Microsoft Windows: Insecure by Design

[MDLarson]

Washington Post news article, posted yesterday:
http://www.washingtonpost.com/wp-dyn...2003Aug23.html

I posted a link to this article in my defense. I recently started a thread, more or less proposing that MS Windows is inherantly more vulnerable than other OSes, excluding the fact Windows is the "larger target". Well nobody seemed to take an objective look at the facts, so maybe this is your chance.

A special message to those who think I'm trolling (which I'm not): Please read the article and then post your thoughts about the article. The linked story is exactly what I wanted to get into before.

[rraehal]

While I do agree that windows is open to attacks, I disagree with the entire article.

I did not update Windows XP to include the RPC patches. I was not affected by the Blaster or Welchia worms. The problem goes a little deeper than its insecurity when installed. These problems must include user knowledge. A knowledgable user will not suffer as much as an un-educated user.

I set up my own firewall and ignored Windows XP's firewall for the most part. I did enable it when I set up my ISP only because it asked me to. (checked the "yes" radio button. One step when creating my dial-up connection not the 5 the article talks about. (I installed my firewall before creating my dial-up connection.) I will need to look and see if the XP firewall is not truly functioning because I did nothing besides the one step. Regardless my firewall works and my PC is fully stealthed from the net. The difference in a MAC, no open ports by default with no firewall enabled - One step to make my XP box funtion the same)

I installed a Antivirus software, connected to the net, and updated the AV. Macs do not come with antivirus software that is updated. They still need updated definitions and soemtimes you still need to buy a third party application before this. Both MAC and Windows are in the same boat here.

After these two steps I installed Direct X 9 from a CD copy I have and then installed my video drivers. I installed software and games that I use the most. No problems at all.

It seems that if a user takes the first two steps of installing their own firewall and antivirus, most of the insecurity of a windows install will disappear. This is where education comes in.

I have installed the patches now, but I did not install them until 8/24. The viruses had been out and never affected me. I seem secure enough. I use a limited accout on my PC with shortcuts to run something as an admin when needed. A virus could not even install on my PC unless it could use alternate credentials and guess my admin password of 6 characters and 2 numbers. This in effect is creates the exact same function of a MAC computer requiring a password to do certain things.

[Edit] Don't take this the wrong way. I had several MAC computers before I ever bought a PC. I like MAC's in many regards. I would even say that with OS 10 MACs would be even better than when I used OS 7, and 8.[/edit]

[MDLarson]

rraehal, thanks for the thorough post. But, I'm confused - you admit that Windows is open to attacks, yet you disagree with the article (which is basically saying that Windows is open to attacks). Then you go into great detail about how you, a savvy computer user, made using Windows more secure.

What, exactly, did you disagree with in the article?

p.s. No, I didn't take it the wrong way (in regards to Macs) If anything, I'm sighing in relief that (so far) people aren't flaming me and calling me a Mac zealot or a troll or something.

[rangeral]

Tried your link and it asks a couple of questions then says I reached page in error, so much for that. Obviously I have no interest in pursuing that.

There isn't any modern day OS that is secure even if it was made secure by design. A brief survey from some other article comparing how much plugging you have to do in a months time found one month earlier this year that linux beat windows for once for more holes than windows had in that time period by over a 150.

No matter how hard coders try to make something secure anything is still breakable.

Again I'll have to say it puts food on the table, a friend had his hours cut back now because of the virii going around he got alot of OT and his hours back. What I'm afraid of is all this cost to repair and secure may be passed on to the consumer eventually.

[MDLarson]

washingtonpost.com

Microsoft Windows: Insecure by Design

By Rob Pegoraro
The Washington Post
Sunday, August 24, 2003; Page F07


Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics.

This is not a coincidence.

The usual theory has been that Windows gets all the attacks because almost everybody uses it. But millions of people do use Mac OS X and Linux, a sufficiently big market for plenty of legitimate software developers -- so why do the authors of viruses and worms rarely take aim at either system?

Even if that changed, Windows would still be an easier target. In its default setup, Windows XP on the Internet amounts to a car parked in a bad part of town, with the doors unlocked, the key in the ignition and a Post-It note on the dashboard saying, "Please don't steal this."

Not opening strange e-mail attachments helps to keep Windows secure (not to mention it's plain common sense), but it isn't enough.

The vulnerabilities built in: Security starts with closing doors that don't need to be open. On a PC, these doors are called "ports" -- channels to the Internet reserved for specific tasks, such as publishing a Web page.

