Tag: "windows vista"

Internet Explorer 8 is more secure, and why the Firefox fanboys and the media need a security lesson

So Internet Explorer has been the media's main victim this past week. With stories about how it is completely unsecure.

Of course having a vulnerability isn't a good thing, but why is this getting so much attention, especially considering it's not even being used to target individuals? Well I suppose the media have to knock Microsoft, it's about the only thing they can do when it comes to Microsoft so this will have to do.

Tech Radar recently interviewed Microsoft's head security guy in the UK Cliff Evans. And did a pretty bad job of it. So Evans was explaining how switching away from Internet Explorer 8 isn't a good idea - something I agree with.

"If you were to ask me 'what's the most secure browser?' I would say Internet Explorer 8 – we're talking about a single vulnerability," he added.

Ouch a single vulnerability that's bad right? Some guy called richmurrils seems to think so and comments:

That's the funniest thing I've read in ages. :D

Of course what he really demonstrates is how little richmurrils actually knows about technology or security, I expect he was one of the people telling people to turn UAC off /facepalm, and how Tech Radar can't report things in context. So I'll put things in context even if they can't be bothered to, Firefox 3.5 has had at least 35 documented security vulnerabilities. Linux based operating systems can have hundreds of vulnerabilities discovered each year, Windows historically has had the fewest usually at just a dozen or two every year discovered. A single vulnerability isn't anything unusual.

Of course nobody bothers reporting that this vulnerability can only be exploited on Internet Explorer 6, a 10 year old version and on Windows XP a 10 year old operating system. Do Mozilla even bother to support such old products? Of course not.

Alright sure the vulnerability still exists in later versions, but it cannot be exploited on newer systems because of the additional security measures Windows Vista and later provide. Namely Protected Mode made possible by UAC.

When using Firefox a hacker only has to exploit code in the browser to run code on the machine. Exploiting Internet Explorer not only requires them to find a vulnerability and exploit it but it also requires them to somehow break out of the Protected Mode sandbox. Charlie Miller a security researcher talks a bit about this back during the Pwn 2 Own contest:

Why Safari? Why didn't you go after IE or [Firefox]?

It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows (Vista and later -Paul).

It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it.

With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.

It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.

Of course 3rd parties could use Protected Mode on Windows Vista and later like IE7 and 8 do. But Mozilla, Opera and others simply don't bother. They let the process run with the same rights as the user which is fundamentally less secure then running the browser in its own little sandbox where it can't get out.

In reality vulnerabilities like these are rarely what normal people come up against on the internet. The main problem is phishing and malware. Both of which are socially engineered to get the computer user to either hand over their data willingly or willingly install an application that's malicious. So how does Internet Explorer compare? IE8 blocks 83% of phishing websites completely, compared to Firefox which blocks 80%. While Internet Explorer 8 blocked 81% of malware before it reached the machine. Firefox blocked less than 30%, and other browsers scored even worse (source).

So not only is it more difficult to exploit vulnerabilities on Internet Explorer 8 on Windows Vista and up. The malware and phishing filters are also better on IE8, something that will protect most computer users.

One last comment is on how well Google and the media have spun this around from a story about how Google got broken into and people's personal data was stolen into a story about how a 10 year old browser on a 10 year old system has a single vulnerability, without even asking why Google are running such dated systems or without bothering to report that newer versions of IE aren't as susceptible. Nice spin department working there.

Update: Mark informed me that Chrome also runs in a sandbox.

Come on BBC, Gadgets can be moved anywhere in Windows Vista

So the BBC have been putting up a few articles on Windows 7, it is after all released on Thursday. But they've also made a few mistakes, usually when comparing it to Windows Vista.

What I'll cover here is the Gadget platform. If you recall in Windows Vista you could open the Sidebar on either the left or right sides of the screen which could hold all the Gadgets, or if you wanted to you could drag them off the Sidebar and place them where you wanted, and even close the Sidebar.

Myth: In Windows Vista desktop Gadgets cannot be moved.

False. Here's a picture I took during the development of Windows Vista showing the clock gadget, how you could have multiple instances open all with different settings and time zones, and importantly anywhere you wanted.

Lots of clock gadgets open in Windows Vista all over the screen

It's disappointing when so many people get this wrong and even worse when it is mentioned right at the start of a video covering Windows 7. If they can get one of the very first facts wrong it doesn't fill you with much confidence.

If anything the Gadget platform in Windows 7 is weaker than in Windows Vista. Here's why. With the Sidebar in Windows Vista you could configure it to always be on top, when it was set like this any windows would maximize to the edge of the Sidebar enabling you to always see any Gadgets contained in the Sidebar. In Windows 7 there is no way to achieve the same thing. You have to tell individual Gadgets to be on top, and when that happens they'll obviously cover up areas of any maximized windows, as maximized windows will fill the screen as usual.

What features Windows 7 has lost from Windows Vista

With it looking like Windows 7 is just days away from being completed.  I thought it might be an idea to go over the applications and features that are absent from Windows 7, a lot of stuff is missing, and it will no doubt surprise people how much stuff has been stripped out compared with Windows Vista.

