“Windows Vista Beta 2 includes a new defense against buffer overrun exploits called address space layout randomization. Not only is it in Beta 2, it’s on by default too. Now before I continue, I want to level set ASLR. It is not a panacea, it is not a replacement for insecure code, but when used in conjunction with other technologies, which I will explain shortly, it is a useful defense because it makes Windows systems look ‘different’ to malware, making automated attacks harder.” On a related note, Microsoft is having difficulties in reaching parity between the 64-bit and 32-bit versions of Vista concerning the number of drivers shipped.
This would be good for everyone: people who will be using Vista, and even Linux and Mac OS X users, who will see less spam in their inbox because fewer Windows machines will get pwned…
except
I learnt a long time ago: NEVER believe things from a random blog site.
It’s not exactly a *random* blog site, though – blogs.msdn.com only (I think) has blogs of Microsoft employees.
If there’s ample RAM this would be good, but if there isn’t then this would reduce performance by fragmenting memory. What’s worse is that either the memory space allocated will have to have uniform block sizes, or the OS is also going to have to find unoccupied spaces that are big enough for the memory blocks being allocated. The security advantage seems good, and hopefully, for the sake of Vista users, Microsoft has also worked this out so there’s a minimum impact on performance.
I’m just a little concerned that a map of the RAM usage could end up looking very much like (or worse than) a map of a FAT32 partition that’s long overdue for defragmentation. The security benefits could outweigh any performance speed decrease, especially if the speed decrease is too negligible to be noticed.
The address space layout operates on virtual addresses, not physical addresses. As such, they are already allocated using uniform block sizes (the system page sizes), and the physical memory map is already fragmented. Fragmentation in the physical memory map doesn’t matter a lot*, however, since the page tables can make discontiguous chunks of physical RAM appear as contiguous chunks in the virtual memory space (with no performance hit, except that imposed by the MMU mechanism to begin with).
*) For applications, anyway. Drivers can require large amounts of contiguous memory for buffers that need to be DMA’d to hardware, a process that usually bypasses the CPU’s MMU.
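As an added, constructed illustration of the point above (it is not code from anyone in this thread), here is a toy model in C of what the page tables do: a region gets a randomized, page-aligned virtual base (the ASLR part from the article) and is backed by randomly chosen, non-adjacent physical frames, yet every virtual address inside it still translates, and the only granularity the OS has to work at is the page. The page size, frame count, the LCG, and the names region_t, region_map, region_translate and region_physically_contiguous are assumptions of the example, not of any real kernel; real page tables are multi-level, this one is flat.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE  4096u   /* toy page size, same as x86 */
#define NUM_FRAMES 64      /* toy physical memory: 64 frames = 256 KiB */
#define NUM_PAGES  8       /* size of the region we map, in pages */

/* One mapped region: a randomized virtual base plus a flat page table.
 * Real page tables are multi-level; this single-level table is a toy. */
typedef struct {
    uint64_t base;          /* page-aligned virtual base (randomized, ASLR-style) */
    int frame[NUM_PAGES];   /* page table: virtual page number -> physical frame */
} region_t;

/* Deterministic LCG (constants from Numerical Recipes) so results are reproducible. */
static uint32_t rng_state;
static uint32_t rng_next(void) {
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state;
}

/* Build the mapping: choose a random page-aligned base, then back each
 * virtual page with a distinct, randomly chosen physical frame. */
void region_map(region_t *r, uint32_t seed) {
    int pool[NUM_FRAMES];
    rng_state = seed;
    /* ASLR: the base is random, but only at page granularity (low 12 bits are 0). */
    r->base = 0x10000000u + (uint64_t)(rng_next() % 4096u) * PAGE_SIZE;
    for (int i = 0; i < NUM_FRAMES; i++) pool[i] = i;
    /* Partial Fisher-Yates shuffle: pick NUM_PAGES distinct frames from the pool. */
    for (int i = 0; i < NUM_PAGES; i++) {
        int j = i + (int)(rng_next() % (uint32_t)(NUM_FRAMES - i));
        int t = pool[i]; pool[i] = pool[j]; pool[j] = t;
        r->frame[i] = pool[i];
    }
}

/* Translate a virtual address. Returns 1 and sets *paddr on success,
 * 0 for a "page fault" (address outside the mapped region). */
int region_translate(const region_t *r, uint64_t vaddr, uint64_t *paddr) {
    if (vaddr < r->base) return 0;
    uint64_t off = vaddr - r->base;
    uint64_t vpn = off / PAGE_SIZE;
    if (vpn >= NUM_PAGES) return 0;
    *paddr = (uint64_t)r->frame[vpn] * PAGE_SIZE + (off % PAGE_SIZE);
    return 1;
}

/* Do the frames backing this region form one contiguous physical run? */
int region_physically_contiguous(const region_t *r) {
    for (int i = 1; i < NUM_PAGES; i++)
        if (r->frame[i] != r->frame[i - 1] + 1) return 0;
    return 1;
}

/* Are all frames distinct (no two virtual pages share physical memory)? */
int region_frames_distinct(const region_t *r) {
    for (int i = 0; i < NUM_PAGES; i++)
        for (int j = i + 1; j < NUM_PAGES; j++)
            if (r->frame[i] == r->frame[j]) return 0;
    return 1;
}

int main(void) {
    region_t r;
    region_map(&r, 7);
    printf("virtual base 0x%llx (page-aligned)\n", (unsigned long long)r.base);
    for (int i = 0; i < NUM_PAGES; i++) {
        uint64_t v = r.base + (uint64_t)i * PAGE_SIZE, p = 0;
        region_translate(&r, v, &p);
        printf("  vpage %d at 0x%llx -> frame %2d (phys 0x%llx)\n",
               i, (unsigned long long)v, r.frame[i], (unsigned long long)p);
    }
    printf("physically contiguous: %s\n",
           region_physically_contiguous(&r) ? "yes" : "no");
    return 0;
}
```

Running it prints one line per page: the virtual addresses step by exactly 4096 while the frame numbers jump around, which is the "discontiguous physical RAM looks contiguous to the program" point. Two different seeds give two different bases, which is all ASLR adds on top of the translation that was already there.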
Seems a bit shifty to me.
Linux had this implemented a long time ago. The true name for address virtualization is: PaX. And don’t forget about RICE! Vista does not impress me at all!!
Why, every time Windows implements something, do some Linux and Mac fans always say “Linux or Mac had this a long time ago”?
When Linux or Mac has something new, no one notices, but when Windows takes it, everybody starts talking about it.
Imagine if Windows took the best of Linux and Mac and implemented it in the OS? Then there would be no excuse to use Linux and Mac.
Are you scared?
Well, imagine if Gnome implemented all the great stuff from Windows and OSX!
See, it would be nice, but it ain’t going to happen. MS is not going to produce a highly customizable operating system, Apple is not going to open-source OSX, Linux is not going to develop native compatibility with Windows binaries, and several dozen other things that would probably be nice are simply not going to happen, because they’d drain too much effort from other things, they’d be obsoleted by the time they were complete, they might turn out to produce problems outweighing their advantages, or they’re simply not possible.
Edited 2006-05-28 02:09
Ignorance doesn’t surprise me anymore.
Why, every time Windows implements something, do some Linux and Mac fans always say “Linux or Mac had this a long time ago”?
It’s mostly because with every such implementation MS uses words like revolutionary, novel, unique, first time, and you name it. And when they say Linux et al. had this a long time ago, they just point out MS’s speed, which for them is nothing new, yet most Windows fanboys just don’t really think it’s important. But it is.
When Linux or Mac has something new, no one notices, but when Windows takes it, everybody starts talking about it.
Yes, because “new” features on Windows get plenty more advertising (e.g. news sites, etc.). And the fact that Windows fanboys don’t know about a long-existing feature won’t make that feature less significant.
If you don’t get mad at MS and news sites bragging about “novel” features which you supposedly know are nothing novel in reality, then why do you take it as an offence when people point out that these are indeed not novel? Oh, forget I even asked.
It’s mostly because with every such implementation MS uses words like revolutionary, novel, unique, first time
Actually, I think they do it just to evangelize, for no other reason than because it bugs the shit out of them that everybody is not using *their* OS. Thing is (at least for me anyway), their proselytizing has the exact opposite effect as what they intended. It’s like a Bible thumper who gets in your face and won’t shut the f**k up. I just don’t care to listen to anything they have to say simply because they are so annoying.
If you don’t get mad at MS and news sites bragging about “novel” features which you supposedly know are nothing novel in reality
I did read most of the first article (couldn’t pull up the second one) and I saw absolutely no mention whatsoever of this feature being ‘novel’ or ‘innovative’.
then why do you take it as an offence when people point out that these are indeed not novel?
We don’t – it just gets old after a while. Imagine if, when articles were posted in the past few years about Linux getting features on the desktop that other operating systems have had for over a decade, every other comment was ‘But OS xyz had this feature eons ago ..’; eventually, you’d just want them to go away.
In other words, I don’t give a good goddamn if every new feature going into Vista has been in Linux (or any other OS for that matter), so give it a rest already.
Edited 2006-05-28 16:49
Linux had this implemented a long time ago
When Linux implements SuperFetch, ReadyDrive, and ReadyBoost (http://www.microsoft.com/windowsvista/features/foreveryone/performa…) analogs, will you come back and yell about how they are ripping off MS? What an odd ‘argument’ to make.
“OMG MSDOS 1.0 used X86 architecture 11 years before Linux, Linux does not impress me at all!”. For gosh sakes, Linux is an OS based entirely on being derivative, even in its name, of UNIX.
When Linux implements SuperFetch, ReadyDrive, and ReadyBoost analogs
SuperFetch is just image pre-loading coupled with process accounting data mining. The first system it appeared in was, IIRC, CP/V from Scientific Data Systems. IBM used to sell an add-on for MVS that would do the same thing. This ain’t “new”, it’s just coming to PCs for the first time.
ReadyBoost is just auto-mounting removable swap media. I believe that’s been around Unix since the first automounter, which was, IIRC, introduced about 15 years ago. It’s certainly been around Linux for a few years.
ReadyDrive is a good example of getting too specific in an implementation. Suspend to NVRAM has been around nearly as long as NVRAM has been around. Taking advantage of it in a hybrid drive is NoBigDeal(tm).
Linux isn’t particularly innovative, but these three things are more examples of CamelCased MarketingSpeak than they are of AnythingNew.
😛 . No arguments that the names are definitely Madison Avenue. No crime there though.
Superfetching is not quite the same as what you are describing from 30 years ago. SuperFetch tailors application pre-caching on a per user basis, based on how the OS learns of your individual usage over time. It also adds the ability to do this in external storage, like USB (see below).
I’m no linux guru, but I can’t find any docs that state how to have an automounter create a dynamic USB based swap file without requiring any configuration by the user (I’m going off http://www.linux-consulting.com/Amd_AutoFS/autofs.html, but there’s probably a better reference out there). I’d say ReadyBoost as implemented in Vista is not possible in Linux or anywhere else. Yet.
The hybrid drives used by ReadyDrive have just been invented by Samsung – suspending to NVRAM on a disk has never existed before. Disk caching has been around forever for speeding up writes, but not with any way to suspend power and hold it indefinitely.
All three of these things are certainly new – in the sense that nothing is ever new, it’s just a new twist on an old idea that works far, far better than ever before. Linux lives by that concept – nothing totally new, just a new take on an old idea.
Open your miiiiinnd, Quaaaaiiiiddd. 🙂
Actually, both the CP/V and MVS tools tailored application pre-caching on a per user basis based on OS data mining; although in those days, we called it “job scheduling pre-optimization.”
You solve the USB problem with a hotplug script, or at least I do.
Disks with NVRAM have existed in the past. I’ve used them in high availability applications, although the NVRAM was accomplished by battery-backed RAM rather than flash.
All Samsung has done is change the packaging so that the NVRAM is in the same physical housing as the disk drive. In the past we put it in the housing with the controller.
And I’ll believe “far, far better” when I see real numbers.
In those days is right. You are sounding really, really old now. 😛 J/K. I’d love to see more on how the old 1970’s mainframes did it. Got any docs? Totally makes sense, since there was only one computer for everyone to share. I wonder why it took 30 years for the next iteration to occur?
Hotplug script? Tell me more.
I think you’re confusing high availability with laptop performance. Yes, there are plenty of RAID controllers that try to protect the write cache data, that’s old news. This system is designed for keeping performance-critical data from having to be written exclusively to disk when the system is off in order to make use of it more quickly when resuming a laptop system. This has never been done this way before (including what you said about this previously being the realm of a controller, but much more than that). Any reliability improvements are coincidental.
All three of these new implementations are about performance primarily in the laptop space – machines starved for memory and users needing to resume from closure faster. Pretty much everything you have described is for Mainframe reliability. I know you think it’s not new, but it is (see previous post about new twists on old ideas).
Good chat though, interesting. I still want to hear about the hotplug script.
I wonder why it took 30 years for the next iteration to occur?
The industry transitioned from mainframe to minicomputer to workstation to desktop. The transitions came too quickly, until this one, for a lot of the software technology to make the leap. It is, in part, because the desktop has been around so long without an equivalent transition to a “next generation” that the old technologies are starting to be revived.
The other part is that performance of desktops has finally caught up with performance of high end systems from twenty years ago, so people are now facing similar problems — although, as you point out, with a twist.
Hotplug script? Tell me more.
The script takes the hotplug event for removable media attachment, filters on “is this a swap partition”, and invokes swapon if it is. It’s a trivial variation on the hotplug script that automounts a removable device when the device attaches.
I think you’re confusing high availability with laptop performance.
Hardly. I’m fully aware that the reason for solving the problem is different. Doesn’t make the solution technology different though. The Microsoft thing is merely a variant on “suspend to NVRAM” – which PDAs have had since they’ve had NVRAM (cf. PalmOS Garnet’s “NVFS”) – that happens to use a device where the NVRAM is in the same package as a disk drive.
The technology is definitely not new. The application is more widespread, but it’s not new either. (We’ve been suspending system parameters to NVRAM and then restarting for a long time.)
All good points.
The hotplug script is nifty, I’ve never heard of anyone using a USB drive as a ‘memory boost’ on starved Linux systems.
I still argue in the desktop/laptop space though, the use of a hybrid drive is a new direction – PDA’s didn’t have hard disks, they only had NVRAM/flash disks/<insert solid state memory of choice>, so they are not RAM-platter hybrids using this technology for fast resumption; they are using it for their existence as a storage mechanism. I’m going down fighting on this one! 🙂
Good chat Cloudy.
Edited 2006-05-29 23:36
I still argue in the desktop/laptop space though, the use of a hybrid drive is a new direction
It is... for Samsung.
If Vista were my OS, I’d do the general suspend/resume to NVRAM, and treat the Samsung drive as a special case.
It’s been fun
I don’t think PaX is “included by default”. Yes, PaX is a great piece of kernel patch, but still it is not on by default.
So for now, OpenBSD and Vista impressed me since they have the guts to put it in their base system, unlike Linux.
Very nice. I am not a Microsoft fan (don’t use MS products), but what they are doing there is good.
I think it will be very hard for them to transform everything to use that kind of functions, but at least they are trying.
About the 64-bit drivers:
Phuu… This is something I don’t understand. They have now been working years and years on Vista and they still have not managed the driver part (+/- 6 to 8 months before delivery? And the article does mention drivers in storage and networking. This is amazing! Do they not have proper project management and escalation?). I recognize that they are not the only ones to blame for this situation, but they are one part of the problem. It would interest me where exactly they have failed. I mean: Was it the lack of 64-bit hardware, was it a problem in communication with the hardware producers, was it a problem in the availability of a 64-bit Windows, etc… ?
The statement: … the company (MS) was currently being let down by some hardware vendors … is too general a statement. What does that mean?
I hope they have learned something from that issue and are now improving their process regarding the drivers.
Anyway… Barry Gough is correct. I think there are far more 32-bit systems out there than 64-bit systems (where Windows will run as the main OS).
This statement surprises me: However, in order for manufacturers to get a “Windows Vista Capable” logo on their product, they must produce 64-bit drivers, which will be a powerful incentive for new products, he said. Microsoft also unveiled a “Vista Get Ready” web site today which allows you to test the hardware in your PC and see whether it is supported in Vista.
WOW! Every manufacturer who wants the “Windows Vista Capable” logo needs to produce 64-bit drivers? This is heavy. Microsoft is very demanding. If they would introduce “Windows Vista 32-Bit Capable” and “Windows Vista 64-Bit Capable”, then I am sure that a lot of manufacturers would avoid producing 64-bit drivers. But I guess Microsoft knows how to put manufacturers under pressure.
The driver problem, from the manufacturers side, is most likely due to bad practices from their programmers, or their managers (or lack of them).
Practices that make it hard or impossible to maintain the drivers properly.
Not having 64-bit drivers for a part of the hardware is somewhat not MS’s “mistake”, since they’re practically the only OS company that doesn’t write their own drivers, since every device maker will produce the drivers for them, for a very simple reason: don’t write a driver, and be unusable to 90% of the market.
This works well when you’re the dominant OS..except if you want drivers to be written for 64 bits platforms, since those are just a fraction of the 32 bit market (for which the onus could partly be said to be with Microsoft, since they didn’t exactly encourage people to switch).
the company (MS) was currently being let down by some hardware vendors
Well, it won’t hurt them to see a tiny bit of the difficulties open source OS coders have been facing for long, long years. Still, I can imagine that at MS the wording “being let down” doesn’t exactly mean no drivers at all, but mostly drivers with problems which those hw vendors have trouble correcting.
Now why the heck isn’t stuff like this DEFAULT in the Linux kernel?
(No, I am never going to shut up about Linux security, not until the devs stow their stupid “we are teh invulnerable” attitude.)
Linux had this implemented a long time ago. The true name for address virtualization is: PaX. And don’t forget about RICE! Vista does not impress me at all!!
Looking at it that way, not many things can impress anyone today. A lot of “new” stuff today is nothing more than old things in new clothes.
I myself use Linux and use the various stuff available for Linux to protect me against exploits. But you have to understand that Microsoft is something else. They can’t just easily enforce stuff in that area. There are a gazillion applications and drivers which would not work any more if they enforced it.
And why would they not magically work? Why are they not using the page-lookup-table?
(No, I am never going to shut up about Linux security, not until the devs stow their stupid “we are teh invulnerable” attitude.)
This is not about Linux here! It’s about Windows. (No, I am not a Windows user. I am a Linux user.)
Allow me to ask you, where do the Linux kernel developers have this (stupid) attitude of “we are the invulnerable”? If you had mentioned OpenBSD, then I would agree (not that they are stupid, but they have this “we are the invulnerable” attitude).
MAC not implemented by default in any form in common distros. Protection against forkbombs via PAM not used by default in any distros I’ve seen. PaX barely used by anyone, not stable with current kernels on architectures other than x86. Buffer overflows all over the place – VMS and several UNIXes have measures against those.
I’m not saying that Linux is a badly designed kernel, or that distros are poorly designed, or even that Linux is insecure; I just think that kernel devs and (much moreso) distro maintainers need to realize that Linux can have security issues, and will have more as it gets more popular. Developers aren’t just sitting there, sure, but I think a bit more needs to be done than just patch up vulnerabilities – innate measures against more common types of vulnerabilities (e.g. buffer overflows) are a good idea.
(BTW, while we’re at it… Why do all criticisms of Linux get modded down? Trollish “zomg linux sucks” ones deserve it, but it seems to me that criticisms which don’t constitute trolling lose points very often.)
“Trollish “zomg linux sucks” ones deserve it, but it seems to me that criticisms which don’t constitute trolling lose points very often”
it isn’t just linux, but criticism of just about any OS can get you modded down by some fanboy of said OS. I got modded down the other day for saying solaris is slow at compiling apps, and I actually _like_ solaris… (I just tend to prefer linux).
like someone else pointed out, the moderation system, while it can be fun, does unfortunately tend to encourage being overly conservative and cautious in your statements for fear of getting bad votes.
I agree, it’s a pity some folks can’t distinguish between criticism and trolling.
I don’t know what world you live in but this:
No, I am never going to shut up about Linux security, not until the devs stow their stupid “we are teh invulnerable” attitude.
is not “criticism”. It’s just as bad as your own words “kernel devs and (much moreso) distro maintainers need to realize that Linux can have security issues, and will have more as it gets more popular” since you just simply state Linux devs are ignorant folks with no grip on reality.
I guess Fedora isn’t a common distro, as it has MAC (SELinux) implemented by default and I believe other security features as well. Not to say they are perfect, as there is still no extremely easy to use GUI for managing the firewall, and thus, most people seem to have it disabled. I’m hoping the next version of Ubuntu gets a lot of these vital security features enabled as well, such as SELinux and a good firewall application; I believe it’s on the roadmap for Edgy.
as there is still no extremely easy to use GUI for managing the firewall, and thus, most people seem to have it disabled
Try Firestarter.
I just think that kernel devs and (much moreso) distro maintainers need to realize that Linux can have security issues, and will have more as it gets more popular.
It kinda depends on what distribution you are using. E.g. Red Hat is pretty proactive when it comes to security:
http://www.redhat.com/magazine/006apr05/features/security/
http://www.redhat.com/magazine/009jul05/features/execshield/
Unless you think FC5 isn’t a common distro flavor. It has RBAC (SELinux) instead of BAC and enabled by default (targeted policy). Unless you think SuSE Linux isn’t a common distro. It has AppArmor included.
Practices that make it hard or impossible to maintain the drivers properly.
But who is maintaining the drivers? Microsoft or the manufacturer?
I think if the manufacturer maintains the drivers, then he knows very well that hardware without the drivers is useless.
Now if the manager is not recognizing the need for 64-bit drivers (and assume there is a real need for 64-bit drivers), then it’s okay that they are not producing the drivers, since it looks like they are not real businessmen and it’s better they get out of the business today than tomorrow (I hate nothing more than hunting (unsuccessfully) the net for drivers of hardware which is >=3 years old).
Yeah, I agree, blogs are people’s personal accounts. And this one, from an employee of Microsoft, would be, let’s say, tainted.
If the author gave too much truth, then he would be an ex-employee
It looks like Microsoft is definitely taking some good measures to make Windows Vista less of a sieve than previous versions.
I just got back from spending an hour and a half getting spyware off someone’s machine. Those damn spyware kiddies are getting more clever by the day, and it seems to me like Microsoft is doing, at least as of Windows XP, everything they can to make the lives of spyware writers easier. I’ve got a list of a few things I wish they’d implement to make the lives of “friendly neighborhood computer geeks” easier.
1) Lock down startup items. A lot of spyware and adware depends on Windows starting it up via a registry key. Locking down the startup items once the machine is set up by the vendor would prevent such programs from getting started. Then, in order to get a program to run each time at startup, the spyware wouldn’t just have to compromise the user’s account, but would have to compromise the system account as well.
2) Visually segregate system tasks (and perhaps vendor-added daemons identified by a whitelist) from system tasks. Most users don’t know how to use the process manager, but looking for unusual running processes in the Task Manager is a key tool for people trying to root out spyware. Identifying system tasks clearly would make it harder for spyware that tries to hide behind a process name that makes it sound like it’s part of Windows.
3) Make Windows Update stop sucking. Keeping Windows updated is crucial for security. An updater application that is as confusing and obtuse as Windows Update is not conducive to getting users to stay on top of patches. Basically, just copy Apple’s or Ubuntu’s update tool. Make it a separate application, as Internet Explorer is an insecure piece of shit that shouldn’t be running on a ‘secure’ Windows machine. Make scanning for updates fast — as it is it takes too long even with a fast internet connection. Never make the user update the update application first before actually doing the update. All the updates should install at once, and there should only ever be one reboot during the whole process (at the end). Multi-phase updates, such as those required when installing a service pack, are crap. If Apple can install OS X 10.x.y in the same go as the other security patches, Microsoft can do the same thing with service packs.
With a good update tool, the whole process should be doable in only two or three clicks — one to open the tool, and one to initiate the update, and maybe one to perform the reboot. It should not require any reading! Windows Update is horrible in this regard — the user has to wade through a web-page full of text to choose the correct option. In OS X, all the user has to do is read the big, pulsating blue default button. As a side note: explanatory text is generally useless, and Windows uses it far too often. If something cannot be explained in a sentence or two, then newbie users won’t understand it, and advanced users will know it anyway.
4) Ditch ActiveX and remove the ability to add custom toolbars to Internet Explorer. At least by default. Nobody really *needs* Yahoo toolbar, and if losing it is the price of not getting a call from my mother asking how to remove a pornographic toolbar that installed itself onto IE, well, so be it.
5) Lock down the system tray after the vendor sets up the machine. If developers can’t make useful systray apps (and they have generally proven they cannot), instead just making annoying ones, then remove the ability so at least spyware writers cannot use it maliciously. If locking down the systray is too much to ask, at least allow tracing a systray icon to an executable process, and provide a mechanism for blacklisting the offending process.
6) Make a firewall that’s easy to use, and block everything by default. I want to be asked “would you like to allow the application Firefox to access the internet?” not, “do you want firefox.exe to be allowed to make outgoing TCP/IP connections?”
7) Lock down application installation. Get rid of installer executables, and make a standard installation package format that the system can verify and track. When I click “uninstall” in Add/Remove programs, I do not want the system to hand control over to the adware’s uninstaller! I want it to hunt down every single file that program ever created, secure wipe it from the disk, and send threatening letters to its creator! Do not make c:/windows writable to even the system user (spyware and viruses like to hide things in c:/windows/system). There is no reason anything but Windows Update should be writing to that directory (yes, that means moving cache and prefetch files to a less stupid subdirectory). Don’t allow anything but the official installer task to write to c:\program files. If allowing users to run applications from their desktop is deemed necessary, prompt the user about it, and start the application in a secure sandbox with only the ability to write to a temporary directory (which has executable permissions turned off).
As someone who doesn’t use Windows anymore, I couldn’t really care less if Vista is all it is cracked up to be. However, as someone who is stuck supporting Windows for other people, I hope to god that Microsoft takes security seriously in the next release…
1) Lock down startup items.
Yes.
2) Visually segregate system tasks
Yes.
3) Make Windows Update stop sucking.
Hell yes.
4) Ditch ActiveX and remove the ability to add custom toolbars to Internet Explorer.
Meh.
5) Lock down the system tray after the vendor sets up the machine.
I don’t see why, as long as applications are managed better system-side.
6) Make a firewall that’s easy to use, and block everything by default. I want to be asked “would you like to allow the application Firefox to access the internet?” not, “do you want firefox.exe to be allowed to make outgoing TCP/IP connections?”
Oh god yes.
7) Lock down application installation. [snip]
Wow, you read my mind. This one is exactly how I imagine application-management. This is the one big mistake MS made with ’95 that was the most damaging.
1) Lock down startup items.
I agree – Windows has way too many places where you can configure items to run at startup. Fortunately, most of these items need administrative permissions to configure themselves, so basically not running as an administrator makes it a lot easier on anyone.
2) Visually segregate system tasks
Whitelisting is a bad idea – there is nothing preventing someone from naming their executable ‘lsass.exe’ for example. A better way is to not run as an administrator – that way you can pretty much safely assume that all executables from %Systemroot% and %ProgramFiles% (and downwards) are safe.
Then you can use ‘tasklist /v’ on a command prompt to safely identify programs which do not run from any of those configured locations (e.g. the user profile).
3) Make Windows Update stop sucking.
…
Make it a separate application, as Internet Explorer is an insecure piece of shit that shouldn’t be running on a ‘secure’ Windows machine.
Windows Update already is a separate application – just open up your control panel and navigate to ‘Automatic Updates’ – it allows you to configure Windows to fully automatically update itself without using IE.
This feature has been implemented ever since the first version of Windows XP.
Better even – since the introduction of XP SP2 (either an install on a pre-SP2 system or a fresh SP2 install), a user is forced to explicitly tell the system to not autoupdate upon first boot of the system.
4) Ditch ActiveX
ActiveX is nothing more than an executable – nothing more than any other program being able to run. Saying IE should ditch ActiveX is like claiming Windows should ditch EXEs – it makes no sense and doesn’t cure the actual problem.
Ever since SP2, running ActiveX controls for the first time makes people jump through several hoops – if people still choose to ignore it (and run as an administrator), people basically screw themselves.
5) If locking down the systray is too much to ask, at least allow tracing a systray icon to an executable process, and provide a mechanism for blacklisting the offending process.
I agree – not being able to trace easily which systray icon belongs to which process is very annoying.
6) Make a firewall that’s easy to use, and block everything by default.
I agree.
7) Lock down application installation. Get rid of installer executables, and make a standard installation package format that the system can verify and track.
Good idea. Let’s call it something like Installer or something but prefix it with Microsoft’s brand name.. Microsoft Installer.. MSI .. sounds about right now, doesn’t it?
Do not make c:/windows writable to the even the system user (spyware and viruses like to hide things in c:/windows/system). There is no reason anything but Windows Update should be writing to that directory (yes, that means moving cache and prefetch files to a less stupid subdirectory).
Normal (non-admin) users don’t have the privileges to write to the Windows directory. IE Cache isn’t written to the Windows directory – it’s written in the user’s profile.
Whitelisting is not a bad idea, if you combine it with digital signatures. Here is an example: All Windows services are signed with a cert from MS, and the public key for that cert is stored in the whitelist. I know this is not a perfect solution but it at least eliminates the rename problem.
PS: I’m not a PKI expert nor an expert on encryption, so if I’m wrong please tell me.
If you feel the need to mod me down, go ahead but drop me a comment telling me why, so I can avoid the same mistake(s) again.
Or ship Vista with gpg/md5 and let the installer mandatorily check all the signatures. Which is second nature in the Unix world. The only download sites that have Windows apps too with verifiable signatures are sites like SourceForge.
Or ship Vista with gpg/md5 and let the installer mandatorily check all the signatures. Which is second nature in the Unix world. The only download sites that have Windows apps too with verifiable signatures are sites like SourceForge.
Most (if not all) Windows system files are digitally signed; just run ‘sigverif’ on your XP box to create a report on whether they are still valid.
Most (if not all) Windows system files are digitally signed; just run ‘sigverif’ on your XP box to create a report on whether they are still valid.
That’s true. However, I meant the MS culture is a bit different from the Unix world regarding the download and install of 3rd party apps. Ever saw ZDNet or other popular Windows sites publish gpg public keys or md5 checksums to increase the package integrity? :)
Whitelisting is not a bad idea, if you combine it with digital signatures.
Well, that would ‘reserve’ some filenames specific to Microsoft and that would be a very bad idea.
Imagine Microsoft creating a new picture program, naming it “Windows Picture” – wp.exe for friends – imagine WordPerfect liking it that its program is now being flagged as malicious …
“Reserving” some filenames as specific to Microsoft (actually, specific to the vendor-installed suite of software) is exactly what is desired here. You need some way of segregating potentially malicious software from known-safe software.
An executable called ‘wp.exe’, if it’s not part of the system, is potentially malicious software. It should be flagged as such, regardless of whether it hurts Corel’s feelings…
“Reserving” some filenames as specific to Microsoft (actually, specific to the vendor-installed suite of software) is exactly what is desired here. You need some way of segregating potentially malicious software from known-safe software.
A system is already in place for identifying an author – an executable can define a vendor in a resource record and this will be viewable from the default Windows shell. Unfortunately – this vendor string can be chosen by the author of the program so it is not tamper-proof.
Of course, this means that using filenames for distinguishing between ‘Microsoft’ and non-Microsoft programs is far from tamper-proof either: filenames are also programmer (vendor) chosen and hence ultimately unreliable.
Flagging executables as trusted or not trusted is best done using digital signatures which can be led back to an actual physical author – Windows allows for this already in their driver model and this should be possible in the normal executable model as well.
I’m not saying filenames should be depended on to distinguish trusted from non-trusted executables. I said that trusted and non-trusted executables should be distinguished. How Microsoft implements this, I really don’t care.
Fortunately, most of these items need administrative permissions to configure themselves so basically not running as an administrator makes it a lot easier on anyone.
The problem isn’t things that start up as the system user. The problem is things that start up as the current user. Ultimately, the startup item list is stored in a registry sub-tree, and protected via registry permissions. Users have the right to write into their local subtree, which means that spyware can modify per-user startup items, even if the user is not running as an administrator. This gives spyware a way to be restarted when the system restarts, without having to compromise any system binaries. True, the spyware cannot damage any system files, but that’s no consolation to the user who is stuck with some program recording their credit card numbers in the background!
Whitelisting is a bad idea – there is nothing preventing someone from naming their executable ‘lsass.exe’ for example.
Whitelisting should work through a secure mechanism, such as hashes of system binaries.
Windows update already is a separate application – just open up your control panel and navigate to ‘Automatic Updates’ – it allows you to configure Windows to fully automatically update itself without using IE.
No! Automatic update is a very very very bad thing. Updates have a habit of breaking things. Especially ones from Microsoft. At least if you teach a user to run MS update once a week, and something breaks, you can narrow down the possible suspects. With an auto-update mechanism, an update can break things silently without the user ever knowing. There is a reason neither OS X nor any variant of Linux auto-update by default. Messing around with the user’s setup behind their back is a big no-no!
ActiveX is nothing more than an executable – nothing more than any other program being able to run.
No, ActiveX is a framework and an API for allowing executable code to be run from the internet. Executable code should not be run from the internet. There is no good reason for it. Unfortunately, some people have decided to use ActiveX controls for things like banking sites. That’s the thing about poorly thought-out OS features — eventually someone important will use it, and then you can’t turn it off like you should. Getting rid of ActiveX would force these people to do the Right Thing (TM), and not depend on the ability to run arbitrary code on the user’s machine.
No! Automatic update is a very very very bad thing. Updates have a habit of breaking things. Especially ones from Microsoft. At least if you teach a user to run MS update once a week, and something breaks, you can narrow down the possible suspects. With an auto-update mechanism, an update can break things silently without the user ever knowing. There is a reason neither OS X nor any variant of Linux auto-update by default. Messing around with the user’s setup behind their back is a big no-no!
Auto Update is not enabled by default on Windows. Users must choose to enable it on first boot. Even with it enabled, you can choose to have it only check for updates and let you verify them before downloading them, or download them automatically but not install without your consent.
In Vista, the above applies as well, but Windows Update itself is also now a control panel applet so users don’t need a browser for checking for updates manually.
According to the person to whom I was replying:
Better even – since the introduction of XP SP2 (either a install on an pre-SP2 or a fresh SP2 install) a user is forced to explicitly tell the system to not autoupdate upon first boot of the system.
This is what my comment was directed towards.
Yes. Xp explicitly asks whether you want autoupdates or not.
The problem is things that start up as the current user.
You can hardly define this as a problem – users actually want to be able to define which programs to start up automatically; taking away control of this is (for many people) worse than the cure.
What I meant with my ‘only able by administrators’ remark is that as long as malware is constrained to a limited user account, it cannot infect any other part of the system, allowing anyone to easily identify software as either part of the system (outside of any user’s profile) or as not a part of the trusted system.
Whitelisting should work through a secure mechanism, such as hashes of system binaries.
This is already done by using sigverif – a program cannot name itself ‘lsass.exe’ and place itself in %SystemRoot%\System32 without sigverif (or SFC) noticing it. Combine this with my above statement and you already have a pretty ‘fool proof’ way of determining valid and potential malware.
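The rename problem and hash-based whitelisting argued over in the comments above (the ‘lsass.exe’ example, the sigverif/SFC check, and the per-user startup list that spyware can write to) as an added example; this is not code from the thread or from Windows, and every directory, binary image and Run-key command line in it is a constructed stand-in built in a temporary directory:

```python
"""Filename allowlist vs. content-hash allowlist for startup binaries.

Added example, not code from the thread or from Windows: it models the
argument that a spyware binary renamed to 'lsass.exe' slips past a
filename-based whitelist but not past one keyed on the binaries' hashes,
and applies both checks to a constructed per-user startup (Run) list.
Every directory, file and command line below is constructed in a temp dir.
"""
import hashlib
import os
import tempfile

# Constructed stand-ins for trusted system binaries (not real PE images).
SYSTEM_BINARIES = {
    "lsass.exe": b"MZ\x90\x00 constructed trusted lsass image",
    "svchost.exe": b"MZ\x90\x00 constructed trusted svchost image",
}
# Constructed stand-in for spyware that copies itself into the user profile.
SPYWARE_IMAGE = b"MZ\x90\x00 constructed spyware image"


def sha256_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlists(system_dir):
    """Baseline the trusted directory: a set of lowercase filenames and a
    set of content hashes. The hash set is what a sigverif/SFC-style check
    relies on; the name set is what the thread calls the rename problem."""
    names, hashes = set(), set()
    for entry in os.listdir(system_dir):
        names.add(entry.lower())
        hashes.add(sha256_file(os.path.join(system_dir, entry)))
    return names, hashes


def executable_from_command(command):
    """Pull the executable path out of a Run-key command line.
    A quoted path ends at the closing quote; an unquoted one ends at the
    first space (the same ambiguity Windows itself has with unquoted paths)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def audit_startup_entries(entries, name_allowlist, hash_allowlist):
    """For each (entry name, command line), report whether the target passes
    the filename check and whether it passes the content-hash check."""
    report = {}
    for entry_name, command in entries.items():
        exe = executable_from_command(command)
        report[entry_name] = {
            "path": exe,
            "trusted_by_name": os.path.basename(exe).lower() in name_allowlist,
            "trusted_by_hash": os.path.isfile(exe)
            and sha256_file(exe) in hash_allowlist,
        }
    return report


def run_demo():
    """Build the scenario from the discussion and return the audit report."""
    with tempfile.TemporaryDirectory() as root:
        system32 = os.path.join(root, "System32")
        profile = os.path.join(root, "Profile")
        os.makedirs(system32)
        os.makedirs(profile)
        for name, image in SYSTEM_BINARIES.items():
            with open(os.path.join(system32, name), "wb") as fh:
                fh.write(image)
        # Spyware hides in the user profile under a trusted system name.
        fake_lsass = os.path.join(profile, "lsass.exe")
        with open(fake_lsass, "wb") as fh:
            fh.write(SPYWARE_IMAGE)

        names, hashes = build_allowlists(system32)
        # Constructed per-user Run entries: one legitimate, one spyware.
        run_entries = {
            "Messenger": os.path.join(system32, "svchost.exe") + " -k netsvcs",
            "System Helper": '"%s" -silent' % fake_lsass,
        }
        return audit_startup_entries(run_entries, names, hashes)


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

A hash baseline has to be re-taken after every Windows Update replaces a system binary, which is the practical reason the replies above reach for digital signatures instead.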
No! Automatic update is a very very very bad thing. Updates have a habit of breaking things. Especially ones from Microsoft. At least if you teach a user to run MS update once a week, and something breaks, you can narrow down the possible suspects.
Then you configure Windows to automatically download and not install. Still, either way you use it there is no reason to use IE for automatic updates which is the thing we were talking about.
No, ActiveX is a framework and an API for allowing executable code to be run from the internet.
Not really – ActiveX is not tied to the internet in any way, it’s just a delivery mechanism for a bunch of DLLs and hence in no way better than any other browser plug-in system. Of course it’s best known for its “ActiveX Controls” that are enabled by IE, but ActiveX components are also used by many other programs not related to the web in any way, hence ‘getting rid of ActiveX’ as one suggested would not only be impossible, but also a very, very silly idea.
Whether being able to install executable code on your system using a web browser is a good idea is up for another discussion, just remember that whether one downloads “malicious.cab” and gets prompted twice whether to install something, or someone downloads “malicious.exe” and also gets prompted twice doesn’t really matter.. If people want to see dancing pigs, they will.
You can hardly define this as a problem – users actually want to be able to define which programs to startup automatically, taking away control of this is (for many people) worse than the cure.
No, users don’t. At least, average users don’t. I’ve never heard anyone say “can you configure my machine so AIM fills my screen with a page full of ads every time I start up?” It’s a feature that Windows developers love, because they’re assholes who enjoy torturing their users*, but it’s not one that users are clamoring for.
In any case, anything that’s locked-down can be unlocked. If a power user really wants crap to start with Windows, he can configure it that way. The average user shouldn’t have to put up with more spyware because of it.
it cannot infect any other part of the system, allowing anyone to easily identify software as either part of the system (outside of any users’ profile) or as not a part of the trusted system.
Since Windows (currently) doesn’t really have any mechanism for separating “trusted” and “untrusted” parts, this really doesn’t help. In any case, “it can’t hurt the rest of the system” isn’t really a good excuse here. We’re talking about single-user machines — if the user’s account is compromised, the system is as good as gone. Backing up all the data, nuking the account, and putting it all back, is something that works in a multi-user setting, but is an enormous PITA for a single-user machine. Things like startup items make it more difficult to clean out a compromised account in-place, and should be locked-down by default.
Then you configure Windows to automatically download and not install. Still, either way you use it there is no reason to use IE for automatic updates which is the thing we were talking about.
IIRC, if you want any control over the install process, you’re still stuck using the horrible IE interface to Windows Update. My basic point is that auto-anything is not a good alternative to a good update UI.
Moreover, whatever tricks you’re talking about won’t make sense to the average user (hell, I don’t even really know what you’re talking about — I have no interest in becoming a Windows security expert). On a stock Windows machine, the way the user updates the machine is to click the giant “Windows Update” icon in their start menu. This brings them to a shitty IE interface to Windows Update. Microsoft should make this default interface not shitty. That’s it.
Not really – ActiveX is not tied to the internet in anyway, its just a delivering mechanism of a bunch of DLLs and hence in no way better than any other browser plug in system.
Other browser plug-in systems require the user to download a program and install it. ActiveX, instead, allows passive installation, with a mere verification at the end. Since the user will always click “yes” to whatever they see, this model is broken.
The simple fact is that installing executable code should not be as automated as ActiveX makes it. It should require conscious action on the part of the user. That’s the root of the spyware problem. In Linux and OS X, if a process is running, it was either installed by the user or by the system. In Windows, lots of things (spyware), manage to execute without ever being installed by the system. Hell, how does stuff get into my Add/Remove Programs list if I never “Add”ed it? Microsoft needs to remove the mechanisms by which this installation of executable code happens without the user’s intervention. ActiveX is one of those mechanisms, and regardless of whether it has other users, it needs to go. Other OSs get by fine without ActiveX, so it cannot be all that important.
or someone downloads “malicious.exe” and also gets prompted twice doesn’t really matter.. If people want to see dancing pigs, they will.
No, there is a distinction between “push” and “pull” application installation. ActiveX allows “push” installation, only requiring the user’s consent to complete the install. Other OSs only support “pull” application installation. The latter mechanism isn’t fool-proof, but it’s far more robust. Users aren’t complete idiots, but they do have a habit of not reading dialogs*. “Push” installation like that supported by ActiveX is a huge security risk in the face of such behavior.
Ultimately, the first line of defense in any system is minimizing the vectors through which arbitrary code can be executed. A well-designed system, where there is only one way to get executable code onto the machine with explicit user intervention is far superior to Windows’s model, where there are any of a number of ways to get executable code onto the machine.
*) If any Windows developers are reading this and have ever implemented a startup item, systray item, or splash dialog that wasn’t absolutely necessary for the survival of the species, that comment is directed at you. Go find an OS X box. Look at how many applications in that OS install crap into the notification area (hint: none). Look at how many applications start up with the system (hint: none). Look at how many applications ask you “do you want to update this piece of crap” when they start up. (hint: just Windows ports). Realize that you don’t need that shit in your program, and all it does is piss off users.
*) Partially because Windows asks far too many stupid questions and banging “next” and “okay” without reading the (usually pointless) dialog text is ingrained into the behavior of Windows users.
No, users don’t. At least, average users don’t. I’ve never heard anyone say “can you configure my machine so AIM fills my screen with a page full of ads every time I start up?”
Hihi – no, they never ask for that particular setup, true.
What they do ask for is “Can you make Outlook, Messenger and my stocks watcher start when I turn on my computer?” In order for users to do that, the user has to have control over what their system will and will not start, hence taking this particular feature away is not possible without really affecting a lot of the ‘above your (or my) grandma’ users.
Since Windows (currently) doesn’t really have any mechanism for separating “trusted” and “untrusted” parts, this really doesn’t help. In any case, “it can’t hurt the rest of the system” isn’t really a good excuse here. We’re talking about single-user machines — if the user’s account is compromised, the system is as good as gone.
You are right – having malware wreak havoc on one’s profile is of course disastrous to a user.
However, users are already warned by their browser of choice that the program they are installing is potentially malicious; despite this they choose to install the program anyway – this is the dancing pigs problem and will not be cured by an even heavier message saying a program might be potential malware – they already have those kinds of messages and they choose to ignore them.
IIRC, if you want any control over the install process, you’re still stuck using the horrible IE interface to Windows Update. My basic point is that auto-anything is not a good alternative to a good update UI.
No, fortunately this is not true. On Windows XP you have an option (outside of IE) to either auto install, auto download but choose to install, only notify or don’t auto update at all. Look at http://www.updatexp.com/image-files/automatic-updates.gif for a screenshot of this particular UI in XP SP2 (the program is found under the control panel with the name ‘Automatic Updates’).
The user is also being forced to make this choice (in a slightly different UI with a bit more explanation) upon their first boot after Service Pack 2 is installed, making it very easy and appealing for a user to do the right thing. This automatic update thing really is something the user has made an active choice in.
Other browser plug-in systems require the user to download a program and install it. ActiveX, instead, allows passive installation, with a mere verification at the end. Since the user will always click “yes” to whatever they see, this model is broken.
Actually this is not what happens on a normal XP SP2 install. Upon the viewing of an ActiveX control embedded on a webpage, the user is shown a big yellow bar at the top of their page explaining to them what is going on. The user has to click on this yellow bar to continue. If the user clicks on it, another warning is given – if the control is not digitally signed a different and more cautious text is displayed telling the user to be very careful. If the user – after these two warnings – then chooses to install the software anyway, all hope is lost anyway.
This is not much different from any other form of software distribution – a simple redirect to a download of an .EXE file will turn up an “Open or Save” dialog, which is the first click. Once the user confirms Open and the file is not digitally signed, another warning is stated in IE that the file is not digitally signed and warns the user of this.
Basically, whether you use ActiveX or a plain executable doesn’t really matter, hence the ‘witch hunt’ on ActiveX is plain silly.
In any case, anything that’s locked-down can be unlocked. If a power user really wants crap to start with Windows, he can configure it that way.
This is one of the main problems.
The average user shouldn’t have to put up with more spyware because of it.
The user explicitly agreed to run the code in the first place.
Since Windows (currently) doesn’t really have any mechanism for separating “trusted” and “untrusted” parts, this really doesn’t help. In any case, “it can’t hurt the rest of the system” isn’t really a good excuse here. We’re talking about single-user machines — if the user’s account is compromised, the system is as good as gone. Backing up all the data, nuking the account, and putting it all back, is something that works in a multi-user setting, but is an enormous PITA for a single-user machine. Things like startup items make it more difficult to clean out a compromised account in-place, and should be locked-down by default.
Single-user systems still have the built-in Administrator account which you can log into to do backups/maintenance. Also, internet-originating executables (in XP SP2) are marked such that they require user confirmation each time before executing unless the user disables this notification on a per-exe basis.
IIRC, if you want any control over the install process, you’re still stuck using the horrible IE interface to Windows Update. My basic point is that auto-anything is not a good alternative to a good update UI.
Not true. You can configure AU to notify you of available updates, then you can choose which ones you want to install.
Moreover, whatever tricks you’re talking about won’t make sense to the average user (hell, I don’t even really know what you’re talking about — I have no interest in becoming a Windows security expert). On a stock Windows machine, the way the user updates the machine is to click the giant “Windows Update” icon in their start menu. This brings them to a shitty IE interface to Windows Update. Microsoft should make this default interface not shitty. That’s it.
The user has to set up AU on their first boot of Windows, so they should already know about it. There’s even info about it on the WU/MU sites. If they really want an alternative to the WU website, they have one in AU. Also, as mentioned earlier, in Vista, the AU control panel is now WU and adds functions for invoking manual updates so you don’t need a browser to get full access to WU. The website is replaced with the applet.
The simple fact is that installing executable code should not be as automated as ActiveX makes it. It should require conscious action on the part of the user.
In fact AX does require conscious action on the part of the user. The user has to confirm whether they want to run a particular control. They have to click the information bar in IE, choose to run the control, and again confirm its installation. As someone else said, whether it’s a cab or an exe, if a user deems the value of the content higher than the risk to security, they will do what’s required for the content even if it’s made clear that the content is from an untrusted source.
That’s the root of the spyware problem. In Linux and OS X, if a process is running, it was either installed by the user or by the system. In Windows, lots of things (spyware), manage to execute without ever being installed by the system. Hell, how does stuff get into my Add/Remove Programs list if I never “Add”ed it? Microsoft needs to remove the mechanisms by which this installation of executable code happens without the user’s intervention. ActiveX is one of those mechanisms, and regardless of whether it has other users, it needs to go.
The situation is no different on Windows. If something is in A/RP that you didn’t specifically add, it was likely added implicitly as part of an application you did explicitly install.
Other OSs get by fine without ActiveX, so it cannot be all that important.
Other OSes have similar frameworks that seek to solve the same issues as AX.
No, there is a distinction between “push” and “pull” application installation. ActiveX allows “push” installation, only requiring the user’s consent to complete the install. Other OSs only support “pull” application installation. The latter mechanism isn’t fool-proof, but it’s far more robust. Users aren’t complete idiots, but they do have a habit of not reading dialogs*. “Push” installation like that supported by ActiveX is a huge security risk in the face of such behavior.
Both mechanisms require the user to take manual steps to initiate the install. AX just saves clicking on a couple of links to hunt down the necessary code. An ignorant user will be compromised in either case.
Ultimately, the first line of defense in any system is minimizing the vectors through which arbitrary code can be executed. A well-designed system, where there is only one way to get executable code onto the machine with explicit user intervention is far superior to Windows’s model, where there are any of a number of ways to get executable code onto the machine.
There are many ways to get code on the system in any major OS. Code introduced to Windows systems (XP SP2 and up) must be consented to execute by the user whether it’s from a disk or from a network. The problems are whether you can trust the source from which the code was obtained, being able to verify what the code does, and having a user that can make basic trust decisions, especially in the case of having unverifiable code originating from the internet.
No! Automatic update is a very very very bad thing. Updates have a habit of breaking things. Especially ones from Microsoft. At least if you teach a user to run MS update once a week, and something breaks, you can narrow down the possible suspects. With an auto-update mechanism, an update can break things silently without the user ever knowing. There is a reason neither OS X nor any variant of Linux auto-update by default. Messing around with the user’s setup behind their back is a big no-no!
Eh, I can’t agree with this. MS Updates come once a month. All updates are noted in the System event log. Between those two facts, it is trivial to see if a problem correlates with a recent update.
I’d also like to hear about these updates that habitually break things – I can name only one from the past year (MS05-019, and it mainly broke AD and FRS replication between domain controllers, when crossing firewalls; not typically something a home user would care about). Can you name any (there are some, so let’s see how much you really want it. My point was that habitual is a poor choice of words)?
XP SP2 complains about WU being turned off so vociferously for a reason – blaster, sasser, nimda, etc. never would have happened if customers had patched their systems when the updates were released, years before the worms hit. 0-day exploits are *incredibly* rare (contrary to the hype). A home user does not know how to regression test patches – just install them immediately and move on with your life.
Some of those are great ideas. Honestly, you should forward them to MS. Post them in blogs that you know get read. Newsgroups. Get heard at least.
With Vista coming closer and closer and so many driver problems, Windows users are finally going to understand what it’s like not having drivers for your specific feature because your “old” drivers were binary blobs for another OS/version/arch with no specs, and discover that:
a) the manufacturer just doesn’t care about updating older model hardware to work with vista, or any other os
b) the manufacturer just doesn’t care about 64 bit
c) the manufacturer just doesn’t care now that they’ve got your money
d) they might even be gone when you go look for them.
This is exactly why binary drivers along with no specifications for the hardware are bad, for ALL OSes! It limits the OS to not evolving or just dumping those old drivers, and it screws the users both ways, and I don’t see Microsoft reverse engineering drivers like Linux/BSD/etc. kernel developers do. So welcome to the world of binary drivers. I hope you keep enjoying the show.
I want to level set ASLR. It is not a panacea, it is not a replacement for insecure code
So you’ll still need to write insecure code? I thought the best replacement for insecure code was secure code. They obviously haven’t eliminated the need for insecure code in the windows platform just yet.
I’m not saying that MS writes the most secure code, but in this case I believe ASLR is targeting 3rd party code as well as MS’s code.
What makes you think the situation with drivers will be worse than when the transition from Win9x to XP happened? It’s true some users were left out in the cold with unsupported drivers, but I don’t think things will be as bad as you claim.
Besides, the fact that a driver is open source might be helpful, but does not guarantee by itself anything. If we take Linux as an example, and if I remember correctly, didn’t Andrew Morton say recently that kernel developers working for corporations (lots of them these days) don’t care about fixing bugs in out of date hardware drivers?
Just a couple of replies:
3) Replace the online update completely – that damn web based updating tool has caused more problems than it has fixed; the constant hanging of the browser, the lack of restarting downloads, the constant stalling and lack of local mirrors.
Why don’t they just provide a locally hosted update application, like Solaris/Red Hat Linux/MacOS X etc. etc.? Launch, check, and download; simple and fast.
4) ActiveX should be removed completely, along with COM/COM+ and other crap; quite frankly, it’s a bad implementation of an even worse idea.
As for those toolbars, quite frankly, I would love to see GWB sign into law a provision that makes those tool bars not only illegal, but those who make, distribute, sell etc. them are sentenced to death for their crimes against computing.
7) There is a standard installation package, it’s called MSI – the problem is, there are idiots out there from Adobe, Macromedia, Corel and the likes who INSIST on using their own in-house application installation tools.
It’s stupid, it doesn’t make any sense, and yet, we have these *IDIOTS* in these companies, pushing their broken installers onto the masses.
Well, SELinux and Novell AppArmor lock down the system to prevent these vulnerabilities from getting access to critical parts of the system. I just don’t see Microsoft doing ANY of this but only using a UNIX-like security model. Both SELinux and AppArmor are at kernel level so it’s not just patching in Linux by any means.
We can see the picture very well; a patch here and a patch there to solve several design and engineering problems existing since the existence of Windows. So, Vista will not target major defects in the previous XP but will continue to create solutions around the problem.
Windows Vista will be like a mummy with many patches and ropes around it, thus it will never be alive again.
Besides, I don’t see windows vista so different than Windows XP/2003 to justify naming it to v 6 (windows XP/2003/2000 are all v 5; NT4, WME, W95, W98 are v 4).
Windows 2000 and XP were very good OSs ONCE, but as time passed a huge number of viruses and the like appeared, leaving Internet users especially in psychosis; which makes me again predict that Windows Vista will be immune for months until the OS vulnerabilities are uncovered and start to trash the OS networking functionality. There is no way out of this except by breaking compatibility and redesigning Windows again.
As a user of ASLR (Address Space Layout Randomization) amongst other things in Hardened Gentoo Linux ( http://www.gentoo.org/proj/en/hardened/ ), I can certainly say it’s a good direction to be headed: http://slashdot.org/comments.pl?sid=184054&cid=15201935
PaX ( http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml ) is a hardened Linux kernel using ASLR (Address Space Layout Randomization) to support applications built as a PIE (Position Independent Executable) and to provide non-executable memory (NX).
This kind of thing in MS Windows Vista will certainly make it a more credible OS. Until hearing this news, I hadn’t even considered giving it a try given MS’s reputation for providing low quality and insecure software.
Other features in Hardened Gentoo Linux are:
PIC (Position Independent Code)
PIE/SSP (Position Independent Executable)/(Stack Smashing Protector)
MAC (Mandatory Access Control)
All these features are available by default in FC-5, too (ASLR is done by Exec Shield):
http://fedoraproject.org/wiki/Security/Features
And it’s all there by default. You don’t have to compile anything :)
“The things that come to those who wait are the things left behind by those who got there first.”
You can look at this two ways.
1) Linux/OSX invents something but sucks at execution.
2) Windows picks up Linux/OSX scraps.
You decide.
“between the 64bit and 32bit version of Vista concerning the amount of drivers shipped.”
Amount is for uncountables only. If something is countable use number. I just got a user account because that pissed me off so much (then I realised that you could post anon).
Idiots, I don’t think so, just businesses.
Each product’s native installer is going to create its own development, testing and support costs. With your in-house solution large chunks are common across multiple platforms: development, testing and support needs are subsequently reduced. Hence it’s cheaper if you support more than one platform, or want to keep your options open (so to speak).
If you want to support multiple versions of the same OS (as most do) it also makes sense. Because it tends to be easier and cheaper to port your installer than it is to port your product to use various versions of a native installer (development, testing and support again).