Linked by Thom Holwerda on Sat 27th May 2006 17:26 UTC, submitted by Ricus
"Windows Vista Beta 2 includes a new defense against buffer overrun exploits called address space layout randomization. Not only is it in Beta 2, it's on by default too. Now before I continue, I want to level set ASLR. It is not a panacea, it is not a replacement for insecure code, but when used in conjunction with other technologies, which I will explain shortly, it is a useful defense because it makes Windows systems look 'different' to malware, making automated attacks harder." On a related note, Microsoft is having difficulties in reaching parity between the 64-bit and 32-bit versions of Vista concerning the number of drivers shipped.
RE[3]: Good news
by elevator on Sun 28th May 2006 19:29 UTC in reply to "RE[2]: Good news"

The problem is things that start up as the current user.
You can hardly define this as a problem - users actually want to be able to define which programs to start up automatically; taking away control of this is (for many people) worse than the cure.

What I meant with my 'only able by administrators'-remark is that as long as malware is constrained to a limited user account, it cannot infect any other part of the system, allowing anyone to easily identify software as either part of the system (outside of any users' profile) or as not a part of the trusted system.

Whitelisting should work through a secure mechanism, such as hashes of system binaries.
This is already done by using sigverif - a program cannot name itself 'lsass.exe' and place itself in %Systemroot%\System32 without sigverif (or SFC) noticing it. Combine this with my above statement and you already have a pretty 'fool-proof' way of determining valid and potential malware.

No! Automatic update is a very very very bad thing. Updates have a habit of breaking things. Especially ones from Microsoft. At least if you teach a user to run MS update once a week, and something breaks, you can narrow down the possible suspects.
Then you configure Windows to automatically download and not install. Still, either way you use it, there is no reason to use IE for automatic updates, which is the thing we were talking about.

No, ActiveX is a framework and an API for allowing executable code to be run from the internet.
Not really - ActiveX is not tied to the internet in any way, it's just a delivery mechanism for a bunch of DLLs and hence in no way better than any other browser plug-in system. Of course it's best known for its "ActiveX Controls" that are enabled by IE, but ActiveX components are also used by many other programs not related to the web in any way, hence 'getting rid of ActiveX' as one suggested would not only be impossible, but also a very, very silly idea.

Whether being able to install executable code on your system using a web browser is a good idea is up for another discussion, just remember that whether one downloads "malicious.cab" and gets prompted twice whether to install something, or someone downloads "malicious.exe" and also gets prompted twice doesn't really matter. If people want to see dancing pigs, they will.


RE[4]: Good news
by rayiner on Sun 28th May 2006 20:17 in reply to "RE[3]: Good news"

You can hardly define this as a problem - users actually want to be able to define which programs to startup automatically, taking away control of this is (for many people) worse than the cure.

No, users don't. At least, average users don't. I've never heard anyone say "can you configure my machine so AIM fills my screen with a page full of ads every time I start up?" It's a feature that Windows developers love, because they're assholes who enjoy torturing their users*, but it's not one that users are clamoring for.

In any case, anything that's locked-down can be unlocked. If a power user really wants crap to start with Windows, he can configure it that way. The average user shouldn't have to put up with more spyware because of it.

it cannot infect any other part of the system, allowing anyone to easily identify software as either part of the system (outside of any users' profile) or as not a part of the trusted system.

Since Windows (currently) doesn't really have any mechanism for separating "trusted" and "untrusted" parts, this really doesn't help. In any case, "it can't hurt the rest of the system" isn't really a good excuse here. We're talking about single-user machines --- if the user's account is compromised, the system is as good as gone. Backing up all the data, nuking the account, and putting it all back, is something that works in a multi-user setting, but is an enormous PITA for a single-user machine. Things like startup items make it more difficult to clean out a compromised account in-place, and should be locked-down by default.

Then you configure Windows to automatically download and not install. Still, either way you use it there is no reason to use IE for automatic updates which is the thing we were talking about.

IIRC, if you want any control over the install process, you're still stuck using the horrible IE interface to Windows Update. My basic point is that auto-anything is not a good alternative to a good update UI.

Moreover, whatever tricks you're talking about won't make sense to the average user (hell, I don't even really know what you're talking about --- I have no interest in becoming a Windows security expert). On a stock Windows machine, the way the user updates the machine is to click the giant "Windows Update" icon in their start menu. This brings them to a shitty IE interface to Windows Update. Microsoft should make this default interface not shitty. That's it.

Not really - ActiveX is not tied to the internet in anyway, its just a delivering mechanism of a bunch of DLLs and hence in no way better than any other browser plug in system.

