Windows Vista still Rife with Insecure Code

osxpetition writes "As noted in a News.com article, Symantec researchers have been testing the latest Microsoft Windows Vista build (Beta 2), and have found that the code is 'complete with new corner cases and defects' in the networking component. Symantec describes how Microsoft scrapped the old networking stack code from Windows XP in favour of newer, rewritten code. 'Microsoft has removed a large body of tried and tested code and replaced it with freshly written code.' Since January 2002, Microsoft has put a stronger emphasis on protecting PCs by attempting to implement stable, secure code into Windows XP and their new operating system. This latest report from Symantec brings attention to Microsoft's trustworthy computing campaign, and shows how it will be a long time before it is ready for the mainstream."

  • by Derek Pomery ( 2028 ) on Tuesday July 18, 2006 @01:49PM (#15738137)
    Even if running as an unprivileged user, doesn't Windows offer a bunch of system notification stuff in the taskbar?
    Are any of those running as privileged, or communicating with the system services in an unsafe manner?
  • Re:Mistake? (Score:3, Interesting)

    by aymanh ( 892834 ) on Tuesday July 18, 2006 @01:52PM (#15738156) Journal
    I was going to moderate but after reading your comment, I decided to reply. Why are you assuming that it's not possible to write secure code from the start? The networking stack is a vital part of an OS's security, can't MS fork enough resources to create a relatively secure networking stack for Vista?

    Crackers will become familiar with Vista's net stack sooner or later, either by reverse-engineering the new not-so-secure stack or by utilizing their familiarity with the XP stack (in case MS didn't replace it). It's a cat and mouse game: just like how they found exploits in the first one, they will find ones in Vista's stack. The solution is to write a secure networking stack, not to replace it with another vulnerable one that hasn't been reverse-engineered yet.
  • Re:You joke, but (Score:3, Interesting)

    by Anonymous Coward on Tuesday July 18, 2006 @01:59PM (#15738222)
    I'd bet that every single country in which Microsoft has a development team has at least one back-door programmed into their code -- perhaps more in countries where they have more than one security agency that don't share info with each other.


    Considering that they even have legislation to require wiretappable telecom infrastructure, I wouldn't be surprised.


    In fact, I think it's the only way to explain how many security bugs are in Windows. Don't buy the excuse of it taking a lot of resources -- Microsoft has a *LOT* of resources including billions of dollars in the bank; and the OpenBSD group have a near perfect track record with a better performing OS with a budget thousands of times smaller than what Microsoft pays as dividends to shareholders.


    If they wanted to fix their security problems, they could and OpenBSD is proof of that. The fact that instead they pay out dividends to shareholders (which is what a company does when it can't think of a better use for the money) means that they have some reason not to want to fix the problems.


    Clearly it's not a marketing decision - it's bad press every time another one of these backdoors is exposed -- and it's not a feature corporate customers want -- so it most likely is a policy decision with governments.

  • by NutscrapeSucks ( 446616 ) on Tuesday July 18, 2006 @02:00PM (#15738225)
    How is a shatter attack a configuration error? Any application can send a windowing message to any other.

    The security model is built on "window stations" -- If you put a privileged window into an unprivileged window station, then you have made a configuration error. Period.

    The author of the paper stated that *nix/X11 is just as vulnerable to these types of attacks, BTW, so *nix is just as irrevocably mis-designed as Windows. The only difference is that *nix programmers are smart enough not to write interactive software that runs as root.
  • by ThinkFr33ly ( 902481 ) on Tuesday July 18, 2006 @02:16PM (#15738363)
    This "shatter attack" has been known about and acknowledged for MANY YEARS. (Long before the 2002 paper cited in this thread.) Every once in a while people will bring it up as proof that Windows has design flaws.

    This was a design decision with known trade-offs. Attaching security tokens to window messages would result in MAJOR overhead that would, even on today's beefy hardware, kill performance. Having to do a permissions check every time the mouse is moved is not feasible.

    So Microsoft decided that they would rely on "best practices" information as opposed to enforced security in the OS to prevent "shatter attacks". The best practices are pretty simple: If your service/application is running with elevated permissions (such as SYSTEM), do not display a GUI on a desktop owned by a lower privileged user.

    There have been examples of applications, in particular some poorly written anti-virus applications, that liked to display GUIs to the user despite the fact they were running as SYSTEM. For the most part, however, very few major applications exist today that have this issue.

    Applications that run with high privs that need to display a GUI typically launch their GUI with the privs of the user, or display the GUI on a secure desktop. (Like Winlogon.exe.)

    This is really a non-issue and hasn't been for a very long time. Please, ignore the FUD.
  • Well, no it isn't. (Score:3, Interesting)

    by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Tuesday July 18, 2006 @02:48PM (#15738638) Homepage Journal
    The network stacks that exist for, say, BSD and Linux are rather more convoluted than I would have thought necessary. I believe they could be made a lot simpler and faster, without sacrificing one iota of capability, flexibility or configurability. In fact, there may well be areas where reducing complexity will increase flexibility. That happens.


    It should be very easy to build a networking stack for Windows (or any other OS) that is bullet-proof, compact and fast, because it's not a particularly complex piece of logic. There are lots of rules, sure, but each rule within itself is very simple. That makes it possible to test each decision-making component directly and individually, along with the rule that component applies. Because you know what a well-formed packet looks like - that is defined by the applicable RFC(s) - you can also do comprehensive bottom-up integrated testing.


    Add in one of the multitude of profiling packages that will work with kernel-level code, and it should be child's play to make the code not only correct but damn fast.


    Could Microsoft do this? Of course they could. They might act the part, but that doesn't make them idiots. In general, anyway. How long it would take and how much manpower it would take depends on how correct they'd want the code. If you want to guarantee fewer than N errors per M lines of code, you can do it, but halving N will more than double the effort required. Can you guarantee no errors at all? Yes. The networking stack is simple enough that you can prove it complete, sufficient and correct. It would cost Microsoft far less to prove their network stack totally bug-free than they're owing the EU in fines. Personally, I feel that producing better code would have been a wiser investment, but that's their decision to make.


    Could Linux developers do this? Again, sure. There are many tools for profiling and analyzing the Linux networking stack, and suitable test harnesses shouldn't be that hard to write. If kernel hackers had more of a liking for testing, Linux networking bugs should be all but extinct within a year. As things stand, the cleanup is OK but not enough to seriously endanger the bug population. I would like to see a concerted effort to clean up the code rigorously, but I do recognize that much of the code is "good enough" for most developers to be more interested in expanding the capabilities than polishing the code to perfection.
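
The comment above argues that a network stack is a set of simple, individually testable rules whose inputs are defined by the RFCs. As an added illustration (this is example code, not from the thread or from any OS vendor), here is one such rule set: an IPv4 header validator following RFC 791, with every bounds decision exposed so a unit test can hit each branch on its own. The sample packet and the `sample_verdict_with_*` helpers are constructed for the example; `ipv4_validate` never reads past the length it is given, which is the property a stack has to hold against malformed input.

```c
/* Added example: an individually testable IPv4 header validator (RFC 791).
 * Not code from the thread or from any real network stack. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum ipv4_verdict {
    IPV4_OK = 0,
    IPV4_TOO_SHORT,      /* fewer bytes than the 20-byte minimum header */
    IPV4_BAD_VERSION,    /* version nibble is not 4 */
    IPV4_BAD_IHL,        /* IHL < 5 words, or header runs past the buffer */
    IPV4_BAD_TOTAL_LEN,  /* total length shorter than header or longer than buffer */
    IPV4_BAD_CHECKSUM    /* header checksum does not verify */
};

/* RFC 791 header checksum: one's complement of the one's complement sum of
 * the header's 16-bit words.  Computed over a correct header (checksum
 * field included) the result is 0. */
static uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t hdr_len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr_len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (hdr_len & 1)                      /* odd trailing byte, padded with zero */
        sum += (uint32_t)hdr[hdr_len - 1] << 8;
    while (sum >> 16)                     /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Validate the IPv4 header at the start of buf.  Each check is one RFC rule,
 * applied in an order that guarantees no read beyond len.  On success
 * *hdr_len and *payload_len (if non-NULL) receive the header and payload sizes. */
enum ipv4_verdict ipv4_validate(const uint8_t *buf, size_t len,
                                size_t *hdr_len, size_t *payload_len)
{
    if (len < 20)
        return IPV4_TOO_SHORT;
    if ((buf[0] >> 4) != 4)
        return IPV4_BAD_VERSION;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;          /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return IPV4_BAD_IHL;
    size_t total = (size_t)((buf[2] << 8) | buf[3]);   /* total length field */
    if (total < ihl || total > len)
        return IPV4_BAD_TOTAL_LEN;
    if (ipv4_header_checksum(buf, ihl) != 0)
        return IPV4_BAD_CHECKSUM;
    if (hdr_len)     *hdr_len = ihl;
    if (payload_len) *payload_len = total - ihl;
    return IPV4_OK;
}

/* Constructed sample: a minimal 20-byte header (10.0.0.1 -> 10.0.0.2, UDP,
 * TTL 64, total length 28) with a valid checksum, plus an 8-byte payload. */
static const uint8_t sample_packet[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x40, 0x00, 0x40, 0x11, 0x26, 0xce,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00
};

/* Test helpers: validate the sample with one byte overwritten, or truncated.
 * This is the "test each decision individually" idea from the comment. */
enum ipv4_verdict sample_verdict_with_byte(size_t idx, uint8_t value)
{
    uint8_t pkt[sizeof sample_packet];
    memcpy(pkt, sample_packet, sizeof pkt);
    if (idx < sizeof pkt) pkt[idx] = value;
    return ipv4_validate(pkt, sizeof pkt, NULL, NULL);
}

enum ipv4_verdict sample_verdict_with_len(size_t n)
{
    if (n > sizeof sample_packet) n = sizeof sample_packet;
    return ipv4_validate(sample_packet, n, NULL, NULL);
}

/* Payload length of the intact sample, or -1 if it fails validation. */
long sample_payload_len(void)
{
    size_t h = 0, p = 0;
    if (ipv4_validate(sample_packet, sizeof sample_packet, &h, &p) != IPV4_OK)
        return -1;
    return (long)p;
}

int main(void)
{
    printf("intact sample: verdict %d, payload %ld bytes\n",
           ipv4_validate(sample_packet, sizeof sample_packet, NULL, NULL),
           sample_payload_len());
    printf("version 6 nibble: verdict %d\n", sample_verdict_with_byte(0, 0x65));
    printf("total length 64 on a 28-byte buffer: verdict %d\n",
           sample_verdict_with_byte(3, 0x40));
    return 0;
}
```

Each mutation in `main` (and in the tests) flips exactly one field, so a failure points at the one rule that regressed; that is what makes a stack built this way cheap to keep correct as it is profiled and optimized.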

  • Re:You joke, but (Score:5, Interesting)

    by DroppedPacket ( 621464 ) on Tuesday July 18, 2006 @03:03PM (#15738745)
    OK, I have to bite on this:
    In fact, I think it's the only way to explain how many security bugs are in Windows.

    I think you perhaps need to take some lessons in critical thinking. This is the equivalent of saying, "The only reason auto-manufacturers put problems into cars so they have to recall them is because the government makes them, which is why Japanese cars are better than American cars."

    Large monolithic systems are inherently more complex than smaller component-built systems. (Although those have problems too along the boundary interfaces.) Auto-makers put lots of time and money into making a car that A) doesn't fall apart and B) doesn't require a multi-billion dollar recall effort. Microsoft puts lots of time and money into trying to make their software more secure.

    On the whole, I'd say the auto companies do a better job. :-) Throwing money at a problem very rarely solves the problem. The need to have an understanding of the problem, and how to fix the underlying problem, is vital. I think that is where Microsoft fails. The systems they have in place (from what I hear) are more frustrating to the engineers than helpful.

    I also have problems believing MS engineers are really motivated these days. Many of Microsoft's security issues have stemmed from their own code interactions which they implemented as deliberate features. Many more have been from sloppy programming (such as buffer overruns).

    Trying to blame MS security issues on government mandated back doors smacks of plain political diatribe with a nice glossy veneer of ignorance on the top to give it a nice sheen.

  • by postbigbang ( 761081 ) on Tuesday July 18, 2006 @03:07PM (#15738763)
    There are a myriad companies that Microsoft has bought, then put to good use. Some were then thrown off a cliff (like McAfee does/did with Network General and OilChange) while others made them smarter. They need the brains. And they need a new authentication methodology, a new networking stack, and a new registry protection mechanism not made of tissue paper. That doesn't mean they'll get it. So many people have blown up Vista (yes, I know it's not RC+ yet) that Microsoft must be rattled to their very core (yes, Bill-- you, you crummy half-assed programmer) before they'll believe their customers. It's a classic case of Sales Department Rules (Ballmer) and everything else drools. Hit the sales department in the wallet, and things change. Look for a big change from Microsoft soon when they report that XP sales are down and that Windows 2003 server's recent sales peak has now hit the skids, and the X360's are costing a fortune. Mark these words.
  • by ThinkFr33ly ( 902481 ) on Tuesday July 18, 2006 @03:19PM (#15738855)
    I completely agree with you that it's a problem that security related dialogs in XP are clickable by malware even if it's running as the current user.

    But you have to remember that the only way that dialog will affect the entire system is if the user is running as admin, and if the user is running as admin the malware likely is to... so they don't really have to simulate clicks to do their damage.
  • Re:Fun-factor (Score:4, Interesting)

    by Foolhardy ( 664051 ) <[csmith32] [at] [gmail.com]> on Tuesday July 18, 2006 @04:15PM (#15739275)
    Just to be clear, NT has always supported TCP/IP. In fact, KB article Q12823 [microsoft.com] compares available protocols circa NT 3.1 and 3.51.

    From the October 2000 MSDN magazine, "Windows Sockets 2.0: Write Scalable Winsock Apps Using Completion Ports" [microsoft.com]
    Unlike some other operating systems, the Windows NT and Windows 2000 transport protocols do not have a sockets-style interface which applications can use to talk to them directly. Instead, they implement a much more general API called the Transport Driver Interface (TDI). The generality of this API keeps the subsystems of Windows NT from being tied to a particular flavor-of-the-decade network programming interface. The Winsock kernel mode driver provides the sockets emulation (currently implemented in AFD.SYS). This driver is responsible for the connection and buffer management needed to provide a sockets-style interface to an application. AFD.SYS, in turn, uses TDI to talk to the transport protocol driver.
    Ironically, it's TDI that's being replaced for something more sockets-like.

    I think this is yet another example of Microsoft not understanding code that was previously written by someone no longer available, causing the new developers to misunderstand the original design, who then feel the only option is a rewrite. I've yet to hear any technical comparisons between TDI and "Next Generation TCP/IP", showing how the TDI architecture could never do those things. I bet TDI can support these new features with some new code, but it just wouldn't be as glamorous that way.

    To adapt an old saying about LISP and UNIX, "Those who fail to understand NT are doomed to reimplement it. Poorly"
  • Re:It has been fixed (Score:3, Interesting)

    by Compholio ( 770966 ) on Tuesday July 18, 2006 @04:32PM (#15739395)
    BTW, almost no Microsoft written applications are still vulnerable to shatter attacks on XP.

    You can exploit a buffer overflow by changing the name of the stupid "Start" button! There are PLENTY of MS applications on XP that are vulnerable to this attack.
  • by spagetti_code ( 773137 ) on Tuesday July 18, 2006 @06:11PM (#15739973)
    I don't necessarily agree with you. I have a commercial app out there that relies on this functionality - for good reason.

    The application I do this to does provide an API for remote control, but they left out some obvious things. They are not going to add them in, so I take control of their window. Works a treat.

    Point is, it's not a design flaw. It's damn useful.

    However it should be secured in some way - so as a suggestion, have the OS pop up a window: "app A is trying to send messages to or control app B, is this ok? (Generally it's a bad idea)"

    Default to no.
  • Re:However (Score:3, Interesting)

    by Tim ( 686 ) <timr@alumni.was[ ... u ['hin' in gap]> on Tuesday July 18, 2006 @06:23PM (#15740042) Homepage
    It has been my repeated experience that "Cruddy and complex" code is that way because the problem space is cruddy and complex and that's what bugfixes do to code.

    Yes, yes. Cruddy and Complex code is cruddy and complex because it needs to be cruddy and complex (not because it was hacked together on an impossibly short schedule, or written by a novice developer using a fundamentally bad design. Or both.) And you should never rewrite code. Ever (except when you should).

    There are no absolute rules in software engineering. Part of the art of the game is knowing when to toss code that is so impossibly bloated that it would take many times longer to "re-factor" than to "re-write." And despite the fact that many (most?) people are bad at making this decision, it is not automatically true that code should never be re-written.
  • Re:beta (Score:3, Interesting)

    by rblancarte ( 213492 ) on Tuesday July 18, 2006 @07:49PM (#15740420) Homepage
    You raise some very good points, all of which I agree with.

    I think what I have gotten out of this is that the whole thing is a damned if they do/damned if they don't issue taken with Microsoft. Before this article came out, people blasted MS for the fact that they had such bloated and bad code. Now MS is in the practice of trying to replace all this "bloated" code, but is being attacked on the front that they have untested code.

    IMHO, this was something that was going to come regardless of what MS chose to do. Eventually, they were going to have to get their code (be it network, kernel, etc) out of the code base and move to new code, or suffer from really bloated code that was years old.

    I think this is where the whole being Beta and their Beta program comes in. So long as they have these issues fixed BEFORE their commercial software is out, I think MS is fine. Now, if they let Vista go and it still has a bulk of untested code, then there are problems. (And I get that the article does point this out in a single paragraph, but the point is, if CNET really thought about this, then you might think they would have realized maybe the article shouldn't have been written).

    RonB
  • Sounds to me like... (Score:2, Interesting)

    by Phraghg ( 984220 ) on Tuesday July 18, 2006 @08:53PM (#15740684)
    Symantec is trying to carve up Vista so that they don't go the way of Iomega. I hate to defend Microsoft, but according to the link

    "However, these were all fixed by Microsoft in build 5384, the version of the operating system that was publicly released in May as Beta 2."

    That's not to say the code is totally secure but that that seems to be a very good sign.

    Don't forget to question your sources. If I was Symantec, I would be worried that in the case that Windows Vista is secure, and does come with a good built-in antivirus, my revenue would go down the drain. For those of you who have ever used recent versions of Norton Antivirus or Internet Security, you know what I'm talking about. The widely used Norton software is honestly rather bloated and probably presents a security risk of its own. As an IT technician, I get a lot of requests from workers to remove Norton because Norton causes an alarming measurable slowdown in system performance.

    Given that all the bugs found by Symantec were fixed in build 5384 and the fact that Vista still has about 5-6 months before it goes gold (at the earliest), any attempts to speculate on the security of Vista are just that -- pure speculation.
  • Re:beta (Score:2, Interesting)

    by kubevubin ( 906716 ) on Tuesday July 18, 2006 @09:45PM (#15740873) Homepage
    The current version of Windows XP is, as you described, nothing more than a five-year-old OS with a few [hundred] patches. As such, no, it isn't a valid comparison. Despite what you may think, however, comparing Server 2003 is a rather valid argument, as it is used quite extensively as a desktop OS (usually pirated, of course). In fact, it's even more sensible to use Server 2003 in this comparison, because Vista is based on Server 2003. Longhorn was based on XP, and it was pretty much falling apart; XP's kernel simply wasn't robust enough. Server 2003, on the other hand, is quite robust.

    A common gripe about Windows (other than the obvious blue screen BS and security issues) is the fact that its out-of-the-box driver support is far inferior to that of Linux. Again, seeing as how the current version of XP doesn't have much (if any) added driver support out of the box, how is that even fair? It offers security patches, nothing more. Any driver support is included by the respective hardware vendors.

    So, if you don't happen to have a copy of Server 2003 handy, why not just wait until a better build of Vista is released to the general public? I have a feeling that, despite what the majority of Slashdotters believe, Windows Vista is gonna be a great release for the average user right off the bat. Note that I said "average" user, however, as I don't really see all that much that appeals to me with the additional features. Why? Because I use other applications already. Why should I change?

    Say what you want about Windows. The fact of the matter is that it's obviously not bad enough for most people to even bother searching for an alternative. I work at CompUSA, and the Apple hardware is very well represented there. As such, I highly doubt that people have no clue that other options exist, and I've even told many of them about the alternatives. I've even helped out with people's Linux-related inquiries, and I've even done my good deed by recommending that they download them for free to allow them to try several distros.

    I realize that my needs aren't identical to everyone else's needs. As such, I'm understanding of what other people look for in an OS. I remember talking with a customer who had just purchased a Windows PC, as her Mac had recently died, and a friend had recommended that she get a Dell. (Ouch.) She was shocked at how bare-bones Windows XP was when compared to Mac OS. I honestly had never thought about that, and I suppose that I took my knowledge of Windows for granted. I now recognize Windows' bare-bones nature as a legitimate flaw, but Microsoft seeks to change that with Vista. They're improving their product, but they'll never escape the criticism of those Linux users who can't seem to fathom the fact that the "s" in Microsoft isn't actually a dollar sign. It's quite tragic, really.

    And let's not forget the fact that they tend to have a lawsuit thrown their way for every single feature that they attempt to add to Windows. Despite what you may think of Windows, do realize that Microsoft isn't free to do whatever it likes with its OS; a lot of businesses have been built on Microsoft's past mistakes, and it would seem that Microsoft isn't able to simply correct those flaws without facing legal retribution.
