Windows Security wrap-up: praise for Vista and a historic first
Summary: At last week's Black Hat conference, a security expert who spent time "beating up Vista" talks about Microsoft's approach to security. Microsoft falls off a top 10 list. And you should visit Windows Update now to get a new Critical update for IE.
It’s not often that you hear the words “Windows Vista” and “world-leading” in the same sentence.
So security expert Chris Paget’s ringing testimonial for Windows at last week’s Black Hat conference is newsworthy. CNET’s Seth Rosenblatt covered the talk.
Paget and her team are among the few outsiders allowed to look at Microsoft’s code. She and her team contracted for Microsoft to review the security of Windows Vista before it shipped—“beating up Vista,” she called it. The work was covered by a five-year non-disclosure agreement that just expired, allowing her to finally break her silence.
“Vista was a giant leap in the right direction,” Paget said. And she lavished praise on Microsoft’s security processes:
"'World-leading' is entirely appropriate" when discussing Microsoft's security procedures, she said at the start of her talk. "Microsoft's security process is spectacular."
That opinion is buttressed by a new list of top vulnerabilities that represents a historic first for Microsoft.
As usual, the latest quarterly report on malware from Kaspersky Lab contains a top 10 list of vulnerabilities. But the new list doesn’t include a single Microsoft product:
For the very first time in its history, the top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (Java), with seven of those 10 vulnerabilities being found in Adobe Flash Player alone.
Kaspersky says the change is directly attributable to improvements in recent versions of Windows, especially Windows 7.
Microsoft products have disappeared from this ranking due to improvements in the automatic Windows update mechanism and the growing proportion of users who have Windows 7 installed on their PCs.
Paget’s talk supplies one explanation for the improvements in Windows 7: her group was only allowed to look at new code for Vista. “Recursion looked at code kernel and the user space but was told not to look at legacy code. Microsoft didn't add legacy code vetting until Windows 7.”
This week also included the second Tuesday of August. The Patch Tuesday bounty delivered included a Critical update for Internet Explorer that fixes seven vulnerabilities. Microsoft said it “expects to see reliable exploits developed within the next 30 days,” so you probably want to visit Windows Update and make sure this one has been applied.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
I am sorry Ed. This is bait. And I'm not falling for it.
Hey wait. I think I just fell for it. Click. :/
I don't care and neither do my readers
Oh, and to everyone: PLEASE DON'T FEED THE TROLLS.
Please reread what I wrote
I use Windows, Linux, and Mac OS X.
We've been saying that to DTS for a while now.
Yet he continues to troll.
To repeat...
Ed you are correct
Ed as a dedicated Mac user, you are still right. There are always going to be people that refuse delivery of the truth.
RE: Windows Security wrap-up: praise for Vista and a historic first
As usual, you missed the point. You brought up the subject of security. And it was stated that yes, Microsoft did improve their security, but it has a long way to go, and linux/Unix was used as an example of an OS with much better security. So good in fact, that the "Pawn to Own" challenges failed to break into the Linux systems, and they no longer try linux.
You opened that door and now you want to close it after the fact. Yes, you write about Windows, but when you compare Windows with any other product, or introduce a general subject such as OS security, you better be prepared to support your arguments. Otherwise, you are one who comes off as the troll. Sounds like it is your turn to go on a diet.
You blew your own argument out of the water...
You can't argue that your readers don't care about Unix derivatives in one sentence and then in the very next sentence say they care about OS X. Sorry Ed, but that is borderline stupid, hold the "borderline".
RE: Windows Security wrap-up: praise for Vista and a historic first
Now I don't JUST use Linux, sure... I use Mac and Windows too. But I'm a reader too, and you'll notice I don't always argue with you (often we agree - it's kinda like the relationship with Dietrich).
Getting back to the actual article (rather than focusing on some mythical article you've not written [wink]), I think this is EXACTLY right (and I've said so) it is Vista that deserves the real credit and not Windows 7. Windows Vista was "doing the right thing" when it was hard (making that application that skirted around the official API crash - you know, the one you loved, or that your business depended on). Now the applications have either been rewritten or discarded (Alas poor "Inventory Management App" I knew him, Horatio, a fellow of infinite jest, of most excellent fancy. And directly writing to the port without going making the proper calls).
So sure, it was a total pain when the thing you needed didn't work, UAC was constantly in your face, and that super-fancy GPU's driver was a big ball of suck - but let's hear it for Vista, for blazing a trail, and making Windows 7 look good (given that by the time it shipped we'd given up with those misbehaving applications, and ATI/Nvidia had actually managed to ship drivers that actually worked).
However, I too want to call for another article (sorry). Can we take a look at security and Flash? It does seem to be the new "bad boy". Specifically, can we compare running Flash as a browser plugin and Chrome's embedded Flash? I strongly suspect Chrome's implementation will be far safer - but I'd like something to back up that hunch.
The fact is...
If someone posted a reply referring to Linux with a point that had some direct relevance it would be quite understandable why they brought Linux up, but in fact that hardly ever seems to happen, if ever.
What usually seems to be the theme in the posts people make about Linux in relation to a Windows based article is to iterate in some form that Windows has some serious problems that can only be cured by way of making Windows into something that would be much like, if not exactly like Linux.
And thats a problem , yes.
