Scott Field: How secure is Vista, really? - Part II

The Discussion

• 

  Cool Video.
  
  MS should have moved the WinKernel from Ring0 to Ring1 in that onion. PatchGuard can then secure Ring1 Code. This way you get rid of the impracticality of securing code with same priviliage level that exist in Vista.
  
  Or, MS could introduce Zones within the Kernel layer, where one zone would have more previlage than the other. Kind of like the Throne and the King servents. Or the nucleous in a cell. Zone 0 Zone 1 Zone 2. Zone 0 Runs hyperviser and hurestics, Zone 1,2 run Kernel and other stuff.
  
  
  Anyways, I look forward to seeing the cryptography in Windows Vista and Socket Security. Will certificate substitution work in vista (man -in middle attacks) as in before? or not?
  
  What about the ASLR (Address Space Layout Randomization) which was intrudiced later in the dev cycle into Vista. This was already present in open-source OS , and linux. It was supposed to make the odds of a successful buffer overrun exploit 1/256 chances, because each time you restart winVista, the system resoruces that are loaded into memory are loaded in to randomal address space. It helped Linux be more secure than Windows in the past, and its a plus in terms of security. But in the Linux world, Crackers found a way around it with memory search tools and things like that. I dont know how MS implemented their ASLR but it would be cool to know more about it.
  
  RootKits will still work in Win-32 Vista, although its much harder now. Even if people were not able to patch the kernel anymore with rootKits, they might patch process memory space with DLL injections and impersonation. Does Vista check at run time , if a process had changed? Suppose a DLL injection happened at Run Time for a process running in Windows Vista, would Vista block the injection or will allow the injection but crash the application or stop its execution?
  
  What applications can access Raw Sockets? Does windows check?
  
  
  Thanks for part 2. Its cool and I am looking to see the Crypto video (if will be done), on Vista and the new innovations as compared to prevista era.
  
  
  Edit: Since we are in Security zone here, How secure is the Firewall in Vista? Will it prevent LAN attacks? like Arp poisioning, MAC Spoofing, things like that?

• 

  Hmmm... Secure?...
  
  Just try to kill "winint.exe" from TaskManager...
  
  PS: DON'T DO THIS ON YOUR MAIN/WORK PC!!!
  

• 

  BlackTiger wrote:

  Just try to kill "winint.exe" from TaskManager...

  
  
  No such file comes with windows?? And if you mean wininit then hard to kill as it's not running.
  

• 

  SecretSoftware wrote:

  
  
  MS should have moved the WinKernel from Ring0 to Ring1 in that onion. PatchGuard can then secure Ring1 Code. This way you get rid of the impracticality of securing code with same priviliage level that exist in Vista.
  
  

  
  
  Isn't that what they're talking about introducing with the Hypervisor? Bumping the kernel up a ring and having the hypervisor sit in ring 0.
  

• 

  SecretSoftware wrote:

  
  MS should have moved the WinKernel from Ring0 to Ring1 in that onion. PatchGuard can then secure Ring1 Code. This way you get rid of the impracticality of securing code with same priviliage level that exist in Vista.

  
  
  Nice idea, but it would have broken every bit of virtualisation software out there. It is the way they are going by introducing low-level virtualisation support and a hypervisor though.

• 

  Nice vid guys!
  
  Hey, it would be really nice if someone (probably from MS) would put together a detailed list of all these new innovations in Vista (i.e. security, network, new interesting apis, new tech, etc)  Not a marketing document, but a real list that devs and IT Pros would like.  I see stuff scattered around, but have not seen in one document.  Maybe a wiki page on a Vista team updated by an evangelist.  Does this already exist? 

• 

  staceyw wrote:

  Hey, it would be really nice if someone (probably from MS) would put together a detailed list of all these new innovations in Vista (i.e. security, network, new interesting apis, new tech, etc)  Not a marketing document, but a real list that devs and IT Pros would like.

  
  
  Yeah, it would be great to be able to link to something like that whenever someone says, "Vista is simply an eye-candy upgrade."
  

