Windows security breaches on the rise

Summary: It seems like every year, near the closing of the year, Windows viruses and malware seem to creep up from nowhere. Late 2011 was no exception.

It seems like every year, near the closing of the year, Windows viruses and malware seem to creep up from nowhere. Late 2011 was no exception. Beginning in November, Windows viruses and malware started to appear, and we experienced a few that got through on Windows 7 64-bit with full Symantec Endpoint Protection running, with users running Internet Explorer. Yep, they slipped right on through multiple layers of protection. Meanwhile, others mentioned an increase in popups and strange behaviour from fake "Windows repair" utilities and the like. Needless to say, for those supporting Windows, it made for an ever-increasing need for extra time to put out these fires. Things seem to have settled down after the new year.

Recently I came across an article mentioning the Windows malware outbreak within the U.S. Military. Apparently the systems used at ground control for the unmanned aircraft became infected with some form of malware that was found to be stealing credentials (usernames and passwords). The reports claimed that the malware may have been installed via removable storage devices attached to the ground control systems. Whatever the cause of the infection, it is highly embarrassing. Mission-critical systems should not see malware. And this is the very reason that the Windows systems were replaced with Linux. There are many follow-up stories available on the Windows-to-Linux replacements.

This is also the reason that I've replaced many Windows systems with Linux, not only for myself but for many others that I know personally. I use the very same software that I recommend, as I have nothing to hide. When people approach me asking for opinions on new PCs, I explain that they have two choices, Windows or Linux, and that if they choose Windows I give them a firm warning that malware can get installed by simply browsing the web in Internet Explorer, which can result in lost data, broadcasting of confidential information on the PC, and much more. I also mention that there will almost assuredly be more maintenance calls back to me with Windows, which oftentimes results in extra downtime or the computer being unavailable due to malware and other problems. Over the past few years, this trend has already been proven by the near-elimination of my personal support calls because the users are now on Linux rather than Windows.

I've also started using the built-in PDF reader in GNU/Linux called Evince. It's much faster than Adobe Reader and isn't subject to all of the Adobe Reader vulnerabilities. GNU/Linux also has its own implementation of Java (OpenJDK), and the IcedTea plugin for Firefox, which can guard against vulnerabilities within Oracle's Java plugin. However, I still have mixed feelings about IcedTea, as some websites do not function with it, so for now we are all still using the Oracle Java plugin. And of course there is Adobe Flash, which we must continue to use as-is, even though its vulnerabilities are mainly targeted at Windows anyway.

Symantec published its annual report outlining data collected in 2010. In this report, Symantec outlined the top malware attacks of 2010, which include Stuxnet. Another one mentioned is Koobface, which roamed around via social networking sites and attempted to install fake antivirus software. Further down in the report, it is stated that the volume of web-based attacks per day increased by 93% compared to 2009. Even though the report is careful about mentioning which operating systems were most vulnerable, the main malware titles mentioned all run on Windows.

All of the indications show that malware incidents will continue to be on the rise in 2012 and beyond. Thankfully we've already put up our defenses by migrating away from Windows and over to GNU/Linux.

UPDATE:

Additional reading on the trends for Windows malware:

http://www.gdatasoftware.com/information/press-centre/news/news-details/article/1886-hacktivism-and-malware-attacks.html

http://www.simplysecurity.com/2011/05/16/windows-7-malware-attacks-increase/

http://pandalabs.pandasecurity.com/2012-security-trends/

More can be searched for, of course.

Chris Clay

About Chris Clay

After administering Linux and Windows for over 17 years in multiple environments, the focus of this blog is to document my adventures in both operating systems to compare the two against each other. Past and present experiences have shown me that Linux can replace Windows and succeed in a vast variety of environments. Linux has proven itself many times over in the datacentre and is more than capable for the desktop.

Talkback

18 comments
  • I think all of us should be careful with these Windows viruses and malware that keep on popping up through websites. IT companies should continue to provide us with good anti-virus software.
    IT Support23
  • How did that lauded Linux security work out for kernel.org, the very place where Linux is being developed? I seem to remember they had some problem with a total system compromise through a compromised user account.

    How did it work out for Linux Foundation, the very organization tasked with overseeing Linux promotion? Did they have a problem, too? Oh yeah, even *their* Linux servers were *totally, completely and utterly root'ed*.
    honeymonster
  • Do you have statistics on the number of incidents on Windows rising at the end of 2011, or is it just an assertion?
    toast171
  • @toast171

    You're asking for *facts* about Windows on a blog called "The open source revolution"? ;-)
    Jack Schofield
  • servermanagement :
    Agreed. I highly recommend using a non-Internet Explorer browser, if you are using Windows, like Firefox or Chrome. And in those, enable addons like Flashblock or NoScript. These are great tools for blocking Flash and Java from running unless you purposely tell it to allow.

    honeymonster :
    Yep, it happens. Those sites are also faced with very heavy traffic. It's not unheard of for sites running Windows or Linux to be hacked. I am by no means saying Linux is immune to attacks. But it is much safer than running Windows for clients where data is pulled inward from the Internet all of the time, and is not prone to the hordes of malware circulating about.

    toast171:
    I don't have numbers in front of me, but yes, it is both from seeing feedback around as well as personal observation as I mentioned in the post. The Symantec article I pointed out was well after Windows 7 was released.

    A search for "Windows malware trend 2011" or similar should bring up additional articles. I was blocked from putting in URLs in this comment but updated the original post with a couple.
    Chris_Clay
  • kernel.org and linuxfoundation.org are run by the people *most* knowledgeable about Linux and security. You do not find anyone anywhere who knows more about Linux. These are the guys *developing* Linux. And yet, their Linux servers became so thoroughly rooted (multiple sites) that some of them haven't even been brought back up here 6 months later.

    The really, really embarrassing fact is that according to kernel.org themselves the attack was probably not even very sophisticated. Yet, the attackers had the systems compromised for almost a month (they're unable to tell exactly how long) using an old phalanx rootkit.

    And this is the system you expect us to trust on security? They have neglected to publicize a post-mortem, but I am willing to bet that the systems were compromised using a SUID privilege escalation vulnerability. SUID is the *single* *most* *stupid* design decision in Unix/Linux. It has been the root cause for *many* compromises. Regrettably it is built right into the very security model of Unix/Linux (a design flaw) where the security model naively centers on a single user account having ominous power and everyone else running as this user (with unchecked power) even if they just need to perform a single operation, like ping a computer on the network. Talk about flawed security design.
    honeymonster
  • Malware stats are subject to the law of large numbers; the huge market share of Windows makes it the platform to attack. If we ever see the year of the Linux desktop, it will be attacked in the same way and both vulnerabilities and user gullibility will be an issue.

    Security is hard. When Symantec was hacked in 2006, it apparently wasn't able to detect that source code repositories had been compromised. RSA was infiltrated through a recruitment consultant. You need a more stringent root cause analysis than 'Windows 7 and Internet Explorer' (presumably not IE9 with built-in SmartScreen?) to actually explain your infections if you're not going to replicate the problem on the next popular platform.
    M
    Simon Bisson and Mary Branscombe
  • "They have neglected to publicize a post-mortem..."

    I am sure that more granular details of the attack will eventually come out, if they are not already. Based on what I've seen, the servers were hit and services interrupted, but no kernel code was compromised. And it was from a trojan on a user's PC that had direct access to kernel.org servers, so it wasn't truly an outside attack on the public interface of the servers.

    "And this is the system you expect us to trust on security?"

    You bet. Because it doesn't have hordes of malware floating about that can easily be sucked in from basic PC use. I do NOT trust Windows and IE for any personal information whatsoever.

    "...the security model naively centers on a single user account having ominous power and everyone else running as this user (with unchecked power) even if they just need to perform a single operation, like ping a computer on the network."

    If you are talking about root, it provides an efficient way for an administrator to "just get things done". In Windows you have the same thing, a single user with full permissions to the system called "administrator". However, the Linux kernel has extra levels of security that apply to EVERY user, even root. The Linux kernel supports SELinux which helps block malicious activity at the kernel level. AppArmor is another similar feature. Windows lacks this type of kernel level security, other than DEP which is not quite the same thing. Also, not sure what you mean about "unchecked power". Users can be allowed to run certain commands with sudo. But other than that, users run in a restricted mode and can escalate privileges if they have the root password.
    Chris_Clay
  • "I am sure that more granular details of the attack will eventually come out, if they are not already."

    They have not offered any granular details. But maybe some day...

    "If you are talking about root, it provides an efficient way for an administrator to "just get things done". In Windows you have the same thing, a single user with full permissions to the system called "administrator". "

    Wrong. Windows has granular privileges, not a hard-coded omnipotent single user. A Windows administrator account only holds the privileges actually granted to it. The only reason it is an administrator is because of the *default* grants. But unlike Linux/Unix, the privileges and access rights can be taken away, or they can be granted in a granular fashion to other accounts.

    "However, the Linux kernel has extra levels of security that apply to EVERY user, even root. "

    No, not by design and not by default. There is a kludge bolted on the side which allows "loadable security modules". But all sorts of problems crop up, such as incompatibilities, dual (or even triple) security models and no central or consolidated way to audit a user's capabilities and access rights.

    "The Linux kernel supports SELinux which helps block malicious activity at the kernel level. "
    "AppArmor is another similar feature. "

    If you can live with that abomination. Most of us cannot. Security is not absolute; it is a balance between usability and protection. SELinux is such a nuisance that most users turn it off or bypass it, undermining the security. How many of the popular distros use (and enable by default) SELinux/apparmor? Ubuntu installs apparmor, but it is not enabled for Firefox.

    "Windows lacks this type of kernel level security, other than DEP which is not quite the same thing."

    No, DEP is not the same thing. What Windows has got *in the kernel* is process tokens (missing in Linux/Windows). Tokens support MIC which prevents processes from "writing-up" to a higher integrity level. Chrome and IE use it to sandbox any internet facing processes. DEP on the other hand is intrinsically linked to ASLR. Linux has very weak DEP/ASLR.
    honeymonster
  • "Users can be allowed to run certain commands with sudo."

    Example of the naive thinking which led to SUID in the first place. What is the effective user of the process when run with sudo? That's right - it is *root*. Even the slightest bug or unforeseen usage can lead to an attacker running as root. The "password" protection is laughable - a feverish attempt at preventing complete embarrassment. It cannot hide the problem that this design is just like ActiveX: You hand over the keys to the kingdom and *hope* that the visitor will be well behaved and can perform his duties with no error. This is NOT a theoretical threat; it is THE most common cause for Linux/Unix and Mac compromises. And it owes directly to the stupidly simplistic, inadequate and naive security model of Unix.

    "But other than that, users run in a restricted mode and can escalate privileges if they have the root password."

    Yeah. And then you have the root password floating around. Great security you've got there. Great. In Windows you can assign specific privileges and rights to individual users, also "administrator privileges". When the user logs on he receives a token with the powerful administrator rights *stripped* from his token. Any process he launches will *not* have those rights. When a process needs the privileges it has to "elevate". This is where the UAC elevation prompt comes up. The user is prompted to acknowledge that his (otherwise stripped) privileges will now be invoked. But Windows *never* gives the user more privileges, as happens in Linux/Unix when "elevating" to root. And no need to share passwords.
    honeymonster
  • > "everyone else running as this user (with unchecked power) even if they just need
    > to perform a single operation, like ping a computer on the network."

    That's not true. Look:

    $ ls -als /bin/ping
    44 -rwxr-xr-x. 1 root root 40840 Nov 10 09:32 /bin/ping

    $ getcap `which ping`
    /bin/ping = cap_net_raw+ep

    The ping tool is not SUID anymore; your information is out of date.
    Zogg
  • There is a great war between the Google applications and Microsoft's applications for office and business use, but I think the Google apps are the best for business use.

    google calendar security
    carolkatie
  • "Windows has granular privileges, not a hard-coded omnipotent single user."

    So if the "administrator" account becomes compromised, it has access to do anything it wants on the system. Sounds the same to me.

    "What is the effective user of the process when run with sudo? That's right - it is *root*."

    That is the point of sudo. And Windows UAC is the same concept: you are escalated to run the command in question as an administrator. This means you must authenticate with an account that has administrator rights (be a member of the Administrators group). In Windows, you cannot do a granular permissions escalation ahead of time per program as much as you can with sudo.

    "And then you have the root password floating around. Great security you've got there."

    Again, going back to sudo, the purpose of it is so that users do not need the root password, and permissions can be granted in advance.

    "In Windows you can assign specific privileges and rights to individual users, also "administrator privileges". "

    To some extent, but you are limited to what's available in Local or Group Policy. You cannot get more granular and do a per-program or per-process escalation like Linux sudo, and for those that are not in a domain you are even more limited. What you are saying is essentially the same thing as sudo accomplishes: to allow an ordinary user to perform an admin task.

    "The user is prompted to acknowledge that his (otherwise stripped) privileges will now be invoked. But Windows *never* give the user more privileges as happens in Linux/Unix when "elevating" to root. And no need to share passwords."

    Yes they are prompted, and also prompted for credentials of a user that has admin rights. There is no magical prompt for automatic escalation without getting confirmation by the user of an account that has admin permissions. By the way, Linux does have PolicyKit which is commonly used in escalating permissions in Linux in the desktop environments, although with this the root password is usually used.

    Generally speaking, those that need to handle admin tasks are usually admins themselves, which is normally a team. That's where sudo comes in to play to allow an ordinary user to run a specific program that is not normally allowed. Unless you are talking about a home user where sharing the password among one user is not an issue.

    "But all sorts of problems crop up, such as incompatibilities, dual (or even triple) security models and no central or consolidated way to audit a user's capabilities and access rights."

    Please, please provide details of these cases.
    Chris_Clay
  • "SELinux is such a nuisance that most users turn it off or bypass it, undermining the security. How many of the popular distros use (and enable by default) SELinux/apparmor?"

    I mainly use Fedora and SELinux is enabled by default. General practice is to leave SELinux enabled on servers, but many do disable it on their workstation because there are many more processes and access that must be done and sometimes it's not worth the effort to fine tune it. If it is disabled on a server then I would have to say that the admin asked for it. It does not take much effort on most servers to get it running and configured. Eventually, I think it will come out of the box so that the user doesn't need to tune it. But again, it's more geared at servers.
    Chris_Clay
  • "So if the "administrator" account becomes compromised, it has access to do anything it wants on the system. Sounds the same to me."

    Missing the point. Under Windows the privileges are *delegatable* (like what Linux strives for with capabilities). There is no single account which you must use to perform admin tasks. You can delegate the backup privilege to backup operators and not delegate the right to take ownership or change permissions. You know, principle of least privilege? If you compromise a user with the right to backup all files on the system you can backup all files, but you cannot *write* all files.

    "And Windows UAC is the same concept, you are escalated to run the command in question as an administrator."

    Your understanding of Windows doesn't run very deep. No, it is not the same thing: You can hold administrative privileges, but when logging on those privileges are *stripped* from your token, i.e. you do *not* have those privileges by default. Elevation is the process of acquiring those privileges back. But you *do not* acquire more privileges than what is explicitly granted to you. Unlike elevating to root under Unix/Linux.

    "In Windows, you cannot do a granular permissions escalation ahead of time per program as much as you can with sudo."

    Run as...

    "and permissions can be granted in advance."

    Permission to run certain commands, not permissions to resources or system operations. Hard shell, soft core. Not intrinsic level security as in Windows.

    "... although with this the root password is usually used."

    QED

    "Generally speaking, those that need to handle admin tasks are usually admins themselves, which is normally a team."

    Yeah, Linux is not designed for principle of least privilege.

    "Please, please provide details of these cases."

    Ok. How do you audit who has write access to a critical file? Some users may have direct write access through ownership or group access. But what about those who have access through SUID utilities? Do they show up on your report? A SUID utility does not declare what it does in a tool-readable format; you simply have to *know* what it does. How do you generate such an audit report? Under Windows this is trivially easy since no one other than those mentioned in the ACL has access. If the administrators group does not have access, even administrator members cannot write to the file. Not so on Linux where any number of SUID utilities may provide non-discoverable access.
    honeymonster
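    Zogg's getcap output above and honeymonster's audit question both come down to the same inventory question: which executables on a box can run with privileges their caller lacks, whether through a setuid/setgid bit or through file capabilities. The Python script below is an added example written for this thread; it is not code from the post or from any commenter. It walks a directory tree, reports setuid/setgid files with their owner, and decodes the security.capability xattr (the same data getcap reads) into getcap's text form. The sample tree and the ping-style xattr bytes are constructed for the demo; the capability bit numbers are those from linux/capability.h.

```python
"""Audit privileged executables on a Linux tree: setuid/setgid bits and file
capabilities (the security.capability xattr that getcap reads)."""
import os
import stat
import struct
import tempfile

# Capability bit numbers as defined in linux/capability.h (list index == bit).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001  # low bit of the magic word
VFS_CAP_REVISION_MASK = 0xFF000000    # format revision lives in the top byte

# Constructed sample: the xattr a binary carrying "cap_net_raw+ep" (like the
# ping in the thread) would have. Revision 2, effective flag set, permitted
# word 0 = 1 << 13 (cap_net_raw), nothing inheritable.
PING_CAP_XATTR = bytes.fromhex("01000002" "00200000" "00000000" "00000000" "00000000")


def decode_vfs_cap(blob):
    """Decode a security.capability xattr (revision 2 or 3) into the text form
    getcap prints, e.g. 'cap_net_raw+ep'. Returns '' when no bits are set.
    Revision 3 appends a user-namespace root uid, which is not needed here."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if (magic & VFS_CAP_REVISION_MASK) not in (0x02000000, 0x03000000):
        raise ValueError("unsupported vfs cap revision 0x%08x" % magic)
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
    permitted = p_lo | (p_hi << 32)
    inheritable = i_lo | (i_hi << 32)
    # On disk "effective" is a single flag: at exec either every permitted
    # capability becomes effective or none does.
    effective = bool(magic & VFS_CAP_FLAGS_EFFECTIVE)
    groups = {}  # flag string -> names, grouped the way getcap prints them
    for bit, name in enumerate(CAP_NAMES):
        mask = 1 << bit
        flags = ""
        if effective and permitted & mask:
            flags += "e"
        if inheritable & mask:
            flags += "i"
        if permitted & mask:
            flags += "p"
        if flags:
            groups.setdefault(flags, []).append(name)
    return " ".join(",".join(names) + "+" + f for f, names in groups.items())


def audit_tree(root):
    """Walk `root`; return sorted (relative path, [findings]) for each regular
    file that is setuid, setgid, or carries file capabilities."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            found = []
            if st.st_mode & stat.S_ISUID:
                found.append("setuid uid=%d" % st.st_uid)
            if st.st_mode & stat.S_ISGID:
                found.append("setgid gid=%d" % st.st_gid)
            try:
                caps = decode_vfs_cap(os.getxattr(path, "security.capability"))
            except (OSError, AttributeError, ValueError):
                caps = ""  # no xattr, non-Linux Python, or unknown revision
            if caps:
                found.append("caps=" + caps)
            if found:
                report.append((os.path.relpath(path, root), found))
    return sorted(report)


def build_demo_tree(base):
    """Constructed sample tree: one setuid, one setgid and one plain script."""
    for name, mode in (("su_like", 0o4755), ("sg_like", 0o2755), ("plain", 0o755)):
        path = os.path.join(base, name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)  # the owner may set these bits without root
    return base


def demo_report():
    """Run the audit over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as demo:
        return audit_tree(build_demo_tree(demo))


if __name__ == "__main__":
    for path, found in demo_report():
        print(path, ", ".join(found))
    print("ping-style xattr decodes to:", decode_vfs_cap(PING_CAP_XATTR))
```

    Run it against /usr/bin or / to get the inventory honeymonster asks for: every file the report lists is one whose callers gain rights they do not hold themselves, so it is the list to review against the ownership and group access an ACL-style audit already covers. Files that appear only with caps= entries are the ping-style case Zogg describes, where a single capability replaced a full setuid-root bit.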
  • "I mainly use Fedora and SELinux is enabled by default. General practice is to leave SELinux enabled on servers, but many do disable it on their workstation because there are many more processes and access that must be done and sometimes it's not worth the effort to fine tune it."

    Aha! Enter Windows where services have individual SIDs in addition to the SID of the account they are running under. A service *only* has access to resources where *both* the account SID and the service SID have been granted access. So even if a service is running under the SYSTEM account, it does not have access to everything SYSTEM has. It only has access to objects to which it has explicit access. This is what you achieve with SELinux. But Windows SIDs and tokens allowed this *without* the SELinux kludge bolted on top of an inadequate security model. This service security is always there, on both servers and workstations. And home systems. No need to fine-tune or accept a lower security level for workstations.

    Oh, and Windows always allowed more than file system objects to be secured. Processes, threads, windows, etc - everything with a handle is securable. Firewall ports and URLs have ACLs as well.
    honeymonster
  • I think the clear answer here is that there are proponents and opponents for both ecosystems, including Windows (which does have the monopoly on the desktop - hence the target for malware) vs Linux, which has a minor share of the general desktop user base. There is no single clear winner on either desktop; you are still entrusting administrator rights (root/administrator) to a non-techy user who probably just elevates to a higher level without awareness.

    It is awareness that needs to be raised. You don't need full admin access to access Facebook, but that is how the masses log in, using an administrator account, which Windows Vista/7 have sort of addressed now.

    I am sure that if the malware writers really wanted to take a stab at Linux then it would be vulnerable in just as many ways as Windows, and possibly ways which we don't even know about yet :-)

    Security is not just about robust system design; it's also about user access control, configuration, and above all awareness. If a popup appears offering "free stuff just click here" to an elevated user on Windows, then they just install something without questioning it; they have given permission to install, under full rights, anything it wants. And the user will still click "Ok" when warnings appear... because they want "free stuff"...

    So let's not bash each other regarding who's got the "biggest and bestest"... let's just all work towards raising awareness and, in a lot of cases, killing the problem at source... the user!
    anonymous
  • "Run as... "

    Yes, that is only the first piece. RunAs is only good as long as the user has a higher privileged account they can authenticate as.

    "There is no single account which you must use to perform admin tasks. You can delegate the backup privilege to backup operators and not delegate the right to take ownership or change permissions. "

    The various levels of access you describe are only because Microsoft has created a bunch of groups and assigned various permissions to each group via a policy and ACLs. But what if you want to grant access that doesn't match what the pre-defined groups have? For example, what if you want to provide a regular Windows user only specific rights to run the command "ipconfig /release", which requires administrative rights, without messing with knowing additional passwords? In Windows, you would have to search through Local or Group Policy and hope there is a setting to allow this for the user, or a group that the user is a member of. Sometimes there is not, which is why 3rd party products are on the market that fill in the gaps where Microsoft left off. In Linux? Add the user to /etc/sudoers allowing the user to run the command in question and you're done.

    "A service *only* has access to resources which where *both* the account SID and the service SID have been granted access. So even if a service is running under the SYSTEM account, it does not have access to everything SYSTEM has."

    You mention the local System account, which according to Microsoft's own documentation: "Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects." Again, SELinux accomplishes this as well. Many services in Linux have predefined contexts already assigned to them, and with various levels (readonly, write, etc.). Each service in Linux has permissions ONLY to the files that it needs (i.e. config files, data, etc.), and any additional shared files that it may need, and that's generally all.

    I could just as easily say that Windows UAC is "kludged" as well, as you say of SELinux; each OS has its own security mechanisms that accomplish a similar goal: to allow processes to run with the least amount of privilege, but grant more privileges if needed. And, if there is a compromise, to limit the damage that can be done to the system.

    Carl White :

    I agree! We'll be here indefinitely. It is a good security information exchange though.
    Chris_Clay