If Microsoft thinks old Tor clients are risky, why not Windows XP?

Summary: Microsoft has been removing outdated Tor clients, stating that they pose a security threat, but if that's the case, what about other outdated software? Isn't that a threat, too?

TOPICS: Security, Microsoft

Earlier this week, Microsoft revealed that it has been going into users' computers and removing outdated Tor clients. At first glance, this might seem like a crazed, misplaced attack on the Tor network, not unlike a campaign by a certain Irish politician, but the issue runs deeper than first thought.

Editor's Note, January 24, 2014: According to a Microsoft spokesperson, "Microsoft Malware Protection Center (MMPC) has protections to remove the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor."

The problem begins with the Sefnit botnet, which uses the Tor network to conduct its communications. Dealing with a botnet is a tough problem, despite how noisy they can be. Even when security researchers identify a machine that is compromised, and technically have the ability to control it themselves, cleansing an infection is fraught with legal and ethical dilemmas.

Why not instruct each individual bot to clean itself? It has been done before. The US Federal Bureau of Investigation trialled doing so with the Coreflood botnet, but, according to Trend Micro, 10 percent of zombies in its test environment crashed. Aside from potentially breaking the law by accessing a computer without authorisation, the well-intentioned party could have just crashed someone's machine.

And who knows what that machine was used for. Perhaps it's some college student working on their term paper. Maybe it's a server responsible for managing a small city's traffic systems. What if it's someone's life support system?

Instead, researchers use a more indirect method of sinkholing botnets — law enforcement agencies ensure that DNS requests for known malicious servers that control botnets aren't returned with valid results, cutting them off from their masters. Similarly, the Australian-developed iCode seeks to place infected machines in a walled garden at the ISP level.

While these approaches are an important step in the right direction against botnets, they are only effective on a network the defenders control. Because of how Tor's network works (which is what provides its anonymity), sinkholing is ineffective and walled gardens are impossible.
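To make the sinkholing point concrete, here is an added example (not code from the article, and not Microsoft's or the Tor Project's tooling) of the decision a sinkholing resolver makes, alongside a check for why a Tor-based command channel never reaches it. All domain names and addresses are constructed placeholders drawn from the documentation ranges; the blocklist is a stand-in for whatever names a takedown order covers.

```python
"""Added example: a minimal DNS sinkhole decision and its blind spot for Tor.

A sinkhole answers queries for known command-and-control hostnames with a
defender-controlled address, so infected machines connect to a logging host
instead of their master. Tor hidden-service (.onion) names are resolved
inside the Tor network by the Tor client itself, so the operating system's
resolver, and therefore the sinkhole, never sees the query.
"""
import ipaddress
from typing import Optional

# Constructed blocklist of C2 hostnames (placeholders, not real indicators).
SINKHOLE_DOMAINS = {"c2.example-botnet.test", "update.example-botnet.test"}

# Constructed sinkhole address from the TEST-NET-1 documentation range.
SINKHOLE_ADDR = "192.0.2.1"

# Constructed stand-in for the legitimate zone data a resolver would hold.
ZONE = {"www.example.test": "198.51.100.10"}


def resolve(name: str) -> Optional[str]:
    """Answer a query the way a sinkholing resolver would.

    Known C2 names get the sinkhole address, other known names resolve
    normally, and unknown names return None (the equivalent of NXDOMAIN).
    """
    name = name.lower().rstrip(".")
    if name in SINKHOLE_DOMAINS:
        return SINKHOLE_ADDR
    return ZONE.get(name)


def is_sinkholed(name: str) -> bool:
    """True when a bot asking for this name would be steered to the sinkhole."""
    return resolve(name) == SINKHOLE_ADDR


def sinkhole_can_cut_off(target: str) -> bool:
    """Can a DNS sinkhole cut a bot off from this command channel at all?

    Returns False for anything that bypasses the resolver: .onion names
    (looked up inside Tor) and literal IP addresses (no lookup at all).
    Otherwise it is only cut off if the name is already on the blocklist.
    """
    t = target.lower().rstrip(".")
    if t.endswith(".onion"):
        return False  # resolved by the Tor client, never reaches DNS
    try:
        ipaddress.ip_address(t)
        return False  # hard-coded address, no DNS query is made
    except ValueError:
        pass
    return t in SINKHOLE_DOMAINS


if __name__ == "__main__":
    for target in ("c2.example-botnet.test", "www.example.test",
                   "abcdefghijklmnop.onion", "203.0.113.5"):
        print(f"{target:28} -> {resolve(target)!s:14} "
              f"cut off by sinkhole: {sinkhole_can_cut_off(target)}")
```

The first case shows the ordinary sinkhole outcome; the last two show the article's point that a Tor-based channel, like a hard-coded address, is simply invisible to a DNS-layer control.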

Logically, Microsoft is right to go about tackling the problem at the application layer, with its tools removing the Sefnit botnet infection. Sefnit has no positive purpose, so ethically, this should be OK, and Microsoft's removal tool requires the customer's permission, addressing the legal implications.

The dilemma that remains unanswered, however, is what happens when non-malicious software is installed at the same time. Sefnit uses an older Tor client to communicate, and Tor, by itself, is not malicious.

The Tor client used by Sefnit is version, which Microsoft points out has several vulnerabilities, including two buffer overflows and a heap corruption flaw. These could likely be used to remotely execute arbitrary code, leaving the victim's machine open to attack even if Sefnit is removed.

The argument that Microsoft now essentially uses to justify its actions is that if this software, which cannot be automatically updated, opens the user to attack through known vulnerabilities, it too should be considered something that should be removed.
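The version-based argument above is, in practice, an inventory check: find installations of a product whose version predates the fix for known flaws and flag them for a decision. The following is an added example written for this article, not Microsoft's signature logic or any Tor Project code. It only flags, it does not remove. The sample inventory is constructed; the version 0.2.3.25 is the one quoted in the comment thread below, and the minimum safe version is a placeholder, since the article does not state which release fixed the flaws.

```python
"""Added example: flag installed software whose version predates a fix.

Parses dotted version strings such as '0.2.3.25' or '0.2.4.20-rc', compares
them numerically (not as strings), and reports which hosts are below a
minimum safe version. Removal is deliberately left to a human decision.
"""
from typing import Dict, List, Tuple

# Placeholder: the release in which the known flaws were fixed is not
# stated in the article, so this value is an assumption for illustration.
MIN_SAFE_VERSION = "0.2.4.0"

# Constructed sample inventory; hostnames are placeholders.
INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-01", "product": "tor", "version": "0.2.3.25"},
    {"host": "ws-02", "product": "tor", "version": "0.2.4.20-rc"},
    {"host": "ws-03", "product": "tor", "version": "0.2.4"},
    {"host": "ws-04", "product": "tor", "version": "0.2.2.39"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.2.3.25' into (0, 2, 3, 25).

    A suffix after the first '-' (for example '-rc' or '-alpha') is dropped,
    so pre-releases compare as their numeric base. Anything else that is not
    purely numeric is rejected rather than silently mis-ordered.
    """
    core = v.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_below(version: str, minimum: str) -> bool:
    """True if version sorts before minimum.

    Shorter tuples are padded with zeros so that '0.2.4' equals '0.2.4.0';
    a plain string comparison would get cases like '0.2.3.9' vs '0.2.3.25'
    wrong, which is why the numeric tuple form is used.
    """
    a, b = parse_version(version), parse_version(minimum)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def flag_outdated(inventory: List[Dict[str, str]], minimum: str,
                  product: str = "tor") -> List[str]:
    """Return the hosts running `product` below `minimum`, oldest first."""
    hits = [r for r in inventory
            if r["product"] == product and is_below(r["version"], minimum)]
    hits.sort(key=lambda r: parse_version(r["version"]))
    return [r["host"] for r in hits]


if __name__ == "__main__":
    for host in flag_outdated(INVENTORY, MIN_SAFE_VERSION):
        print(f"{host}: below {MIN_SAFE_VERSION}, review before any removal")
```

Note what the check cannot tell you: a version number says the binary predates a fix, not whether the install was planted by malware or chosen by the user, which is exactly the gap the article goes on to discuss.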

The Tor Project worked with Microsoft, permitting it to update its signatures to remove old versions of the Tor service. This effectively means that the Tor Project found it acceptable for its older software to be marked as malicious, but it also does not speak on behalf of its users.

Where everything comes undone is when Microsoft's argument is extended beyond the botnet. If the risks of old, outdated software make it OK to mark that software as malicious, why should Microsoft stop there? Why do we need to wait for a botnet to be present before taking action? If another piece of software opens the user up to attack, isn't it, too, malicious by Microsoft's argument?

It would improve things for Adobe, which has seen a huge improvement in the later versions of its Reader software. Its newer releases use sandboxing, which has halted attacks, but the feature isn't included in its older versions, and those are where it has the most trouble with reports of customers becoming victims.

Its CSO Brad Arkin previously pleaded with users to "help us help you by running the latest version of the software", and has told ZDNet that his life would be so much easier if everyone did.

The answer lies in how valuable a piece of software is, even if it is full of vulnerabilities. Users continue to use Java because they have to for web conferences or even for gaming (Minecraft, anyone?). Microsoft makes this decision on behalf of the user, unfortunately, which means it does not address the ethical side. It won't be long before someone questions how useful a piece of software really has to be before its security flaws make it a candidate for automatic removal.

If you don't believe me, wait and see what happens once Microsoft's long-term support for Windows XP runs out on April 8. I don't see it turning around, marking its own operating system as malicious, and uninstalling it for users' greater good.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • Really?

    So, Microsoft doing what needs to be done to protect the users of IT's software (yes, IT's, not YOURS) because Tor is either incapable of doing it, or just doesn't care, is offensive to you?

    If you have a better way of handling it, get a business license, hang up your shingle, and get to work, buddy boy! We really don't want to hear your whining because you are so paranoid you need to hide behind a service like Tor offers, and MS is interfering with that.

    Remember, you just RENT Windows, you don't, and never have, owned it. Aside from certain actions, MS is pretty much free to do as they see fit with it. Even if that includes deleting it from your system for violating its terms of service.

    Chew on that awhile.
    • More facts

      Usage of the Tor network at around the time the botnet sprang into action (Sept 2013):

      Number of total Tor users, across all versions of the client combined, multiplied by 6. If someone's got the specific outdated version of the Tor client used by the botnet, it's extremely likely that PC's an infected bot.

      The question of the author is if it's ethical to remove outdated software, after approval by the user, if well over 90% of the users of the software had that software installed by malware. Some people believe there are no stupid questions.
    • Pretty sure I've bought my Windows XP licence

      You rent Windows? What a load of nonsense. Microsoft couldn't remove it remotely even if they wanted to.
      • Own?

        Sorry. Read the EULA. And they don't need to delete it, simply revoke the activation.
    • Interesting perspective.

      When people buy a Windows® operating system, they pay for the right to use it, not for some temporary rental agreement dictating its use. Somewhat like a right of access across land. It remains in effect, until you violate the agreement. It can only be deactivated if someone has a pirated copy, which technically was not activated correctly in the first place, thus no legal defence there. Even if you commit crimes with it deliberately, or knowingly allow it to be compromised, that does not violate the EULA, (in its current form). If you recompile the code, or reverse engineer the compiled code, you are in violation of the EULA, and you may be prosecuted accordingly. Even that will not give cause for your paid licences to be deactivated, though they may use their technology against you, to find you and prosecute you, as I would. If you have a legal licence, and you hack Microsoft directly with it, they cannot deactivate your licence. They can have you charged with computer crime though, and likely will.

      I would amend the EULA, if I were them, to make the user 100% legally responsible for any problems not derived directly from coding errors. Ignorance is not a valid defence in the court. It is not the fault of the system if someone is stupid, unless you can prove they made you that way, which opens a lot of worm cans with the current methods of education and government doesn't it? I would also suggest government licences for people to be online with their equipment; an Internet Driving Licence. At least require equipment pass certain security standards before obtaining a valid network address. Users should have security certificates verified at the first point of connection, like banks and other institutions do. Of course this would not stop competent hackers. Crime always has the upper hand. We try to limit stupid or illegal people driving, why should they be online?

      I am curious about your motives here. Are you a shill for one of Microsoft's competitors, a Linux fan perhaps, or just angry with the world? Perhaps, just someone who likes to anonymously stir up trouble and play on people's paranoia and fears online? It is my opinion you may have some social issues. I am interested in aspects of personality disorders and psychology. If you wish to discuss these with me, purely for my own interests and curiosity, I am available.
      Kieron Seymour-Howell
    • 'Remember, you just RENT Windows, you don't, and never have, owned it'.

      well, um... bulls..t...

      ... and I wouldn't chew on that
  • Why not seriously talk about updated M$-software and ...

    ... criticize them too. If software is updated, does it really mean it's secure? Then there's another issue: the blundering update processes of Microsoft. Many professionals are actually claiming that the normal user is in more danger from M$ software updates than even from malware (some of which is harmless, though not all). Pathetic updates were one of the main reasons why I stopped using Windows (another was of course Windows getting slower and slower as more applications were installed).

    One study some years ago claimed that there was a correlation between Windows botnet machines and non-updated software (or lack of updated AV), but not nearly as strong as formerly believed.
    • Facts

      Important facts missing from the article:

      Users of the Tor network increased more than five fold within half a month, while being extremely stable before that. At the same time, Sefnit was activated.

      So 4 out of 5 Tor users are due to the malware. Since the Tor version used by the malware is outdated, I'd guess at least 19 out of 20 users of that version are infected.

      If 19 out of every 20 installations of Windows were infected with malware, I'll bet Microsoft would take drastic measures there too.
  • Hang on, This version is not risky

    They are quoted as saying "While no high-severity security bulletins have been issued affecting Tor v0.2.3.25"
    So currently there is no risk with this version.
  • um, what?

    You're suggesting.... Microsoft remotely uninstall Windows XP? I don't think that's actually feasible. What a strange, bizarre article.
    • Activation

      They can deactivate your copy at will. No need to physically delete it...
      • Perhaps they're able to, but on what grounds?

        They can revoke the license "if you do not abide by the terms and conditions of this EULA", but there's nothing to even suggest that they can do so at their own discretion. When Genuine Advantage started, people were up in arms over apparent false positives. Imagine that happening to hundreds of millions of customers and try to picture how people would react to Microsoft shutting off hundreds of millions of XP installations without clear grounds to do so.
        Third of Five
  • Uninstalling XP remotely?

    "I don't see them turning around, marking their own operating system as malicious and uninstalling it for user's greater good."

    The implications of that would be significantly more dire than with Tor. I'm fairly sure that "we no longer support this product" does not constitute reasonable grounds to revoke a license that was already purchased.
    Third of Five