• 

  Jeremy Mazner pointed me to this document: http://download.microsoft.com/download/c/9/8/c988dce4-1971-4ad4-a1ef-df99e596a4cc/WVPG%20RTM.xps
  
  It's the product feature guide for Windows Vista. Loads of information on what's new in Vista. It's not very technical or deep, but it does provide useful descriptions of the new innovations in Vista.
  
  You can find Security-related white papers here: http://www.microsoft.com/security/windowsvista/default.mspx
  
  Feel free to create a C9 wiki that lists all new features of Vista, broken up by OS layer We should do this!
  C

• 

  androidi wrote:

  

  BlackTiger wrote:Just try to kill "winint.exe" from TaskManager...

  
  
  No such file comes with windows?? And if you mean wininit then hard to kill as it's not running.
  

  
  
  Yes, it's "wininit.exe". And this process is VERY running (check "Show all processes" in TaskMan). Killing of this process VERY crashes Vista. Sometimes(!!!) Vista can't even start after rebooting. It's very easy to write some virus/trojan to kill some process.
  

• 

  Killing system processes on Vista will invoke a privilege elevation prompt (assuming UAC is running). Admins can do stupid things, just like in XP. If some rogue process tries to do harm, then a user would be prompted by the system that a questionable action is taking place and will be given the option to stop it.

  I don't see how killing processes in Admin security context is a Windows security issue. 100% user error.....

  C

• 

  Charles wrote:

  

  Killing system processes on Vista will invoke a privilege elevation prompt (assuming UAC is running). Admins can do stupid things, just like in XP. If some rogue process tries to do harm, then a user would be prompted by the system that a questionable action is taking place and will be given the option to stop it.

  I don't see how killing processes in Admin security context is a Windows security issue. 100% user error.....

  C

  
  
  1. Believe me, UAC WILL BE disabled on many systems.
  
  2. This IS bug in security. It's impossible to kill system by killing process in XP. Try to kill critical process in XP (SYSTEM, smss, svchost(s)).
  
  

• 

  Windows XP (and I believe 2000 and NT too) terminates if you kill some important system processes such as lsass.exe. It is probably safer to shutdown the system after one of these procs has been compromised instead of going on and hope everything is ok. Same motivation for going to "blue screen" after a kernel error.
  

• 

  Turning of UAC is a user-decided action and therefore a user-decided mistake. Yeah, a mistake. Do NOT turn off UAC unless you HAVE to on your dev machine (which is our fault, not yours - we will fix this)

  You are wrong about not being able to compromise XP by doing stupid things as an admin.

  C

• 

  Well the uneducated user or the average user who just uses the computer. When they get a pop-up or prompt, and don't know what it means, 99.9% will say 'yes'. It goes back to things like a firewall (Zone Alarm, Norton, McAfee) showing a pop-up asking if the user if they wants to do 'xyz' on 'pdq'? Well more than likely, not knowing what a 'pdq' is let allone what it means to 'xyz' for 'pdq'. Then to be asked if they want to continue or not?
  
  Then if they get sick of the prompts or impatiant (like other programs) the user finds ways to turn off or disabling 'ABC' or should I say "UAC". They don't really read it or take patiants to look at, instead they just answer it. It is a tangent.
  
  I think the big point here is that the *average* user does not speak geek.
  
  So, they answer 'Yes' to the 'xyz,pdq' questions. Or they turn off 'ABC' regardless of the software trying to protect them. Or if enough FUD is applied the 'end-user'  answers 'No'. Could you image all the things that can't be done if you answer 'no' to all UAC prompts. So,  it is back to not reading and just answering 'yes' to all or disabling.
  
  
  
  - guy
  "Have a great day! You just unlocked the pick slip virus!."
  
  

• 

  You can easily screw linux with one command or a bad software install ... and that means, needing to reformat. So in that I think people are demanding the impossible from Microsoft.
  
  I doubt UAC will the the solution to all problems, but it's a step to a good direction. User's should read the messages, you can't blame the creators for everything, user stupidity is to blame most of the time.
  

• 

  HellSnoopy wrote:

  ...everything, user stupidity is to blame most of the time.
  

