Linked by Amjith Ramanujam on Fri 8th Aug 2008 13:14 UTC
Windows This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."
Thread beginning with comment 326214
RE: Bottom Line
by apoclypse on Fri 8th Aug 2008 14:07 UTC in reply to "Bottom Line"
apoclypse Member since:
2007-02-17

The problem with Windows security has nothing to do with the core of the OS. It has to do with the core of MS themselves. MS has trained ISVs and their users to rely on having admin rights even when those rights are not necessary and are actually a detriment to the stability of their system. Windows has a more fine grained permission system than the *nixes but no one uses them. MS tried to rectify the issue with the UAC thing but because of the type of access most applications are asking due to laziness, it fails in so many ways. It becomes annoying and instead of helping security it actually hurts because now the OS has trained users to ignore warnings. I think Ubuntu and OSX handle this much better.

I'm a Linux and Mac user; this is just my preference. However I do think that Windows gets a lot of flak for MS's lack of balls when it comes to telling 3rd party developers to get their damn act together and also for not training users properly from the get go. Something that Apple and Linux distros have been doing for years.

Score: 12

RE[2]: Bottom Line
by fretinator on Fri 8th Aug 2008 14:57 in reply to "RE: Bottom Line"
fretinator Member since:
2005-07-06

> Windows has a more fine grained permission system than the *nixes but no one uses them.


For those who believe Windows to be a multi-user system at the core, log into your Windows box twice as the same user - i.e., run two simultaneous sessions as the same user. Are you there yet? Even different users being logged in at the same time is done with "fast-user switching". The multi-user OS is an illusion. It is a hobby OS meant to keep track of your CDs and home checkbook. The current web-connected computer was not envisioned when it was created. Meanwhile, Unix was serving 1000's of simultaneous user sessions on a single box. Security was paramount from early on. I agree that Microsoft has done a pretty good job of bolting on fine-grained permissions, etc. with the NT kernel. But no matter how you spin it, processes in the Windows world "long to be free" and by nature tend to take over the computer. Only a massive harness-and-strap framework like we see in the Vista OS can try to prevent these processes from running wild. But just like "life" in the first Jurassic Park movie, they always find a way.

Now let's quit arguing, grab a nice BSD kernel, toss a few bucks at the kernel devs, close it all up for profit, and get to crackin' on that shiny new Winders!

Score: 13

RE[3]: Bottom Line
by Wrawrat on Fri 8th Aug 2008 16:28 in reply to "RE[2]: Bottom Line"
Wrawrat Member since:
2005-06-30

> For those who believe Windows to be a multi-user system at the core, log into your Windows box twice as the same user - i.e., run two simultaneous sessions as the same user. Are you there yet? Even different users being logged in at the same time is done with "fast-user switching".


It's an intentional limitation in the customer versions of Windows. Windows Server can easily host multiple sessions with Terminal Services.

The multi-user architecture is definitely there. It's quite misused though.

> The current web-connected computer was not envisioned when it was created. Meanwhile, Unix was serving 1000's of simultaneous user sessions on a single box.


I am looking for the day when that single box hosts so many connections with fully-featured GUIs. Joe Sixpack doesn't want to work with consoles.

Score: 5

RE[3]: Bottom Line
by Bit_Rapist on Fri 8th Aug 2008 16:34 in reply to "RE[2]: Bottom Line"
Bit_Rapist Member since:
2005-11-13

> For those who believe Windows to be a multi-user system at the core, log into your Windows box twice as the same user - i.e., run two simultaneous sessions as the same user. Are you there yet?

No problem. Log into the workstation and hit the Run command off the start menu, use RunAs to launch any program you want with the same account. Done.

> Even different users being logged in at the same time is done with "fast-user switching".

Fast-user switching is only used for multiple logins at the local console. You can connect multiple users remotely including the loading of their entire user profile and desktop without fast user switching. On XP you'll need to hack a DLL as MS imposed an artificial limitation to protect terminal services licenses but the OS is otherwise fully capable of it.

> The multi-user OS is an illusion.

Really? Sure seems to work with thousands of users at the company I work for.

> It is a hobby OS meant to keep track of your CDs and home checkbook. The current web-connected computer was not envisioned when it was created.

The current web-connected computer was not envisioned when any of our operating systems in use today were created. NONE of them. They have all had to undergo changes in order to handle today's connected world.

> I agree that Microsoft has done a pretty good job of bolting on fine-grained permissions, etc. with the NT kernel.

They've been there since the first release of NT, included as part of the original design. It was the home user market moving to NT largely with XP and Microsoft touting the mindset that the user is the administrator that has created a large part of the mess we experience on Windows.

