Coffeehouse Thread

49 posts


Spyware: Why Microsoft Must Act

  • jamie

    Spyware: Why Microsoft Must Act


    - SP2 - good so far - but does nothing to stop spyware

    - most of my friends don't have viruses - they have spyware

    - adware is spyware
    - trojans and malware are spyware

    I - as a WINDOWS user - am tired of having to run:

    - Adaware
    - Spybot
    - HijackThis
    - cwscrubber

    SP2 may be the flavor of the day - but what about spyware - honest to goodness - SP2 does nothing about it - I really think MS should buy all the above companies

    conflict of interest?

    ( i mean - you got the "bread")

    cue 70's theme

    ( [wah wah] - mwakka mwakka....)

    </starskey>

    What will SP2 do about spyware?

    In that 52 billion - can you not buy Adaware???

  • TristanK

    I can't comment on who to buy or what to do - but seriously, the changes in SP2 should make it relatively difficult for spyware to accidentally end up on an end-user's machine.

    If you're seeing differently, that's feedback we need to have.

    From locked-down IE security zone settings through to blocked ActiveX controls by default, SP2 should significantly raise the bar when it comes to users inadvertently installing spyware.

    For a good high-level idea of the thinking behind the changes in SP2:

    http://blogs.msdn.com/michael_howard/archive/2004/06/27/167367.aspx

  • Simo

    I think the issue here is more than the arbitrary blocking of cookies & ActiveX controls.

    And don't even get me started on that bloody ActiveX dialog.

    Windows: “Would you like to grant Acme Fashionable Software Co permission to do anything to your PC forever?”

    Hapless User: "umm well... I'd like to run their fashionable new widget... but I don't want it to be able to do literally anything to my PC and I don't want anything else from Acme software to just download and run"

    Windows: "Answer the question. Yes or No."


    Anyway, spleen vented for another day, back to the subject...

    What Adaware, Spybot do (and quite good at it they are too) is take a view on all the cookies and ActiveX controls, etc. that are downloaded in a day's innocent browsing and tell us which ones we really don't want on our machine. Something we, as users, just don't know. You could throw all the candy coloured dialog boxes in the world at the problem, but we still can't tell the OS what to do... because we don't know.

    Naturally, in the interests of self-promotion, these products do tend to be a little alarmist. I run Adaware once a week and note that all the ad-tracking cookies I manage to collect seem to generate the same level of klaxon-sounding alarm as some of the nastier things that might crop up.

  • manickernel

    To quote Mr. Ballmer from an article in InformationWeek:

    "I want to make sure (a user) can't get through ... an online experience without hitting a Microsoft ad," he said.

    Now with an attitude like that what do you think their priorities are?

  • jsrfc58

    Great.  I can see it now: AdWare "Battlebots" slugging it out on my computer with each one trying to redirect my browser to their site.

  • JParrish

    First let me say something about this: "I want to make sure (a user) can't get through ... an online experience without hitting a Microsoft ad,"

    there is a "..." indicating part of the context was taken out, as well, the "ad," suggests that it was not the end of a sentence. How about not giving credit to sensationalist media.

    Secondly, the problem of spyware is a complex problem that involves mostly user education. Security has always been a balance of making things hard to do (secure) vs. making them easy to do (insecure). There are some cases where security can be transparent, such as HTTPS, PGP for email, checksum validation for files, etc. When it comes to users installing applications that they would like to run, and having spyware embedded as part of that application, that perhaps should be addressed with a carefully drafted "user rights" law.

    Microsoft cannot foresee the difference between an application that may be accessing the file system and sending traffic back to a server (such as Quake 3) vs. an application accessing the file system and sending traffic back to a server (such as Gator).

    Firewalls that alert a user to traffic going out are a good resource for some users, but it doesn't take long for a user to either 1. lessen their vigilance to the problem.. or 2. grow tired of having to explicitly state whether an outbound connection is allowed and open up the protection such that it is no longer protecting.

    Part of the problem outside of .NET security, is that processes that are executed by a user inherit that user's rights. MS should move closer to the kind of granular security offered with .NET policies, in the rest of the OS. That should include perhaps prompting users with a short wizard to specify what a process that was just executed should be allowed to do. For example, I decide that I want to play internet chess, so I load the ActiveX control for Acme Games. The OS detects this process invocation and prompts me to specify the security zone with a series of questions like "Access registry, Access system directory" etc.

    You could have "trusted" processes so that things that you run on a regular basis, such as Outlook Express, don't prompt you for the security restrictions. Microsoft offers the same vein of control through the use of "Zones" in  IE, but it is not a responsive measure, and once a user opens the door enough, everyone runs right through.

    Just some opinions off the top of me head.

  • jsrfc58

    Good points.  And perhaps that is something Microsoft could work on more...mass education of the average home user on security issues.  Most people click right on through the "license screens" before installing things and miss a lot of the fine print.  Perhaps Microsoft should put a prominent "security education" section on the front end of the "Windows Tour" that new users can fire up when they first get their computer.  That still won't solve some of the other security issues out there, but so many of the virus/malware/adware issues lead right back to education of the average user.

    As always "just my $.02".

  • LarryOsterman

    Simo wrote:

    And don't even get me started on that bloody ActiveX dialog.

    Windows: “Would you like to grant Acme Fashionable Software Co permission to do anything to your PC forever?”

    Simo, have you tried using SP2 yet?  Did you read Michael's blog entry?

    Windows no longer says "Would you like to grant Acme Fashionable Software...". 

    Instead it now says: "The web page you're accessing is trying to put some software on your machine.  Such software can be dangerous and evil and may trash your machine.  Do you REALLY want to do this?"  The default answer is "NO".

    If the site's trying to load an ActiveX control, then it just pops up the subtle yellow bar at the top and says "Windows blocked an ActiveX control".  That's it.  No popup, no interaction.  It's just blocked.  The user has to notice the yellow bar, click on it, and then say "Allow this ActiveX control".

    The default is to not let the user even SEE the ActiveX control if possible (the yellow bar disappears after 5 seconds).

    And there's nothing that can be done for people who download the Gator-supported version of DivX.  They CHOSE to put spyware on their computer.  We can't stop them, even if it would be a good idea.

  • manickernel

    One little thing I did was use a listing of adware/spyware/not-very-nice websites from the IE-SPYAD list available online (currently about 6000).

    Put them in IE in my restricted sites. Followed MS suggestion for applying IE zone restrictions via group policy so now those restricted sites are pushed to all the users.

    Granted, this is only one little piece of the puzzle.  Like a spam list it has to be kept current.

    Vance

    ...you can take the man out of marketing, but you can't take marketing....
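    An added example of the per-user half of the procedure described above (restricted-sites list into the IE zone map); this is not code from the thread or from Microsoft's guidance. It assumes a one-hostname-per-line blocklist at an assumed path and uses a simple two-label split to mirror the subkey layout the IE dialog writes.

```powershell
# Added example, not from the thread. Loads a hostname blocklist (one host per
# line, '#' comments allowed) into the IE Restricted Sites zone for the current
# user. IE keeps per-user zone assignments under ZoneMap\Domains: one subkey per
# registrable domain, an optional subkey for the host prefix, and a DWORD value
# named '*' (all schemes) whose data is the zone id. Zone 4 = Restricted Sites.
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$RestrictedZone = 4

function Add-RestrictedSite {
    param([Parameter(Mandatory)][string]$HostName)

    # Accept only plain hostnames; schemes, paths or wildcards from a sloppy
    # list are skipped instead of being written into the registry.
    if ($HostName -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        Write-Warning "Skipping invalid entry: $HostName"
        return $false
    }

    # Mirror the layout the IE dialog writes: 'ads.example.com' becomes
    # Domains\example.com\ads, while 'example.com' covers every host under it.
    # (Assumption: the last two labels are the registrable domain; lists with
    # entries like 'foo.co.uk' would need a public-suffix-aware split.)
    $labels = $HostName.ToLower().Split('.')
    $domain = ($labels | Select-Object -Last 2) -join '.'
    $prefix = ($labels | Select-Object -SkipLast 2) -join '.'
    $keyPath = Join-Path $ZoneMapDomains $domain
    if ($prefix) { $keyPath = Join-Path $keyPath $prefix }

    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name '*' -PropertyType DWord `
        -Value $RestrictedZone -Force | Out-Null
    return $true
}

function Import-RestrictedSiteList {
    param([Parameter(Mandatory)][string]$ListPath)
    $added = 0
    foreach ($line in Get-Content -Path $ListPath) {
        $entry = $line.Trim()
        if (-not $entry -or $entry.StartsWith('#')) { continue }   # blank / comment
        if (Add-RestrictedSite -HostName $entry) { $added++ }
    }
    return $added
}

# Re-run whenever the list is refreshed; existing entries are simply rewritten
# with the same zone id. The path below is an assumption.
$count = Import-RestrictedSiteList -ListPath 'C:\lists\restricted-sites.txt'
Write-Host "Assigned $count hosts to the Restricted Sites zone."
```

    The group-policy variant (the "Site to Zone Assignment List" setting) instead stores REG_SZ values of domain = zone id under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey, which is what pushes the same list to every user.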

  • object88

    LarryOsterman wrote:

    Instead it now says: "The web page you're accessing is trying to put some software on your machine.  Such software can be dangerous and evil and may trash your machine.  Do you REALLY want to do this?"

    Really?  It says it can be evil?  That's so cool!!  OK, I know it probably doesn't do that, but the cool-factor would go off the scale if it did.

    BTW, JParrish, it looks like the way manickernel quoted Ballmer is the way just about everyone is quoting it.  I've seen one place where there's a more complete quote:  "We’ve really prioritized online as our top approach. The first thing we fund is online ads. I want to make sure you can’t get through an online experience without hitting a Microsoft ad." (Jupiter Research)  I don't know if it's more or less accurate than anything else.  In regards to the comma at the end of "ad", it's the fault of English grammar-- the quoting sentence is often "... ads,' he said.".  English grammar dictates (poorly, I think) that there be a comma at the end of a quote (even if it is the end of the quoted sentence) if there's more to the complete sentence.

  • jamie

    I think you are all totally mistaken

    My wife does nothing but go to CIBC bank on the other machine and she got a thing that changes the homepage and puts in popups - and I read on Slashdot today that 50 banking sites have been compromised with this crap

    I'm getting tired of all this

    BHODemon?
    CWScribber?
    HijackThis?
    Adaware?
    Spybot?

    I never knew ANY of these apps - or needed them in the past...and now I'm either using one or all of those daily - or reading about a new one!

    To me (marketing/design) it is akin to "Here, have a nice cold refreshing Coca-Cola"

    ...but don't forget to run GlassRemover 2.0, Bacteria Scrubber, TasteInhibitorGone 4.1 etc etc

    It is LUDICROUS

    I'm glad to hear there's a new IE team - but honest to goodness...it's getting out of hand - I honestly want to FORMAT all my tech support family and friends' computers and load Linux - or tell them all to buy Macs

    I prefer to post light hearted stuff, or try to be fun - but IM LOSING IT


    Microsoft: are you out of your MIND!!!?????

    Fix these F***** EXPLOITS NOW!
    = buy the companies TOMORROW - hook the teams together and get this OVER with

    * AND DO NOT ATTEMPT TO CHARGE ME A DIME FOR IT

  • JParrish

    Jamie.. I won't say most of what I feel at first read about that last reply, since I value my own integrity. Instead, let me see if I can brainstorm how, if she "does nothing but go to CIBC bank on the other machine", she could get spyware that affects her web surfing experience.

    First off, you are saying she does absolutely nothing, including downloading MP3s, software, email w/ attachments, etc? If that is true, albeit unbelievable, have you kept that machine updated with the latest patches from Windows Update? Have you been proactive at all in keeping the machines from being infected with malware?

    If you have kept it up to date.. there is a remote chance that she surfed onto a site during a small window of time where an exploit could have been executed without a patch being available. However, as you described it she had gone nowhere but the CIBC bank site, so I suppose your bank's web server has been compromised?

    If that is not true, then perhaps you have other machines on an internal network, that are thoughtfully protected behind an internal firewall. Only problem being that the activity you may generate could infect your machine. Once inside a network, the firewall is a helpless measure.

    So, question is how did it happen? Did she execute an email attachment that included the spyware, did you install it on your own machine and infect her, did she get it from the bank and therefore prove that the banks site was compromised, or are you even clear as to the avenues that such software can penetrate a windows computer?

    My suggestion would be to educate yourself so that when you reply on the topic of security and Microsoft products again, you can contribute some sort of feedback that will benefit you, me, and every other end user out there. Along that path you will most likely benefit Microsoft, and I think that is the reason they are hoping that you post.

  • JParrish

    object88 wrote:

    I've seen one place where there's a more complete quote:  "We’ve really prioritized online as our top approach. The first thing we fund is online ads. I want to make sure you can’t get through an online experience without hitting a Microsoft ad." (Jupiter Research)  I don't know if it's more or less accurate than anything else.  In regards to the comma at the end of "ad", it's the fault of English grammar-- the quoting sentence is often "... ads,' he said.".  English grammar dictates (poorly, I think) that there be a comma at the end of a quote (even if it is the end of the quoted sentence) if there's more to the complete sentence.

    Thanks for the added interpretation. If he really did speak like that, it makes me wonder if he is 1. just talking out his arse to the shareholders. 2. is really convinced that such a strategy would work. 3. Is still hoarse from yelling DEVELOPERS, DEVELOPERS, DEVELOPERS, DEVELOPERS, DEVELOPERS, DEVELOPERS, DEVELOPERS, DEVELOPERS and can't think rationally about online search engines and advertising vs. profitability models.  =)

  • lars

    The real problem is that being fully up to date doesn't help this time. There are several different attack vectors that let the attacker 0wN your box just by visiting their site. Example: Microsoft Internet Explorer Non-FQDN URI Address Zone Bypass Vulnerability

    In the last two months security analysts have put MSIE security through the shredder in a way I've never seen before. Even though I love MSIE I'm writing this using Firefox. Something that was forced upon me by the lack of action from Microsoft.
    Some of the problems will be fixed by XP SP2. But first of all, that is beta software. Thus it isn't a solution that exists today. Second, it will only patch Windows XP (not W2K for instance).

    As a fellow proponent of Microsoft and MSIE I understand why Jamie is upset.

    Lars

  • ZippyV

    It should be possible to detect spyware faster without having to search through every DLL file in the Windows folder or the registry. Actually it shouldn't be allowed for a program to install anything in the Windows folder, not even a driver or service.
    That way, the core system files stay sealed off from the other, untrusted environment. Same for the registry, seal most of the keys off.
    Other applications also shouldn't be allowed to mess with another one. For example, I tried uninstalling a demo of a game and the Wise uninstall program was very busy with removing my Program Files folder.
    Even with all the security precautions you take you can't predict what some programs are up to, even if you trust them.
    Another thing that disturbs me: Why are all applications allowed to create folders in the root of the drive? Shouldn't be allowed.

    • Program wants to install? Fine, all the exe's and dll's go to a folder within the Program Files folder.
    • Program wants to have config files? Fine, put them in a user-settings folder.
    • Program wants to save documents? Fine, put them in the My Documents folder.
      Everything else should be blocked.

  • lars

    Some good points there.

    /Lars.

  • manickernel

    ZippyV wrote:

    Another thing that disturbs me: Why are all applications allowed to create folders in the root of the drive? Shouldn't be allowed.

    • Program wants to install? Fine, all the exe's and dll's go to a folder within the Program Files folder.
    • Program wants to have config files? Fine, put them in a user-settings folder.
    • Program wants to save documents? Fine, put them in the My Documents folder.
      Everything else should be blocked.

    Ahhh, I wish that were the world we live in. I deal with a related situation in that so many applications we deploy in our environment require elevated privileges just to run. One silver lining of all the adware/IE vulns of late is that higher-ups are finally ready to allow us to lock down users, which will solve 80% of this crap being installed. Only now I have to audit each application to determine which specific registry keys, directories, etc. the application requires write/extended access to in order to run under a restricted user account.

  • FrankCarr

    JParrish wrote:

    If you have kept it up to date.. there is a remote chance that she surfed onto a site during a small window of time where an exploit could have been executed without a patch being available. However, as you described it she had gone nowhere but the CIBC bank site, so I suppose your bank's web server has been compromised?

    The most recent attack did feature a double exploit of both IIS and IE so this is a very likely scenario.

    The problem is that you have to stay updated constantly to dodge the latest scumware attacker. This is what has become unacceptable and what has driven previously loyal MS customers to other browsers. I went with using Firefox almost exclusively after getting hit with a scumware program that used an unpatched IE exploit to get onto my system. The program got in through an IFRAME hosted on a compromised advertising service provider's server who had bought a banner ad space on a guitar related website I often visit.

    I have a lot of sites blocked on my IE restricted list and in my HOSTS file as well as in my firewall program. I use programs that try to block unauthorized ActiveX objects from installing and executing and to protect the registry. However, I feel safer browsing using Firefox because (a) it's not as big a target and (b) is not as vulnerable to exploitation due to the lack of ActiveX support and strong integration with the OS.