  
  
  Ya, but if a user who is a brain surgen stupid because he does not know about a dialog box asking him to "xyz.pdq", when not knowing what it is going on?
  
  I know I won't be doing any brain surgery, and I know that brain surgury is not for the average person, *user*. Am I considered stupid because I can't do brain surgery from there point of view. But should a computer require a Computer Degeree to use just as much as it would take a PHD to operate on a human.
  
  I know that is apples and oranges but the point is that it should not be. Is the user is considered to have *user stupidity* because they can't operate a computre or a genesis becuase they can operate on the brain.
   
  The real issue here is the hacker. Second is educating the user and how and at what cost if not free. And third would be the one who should supporting the complete package (from selling to educating) and not jsut providing a platform for chaos.
  
  Don't forget the third party the malware creator who IMHO is the realy stupid person in this picture and not microsoft or the *average* user even if you think of them as doing something stupid.
  
  Does buying Vista come with free training and education on all thes terms like UAC, MalWare, Prompts, etc... or Or is the user just left on there own.
  
  Buyer beware!!! There are hackers out there that no one can stop but you and if you don't then don't blame the OS manufacturer or the hacker just blame yourself.
  
  Sounds like smokey the bear "Only you can prevent Forest Fires."
  
  
  

• 

  Charles wrote:

  Turning of UAC is a user-decided action and therefore a user-decided mistake. Yeah, a mistake.

  So UAC is Microsoft's way of making an insecure Windows system the user's fault instead of Microsoft's fault.  A "cover your (I need to watch my language)" feature.  Nice.

• 

  JChung2006 wrote:

  

  Charles wrote: Turning of UAC is a user-decided action and therefore a user-decided mistake. Yeah, a mistake.

  So UAC is Microsoft's way of making an insecure Windows system the user's fault instead of Microsoft's fault.  A "cover your (I need to watch my language)" feature.  Nice.

  
  
  
  So... is the root account Linux's way of making an insecure Linux system the user's fault instead of Linux's fault?

• 

  y2k4life wrote:

  
  
  Does buying Vista come with free training and education on all thes terms like UAC, MalWare, Prompts, etc... or Or is the user just left on there own.
  
  

  
  
  The UAC dialogs clearly say "This program is trying to run. If you started this program, please continue." or even "The source and purpose of this program are unknown. Don't run the program unless you used it before or know where it's from.", followed by "Cancel: I don't know where this program is from or what it is for."
  
  If the user doesn't understand that message, or worse, doesn't -read- that message, then yes, it's the user's fault.
  
  It's not an ideal system, but in my opinion, it's the best compromise between usability and security.

• 

  IMHO:
  Some (very) critical processes (look at my exampe) MUST BE protected not by UAC or any other "user level" system, but by some internal "unstoppable" system. They must be protected even from SuperPuperAdministrator. Some kind of "core protection". UAC is just a "protection feature", not a "protection system".
  
  I'm not against UAC. This is nice... feature. But far from perfect. Best scenario (imho): disable UAC during system setup/tuning, but enable after whole system installation including all software and settings.
  
  But... What we will do between incompatibilities between UAC and Microsoft(!) software? This is weird problem. There was some solution. I don't know why MS not used it (did I misse something?). Application signatures. Exctly like antivirus software, but in opposite direction. Ok, MS can't collect all signatures from all ISV (at least in short time), but they CAN do it for own software! In this case you can run application  without interaction with user even if application is "not quite right, but doing nothing harmful".
  

• 

  As Scott mentions in the video, all MS software components in Vista are digitally signed. It would be a compatibility nightmare to force all ISVs do do the same. That said, Vista is the beginning, not the end, of a much more strict system. You see, there's always been (and will contnue to be) a struggle between platform flexibility and system security. It's a very hard problem. Scott, for one, has been working on it for 12 years.
  
  Vista is not perfect, but it contains a great deal of security innovation that will form the basis for future iterations of Windows while doing a great job of keeping users safe today.

  C

• 

  Bas wrote:

  

  y2k4life wrote:  Does buying Vista come with free training and education on all thes terms like UAC, MalWare, Prompts, etc... or Or is the user just left on there own.