Score: 5

RE[3]: Bottom Line
by kaiwai on Sat 9th Aug 2008 03:50 in reply to "RE[2]: Bottom Line"
kaiwai Member since:
2005-07-06

> Windows has a more fine grained permission system than the *nixes but no one uses them.
>
> For those who believe Windows to be a multi-user system at the core, log into your Windows box twice as the same user - i.e., run two simultaneous sessions as the same user. Are you there yet? Even different users being logged in at the same time is done with "fast-user switching". The multi-user OS is an illusion. It is a hobby OS meant to keep track of your CDs and home checkbook. The current web-connected computer was not envisioned when it was created. Meanwhile, Unix was serving 1000's of simultaneous user sessions on a single box. Security was paramount from early on. I agree that Microsoft has done a pretty good job of bolting on fine-grained permissions, etc. with the NT kernel. But no matter how you spin it, processes in the Windows world "long to be free" and by nature tend to take over the computer. Only a massive harness-and-strap framework like we see in the Vista OS can try to prevent these processes from running wild. But just like "life" in the first Jurassic Park movie, they always find a way.
>
> Now let's quit arguing, grab a nice BSD kernel, toss a few bucks at the kernel devs, close it all up for profit, and get to crackin' on that shiny new Winders!


Just to address the fine grained security you mentioned; there is also the obvious issue of complexity. It's all very nice having things incredibly fine grained, but through this complexity there is the obvious possibility of accidental misconfiguration. There is a line where one can be too flexible to the point that it can be detrimental to the health of the system ;)

Regarding the BSD; I'd love to see a BSD Core + Amiga GUI, then I would be a happy camper. I'd move to it immediately. Too bad it's a pipe dream given the lack of backbone Microsoft has when making decisions. Rather than being decisive like Steve Jobs, they remind me of my grandma as to whether she should buy loose leaf tea now or wait next week to see whether it is on special the following week.

Someone needs to have the backbone to stand up, make a grand vision for the whole company, and push it towards that goal - and those who stand in the way because of internal politics are given some cash, a pat on the bum, shown the door and told "best of luck in an economic downturn".

Edited 2008-08-09 04:05 UTC

Score: 3

RE[2]: Bottom Line
by casuto on Fri 8th Aug 2008 14:58 in reply to "RE: Bottom Line"
casuto Member since:
2007-02-27

> The problem with Windows security has nothing to do with the core of the OS.


WRONG!
Windows security is built into the kernel.

Score: 5

RE[3]: Bottom Line
by 1c3d0g on Fri 8th Aug 2008 22:32 in reply to "RE[2]: Bottom Line"
1c3d0g Member since:
2005-07-06

And I assume you have read the Windows kernel source code to verify this? Oh wait... ;)

I'm not calling you a liar by any means, but saying stuff like this is pointless as nobody here can prove it.

Score: 4

RE[2]: Bottom Line
by hraq on Fri 8th Aug 2008 22:03 in reply to "RE: Bottom Line"
hraq Member since:
2005-07-06

"Windows has a more fine grained permission system than the *nixes but no one uses them."

No one?
I don't think so.
Almost all IT and system administrators apply them.
If you apply Read Write and Execute Permissions to a root folder and a user deletes it you would understand why it should be done.

There are 2 different types of permissions:
1. Share Permissions
2. NTFS (or file system) permissions
Windows has more permissions control than Unix, which is true and Windows is better in this regard but Windows is vulnerable (and buggy recently).

Score: 3

RE[2]: Bottom Line
by kaiwai on Sat 9th Aug 2008 03:41 in reply to "RE: Bottom Line"
kaiwai Member since:
2005-07-06

> The problem with Windows security has nothing to do with the core of the OS. It has to do with the core of MS themselves. MS has trained ISVs and their users to rely on having admin rights even when those rights are not necessary and are actually a detriment to the stability of their system. Windows has a more fine grained permission system than the *nixes but no one uses them. MS tried to rectify the issue with the UAC thing but because of the type of access most applications are asking due to laziness, it fails in so many ways. It becomes annoying and instead of helping security it actually hurts because now the OS has trained users to ignore warnings. I think Ubuntu and OSX handle this much better.


The simple problem is this; when Microsoft don't even code to the standards, how can things improve? I remember when Windows Terminal Services was released and the number of Microsoft applications that broke because they were never designed to run in that way.

Office 2003 on Vista being a recent example of when the licence 'accept/decline' keeps coming up because the settings aren't saved to a global location - why wasn't the installer right at the beginning put into administration mode so that all the necessary system wide things are set - such as accepting the licence?

But this goes beyond just mere security. Windows Vista, for example, not a single application bundled with it uses the new APIs like WPF. Heck, there is still the font dialogue using widgets from circa Win 3.x; not a single bundled application is using the new and safe API calls that have been known about when Microsoft did the big Windows XP SP2 development.

Microsoft needs to lead by example and start ensuring their own products actually work properly instead of getting up and lecturing the world on how 'third parties' were 'slow to release drivers/software'. It looks pretty stupid when an operating system vendor who has the operating system at their disposal can't get their middleware functioning right on it. If they can't get it right, with the Windows source code and documentation in front of them - how on earth can the third parties get it correct?

Score: 1