.

Ex: Apache, the most popular and very secure web server.

Regardless of whether or not the Windows security model you speak of is broken or not, Its security problems are there for Apple to observe.

There is nothing to learn there. Windows "security" consist of kludges built on top of unworkable model -- it's best when it is least consistent. Apple just has to consistently use security model it already has.

Re:

[shutdown -p now]

Ex: Apache, the most popular and very secure web server.

Ironically, Apache is, in fact, a very good example proving GP's point, since it has more known exploits [slashdot.org] than the less-popular IIS.

Re:

[man_of_mr_e]

Really? Care to prove that? Didn't think so. I'll do you the favor and show the real statistics.

IIS 6 has had 11 advisories in 8 years. Of which, none were Extremely critical, most of which are not exploitable by default, and require specific services to be enabled.

http://secunia.com/advisories/product/1438/?task=statistics [secunia.com]

IIS 7.x has had 6 advisories in 4 years. Of which, none were Extremely critical, most of which are not exploitable by default, and require specific services to be enabled.

http://secu [secunia.com]

Re:

[MobileTatsu-NJG]

Ex: Apache, the most popular and very secure web server.

Apples != oranges, people don't sit in front of Apache all day who can be tricked into making exploits available.

Re:

[Kalriath]

Apache. 22 Advisories, comprising 40 Vulnerabilities. 2 Unpatched [secunia.com].
IIS. 6 Advisories, comprising 6 Vulnerabilities. 0 Unpatched [secunia.com]. To be fair to Apache, which has been stuck at 2.2.x for some time, I'll even merge IIS 6 [secunia.com] with IIS 7. That makes it...

IIS. 17 Advisories, comprising 17 Vulnerabilities. 1 Unpatched. Apache still loses, especially considering Apache 2.2.0 is actually 3 years newer than IIS 6.

Re:

[man_of_mr_e]

Apache is not the most popular web server in the way you suggest. More websites are hosted on Apache than anything else, but that doesn't translate to more apache servers than anything else. Windows web servers tend to be run by corporations, and as such tend to have only a small number of sites on them. Apache tends to be run by ISP's, and other hosting companies who put large numbers of sites on them.

Website != server

By the way, Apache runs on Windows as well. And it's used quite a bit actually, parti

Re:

[CheerfulMacFanboy]

http://www.zone-h.org/news/id/4737 [zone-h.org]

Re:

[Goaway]

Broken how?

Re:

[0123456]

Broken how?

For a start:

"Application Helly Kitty Screen Saver wants to: Do crap you don't understand"

Do you press 'OK' or 'Cancel'? (Or whatever buttons Windows puts up in the UAC box, I haven't used it in months)

Re:

[Gadget_Guy]

So what should Helly (sic) Kitty Screen Saver do as an alternative then? I suppose it could split up the program into two separate processes running with different credentials, just like other programs do to avoid UACs.

But how is some badly written third party software a symptom of a broken security model?

Re:

[0123456]

But how is some badly written third party software a symptom of a broken security model?

Because Microsoft has encouraged such behaviour in the past ('sure, feel free to write any old crap in the program files tree'), and now continues to support it so as not to break those badly written applications.

And because UAC messages are absolutely useless in most cases. The most common one seems to be 'Access Hard Disk'. What does that mean? Is it trying to write a config file to its own directory or install a rootkit? How am I supposed to tell?

Re:

[Gadget_Guy]

Because Microsoft has encouraged such behaviour in the past ('sure, feel free to write any old crap in the program files tree') and now continues to support it so as not to break those badly written applications.

That is incorrect. To get Windows certification you had to save your settings under the user's profile. Doing this lets software run under limited user accounts and allowed for roaming profiles so users could login on any workstation and have their configuration follow them.

Since Windows NT 3.1, Microsoft have proper permissions system so you did not have to run as Administrator. In all the API documentation they told developers what they had to do to work correctly. Unfortunately because Windows 9x was the

Re:

[yuhong]

Since Windows NT 3.1, Microsoft have proper permissions system so you did not have to run as Administrator. In all the API documentation they told developers what they had to do to work correctly. Unfortunately because Windows 9x was the more popular OS developers could ignore Microsoft's pleas.

