The weirdly obvious Windows security flaw no one ever seems to talk about


Summary: The flaw is right there, right on the first page that IE launches, the default page as it's shipped from Microsoft.

TOPICS: Windows, Security

UPDATED: See end of article. UPDATE #2: See Windows 8 discussion below.

The other day, I was installing Windows 7. This is no surprise, since I've probably installed Windows 7 about a thousand times over the past few years. But this time, I wasn't in my normal work environment, and I didn't have my magic thumb drive filled with my normal tools, like antivirus installers, pre-downloaded service packs, and the like.

I was at a friend's house and all I had was a store-bought copy of Windows 7 Home Premium, which I'd convinced him to finally install after his years in the Vista wilderness.

I like to do a clean install, so rather than worrying about his old files, he spent $69 on a replacement 320GB laptop hard drive (he's not a big file hoarder, so the small drive was fine). We had a fresh drive and a fresh copy of Windows.

So I set about doing the install.

As is usually the case with Windows 7, the install went smoothly. I did a bunch of Windows Updates, and those went smoothly as well. But before I was going to let him go out onto the Internet, I wanted to install antivirus and get him a better browser than IE. He was torn on whether to use Chrome or Firefox, so I planned to install both.

Microsoft offers a pretty reasonable kit of antivirus software in its free Microsoft Security Essentials product. Plus, since I didn't have AV already installed, I didn't want to take my friend's browser off the safety of Microsoft sites until I had antivirus installed and updated.

So, I launched IE to go get MSE. And what did I see on first launch? This:


Yep, IE defaults to MSN. Now, I've known that for years, but I've generally ignored it. I usually install antivirus and Firefox off my magic thumb drive, so I almost never just launch IE straight out of the box.

But here's IE, as shipped by Microsoft, going to MSN -- which is chock full of ads.

So do you see the security flaw yet?

The flaw is right there, right on the first page that launches, the default page as it's shipped from Microsoft.

Yep, it's the ads on MSN. Now, while ads served by third-party ad companies today rarely carry malware, they have been known to, as this InformationWeek article by my Internet Press Guild colleague George Hulme describes. It was years ago, but even with fully-updated AV, I once got hit with nasty malware on an XP machine, straight from an ad on the Drudge Report.

There is no guarantee that future ads posted on MSN (or Bing, for that matter) will be malware free. Exploits are discovered every day.

The point is, because Microsoft is defaulting to MSN and MSN is serving up unvetted ads on its home page, users with new Windows installs are being subjected to an unpredictable Web browsing experience before they have a chance to download any antivirus product.

This is a surprisingly big security flaw in Windows.

There's still time to fix this with Windows 8 -- and even still time to change things with Windows 7.

Update #2: Adrian Kingsley-Hughes reports that Windows 8 will ship with AV, but in a follow-up email discussion about this issue, Adrian told me, "I haven't tested it yet, but I'm told the Win 8 AV has a grace period before switching on to give you a chance to buy AV." If that's the case, and there's still a chance someone can go to the Web before having running AV, the risk might still exist.

All Microsoft has to do is detect whether there's AV installed on a machine. If there isn't, redirect IE to the Microsoft Security Essentials page. If that's too scary from a big, bad Justice Department perspective, simply display a page that recommends installing antivirus before going on the Internet.
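The check-then-redirect idea above is something an administrator can approximate on a fresh Windows 7 machine today. The following PowerShell script is an added example, not Microsoft's code and not something from the article: it asks Windows Security Center whether any antivirus product has registered itself as enabled and, if none has, points IE's per-user start page at an antivirus download page instead of the ad-bearing default. It assumes the `root\SecurityCenter2` namespace is present (client editions of Vista and later), uses the commonly cited but undocumented decoding of `productState` (middle byte `0x10` means enabled), and uses a placeholder URL that you would replace with the real download page.

```powershell
# Added example: detect whether an enabled antivirus product is registered with
# Windows Security Center; if not, set IE's start page to a safer landing page.
# Assumptions: Windows Vista/7 client SKU (root\SecurityCenter2 exists), run as
# the user whose IE start page should change, PowerShell 2.0 compatible.

$SafeStartPage = 'https://example.invalid/download-antivirus'  # placeholder, substitute the real page

function Get-RegisteredAntivirus {
    # Every AV product that registered with Security Center appears here.
    # productState is a bitmask; the widely used (undocumented) decoding is:
    #   middle byte 0x10 = real-time protection enabled, 0x00 = disabled
    #   low byte    0x00 = signatures up to date,       0x10 = out of date
    try {
        $products = Get-WmiObject -Namespace 'root\SecurityCenter2' `
                                  -Class AntiVirusProduct -ErrorAction Stop
    } catch {
        return @()   # namespace missing (e.g. server SKUs): treat as "no AV"
    }
    foreach ($p in $products) {
        $hex = '{0:x6}' -f [int]$p.productState
        New-Object PSObject -Property @{
            Name     = $p.displayName
            Enabled  = ($hex.Substring(2, 2) -eq '10')
            UpToDate = ($hex.Substring(4, 2) -eq '00')
        }
    }
}

function Set-SafeStartPageIfUnprotected {
    param([string]$Url = $SafeStartPage)

    $enabledAv = @(Get-RegisteredAntivirus | Where-Object { $_.Enabled })
    if ($enabledAv.Count -gt 0) {
        $names = ($enabledAv | ForEach-Object { $_.Name }) -join ', '
        Write-Host "Enabled antivirus found ($names); leaving IE start page alone."
        return $false
    }

    # IE reads the user's home page from this value.
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Start Page' -Value $Url
    Write-Host "No enabled antivirus registered; IE start page set to $Url"
    return $true
}

Set-SafeStartPageIfUnprotected
```

Run it once per user profile right after setup, before the first browser launch. The script only changes the start page, so it never blocks browsing; it just makes the first page a deliberate choice rather than a page whose ad slots are filled by third parties.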

But sending unprotected Windows users straight into the wild, wild world of the MSN home page? That's a weirdly obvious Windows security flaw no one ever seems to talk about. And it needs to be fixed.

UPDATE #1: After I published this, my editor asked a question that I think needs to be considered. He asked, "What if Microsoft is monitoring the ads?" I honestly don't know whether they are or not. But the risk still exists. Hackers are constantly looking for exploits, so it's entirely possible (not probable, but possible) that an ad on a site as large as MSN might be a target. It's also possible that a programming error might let an exploit or hack attempt slip through.

Microsoft is filled with very smart people who are quite obviously working extremely hard to fight the malware threat against their own OS. The point of this article is that here's a place that just doesn't have to be a risk -- even if the risk is small. There's just no major upside to pointing unprotected systems to MSN, so even if the hack potential is small, why take that chance?

Let's do our absolute best to keep people safe out there, and avoid unnecessary risks when possible.



David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.



  • The MSN Install Security Flaw

    On top of the intrusive advertising, is the fact that MSN is such a useless website full of trash.
    Brown Dog
    • That is Sad, Truly Sad

      Got the popcorn, watching the show.

      Protect the hive.
    • on a windows install

      The first smart thing to do is disable hide and hatch the registry so IE is basically disabled. Second you ensure that none of MS "forced down your throat" products and services are available.

      I don't let any of our clients use MS products and services with the exception of MS Office, unless they explicitly request it. It basically hits support time. Those that do use MS products and services end up with more problems always.
      • Like Apple and Google

        don't do the same thing . . .
        • Actually...

          Apple don't.

          Apple's default homepage when you first load the built in browser is which (like the rest of the Apple site) contains no third party ads.

          It doesn't even include things like third-party Twitter or Facebook widgets, instead choosing to simply link to the sites themselves, and even its iTunes links eschew the normal TradeDoubler/DoubleClick/whatever (depending on your territory) tracking links in favour of direct links.

          Apple isn't perfect, and nor is Safari, but at least, short of compromising Apple's website entirely, malware shouldn't be injected simply by loading ads on the default page, at least giving you a chance to download malware protection / a different browser first if you so choose.
          • could be done better

            Microsoft could have done the same by just having the first page that comes up be MS's own page, which has no ads. They just happen to get a few extra bucks doing this, which just goes to show what they think of the consumer.
      • Sure

        If what you've said is true, then you're an amateur who doesn't know the first thing about how to properly configure and use Microsoft's products and services. More likely than not, YOU are the cause of your users' problems if you're locking out all these capabilities (which you'd have to do via GP). Microsoft's products and services in 2012 are exceptionally good, and if you're unable to figure out their value, you're a poor IT person and should be fired. If you worked for me (16 year Systems Engineer) you'd be out on your ass.
        • On the other hand...

          ...if you wanted to engage in vendor lock-in and wed my business to Microsoft, it'd be your ass hitting the pavement. I don't even care about 2012.. I care about things like it's taken over ONE DECADE to fix certain statistical functions in Excel (some so bad they return ZERO digits of accuracy on benchmark tests) and one Mathematics Professor who's written paper after paper about these problems over the years finally stated that the people employed to code these functions in Excel are incapable of performing the task in his last published paper. Microsoft put out a statement that said something to the effect that they couldn't have expected things like Six Sigma to catch on (one process affected by Excel's poor implementations of distributions), as if they only test or code to high quality the parts they think will be used the most.
          Any company that let these problems exist release after release... and worse, in some cases "fix" them by implementing new solutions that traded one set of problems for another, and in Excel 2007 announce fixes to some functions that turned out to have not been fixed at all, and all while accurate algorithms exist in the standard literature for these routines and the open source Gnumeric spreadsheet blew away Excel in accuracy benchmarks and fixed its few problems within six weeks rather than ten years... I wouldn't let a Microsoft product near my machines that wasn't an absolute necessity (if any actually are nowadays).

          • One more, an actual paper

          • Sad

            What's sad is that I just ran some of the same tests on my iPad running Apple Numbers and the results were as flawed as MS Excel. It's a shame that the benchmark has been set so low.
    • And when you log out of Hotmail...

      ...the page redirects back to the MSN junk page as well. It's worse than AOL's home page and THAT'S pretty bad.

      Fortunately I use Firefox's Redirector plug-in which goes to any other webpage of my choice after Hotmail log off. Great stuff.
    • ?

      If the news around the world is trash then I guess your comments apply to all news sites. I personally like MSN. It's a good format and has easy access to usable information.

      One problem I think MS would have with a re-direct to the Security Essentials home page is EU would tear them apart. Users should have a choice for AV Right? The EU would eat them for breakfast just like they did over the lame browser selection menu.
      • That MSN homepage has more fluff on it

        than a roll of Charmin. Squeeze it and mostly Tinsel Town flotsam drips out.
    • Why didn't the editor ask the question *before* the piece was published?

      From the article:
      "After I published this, my editor asked a question that I think needs to be considered."
      Rabid Howler Monkey
      • You maybe haven't noticed

        But ZDNet is essentially run by Apple whores who try and publish any tiny SLIVER of Anti-Microsoft bigotry.
        • Gewirtz has admitted his preference for Windows...

          ...any number of times in the past year. He has even stated that it is a requirement for doing any useful work on a personal computer. He's clearly not an MS-cultist, but his criticisms of MS should be taken as friendly (much like Ed Bott's).
          John L. Ries
        • Sure...

          ..that's why the comments are filled with Windows trolls who have their own personas like pro wrestling characters. That's why Ed Bott writes the Microsoft Report and calls Linux users "lunatics". Just where do you see this site as being run by Apple users? And "bigotry" is a ridiculous word to use, all the more so given that Microsoft is a giant monopoly rather than a poor, oppressed small home business or something. In fact, now that I think about it, this author wrote a rant against Linux servers and switching back to Windows that was heard 'round the Internet. Yet he points out one problem with Windows and you accuse him of being an Apple shill? I hope you realize the irony that you are actually the user so filled with passion for your OS of choice that you view anything less than complete praise for it as conspiracy and oppression.
  • Perhaps you need to rework your installation routine...

    If it were me, I would have used Windows 7 built-in upgrade mechanism to search for need to fire up any web browser. Use Security Center instead.
    • Perhaps, but that's not the point of the article.

      He could have gone to Internet Properties and changed the home page to Google before opening IE also. But a security flaw that can be circumvented by trained IT personnel and power users does not become less of a concern for the average uninformed home user.
      • David might not appreciate being called "uninformed"...

        However, I also take issue with this "home page" fiasco... the last few times I've fired up any version of IE for the first time, instead of any "home page", it opens a "Welcome to Internet Explorer" page, where you add whatever add-ons the user desires, set up a home page, etc. So, in this instance, I suspect Mr. Gewirtz did not do a clean upgrade and instead copied over the user's preferences.