First of all, I want to welcome Mary Jo Foley to ZDNet blogs. I've had a blast debating some of her columns within the last few years correcting her when needed. Fellow blogger Ed Bott has also debated Mary Jo Foley in a recent post where he pointed out how absurd it was to claim that "Vista will NEVER run on a $1000 PC". This time, Mary Jo has pulled out the big bad Vista application compatibility boogie man Windows Vista preemptively breaks every Malware application to date and even referenced the time she blamed Windows XP SP2 firewall for breaking tons of applications when nothing could be further from the truth.
The problem is that Vista isn't complete and, to be honest, those applications that break (mostly because of UAC) really need to be broken for the sake of security. Microsoft has gotten criticism for giving root-level permissions to all users by default in Windows XP, but many of those same critics criticize Windows Vista for attempting to fix it. Part of the blame goes to Microsoft for not making it easy to seamlessly shift between a standard user and a root user in pre-Vista operating systems, but much of the blame goes to lazy software vendors who write sloppy applications that rely on root-level permissions. Now that UAC does go out of its way to make a locked-down user permission model workable, it gets bashed for being too inconvenient and blamed for breaking applications. UAC isn't what's breaking the application; it's the sloppy, risky coding of the application bumping up against a locked-down Vista permission model that is to blame. Of course Microsoft isn't just sitting by telling the ISVs (Independent Software Vendors) it's their problem; it has provided simple-to-use tools like the Standard User Analyzer to help ISVs fix their code.
But there is an even easier way to make a sloppy legacy application work in Windows Vista, and that's called shimming. An application shim is a compatibility layer that fools a legacy application into believing it's running in an older operating system. For example, a shim will tell a legacy application that it is running in an 8-bit, 256-color environment and that it's running with root privileges when it's not. If the application attempts to make modifications to the hard drive or registry that require root permissions, those requests are seamlessly redirected to temporary, per-user locations on the hard drive and in the registry. As a result, the unmodified legacy application will continue to work in Vista with the same sloppy coding, but Vista's security lockdown will remain intact because the user doesn't have to run with root privileges. Vista will ship with thousands of application shims to accommodate legacy applications.
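The redirection described above is easier to reason about as code. The following is an added illustration and not Microsoft's implementation: an in-memory model in which a non-elevated write to a protected location such as `C:\Program Files` lands in the user's `VirtualStore` instead, reads consult that private copy first, and protected `HKLM\SOFTWARE` registry keys map to the `HKCU\...\VirtualStore` equivalent. The protected directories, the user names, the `LegacyApp` paths and the registry key are all constructed for the example.

```python
"""Toy model of the per-user redirection that Vista's file and registry
virtualization performs for legacy applications. This is an added
illustration, not Microsoft's code; the "disk" is an in-memory dict and all
paths, users and keys below are constructed."""
from pathlib import PureWindowsPath
from typing import Dict, Optional

# Locations a standard user is not allowed to modify (constructed subset).
PROTECTED_DIRS = [PureWindowsPath(r"C:\Program Files"),
                  PureWindowsPath(r"C:\Windows")]
# Registry hive that gets the same treatment; HKCU writes are never redirected.
PROTECTED_KEY = "HKLM\\SOFTWARE"
VIRTUAL_KEY = "HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE"


def virtual_store_path(path: str, user: str) -> Optional[str]:
    """Per-user VirtualStore location for a protected path, or None when the
    path is not protected and needs no redirection."""
    p = PureWindowsPath(path)
    for base in PROTECTED_DIRS:
        try:
            rel = p.relative_to(base)
        except ValueError:
            continue
        store = PureWindowsPath(r"C:\Users") / user / "AppData" / "Local" / "VirtualStore"
        # Keep the original directory layout underneath the store.
        return str(store / base.relative_to(base.anchor) / rel)
    return None


def virtual_reg_key(key: str) -> Optional[str]:
    """Redirected HKCU key for a protected HKLM key, or None."""
    if key.upper().startswith(PROTECTED_KEY):
        return VIRTUAL_KEY + key[len(PROTECTED_KEY):]
    return None


class VirtualizedFS:
    """A file system that silently redirects unprivileged writes into the
    user's VirtualStore and consults it first on reads."""

    def __init__(self) -> None:
        self.disk: Dict[str, bytes] = {}

    def write(self, path: str, data: bytes, user: str, elevated: bool) -> str:
        """Store data; returns the path actually written so callers can see
        whether redirection happened. Elevated writes go to the real path."""
        target = None if elevated else virtual_store_path(path, user)
        actual = target or path
        self.disk[actual] = data
        return actual

    def read(self, path: str, user: str) -> Optional[bytes]:
        """The user's private copy wins over the real file, which is what lets
        the legacy app believe its write to Program Files succeeded."""
        shadow = virtual_store_path(path, user)
        if shadow is not None and shadow in self.disk:
            return self.disk[shadow]
        return self.disk.get(path)


if __name__ == "__main__":
    fs = VirtualizedFS()
    cfg = r"C:\Program Files\LegacyApp\settings.ini"
    fs.write(cfg, b"installed=1", user="installer", elevated=True)
    print("standard user wrote to:", fs.write(cfg, b"theme=dark", user="alice", elevated=False))
    print("alice reads:", fs.read(cfg, user="alice"))
    print("bob reads:  ", fs.read(cfg, user="bob"))  # the untouched install copy
    print(virtual_reg_key(r"HKLM\SOFTWARE\LegacyApp\Licence"))
```

The point to notice is the last read: the install copy under `Program Files` is never modified, so one user's legacy application cannot change what every other user (or the system) sees, while the application itself never observes a failed write.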
Of course shimming has a downside: it allows ISVs to remain lazy and continue writing sloppy code. There are even those who will criticize shimming as some kind of sleazy hack, but what solution would they offer? We are faced with the following choices.
- All the ISVs in the world will patch all their sloppy legacy code to not require administrative privileges (when pigs fly) and we won't need tricks like shimming. This is by far the "ideal" solution in a perfect world but we all know this won't happen for the most part.
- Turn off UAC, run everything as administrator, and downgrade Vista's security model to Windows XP's. Some people are suggesting this and telling people to turn off UAC. This certainly is convenient, but people who do this have no one to blame but themselves when they get Malware.
- Run Vista with UAC and permission lockdown, but use shimming to fool legacy applications into thinking they're running with wide-open permissions. This isn't the ideal solution, but it works by protecting users while allowing legacy applications to function.
Windows Vista does break applications, but it breaks applications that need to be broken. These are either sloppy applications that compromise the security of Windows or Malware applications that you definitely want broken. People need to realize the significance of a locked-down permission model and UAC, because Windows Vista preemptively breaks every Malware application to date. The same set of operating rules that applies to software also applies to Malware, and every piece of Malware that has been written to date will be incompatible with Windows Vista's default permission model and will need to be rewritten. This means Malware will no longer be able to permanently hook into the operating system to gain persistence and will only be able to attack the user profile. The effectiveness of this solution isn't just theoretical, because even Windows NT, 2000, or XP users who run their systems with a tight permission model have been protected all these years from Malware. What makes Vista different is that for the first time it will be practical for everyone to run with tightened permissions.
Malware will have to insert a loader into the user's local startup folder, but that's easily detected and removed even without help from antivirus software. At worst, the user profile will have to be deleted and recreated to remove a piece of Malware. The biggest remaining threat will be to user data, where hackers will try to copy private data or use "ransomware" to encrypt the user's data and demand payment to unlock the files. The locked-down permission model has been the key advantage UNIX, Linux, and Mac OS X have held over Windows, but that's about to change. Windows Vista takes the permission model a step further. Internet Explorer 7 will run in Windows Vista protected mode, which puts IE7 at a lower-than-user permission level. This means that even zero-day IE7 exploits will be contained, because IE7 will not have access to the system or user files.
Vista even offers protection to administrative users, because they are still covered by IE7 protected mode and because administrators no longer run with root permissions by default; admin accounts behave more like sudo. Smart administrators can even allow users to run as administrators but prevent them from escalating unsigned code to root level. This would be the ultimate security model, because only cryptographically verifiable, whitelisted software would be hooked into the operating system with root permissions. One thing that Vista still needs to implement is a way for standard users to install software.
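The containment described in the last two paragraphs rests on Vista's mandatory integrity levels (Low, Medium, High, System) and the "no write up" rule: a process may only write to objects labelled at or below its own level. The model below is an added illustration, not Microsoft's code. The four integrity levels and their RID values are the documented ones; the labels attached to particular paths, the process names, and the file paths are constructed for the example. It shows why a Protected Mode IE7 process (Low) cannot encrypt the user's documents (Medium), why an administrator's ordinary processes (Medium) cannot write system locations, and why a UAC approval, which the example models as `elevate`, is what turns that filtered token into a High-integrity one.

```python
"""Toy model of Vista's mandatory integrity control and the "no write up" rule.
Added illustration, not Microsoft's code. The integrity levels and RIDs are
the documented ones; the path labels, process names and file paths are
constructed for this example."""
from enum import IntEnum
from typing import Dict, List, NamedTuple


class IL(IntEnum):
    """Integrity levels in their documented RID order."""
    LOW = 0x1000
    MEDIUM = 0x2000
    HIGH = 0x3000
    SYSTEM = 0x4000


# Constructed object labels keyed by path prefix. Anything not listed is
# treated as Medium, which is where the user's own profile data lives.
# The High label on C:\Windows is a stand-in for the admin-only protection
# of system locations, so that only an elevated token may write there.
LABELS: Dict[str, IL] = {
    r"C:\Users\alice\AppData\LocalLow": IL.LOW,   # the only place a Low process may write
    r"C:\Windows": IL.HIGH,
}


class Process(NamedTuple):
    name: str
    integrity: IL


def object_label(path: str) -> IL:
    """Longest-prefix lookup of a path's label; unlabelled objects are Medium."""
    best: IL = IL.MEDIUM
    best_len = -1
    for prefix, level in LABELS.items():
        if path.lower().startswith(prefix.lower()) and len(prefix) > best_len:
            best, best_len = level, len(prefix)
    return best


def can_write(proc: Process, path: str) -> bool:
    """No-write-up: a process may write only objects at or below its own level."""
    return proc.integrity >= object_label(path)


def elevate(proc: Process, approved: bool) -> Process:
    """UAC consent: an administrator's filtered Medium token becomes a High
    token only if the prompt is approved; otherwise nothing changes."""
    return Process(proc.name, IL.HIGH) if approved else proc


def blocked_writes(proc: Process, paths: List[str]) -> List[str]:
    """Which of a set of attempted writes the integrity check denies.
    Useful for reasoning about what a compromised process could reach."""
    return [p for p in paths if not can_write(proc, p)]


if __name__ == "__main__":
    ie7 = Process("iexplore.exe (Protected Mode)", IL.LOW)
    admin_shell = Process("explorer.exe (admin, filtered token)", IL.MEDIUM)
    targets = [
        r"C:\Users\alice\Documents\taxes.xlsx",          # user data: Medium
        r"C:\Users\alice\AppData\LocalLow\cache.dat",    # Low scratch area
        r"C:\Windows\newservice.dll",                    # system location: High
    ]
    print("IE7 in protected mode is denied:", blocked_writes(ie7, targets))
    print("admin before elevation is denied:", blocked_writes(admin_shell, targets))
    print("admin after consent is denied:", blocked_writes(elevate(admin_shell, True), targets))
```

The output lines make the post's two claims concrete: a zero-day inside Protected Mode IE7 is limited to the Low scratch area, and an administrator's everyday processes cannot touch the system any more than a standard user's can until a consent prompt is approved.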