It's true Microsoft says it every time, but the software maker paid particular attention to security in Windows Vista. The company took more advice and more risks than ever before, deprioritizing many other concerns that were heretofore paramount. We're still only in beta, but does it look like Microsoft has delivered?
Luckily the company just published a document titled "Microsoft Windows Vista Security Advancements," so we have a list of its own claims to evaluate. And just last week we heard of a significant advance in Vista that didn't make the PR document.
The Security Development Lifecycle. Three years ago Microsoft created a security group to be involved with development at all stages, but Vista is the first product to be designed from the ground up with such consideration. (Actually, it sounds remarkable that such a development is so recent, but at least Microsoft finally did it.)
Has this made a difference? The jury's still out. But it's encouraging to hear some of the measures used. All buffers in the code are marked up to assist automated analysis tools. Fuzz testing is used extensively throughout development. Microsoft says it is pursuing Common Criteria certification.
Restricted Services. This is an excellent example of how Vista takes the “least-privileged” philosophy seriously. Windows services are programs that run prior to user log-on. Many parts of Windows itself, such as the plug-and-play manager, run as services, as do many third-party programs such as anti-virus programs.
The previous approach has been to log on services with a special account called the LocalSystem account, which is a relatively privileged account, often having access to system resources completely irrelevant to the service's task. Not so in Vista, Microsoft claims:
Good example. The RPC service has an unfortunate history, being at the center of the Blaster worm event. In fact, some of the other more famous and damaging network worms—Sasser, for example—have targeted services. What they do is find some overflow that can be triggered through network protocols and use that overflow to run exploit code. In Vista, these overflows will be far harder to find and exploit (more about this below), and restricted services will make it harder to do anything useful with them.
Buffer Protection
Data Execution Protection. One of the ways buffer overflows are getting harder to exploit is the increasing prevalence of systems that support DEP (Data Execution Protection), which uses hardware support to block execution of code that a program has injected into the data memory of a running process.
This has been in Windows since Windows XP SP2 and Server 2003 SP1, but Vista should help bump this feature into more prominence, since new versions of Windows are always targeted at the next generation of hardware and aim to sell new computers. It's another thing that happens every time: You don't want to try to run Vista on a computer from five years ago. Incidentally, the Windows security paper also makes vague claims about protecting operating system components against heap tampering, although it doesn't say how.
64-Bit Security Enhancements: Kernel Patch Protection and Mandatory Driver Signing. I've written about this before: As of the 64-bit versions of Windows from Vista on, kernel-level code will have to be signed. And not just with any old signature, but a real code signing certificate issued by a real certificate authority. Even if a rootkit author were to go to the trouble and expense of obtaining such a certificate, it could be revoked for abuse. Sadly, this will be active only in the 64-bit versions.
User Account Control. This has received the most attention of security features in Vista: The standard user account is now a restricted account that can't do dangerous things like install applications. When elevated privileges are required (yes, this is basically just like in Mac OS X) the user is prompted for credentials of an account with sufficient privileges.
This is a good thing, but I'm suspicious of the extent to which it will stop malware. The key is social engineering. It seems to me that in most cases where malware gets installed users know they are installing something and therefore will be willing to install what they're told, and they'll need to have access to the administrator credentials, even if they don't run them regularly. And some users will just throw caution to the wind and run as administrator.
But even administrative accounts will be less-privileged and run in “Administrator Approval Mode,” where some operations will require an extra approval. Extensive help is available on MSDN (and has been for a while) to help developers write applications that work well in a least-privileged environment.
New Log-on Architecture. The Windows log-on architecture has been completely ripped out and replaced with one that makes it easier to support stronger authentication systems, such as biometrics and smart cards. This is another one of those changes that will cause friction with the rest of the industry, since companies with such log-on products had to write custom GINA (Graphical Identification and Authentication) programs to work with Windows in earlier versions, and now they'll have to write a new version and maintain two of them until everything prior to Vista is obsolete. Oh well, these things happen, and the new versions should be easier to write and maintain than a secure GINA.
The report describes other improvements, such as bundling Windows Defender, Microsoft's anti-spyware application, and tightening of the Windows Firewall. I've been wondering for a while if the bundling of Windows Defender extends to free updates to signatures used by it. I've asked Microsoft and have gotten no clear answer. The document is written almost too carefully in this regard:
It goes on to say Windows Defender will be a free download for licensed users of Windows 2000, Windows XP and Windows Server 2003. But what of the updates? You'd get the impression from Microsoft's description of it that Defender doesn't have signature updates of its own. Either that or Microsoft will provide them for free through the usual channels like Microsoft Update. Or the company won't, and the continuing functionality it refers to is the substantial IPS-like work that Windows Defender does.
I need to hear more from Microsoft on this, but from this and other information on the Microsoft site it looks to me like the company will be updating it for free. This perpetuates the false dichotomy between what Microsoft calls "spyware and potentially unwanted software" on the one hand and "viruses and malicious software" on the other. I've always maintained that it's a phony distinction, but I guess it works for Microsoft. Perhaps it's just a matter of time before protection against all real malware comes with Windows.
Internet Explorer 7+
Internet Explorer 7+. So much has been written about IE7 that I'll not go into any detail. As I blogged recently, Microsoft decided to rename IE7 on Vista as IE7+ because it has several important features not available to IE7 on other platforms.
Protected Mode: In Vista, IE7 runs with specially crippled permissions. Anything remotely dangerous is blocked. If necessary, with explicit permission, users can elevate permissions. This is analogous to some of the user account control advances described above, and I believe subject to some of the same social engineering attacks. But it's still an important improvement.
ActiveX Opt-In. Vista users are prompted before they can access a previously installed ActiveX Control that has not yet been used on the Internet. Web sites that attempt automated attacks can no longer secretly attempt to exploit ActiveX Controls that were never intended to be used on the Internet.
Many of the other improvements in IE7, such as the Phishing Filter, are available on earlier Windows versions as well.
There's more in the document and more that's not in it. Last week on multiple security lists the famous David Litchfield of NGS Software revealed that Windows Vista Beta 2 implements Address Space Layout Randomization. With ASLR Windows randomizes the locations of different Windows program sections: the heaps, stacks and base load addresses. For lots of gory details on ASLR, see Litchfield's paper "Buffer Underruns, DEP, ASLR and Improving the Exploitation Prevention Mechanisms (XPMs) on the Windows Platform."
The short answer to your "so what?" is that ASLR—properly implemented—makes exploitation of overflows in programs considerably harder to accomplish. Other researchers piped up to say that similar techniques have been used in hardened versions of Linux and there are ways to defeat them, but there's some controversy over how true this really is and how relevant it is to Microsoft's implementation. Clearly more research needs to be done, and beta's the time to do it.
It's easy to get cynical about Windows security, but I look at the last couple years, since XP SP2 especially, and I see a vastly improved situation. It's been more than two years since Sasser, the last of the great network worms. There have been threats and fears of serious outbreaks in that time, but the worst you can say is that the tools exist for conscientious users and administrators to protect their systems. The flaws that we've seen lately typically require some user intervention and are blockable through other means.
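Both DEP (discussed under Buffer Protection above) and ASLR are per-image opt-ins on Windows: the linker records them as bits in the DllCharacteristics field of the PE optional header (DYNAMIC_BASE, set by /DYNAMICBASE, marks an image as safe to relocate so Vista's loader can randomize its base; NX_COMPAT, set by /NXCOMPAT, declares DEP compatibility). A defender auditing a beta system wants to know which binaries actually opt in, which is what the following Python does. This is an added example, not code from the column, from Litchfield's paper or from Microsoft; the flag values and header offsets are the documented PE format ones, and the sample images it checks are constructed header-only byte strings, not real executables.

```python
import struct

# DllCharacteristics bits from the PE optional header (documented flag values).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be relocated: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080  # loader must verify the image signature
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image declares DEP compatibility

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
DLLCHARS_OFFSET = 70  # offset of DllCharacteristics in the optional header (PE32 and PE32+)


def parse_pe_mitigations(image: bytes) -> dict:
    """Return which load-time mitigations a PE image opts into.

    Only the headers are read, so a full file or just its leading bytes will do.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff_off = e_lfanew + 4
    (_machine, _nsec, _ts, _symtab, _nsyms,
     size_of_optional, _chars) = struct.unpack_from(COFF_HEADER_FMT, image, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_HEADER_FMT)
    if size_of_optional < DLLCHARS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (dll_chars,) = struct.unpack_from("<H", image, opt_off + DLLCHARS_OFFSET)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "force_integrity": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY),
        "dll_characteristics": dll_chars,
    }


def missing_mitigations(image: bytes) -> list:
    """Names of the mitigations an image does not opt into (empty list means both are set)."""
    info = parse_pe_mitigations(image)
    return [name for name, key in (("ASLR", "aslr"), ("DEP", "dep")) if not info[key]]


def audit_file(path: str) -> list:
    """Report the missing mitigations for a PE file on disk."""
    with open(path, "rb") as f:
        return missing_mitigations(f.read())


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only image for exercising the parser; it is not loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    size_of_optional = 240 if pe32plus else 224
    coff = struct.pack(COFF_HEADER_FMT,
                       0x8664 if pe32plus else 0x14C,  # Machine: AMD64 or I386
                       0, 0, 0, 0, size_of_optional,
                       0x0002)                          # IMAGE_FILE_EXECUTABLE_IMAGE
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, DLLCHARS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    hardened = build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                               | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    legacy = build_sample_pe(0, pe32plus=True)
    for label, img in (("hardened", hardened), ("legacy", legacy)):
        print(label, parse_pe_mitigations(img), "missing:", missing_mitigations(img))
```

Run it over a directory of binaries with `audit_file` and the images that come back with a non-empty list are the ones that neither randomization nor the opt-in DEP policy will protect, whatever the operating system itself supports; an image without DYNAMIC_BASE still loads at its preferred base on Vista, and a 32-bit image without NX_COMPAT is exempt from DEP under the default OptIn policy.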
This is due in large part to all the work Microsoft did on Windows security. Why doubt that the company is capable of greater advances in Vista?
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.