  
  
  The UAC dialogs clearly say "This program is trying to run. If you started this program, please continue." or even "The source and purpose of this program are unknown. Don't run the program unless you used it before or know where it's from.", followed by "Cancel: I don't know where this program is from or what it is for."
  
  If the user doesn't understand that message, or worse, doesn't -read- that message, then yes, it's the user's fault.
  
  It's not an ideal system, but in my opinion, it's the best compromise between usability and security.

  
  
  Yes, but would your agree that by doing X and knowing I'm doing X I could answer the dialog box. But at some point would you agree that by doing X that not only X is being done but also Y and Z?  If the user gets a dialog box for Z do they know for sure that they started Z or is it a rogue? Do they know what Z is? No, So, answer No, and now X does not work? So the user is back to answering Yes to all because if not then X will not work?
  
  Fore example while doing an install the average user is asked to continue to run this program (installer). They would say yes. But then half way through the process they get a message Y.exe is trying to access the z.exe do you want to continue (was that the install or a rogue program)? Well they did not start Y.exe or Z.exe (the installer did which they gave access to).
  
  Funny thing was when I did an install it did not work. I had to actually create a boot start bat file. And elevate security.(http://blogs.conchango.com/pauloreichert/archive/2006/11/21/Windows-Installer-MSI-packages-error-code-2869-on-Windows-Vista.aspx.
  
  IMHO I think this is good and going in the right direction but should we cut off our nose to spite our face. We need to keep the average user in the loop as we go after the security issue. I think put technical systems in place to tackly the issues but the more and more dangerouse it becuase the more education is needed. I can't drive a car (even knowing how simple it is) with out education (legaly). Maybe we need license to use a computer (i'm not talking EULA)? Also as I pointed out Smokey says only you can prevent forest fires. How does he help, educates the campers. MS where is your Smokey The Bear "Only you can prevent hack attacks"? Where is your UAC commercial telling the average users for free what the hell that means?
  
  Obviously if we would live in a platonic world there would be no security issues Malware, hacker, or the likes. The average user would use the computer like it was intended and would not need twenty dialog/prompts asking if they want to open an email. But if it is going to be this difficult than educate them. And I don't mean by giving them text in a dialog box in hopes that they will understand and answer the question with clearity.
  
  I'm going to start up a survay in my local communtiy to see how many average users know what UAC means let allone what User Access Control is?
  
  
  
  

• 

  I just wanted to say , Patch guard, or the hyperviser, will only make crackers move up one level. They will use the APIs to the Kernel, and do what they want. in the same way the security vendors are using it, to do their, dirty work.
  
  but if MS added heuristics to detect malicious software behavior, then this can be reduced by 60-70%.
  
  hey being clothed is better than being naked. Prevista, the Kernel was naked, now, it has some clothes on.

• 

  y2k4life wrote:

  Also as I pointed out Smokey says only you can prevent forest fires. How does he help, educates the campers. MS where is your Smokey The Bear "Only you can prevent hack attacks"? Where is your UAC commercial telling the average users for free what the hell that means?
  
  Obviously if we would live in a platonic world there would be no security issues Malware, hacker, or the likes. The average user would use the computer like it was intended and would not need twenty dialog/prompts asking if they want to open an email. But if it is going to be this difficult than educate them. And I don't mean by giving them text in a dialog box in hopes that they will understand and answer the question with clearity.
  

  
  
  Pretty much every "what's new in Vista" publication I've read mentioned UAC and explained what it did. I'm pretty sure it'll be covered in the tour on new installations, and that it'll be mentioned in the manuals. If companies train their personell on using Vista, no doubt UAC will be part of the training. I'm not sure how else Microsoft is supposed to educate people. By buying time for a commercial on TV that explains UAC to people during the Superbowl? Sounds a bit over the top, to me.
  
  I don't know, it seems pretty simple to me. If people get a new installation of Vista on their PC, they should take the tour and learn about new features, or at least read the manual. If they get to use vista on their PC's at work, I'm pretty sure their employers will have given them some sort of training to work with Vista. Both will cover UAC and educate the user.