Other browser plug-in systems require the user to download a program and install it. ActiveX, instead, allows passive installation, with a mere verification at the end. Since the user will always click "yes" to whatever they see, this model is broken.

The simple fact is that installing executable code should not be as automated as ActiveX makes it. It should require conscious action on the part of the user. That's the root of the spyware problem. In Linux and OS X, if a process is running, it was either installed by the user or by the system. In Windows, lots of things (spyware), manage to execute without ever being installed by the system. Hell, how does stuff get into my Add/Remove Programs list if I never "Add"ed it? Microsoft needs to remove the mechanisms by which this installation of executable code happens without the user's intervention. ActiveX is one of those mechanisms, and regardless of whether it has other users, it needs to go. Other OSs get by fine without ActiveX, so it cannot be all that important.

or someone downloads "malicious.exe" and also gets prompted twice doesnt really matter.. If people want to see dancing pigs, they will.

No, there is a distinction between "push" and "pull" application installation. ActiveX allows "push" installation, only requiring the user's consent to complete the install. Other OSs only support "pull" application installation. The latter mechanism isn't fool-proof, but it's far more robust. Users aren't complete idiots, but they do have a habit of not reading dialogs*. "Push" installation like that supported by ActiveX is a huge security risk in the face of such behavior.

Ultimately, the first line of defense in any system is minimizing the vectors through which arbitrary code can be executed. A well-designed system, where there is only one way to get executable code onto the machine with explicit user intervention is far superior to Windows's model, where there are any of a number of ways to get executable code onto the machine.

*) If any Windows developers are reading this and have ever implemented a startup item, systray item, or splash dialog that wasn't absolutely necessary for the survival of the species, that comment is directed at you. Go find an OS X box. Look at how many applications in that OS install crap into the notification area (hint: none). Look at how many applications start up with the system (hint: none). Look at how many applications ask you "do you want to update this piece of crap" when they start up (hint: just Windows ports). Realize that you don't need that shit in your program, and all it does is piss off users.

*) Partially because Windows asks far too many stupid questions and banging "next" and "okay" without reading the (usually pointless) dialog text is ingrained into the behavior of Windows users.


RE[5]: Good news
by elevator on Sun 28th May 2006 21:23 in reply to "RE[4]: Good news"

No, users don't. At least, average users don't. I've never heard anyone say "can you configure my machine so AIM fills my screen with a page full of ads every time I start up?"
Hihi - no they never ask for that particular setup, true ;)

What they do ask for is "Can you make Outlook, Messenger and my stocks watcher start when I turn on my computer?" In order for users to do that, the user has to have control over what their system will and will not start, hence taking this particular feature away is not possible without really affecting a lot of the 'above your (or my) grandma' users ;)

Since Windows (currently) doesn't really have any mechanism for separating "trusted" and "untrusted" parts, this really doesn't help. In any case, "it can't hurt the rest of the system" isn't really a good excuse here. We're talking about single-user machines --- if the user's account is compromised, the system is as good as gone.
You are right - having malware wreak havoc on one's profile is of course disastrous to a user.

However, users are already warned by their browser of choice that the program they are installing is potentially malicious; despite this they choose to install the program anyway - this is the dancing pigs problem and will not be cured by an even heavier message saying a program might be potential malware - they already have that kind of message and they choose to ignore it.

IIRC, if you want any control over the install process, you're still stuck using the horrible IE interface to Windows Update. My basic point is that auto-anything is not a good alternative to a good update UI.
No, fortunately this is not true. On Windows XP you have an option (outside of IE) to either auto install, auto download but choose to install, only notify or don't auto update at all. Look at http://www.updatexp.com/image-files/automatic-updates.gif for a screenshot of this particular UI in XP SP2 (the program is found under the control panel with the name 'Automatic Updates').

The user is also being forced to make this choice (in a slightly different UI with a bit more explanation) upon their first boot after Service Pack 2 is installed, making it very easy and appealing for a user to do the right thing. This automatic update thing really is something the user has made an active choice in.

Other browser plug-in systems require the user to download a program and install it. ActiveX, instead, allows passive installation, with a mere verification at the end. Since the user will always click "yes" to whatever they see, this model is broken.
Actually this is not what happens on a normal XP SP2 install. Upon the viewing of an ActiveX control embedded on a webpage, the user is shown a big yellow bar at the top of their page explaining to them what is going on. The user has to click on this yellow bar to continue. If the user clicks on it, another warning is given - if the control is not digitally signed, a different and more cautious text is displayed telling the user to be very careful. If the user - after these two warnings - then chooses to install the software anyway, all hope is lost anyway.

