Guest post by “Sunday marks the tenth anniversary of Bill Gates’s trustworthy computing memo, which made securing applications from the ground up a key priority at Microsoft for the first time. The directive followed a period during which Redmond took a sustained shelling over the instability and insecurity of its software, especially in Internet Explorer and Outlook, highlighted by the damage caused by high-profile malware outbreaks such as the rampaging Love Bug, Melissa and Nimda nasties.”
So much for 10 years worth of work. My sister has made a business out of cleaning the infestations off peoples home computers and my niece just got hit by a mail virus last week. Sent out emails to everyone in her outlook address book. They will never secure the system until the are willing to make security priority one, even if it breaks compatibility.
Some of their monumental mistakes, like allowing email to run as admin and execute code, and not enforcing a non-privileged user environment will continue to dog them.
For years, I’ve worked around this mentality with many Windows desktop support personnel and software developers that everyone must run with “Administrator” privileges. You hear, “software XYZ won’t run unless they have administrator rights!”. I’m fairly certain that the lack of usable security in Windows 95/98 contributes to this problem.
This is usually due to the appropriate permissions on directories, files, and/or the Windows registry not being set correctly for plain users. When we’ve brought this is up in the past, there is either a lack of understanding or just laziness on the desktop support side.
While things are slight better than 10 years ago, until you enforce and change this view, a lot of malware will continue to infect/compromise PCs at the system level. Perhaps, with Windows 8, this will finally change?
That will not be fixed in Windows 8. It got fixed in Windows Vista! That was the main reason for User Account Control (UAC).
Actually, nothing was broken in the first place in the operating system as it was perfectly possible to work as a normal user in Windows 2000 and Windows XP but Vista made it easy to change into admin mode when needed only. As you could see from all those popups UAC threw there were just a lot of applications that required admin rights for no good reason except “easier for the developer that only runs/tests as admin anyway”. The worst example of requiring admin-rights for no good reason is to double-click on the clock in XP (SHOWING the time+date actually required admin rights)
As I said, this got fixed in Vista because people complained about too many UAC-prompts and all developers finally started to test software as a normal user.
MS announced Trusted Computing and put a ton of work into it. But until they change their perception of the trade-off between security and usability, Windows will continue to have security issues.
Examples — Today you plug an unknown USB stick or DVD into your computer, and Windows eagerly runs whatever program happens to be on there via autorun. Another example of this, Outlook has message Preview on by default. These simple examples show how MS weighs security vs user-friendliness. Their defaults are wrong if security is the goal.
Actually it didnt. While the OS itself may not have had problems, software did. I have run into countless software including some from Microsoft themselves that does not work correctly without being the admin user. Microsoft also failed miserably to promote this standard to all the developers out their.