Even though NT 3.1 was released before Windows 95!

Re:

[oji-sama]

Never seen an "Access Hard disk" prompt. Then again, I skipped Vista completely. Almost changed to using Ubuntu on my desktop, but then I actually enjoyed using 7. Now using OpenSUSE in a virtual machine for my Linux needs.

Re:

[gumbi west]

yeah, it should totally say, "the software: foo wants to install a rootkit. If you do this, your system will be fubar."

Re:

[Kalriath]

UAC doesn't automatically pop up in response to the program trying to do something. UAC pops up because the program specifically told Windows "I need to elevate" - there's no facility for it to tell Windows WHY. Perhaps there should be, but that's why it can't do it now.

Re:

[Alex Belits]

There should never be such a question in the first place. If "Deny" is not the only possible answer, security model is broken.

Please note that Microsoft imitated Unix/Linux sudo (and PolicyKit) prompt, that serves a completely different purpose there -- ask a user to confirm that he really intends to perform a system administration task. Untrusted software can't trigger those things in the first place.

Re:

[Gadget_Guy]

There should never be such a question in the first place. If "Deny" is not the only possible answer, security model is broken.

I disagree. Any security model that makes things that hard to use would fail in the broader community because people would just turn it off. Look at how many people disabled UACs now because they seemed annoying. Imagine how many people would just run as Administrator all the time if it seemed impossible (and not merely annoying) to use all your old software under your proposed security model.

Actually, you do not have to imagine. You just need to look at Windows 2000 or XP for that exact user experience. Ho

Re:

[Gadget_Guy]

That's because you do not understand how computer and network security works.

No, you are just a rabid Microsoft basher who can't comprehend doing something in a way that you are not used to. But feel feel free to address any of the points that I raised.

Re:

[stewbacca]

This is an example of how OS X is inherently superior to Windows for security, without even arguing the technical underpinnings.

Windows developers can't even write a dialog box that doesn't confuse the user (and Microsoft does nothing to help them conform, like Apple does). It's all downhill from there.

Re:

[Vancorps]

Uhhh... Windows does require them to enter their password unless you're logged in with an admin account.

Re:

[next_ghost]

Let's see... The NT family of Windows has full security infrastructure based on user accounts and access privileges. However, that security infrastructure was completely turned off by default when Microsoft decided to merge the WinDOS family into Windows XP so that you could run legacy WinDOS software and software written by idiots without any additional setup. And now, starting with Vista, we've got yet another security infrustructure built on top of the first one which is supposed to emulate access restri

Re:

[shutdown -p now]

And now, starting with Vista, we've got yet another security infrustructure built on top of the first one which is supposed to emulate access restrictions inside otherwise unrestricted administrator account

You're confused. That is not how UAC works, at all. The underlying security system is the same that has always been in NT OS family - changed are the defaults (no longer root by default), and UAC is really nothing more than sudo.

Re:

[jcupitt65]

UAC is not much like sudo since it is not a security feature. It is not supposed to stop bad software doing bad things (since it can't, it's trivial to bypass), it's supposed to let users know that good software is doing system-level things.

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html [pretentiousname.com]

If you have a separate admin account UAC does work more like sudo. But that's not the default, sadly.

Re:

[shutdown -p now]

UAC is a security feature. The article you have linked to describes the consequences of a bad (insecure) default configuration of said feature. UAC will still be active and do checks and elevate processes as required - it will just use the whitelist to suppress elevation prompts for specific processes. But process security still remains in full force, it's not all smoke and mirrors.

Even the article itself correctly states that, if you move the UAC slider to its highest setting (which is what it was in Vista

Re:

[jcupitt65]

Mark Russinovich says UAC is not a security feature:

http://www.networkworld.com/news/2007/021407-microsoft-uac-not-a-security.html [networkworld.com]

The whitelist trick is just one of many mostly unfixable holes in Windows that make win7 UAC in default mode trivial to bypass. As you say, pushing the slider to maximum gets you Vista-level security: better but still not secure. You need a separate admin account to get something close to sudo.