Windows Mail - gone

The most backward step in my opinion is the removal of Windows Mail formally Outlook Express.  In seemingly utter stupidity we now have a mainstream operating system that doesn't include an e-mail client, nor a newsgroup client.  The last operating system I used which didn't have an e-mail client built in was RISC OS 3.5.  People expect to be able to hit their POP3 and IMAP servers with Windows.  People are now expected to download the Windows Live Essentials pack to get Windows Live Mail.

Windows Photo Gallery - gone

One of the best new features of Windows Vista was the included photo gallery application.  It was, frankly stunning and had all the features you'd expect, cropping, colour correction the works, and best of all its tagging features were second to none.  But its gone.  The leftovers can be seen in Windows Photo Viewer in Windows 7 which is an image viewer, and that's it.  People are now expected to download the Windows Live Essentials pack to get Windows Live Photo Gallery.

Windows Movie Maker - gone

Windows Movie Maker was often dismissed as junk, of course by people that were spending hundreds of pounds on Adobe software.  For almost all users Windows Movie Maker was ideal for putting together home videos, it was easy to use and had enough advanced features to satisfy most people's needs.  People are now expected to download the Windows Live Essentials pack to get Windows Live Movie Maker.

Web Filtering and Activity Reports from Parental Controls - gone

Windows 7 still includes parental controls, but they lack any web filtering, and the really awesome activity reports are gone.  Unlike the above applications, the Family Safety pack from the Windows Live Essentials suite doesn't plug into this at all and fill this hole, if it did it wouldn't be so bad.  But it doesn't, it does its own thing completely seperately, which can only be described as /facepalm.

Advanced Tag Editor from Windows Media Player - gone

Windows Media Player has seen some welcome changes, but its also seen some dumb changes.  Like the removal of the Advanced Tag Editor which was a godsend for people who edit a lot of song information.  It's gone, if you want to edit songs now you'll have to do it from within Explorer or the Library page (with limited scope).

Mini player toolbar from Windows Media Player - gone

The mini player toolbar sat in the old taskbar and provided the basic play controls for Windows Media Player.  With the new taskbar its been removed, instead we get a more limited controls in the preview display, which are back, next and play/pause, there's no slider like there was before.  Annoying for music listeners.

Quick Launch from the Taskbar - gone

The new taskbar merges the Quick Launch toolbar with the regular part of the taskbar.  This has several downsides including it being more work to launch a second instance of a program, and requires and additional mouse click, others include the extra space required, even with small icons if you pin programs to the taskbar they take up considerably more space.

Internet Explorer - gone in the European Union

If current plans go through the European Union will be saddled with an 'E' edition of Windows 7, and unlike the 'N' versions we had to put up with, we won't have the option of buying the proper version of Windows.  Instead system builders will have the extra hassle of installing Internet Explorer separately, wasting a good 15 minutes on every machine.  This is insane, 2009 and we're getting an operating system that doesn't include a web browser.

As I think of more things missing I'll update this post.

I think Redmond was already onto something

Tom Gromak wrote up a post detailing his experiences with Windows 7.  However, almost everything he mentions positive of it, is present in Windows Vista, which he seems to dismiss out of hand.

Windows 7 is everything Vista was not: Sleek, stylish and speedy.

Sleek and stylish?  It looks pretty much the same as Windows Vista.  If it wasn't for the new less-efficient taskbar it would be almost indistinguishable.  Speed is hotly debated.  On my high-end systems there's no noticeable difference between them, even on low-end systems like my Tablet PC there's no difference.  Sure it might have a lower memory footprint, but who has any systems with 512MB of RAM in them these days?

[A]n easy-to-use screen magnifier, snipping tools [.] lots of ways to view the data on your disks

All the same as Windows Vista.

But it's also got features that, frankly, make OS X start to look a little dated. Some are big, like the many ways you can handle your digital media in Windows Explorer (hint to Apple: I know you want me to use iTunes to manage all my music and movies, but I really want to be able to do meaningful file management in Finder, too).

Identical to Windows Vista.

There's a vastly improved Windows Media player

Up for debate - its got some nice new features like internet streaming and remote play.  But the new interface isn't as smooth, there's an awkward jerk between the now-playing mode and the library, the rip tab has been hidden and you have to hunt around to see how to rip a CD, the advanced tag editor is gone as is the mini-player for the taskbar.  I'd kill to get the advanced tag editor and mini-player back - I'd probably even trade internet streaming for them.

better movie- and dvd-making

There is no movie making, Movie Maker was removed as was Photo Gallery.  You're expected to download the Windows Live Essentials pack to get all that stuff back, the Live version of Movie Maker is still in beta and even worse than Movie Maker was 10 years ago.

re's one example that I stumbled upon that seems so intuitive: Grab a window by the title bar and pull it to the top of your screen, and it maximizes. Pull it back away from the top, and it returns to its original size. Drag it right or left and it auto resizes to a width about a third of your screen's width

Yeah that's nice.

Oh, and unlike Finder (still, Apple? Really?), you can still grab and resize a window from any edge or corner you might like or need to grab.