This is not much different from any other form of software distribution - a simple redirect to a download of an .EXE file will turn up an "Open or Save" dialog, which is the first click. Once the user has confirmed Open and the file is not digitally signed, another warning is shown in IE stating that the file is not digitally signed and warning the user of this.

Basically, whether you use ActiveX or a plain executable doesn't really matter, hence the 'witch hunt' on ActiveX is plain silly.


RE[5]: Good news
by n4cer on Sun 28th May 2006 21:42 in reply to "RE[4]: Good news"

In any case, anything that's locked-down can be unlocked. If a power user really wants crap to start with Windows, he can configure it that way.

This is one of the main problems.

The average user shouldn't have to put up with more spyware because of it.

The user explicitly agreed to run the code in the first place.

Since Windows (currently) doesn't really have any mechanism for separating "trusted" and "untrusted" parts, this really doesn't help. In any case, "it can't hurt the rest of the system" isn't really a good excuse here. We're talking about single-user machines --- if the user's account is compromised, the system is as good as gone. Backing up all the data, nuking the account, and putting it all back, is something that works in a multi-user setting, but is an enormous PITA for a single-user machine. Things like startup items make it more difficult to clean out a compromised account in-place, and should be locked-down by default.

Single-user systems still have the built-in Administrator account which you can log into to do backups/maintenance. Also, internet-originating executables (in XP SP2) are marked such that they require user confirmation each time before executing unless the user disables this notification on a per-exe basis.

IIRC, if you want any control over the install process, you're still stuck using the horrible IE interface to Windows Update. My basic point is that auto-anything is not a good alternative to a good update UI.

Not true. You can configure AU to notify you of available updates, then you can choose which ones you want to install.

Moreover, whatever tricks you're talking about won't make sense to the average user (hell, I don't even really know what you're talking about --- I have no interest in becoming a Windows security expert). On a stock Windows machine, the way the user updates the machine is to click the giant "Windows Update" icon in their start menu. This brings them to a shitty IE interface to Windows Update. Microsoft should make this default interface not shitty. That's it.

The user has to set up AU on their first boot of Windows, so they should already know about it. There's even info about it on the WU/MU sites. If they really want an alternative to the WU website, they have one in AU. Also, as mentioned earlier, in Vista, the AU control panel is now WU and adds functions for invoking manual updates so you don't need a browser to get full access to WU. The website is replaced with the applet.

The simple fact is that installing executable code should not be as automated as ActiveX makes it. It should require conscious action on the part of the user.

In fact AX does require conscious action on the part of the user. The user has to confirm whether they want to run a particular control. They have to click the information bar in IE, choose to run the control, and again confirm its installation. As someone else said, whether it's a cab or an exe, if a user deems the value of the content higher than the risk to security, they will do what's required for the content even if it's made clear that the content is from an untrusted source.

That's the root of the spyware problem. In Linux and OS X, if a process is running, it was either installed by the user or by the system. In Windows, lots of things (spyware), manage to execute without ever being installed by the system. Hell, how does stuff get into my Add/Remove Programs list if I never "Add"ed it? Microsoft needs to remove the mechanisms by which this installation of executable code happens without the user's intervention. ActiveX is one of those mechanisms, and regardless of whether it has other users, it needs to go.

The situation is no different on Windows. If something is in A/RP that you didn't specifically add, it was likely added implicitly as part of an application you did explicitly install.

Other OSs get by fine without ActiveX, so it cannot be all that important.

Other OSes have similar frameworks that seek to solve the same issues as AX.

No, there is a distinction between "push" and "pull" application installation. ActiveX allows "push" installation, only requiring the user's consent to complete the install. Other OSs only support "pull" application installation. The latter mechanism isn't fool-proof, but it's far more robust. Users aren't complete idiots, but they do have a habit of not reading dialogs*. "Push" installation like that supported by ActiveX is a huge security risk in the face of such behavior.

Both mechanisms require the user to take manual steps to initiate the install. AX just saves clicking on a couple of links to hunt down the necessary code. An ignorant user will be compromised in either case.

Ultimately, the first line of defense in any system is minimizing the vectors through which arbitrary code can be executed. A well-designed system, where there is only one way to get executable code onto the machine with explicit user intervention is far superior to Windows's model, where there are any of a number of ways to get executable code onto the machine.

There are many ways to get code on the system in any major OS. Code introduced to Windows systems (XP SP2 and up) must be consented to execute by the user whether it's from a disk or from a network. The problems are whether you can trust the source from which the code was obtained, being able to verify what the code does, and having a user that can make basic trust decisions, especially in the case of having unverifiable code originating from the internet.