As vendors make their software more UAC friendly, MS will eventually be able to

Re:

[shutdown -p now]

Can you give an example of how to circumvent UAC with slider on maximum and an "admin" account? (i.e. no password entered in UAC prompt, just OK/Cancel).

The reason why sudo asks for a password (even for user's password, like in Ubuntu by default) is to prevent input injection attacks. UAC doesn't do that because it relies on an OS mechanism to prevent input injection (isolated desktop). I'm not aware of any known ways to exploit this. Hence I'm claiming that UAC in this mode is exactly as secure as sudo is

Re:

[jcupitt65]

The elevations people usually cite involve cases where things can be written by an unprivileged process which are then used by an elevated process. For example, there are various registry keys which a low-priv process can write which are executed by an elevating command prompt. The Ubuntu equivalent would be appending "alias sudo /my/sneaky/attack" to someone's .bashrc. Though this Windows once is a little worse since you can't (as far as I know) as a user inject things into gtk-sudo, which would be the mai

Re:

[yuhong]

And NT never supported completely turning off it's security infrastructure, let along did so by default (sure, there was the Administrator default that made it mostly ineffective, but that has been always the case in the NT family before and never was new).

Re:

[next_ghost]

Well, what do you call forcing the user to always work with administrator privileges because Microsoft didn't have balls to stand up to idiot developers 10 years ago? I call it throwing the whole security infrastructure out of the window.

Re:

[Vancorps]

WTF? This is not a Windows default, never has been in the past and certainly isn't now. I'm not sure why any Administrator would do that.

Re:

[next_ghost]

"Mostly fixed"? Excuse me, but which company just recently made a big ugly hack to at least partially patch the huge security hole caused by stupidity of third-party software vendors whose software without any good reason requires administrator privileges to run?

Re:

[next_ghost]

Exploitable bugs are one thing. Building complete security infrastructure and then basically throwing it out the window and building another much weaker and completely superfluous one on top of it is quite another.

Re:

[MobileTatsu-NJG]

Apple currently has major security problems that will only grow if their OS gains more market share.

Small pointless nitpick: You mean 'installed base', not 'market share'.

Re:

[1s44c]

Comment away, maybe that'll make Linux relevant on desktops.

Ubuntu works better than windows on desktops. It's more secure, it's free, doesn't need a virus scanner because it's designed properly, and it comes with bucket loads of great software at no extra charge.

But if you like expensive, slow, and bug ridden OS's that team with viruses feel free to use windows. It's totally up to you.

Re:

[1s44c]

There is a typo in the summary and here is the correction:

  "It's taken Microsoft 100 years to turn security from a weakness into a strength and it is still not as good as Unix."

The important part being it's not as good as _ANY_ Unix, free or non-free.

I think the writer meant 'shambles' but spelled it wrong and it somehow it got spell checked to 'strength'.

Re:

[the linux geek]

And Unix still isn't as good on security as mainframe platforms from IBM or Unisys. Your point?

New?

[dbIII]

Buffer overflow was a 1960s problem.
The software industry in general has a very short attention span but Microsoft really dropped the ball on that and many others where they could learn from the mistakes of the past. People are generally pissed off when they see something for sale that obviously has very little in the way of QC and large flaws in the design. The Zune leap year bug is another example of not taking the time to test for the completely and utterly fucking obvious.
People shake their heads beca

Re:

[CheerfulMacFanboy]

Buffer overflow was a 1960s problem.

http://www.google.com/search?hl=en&q=linux+kernel+buffer+overflow+2011 [google.com] - not even in the Linux kernel it was a problem.

Re:

[dbIII]

It's not the Matrix. We had Dick and Bush in the Whitehouse.

I think that means we're stuck in Beavis and Butthead.