How Windows has worked for as far back as I can remember.

Minimize a browser window, and you get a nice preview when you hover over its button

In Windows Vista.

Minimize a browser window with multiple tabs open, and you get a preview of each tab and the ability to pick which tab you want opened when you un-minimize IE.

Yup that's nice.

Windows Explorer, the venerable file manager, has new ways to quickly get to commonly used folders and places and, for the first time in a long time, actually works quite well with my home network. XP was always a little spotty in its ability to communicate with my other PCs, and Vista was downright hostile in its overbearing and underperforming ways.

Windows Explorer is the same as in Windows Vista, the only difference being the colour of the button menu, and how the navigation pane is laid out, which is a bit neater.  Networking is the same.

When Vista came out, I had just a short period of time to give it a test drive. But Windows 7? I get a year. A whole year.

Not quite.  Firstly you don't have a year, in March the RC will start shutting itself down automatically every 2 hours, it won't bomb out until June, let's call that 12 months minus the annoying constant shut downs which will drive you insane, and is really only there to enable you to get any data off before it time-bombs.  For Windows Vista however, Beta 2, RC1 and RC2 all time-bombed on the 1st of June 2007, the Beta 2 version was released in May 2006, so again about 12 months.  Comparing pre-release versions to trial versions is also unwise.

All in all a pretty positive article, its just a shame that most of the features he liked we had three years ago in Windows Vista which gets dismissed off the bat as being terrible.

Security Intelligence Report for 1H08 released

The 5th Security Intelligence Report has been released this covers January to June 2008. The full report can be downloaded here. Here's a quick look at it:

First up we see the percentage of browser exploits on Windows XP vs Windows Vista. We can see on Windows Vista only 5.7% of the exploits are targeting Microsoft code, while on Windows XP that figure is 42.3%.

A break down of the security vulnerabilities on Windows XP looks like this, a mix of Microsoft and 3rd party vulnerabilities.

On Windows Vista however none of the top 10 vulnerabilities being exploited effect Microsoft code. We see a make up of RealPlayer, Apple's QuickTime and several browser toolbars and plugins instead being responsible for the exploits.

Lastly we see the infection numbers for Windows XP and Windows Vista. The most secure client version of Windows being Windows Vista SP1 x64, followed closely behind by the 32-bit client.

What can we draw from this? If you want to keep your system secure 1) Use Windows Vista 2) Don't install any Apple software, RealPlayer, or any dodgy toolbars or plugins on your computer.

Why you should never disable UAC

Question: These UAC prompts are annoying, can I get rid of them somehow?

Answer: Disable UAC.

WRONG.

If any so called "expert" gives you this advice, ignore it.

If you don't like the prompts you should put UAC into silent mode, it should never, ever under any circumstances be disabled by normal computer users.

Microsoft exposing the ability to disable UAC in the UI came quite late in development, as late as one of the release candidates if my memory serves me, much to my disappointment. Previously it had been hidden away on one of the tabs on mcsonfig. Now anyone can find it on the User Accounts page in the Control Panel.

Pros of disabling UAC:

  • No more prompts?

Cons of disabling UAC:

  • All applications run with full privileges.
  • Internet Explorer loses protected mode, and also runs with full privileges!
  • Compromised applications can change anything on the system, with no prompts.
  • Application state can be lost as applications look for data in Program Files.
  • Requires a system reboot.

Pros of silencing UAC:

  • No more prompts.
  • Applications continue to run as standard user.
  • Internet Explorer runs in Protected Mode, and has fewer rights than a standard user.
  • Applications writing data into Program Files get redirected to appropriate user locations.
  • No reboot required.

Cons of silencing UAC:

  • No more prompts?

The biggest non-security problem comes about because many users disable UAC when they're setting up their machines, when installing their software, many older applications will happily write to Program Files as they're running with full rights to the machine, they'll store their data, and config files there, or in system locations in the registry.

This is a disaster waiting to happen, when UAC is re-enabled the applications will suddenly lose all of its config information and whatever else it has saved into Program Files as UAC redirects them to where they should be writing their data, in locations writable by standard users, such as ProgramData or AppData. Many applications will however happily recreate their information with the default settings. Some however will break horribly, I've run into situations where applications won't uninstall or install because its state has gotten so muddled due to the user disabling and enabling UAC over and over. They had to be manually removed from the system and then reinstalled.

How to put UAC into silent mode.

Go to Control Panel -> System and Maintenance -> Administrative Tools -> Local Security Policy (alternatively you can launch by typing secpol.msc in Start Search).

From there navigate your way to Local Policies -> Security Options.

There will be an option for 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode'. It has three options, 'Prompt for consent' (default), 'Prompt for credentials' (requires the user to enter a password as well) and the last one 'Elevate without prompting' (which I call silent mode).

If you're running a home system without the Local Security Policy options you can also make the change by changing the registry. Run regedit from Start Search, and make your way to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Look for 'ConsentPromptBehaviorAdmin' the default option is 2, while 1 prompts for a password and 0 elevates without prompting.

1 2 4 5 ...6 ...7 8 9 10 11 12 ... 13