Vista passes one security test
Summary: Does the multi-layered security protection in Windows Vista work? It's too early to provide a definitive answer, but Vista's handling of the zero-day VML exploit offers some encouraging news.
Does the multi-layered security protection in Windows Vista work? As I pointed out yesterday, we won't have a definitive answer to that question until months after Vista is officially released. But one current exploit offers reason to be encouraged.
Security experts are buzzing over a zero-day exploit in Internet Explorer that allows an attacker to plant spyware on your computer if you visit a webpage that contains the exploit code, which takes advantage of a vulnerability in the VML Rendering engine. There are workarounds, but so far no official patch is available from Microsoft.
But what happens if you're running Internet Explorer 7 on Windows Vista? To see for myself, I logged on as a member of the Administrators group and used IE7 to visit a test site that hosts a harmless demonstration of the exploit code (courtesy of fellow ZDNet blogger Adrian Kingsley-Hughes). Here's what happened next:
First, the page refused to load, displaying a security warning that the page is attempting to call a previously installed ActiveX control. This is the so-called ActiveX opt-in feature, designed to prevent pages from exploiting newly discovered flaws in obscure controls that had been previously assumed to be safe.

I could have stopped right there. But instead I clicked the Infobar to tell IE7 it was OK to load the control. I got another warning dialog box.

I clicked Run in response to that warning as well, and finally reached a page that triggered this dialog box, in which the third party hosting the test confirmed that the exploit had failed to execute on my machine.

Now, it's important to note that the developers of IE7 clearly had no idea that this vulnerability existed in IE6. But their development process managed to block this particular exploit right out of the box, and the additional layers of security provided important clues that this page was potentially dangerous.
The initial security warnings are hardly perfect. I've seen similar ActiveX opt-in dialog boxes for other built-in ActiveX components. How is an unsuspecting user supposed to know which one is safe and which is dangerous? And the list doesn't work on a per-site basis. If I had visited a site that legitimately used the VML control last week, before this exploit hit the news, I would probably have approved it. And once I had done that, it would have been on the safe list for good. There's no way to undo that decision, as far as I can tell. Once you tell IE7 that an installed control is OK, any site can try to use it.
Still, the cumulative effect of these changes is encouraging.
Update 22-Sep 2:15PM PDT: Dwight Silverman has a related story: "Did Windows Vista's most irritating feature save my butt?"
Talkback
Looks promising
Looks like they are working it out
these it is about time and will work for all.
Even if it was vulnerable, it would still not have access to your system
Unless, of course...
;)
Well, then you would deserve any drive-by malware you get
I'm not interested in blaming people
Can you say Darwin?
Sorta wonder what took them so long to implement this.
What are you talking about?
MLS has been there since 2003.
Oh, you mean MAC
I know all about SElinux. That thing that finally brought linux security model up to par with Windows NT. ;)
I've read quite a bit about SELinux (never used it, as I am a *BSD user) and, while it sounds very cool, there is not much that it can do that can't already be done in the Windows NT line of OSs.
Read up on SELinux (or SEBSD) and MLS.
Windows NT security is derived from DCE security, so there is nothing revolutionary about it. Windows 2000 added some features but mostly via directory services. This is a bit beyond (as in, higher level) what the SEL/SEBSD and MLS is, as it is not kernel level (LDAP is higher up the stack than kernels). Windows does not have (yet) Type Enforcement (TE) or Mandatory Access Controls (MAC) though it can do (at a primitive level) Role Based Access Control (RBAC) through Active Directory and some other aspects. This is not kernel level security, though.
Thanks
TrustedBSD (http://www.trustedbsd.org/) is what I would want if I wanted all these goodies on FreeBSD. SEBSD is only the Type Enforcement component of Trusted BSD. Not that I would want that. The need for this kind of security is not very
Yes what exactly did they copy from Linux do tell
MLS (Multi Level Security) from the NSA SE LSM.
LSM is the security architecture compromise that Linus wanted when there were many kernel level security implementations (all good in their own rights, others include RSBAC (http://directory.fsf.org/RSBAC.html)) and he wanted to allow for the user/implementor to have the option of which one to use without having to do a kernel rebuild. SELinux tends to ship with the kernel, though there are other LSM's.
Apple MacOSX is BSD based (though the kernel is Mach) and a commercial product of only 1 company (as is Windows), though there is a difference between someone who uses a desktop (Windows, MacOS, GNOME, KDE, etc.) and one who manages networks of systems.
XP had no firewall and all services enabled...
XP shipped with no firewall and all services enabled...you could pop up little message windows on *any* machine, by design!
Compared to that level of stupidity, admitting that ActiveX was a big mistake is a million years more advanced.
Sorry, you're wrong
The pop-up boxes you're talking about were delivered by the Messenger service, which was disabled by default beginning with SP2.
And "all services enabled"? A serious distortion. You can make a case that some default services in the original release of XP were enabled and shouldn't have been, and the Messenger service would be Exhibit A in that case. But your statement displays a lack of knowledge of how operating systems work.
But all you have done is show that Vista doesn't share this bug with XP.
No, not at all
One datapoint is not statistically significant.