Its a problem because the posters who say things like that are operating under some kind of a weird misconception of what the vast majority of the worlds experience with Windows has been like.
For the vast majority of the world, Windows has not been the unending series of BSOD's and viruses and frozen screens that many Linux users claim the Windows experience is like. In fact, in recent years I suspect the very few BSOD's that some Windows users might have experienced in the past are probably long gone for good.
Its clear by the kinds of posts we see from the Linux users perspective that they get no particular enjoyment out of using Windows while again the vast majority of Windows users are typically quite happy With the way Windows looks and performs. Making critical comments of Windows that flies right in the face of what the typical user experience is truthfully like, is a pointless waste of time.
And finally, the major thing that so many Linux "advocates" cannot seem to get out of their mind is that there is zero reason to consider switching operating systems if you have had a good experience with Windows and you like the way it works and you do not experience all these negative things that some people love to 'claim' happen all the time. No interest in switching. None.
So indeed if a Linux user has a good relevant point to make that is right on topic and isn't involving nothing more then their strictly personal views on how bad Windows is and why it has got to be more like Linux, then sure, but it doesn't seem too likely.
I for one have tried Linux a few years ago and thought it was a pretty decent OS, just not for me in the long run. I certainly concede that if Linux works for you, then you should certainly use it, its free and it works fine if its meeting your needs. Its just too bad we can never seem to get one of the Linux users to ever concede that there is nothing wrong with Windows and that if its meeting our needs there is likewise no reason not to use it. That would be truly refreshing because that would be the truth.
Very glad
RE: Windows Security wrap-up: praise for Vista and a historic first
RE: Windows Security wrap-up: praise for Vista and a historic first
Same.
Not any difference if you use best practise
Best practise is to use limited user accounts for normal use, although that sometimes doesn't work for some LOB apps. UAC is not a security feature - it's an ease-of-use feature. Users want to have full control over their PC, but much to their detriment, they often click on things they shouldn't. UAC was brought in to confirm to admins that they are doing something they want to. It's the users that don't have a clue and mindlessly click on things that are dangerous with admin rights, but that's how most home users want to run, and so UAC was brought in. Microsoft has to rely on users reading what's on the screen to confirm that what they are doing is important. IMO, they need to word it more clearly, as in "The current process has been temporarily halted because it requires changes that can damage your computer", or words to that effect. Alas, some users still just click through it. It not only prompts, but also remember that admins don't actually get full admin access all of the time - it would be dangerous to run with full admin rights during an entire session. When something requires admin access, UAC prompts to raise the privilege level ONLY ON THAT EVENT. Another thing it does is it allows a limited user to initiate an admin privilege escalation, but an admin has to authenticate their credentials for it to proceed. In XP, you have to sign a limited user out and sign in as an admin for the same effect.
UAC just makes these processes easier.
There are actually far more important security features in Windows than UAC, but UAC is the most apparent change because of the UI elements.
I do agree with "zipping up" the UAC slider though. If you agree, make a shirt and wear it proudly: http://msmvps.com/blogs/bradley/archive/2009/05/29/get-your-uac-defense-in-depth-slider-shirts-here.aspx
RE: Windows Security wrap-up: praise for Vista and a historic first
I agree with most of what you wrote, however I do believe it could be called a security feature, as it strips the admin token (being a member of the administrator group) from the user, which means that without elevation, the administrator runs with mere user rights.
Also uac handles the ie sandbox, and provides file and registry virtualisation, which first and foremost is a compatiblity feature, but it prevents badly coded apps from accessing ceetain parts of the file system and HKLM, such an event would then of course raise a consent prompt.
You didn't read what I wrote
You clearly didn't read through what I wrote.
Go ahead and re-read it. I clearly stated that UAC isn't just a prompt as it is a nice UI to facilitate privilege escalation.
However, what you state as far as files being "blocked": that was introduced in Windows XP SP2, and ACL has been around for years.
UAC is NOT a sandbox.
If you run Windows Vista/7 as you were meant to run: with limited user account access for normal usage, and admin for admin-only usage, the difference to XP is that limited users are prompted for privilege escalation in Vista (with admin credentials), whereas they can't raise it in XP. For admin logins, user credentials are at low by default, UNLESS a process requires privilege escalation - to which it prompts to raise it. XP runs processes under an admin login with higher credentials than Vista normally would, but the difference is in the prompt. FYI: there are still user-level processes in Windows XP, and they can't communicate with system-level processes either.
UAC doesn't explicitly block anything that a conventional user can't (and most often, doesn't) bypass, therefore I stand by my comment that it isn't a security feature.
RE: Windows Security wrap-up: praise for Vista and a historic first
You don't know what UAC is
UAC? You mean that annoying prompt that pops up all the time asking if you really want to do this? ever heard of the boy who cried wolf? well how is a normal user supposed to know what is malware and what isn't when that annoying prompt pops up all the time?
sudo is a kludge
sudo is not the operating system either. It is a set UID program with root as the owner. When run sudo runs with root privileges. If there's a bug in sudo then you've got root privileges. If you run a program, such as vi, which has a shell escape feature (":!bash" for example) you've got a root shell.
sudo's granularity is a function of sudo and not UNIX. If sudo is broken then you've got a security problem.
sudo is one of those programs people who do UNIX security have always been told to avoid: set UID. Especially as root.
RBAC, built in to Solaris, is a much better implementation than sudo.