These ports are what network worms like Blaster crawl in through, exploiting bugs in an operating system to implant themselves. (Viruses can't move on their own and need other mechanisms, such as e-mail or floppy disks, to spread.) It's canonical among security experts that unneeded ports should be closed.

Windows XP Home Edition, however, ships with five ports open, behind which run "services" that serve no purpose except on a computer network.

"Messenger Service," for instance, is designed to listen for alerts sent out by a network's owner, but on a home computer all it does is receive ads broadcast by spammers. The "Remote Procedure Call" feature exploited by Blaster is, to quote a Microsoft advisory, "not intended to be used in hostile environments such as the Internet."

Jeff Jones, Microsoft's senior director for "trustworthy computing," said the company was heeding user requests when XP was designed: "What customers were demanding was network compatibility, application compatibility."

But they weren't asking for easily cracked PCs either. Now, Jones said, Microsoft believes it's better to leave ports shut until users open the ones they need. But any change to this dangerous default configuration will only come in some future update.

In comparison, Mac OS X ships with zero ports open to the Internet.

The firewall that's down: A firewall provides further defense against worms, rejecting dangerous Internet traffic.

Windows XP includes basic firewall software (it doesn't monitor outgoing connections), but it's inactive unless you use its "wizard" software to set up a broadband connection. Turning it on is a five-step task in Microsoft's directions (www.microsoft.com/protect) that must be repeated for every Internet connection on a PC.

Mac OS X's firewall isn't enabled by default either, but it's much simpler to enable. Red Hat Linux is better yet: Its firewall is on from the start.

The patches that aren't downloaded: Windows is better than most operating systems at easing the drudgery of staying on top of patches and bug fixes, since it can automatically download them. A PC kept current with Microsoft's security updates would have survived this week unscathed.

But hundreds of thousands, if not millions, of Windows systems still got Blasted, even though the patch to stop this worm was released weeks ago.

Part of this is users' fault. "Critical updates" are called that for a reason, and it's foolish to ignore them. (The same goes for not installing and updating anti-virus software.)

The chance of a patch wrecking Windows is dwarfed by the odds that an unpatched PC will get hit. And for those saying they don't trust Microsoft to fix their systems, I have one question: If you don't trust this company, why did you give it your money?

Microsoft, however, must share blame, too. Windows XP's pop-up invitations to use Windows Update must compete for attention with all of XP's other, less important nags -- get a Passport account, take a tour of XP, hide unused desktop icons, blah, blah, blah.

Microsoft's critical updates also are absent from retail copies of Windows XP, forcing buyers into lengthy Windows Update sessions to get the fixes since last year's Service Pack 1 upgrade. At least the version of XP provided to PC manufacturers is refreshed once a quarter or so -- and Microsoft says it's working to shorten this lag.

The lack of any limit to damage: Windows XP, by default, provides unrestricted, "administrator" access to a computer. This sounds like a good thing but is not, because any program, worms and viruses included, also has unrestricted access.

Yet administrator mode is the only realistic choice: XP Home's "limited account," the only other option, doesn't even let you adjust a PC's clock.

Mac OS X and Linux get this right: Users get broad rights, but critical system tasks require entering a password. If, for instance, a virus wants to install a "backdoor" for further intrusions, you'll have to authorize it. This fail-safe isn't immune to user gullibility and still allows the total loss or theft of your data, but it beats Windows' anything-goes approach.

Because Microsoft blew off security concerns for so long, millions of PCs remain unpatched, ready for the next Windows-transmitted disease. Microsoft needs to do more than order up another round of "Protect Your PC" ads.

Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one. At $3 a pop (a liberal estimate), it could ship a disc to every human being on Earth -- and still have $30 billion in the bank.


Living with technology, or trying to? E-mail Rob Pegoraro at rob@twp.com.

© 2003 The Washington Post Company

[genesound]

Well, OK, the article has some good points, and windows having ports open by default is a problem, but with an unsophisticated user base this large, closing them all would also be a nightmare without major changes.

The legacy here is, after all, stand alone pcs, followed by small networks. Internet came much later, and much existing software would have a fit. As it is now, much of the old stuff still works! Eventually this is what needs to happen, though, and it prolly should've already (closing all ports by default). Just imagine the questions here when it does happen.

Apple, on the other hand, tends to turn it's back on the old stuff more easily. linux is open source, and basically free, so you get what you pay for in ease of use. Most of these virii are prolly written by people who use and write for xnix as easily as their native tongue, and they're not all that interested in crapping their own back yards, and they're not really motivated to do this anyways.

Microsoft is a huge target, and they've po'd many of the gurus capable of committing grand scale atrocities, so it really follows that they're under constant attack just to make them look bad and encourage this kind of fud.