Why Windows is a Security Nightmare
March 8, 2008 – 3:15 PM

Security in all mainstream operating systems is non-existent; however, things are especially bad for Windows. Windows happens to be the favourite target of worm and virus writers. Conventional wisdom suggests that the huge installed base of Windows helps spread the worms and viruses, and also makes it a highly attractive target for worm/virus writers. The installed base certainly has an undeniable effect on the prevalence of malware on Windows, but this is not all there is to it.
Worms and viruses are so stunningly effective on Windows only because Windows provides some atrocious functionality which makes it easy for worms to strike. It might seem counterintuitive, but the Windows Registry and a misdesigned Windows Update are the primary culprits that create a hospitable environment for worms and other malware.
A typical Windows system follows a simple lifecycle: it starts out with a clean installation, which gradually deteriorates as programs are installed and uninstalled. Eventually, the registry accumulates so much crud that the user is forced to do a clean install. When a user does a clean install, that user’s system loses all the previously applied security updates and becomes a sitting duck for worms and other malware.
Things wouldn’t be so bad if the user was able to update the new system with security patches painlessly, but Windows Update makes it very hard to do so. My personal experience with the killer duo is an enlightening example of how all of this works.
I purchased a Thinkpad X21 with Windows 2000 Professional in January 2002, and since then I have gone through three clean install cycles. After the second cycle I decided to stick with a deteriorating installation no matter what happened.
As expected, pretty quickly the registry started accumulating all sorts of rubbish, and the system started exhibiting strange bugs. First, Mozilla stopped working; reinstallations, uninstallations, upgrades did not resolve the problem, so I switched to Opera.
A few months later Windows Explorer started to hang when right clicking on folders. I did my best to search for a solution to this problem on the internet, but never managed to find one. Resigned, I eventually learned to avoid right clicks on folders, and became adept at killing and reinvoking the explorer process after an inadvertent forbidden click.
Then I made the mistake of installing the 30-day demo of VMWare on my system. As soon as I booted Linux under it as a guest OS, the sound card went bonkers and started producing high-pitched screeching sounds. I tried reboots which didn’t solve the problem; as a last resort I uninstalled VMWare but that didn’t do any good either. This forced me to lower the volume of the speakers to muffle the screeching, but I continued using the same set-up.
Finally, I had the bright idea of downloading a registry cleaner to fix things. The product I downloaded turned out to be some pathetic crippleware, and I uninstalled it. Well, that was the fatal mistake; the next time I rebooted, Windows refused to load. Safe mode, last known good configuration, etc., all failed, and so I was forced to do a clean install.
As expected, the clean install took care of the bugs. However, it also got rid of all the security updates. I immediately connected to Windows Update to download the service packs and the critical updates. Rather quickly I was welcomed by Messenger Service spam. This was only a minor inconvenience as I knew how to turn it off; however, within a short while I got a message from Windows saying that svchost.exe had crashed: the Blaster worm had struck.
The Blaster worm attacks Windows XP and Win2K systems. In order to infect a system the worm needs to send the correct payload for the respective OS. The worm is not able to differentiate between XP and Win2K, so it randomly guesses the OS type; if it guesses wrong, the RPC service crashes, and Windows reports it as a crash of svchost. The Blaster attack was quite a surprise, as the major outbreak of the worm occurred back in August 2003, and I was expecting that the worm would not affect recent versions of Windows.
I was in no position to do anything about the Blaster attack, so I continued downloading the 35 MB service pack 4 over my dial-up connection. It took me a couple of hours to download it, but Windows Update refused to install it; Windows Update probably needed some functionality provided by the crashed svchost.exe.
I rebooted and connected to the internet, which was a mistake as I was giving the worm a second chance to infect my system. Anyway, I proceeded to Windows Update, and tried the same download again. Alas, Windows Update had forgotten all about the 35 MB it had downloaded previously, and started downloading the same stuff all over again. Worse, the Blaster worm crashed svchost again, and I had to discontinue the download.
I knew about the existence of a standalone security update to patch the vulnerability Blaster exploits, so I decided to bypass Windows Update and download it directly. The download was small, less than 1 MB, but as soon as I tried running it I learned that it requires at least service pack 2 to install, which I didn’t have.
Microsoft provides a separate download for service packs as well, and I decided to download the latest service pack, service pack 4. Well, the standalone service pack 4 distribution turned out to be a mammoth 129 MB download. This is about the maximum I have ever downloaded over a dial-up connection; a download of this size can easily take 10 or more hours to complete.
Downloading a large file over dial-up requires the ability to resume downloads, which Internet Explorer does not provide, so I downloaded Wget to acquire that ability. Wget is a command-line tool and is invoked with the URL as its argument. I tried pasting the URL on the command line, but it turns out that the cut-and-paste functionality disappears after a Blaster attack, so I was forced to type the URL manually.
Normally, typing a URL is not a big deal. Everyone types URLs all the time, and I do too, but I do mind typing gibberish strings of 95 characters like the following:
http://download.microsoft.com/download/E/6/A/E6A04295-D2A8-40D0-A0C5-241BFECD095E/W2KSP4_EN.EXE
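The step described above, written out as a script, is given here as an added example; it is not code from the original post. It uses Wget’s resume switch (-c) so an interrupted dial-up download of the service pack picks up where it left off, and then checks the file’s SHA-256 before anyone runs the installer, since a partially downloaded or tampered executable is exactly what should never be executed on a freshly installed, unpatched machine. The expected hash is a placeholder (the post gives none for W2KSP4_EN.EXE); it assumes wget and sha256sum are installed.

```shell
#!/bin/sh
# Added example, not from the original post: resumable download of a large
# service-pack file over an unreliable link, followed by an integrity check
# before the downloaded executable is ever launched.
#
# Assumptions: wget and sha256sum are on the PATH. EXPECTED_SHA256 is a
# placeholder, because the post does not give a hash for W2KSP4_EN.EXE;
# substitute the value published by the vendor before trusting the file.

SP4_URL="http://download.microsoft.com/download/E/6/A/E6A04295-D2A8-40D0-A0C5-241BFECD095E/W2KSP4_EN.EXE"
SP4_FILE="W2KSP4_EN.EXE"
EXPECTED_SHA256="<sha256-from-vendor-placeholder>"

# fetch_resumable URL
# -c resumes a partial file of the same name instead of starting from zero
# (the ability the post says Internet Explorer lacked); --tries=0 retries
# indefinitely and --waitretry=30 pauses between attempts when the link drops.
fetch_resumable() {
    url="$1"
    wget -c --tries=0 --waitretry=30 "$url"
}

# verify_sha256 FILE EXPECTED
# Returns 0 only when FILE's SHA-256 equals EXPECTED. A truncated or altered
# download fails the check, so the installer is not run on the bare system.
verify_sha256() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# The download itself runs only when explicitly requested, so the functions
# above can be sourced and reused without touching the network.
if [ "${SP4_DOWNLOAD_MAIN:-0}" = "1" ]; then
    fetch_resumable "$SP4_URL" || { echo "download failed"; exit 1; }
    if verify_sha256 "$SP4_FILE" "$EXPECTED_SHA256"; then
        echo "checksum OK: $SP4_FILE may be installed"
    else
        echo "checksum mismatch: do not run $SP4_FILE"
        exit 1
    fi
fi
```

Invoke it as SP4_DOWNLOAD_MAIN=1 sh get-sp4.sh; re-running the same command after a dropped connection continues the partial file rather than re-fetching the whole 129 MB, which is the behaviour Windows Update failed to provide in the account above.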
To cut a long story short, I managed to download and install the service pack and the Blaster security update. Finally, Windows Update started working, and after another 30-40 MB of downloads and three or so reboots, I managed to install the 18 security updates available there (another five have been added to that number as of now).
After this experience I cannot help but laugh at the ‘usability’ problems Windows users are reporting about GNOME and KDE. It has become pretty clear to me that Windows users are so accustomed to usability problems that they don’t even recognise them as usability problems. But, as soon as these people move to a different environment they start complaining simply because the new environment does not replicate the features and bugs of Windows exactly.
The other big lesson from all this is that most Windows users are incapable of “securing” their systems. This is precisely why an unprotected system gets attacked in a matter of seconds, and spammers are still sending out Messenger service spam. Worse, Microsoft is directly responsible for this state of affairs. Windows encourages users to reinstall it every once in a while, and when they do, Windows Update actively prevents users from updating their systems.
The whole idea of Windows Update is a joke. Using an unreliable and insecure network as the primary means of distributing security updates is simply idiotic. This is like asking people to walk through a minefield to get to a shelter. I was able to download security updates off the internet only because the current generation of worms are not particularly malicious; they are just minor irritants.
If Microsoft is serious about Windows security it needs to fix Windows Update, and get rid of the damned registry for good. Unfortunately, Microsoft’s approach is to layer half-baked fixes over utterly broken things to keep them going for as long as possible. Microsoft knows that there is a problem with the registry, but the way it is dealing with it is by offering registry rollbacks, and similar worthless functionality.
I did a search on Google for “System Restore Does Not Work” and as anticipated there are plenty of complaints about XP’s System Restore functionality. Furthermore, such approaches – even if they somehow became reliable – would still not work. There is a very simple reason for this – users cannot reliably associate the problems they are experiencing with changes in the Registry. For instance, if svchost crashes how is a user to know whether changes in the Registry caused it or a worm caused it? The extra functionality is likely to lead to futile rollbacks and additional frustration for the users.
The upcoming SP2 update for Windows XP is another good example of a clueless fix. According to the reports I have read SP2 will enable the XP firewall by default, and will also include many nifty features to protect the system. It is pretty obvious that such updates cannot work in the presence of the Windows Registry. Windows users who install any kind of software will sooner or later be forced to downgrade because of Registry problems, and when they do they will get fried.
I am not saying Microsoft should not do what it is doing, but it should focus on the more important things first. For the short term the correct approach is to fix Windows Update so that users aren’t forced to connect to a network to get security updates. Windows Update should encourage users to create a Windows Update CD that contains all the security updates the user has downloaded so far. The CD should contain a setup routine that is capable of installing all the updates in an automated fashion without requiring user intervention. Inevitably, when the user downgrades he/she can use that CD to update the system, and then connect to a network to download any further updates. Such a CD should be shareable amongst users, so that if someone doesn’t have an update CD, he/she can simply get one from a friend or an acquaintance.
Actually, Microsoft does offer a security update CD, and is willing to ship it to customers free of charge. But, as always, Microsoft has made a mockery of a decent idea. First of all, 2-4 weeks are needed to deliver the CD. Then there is the problem of availability: the CD is not available everywhere (I live in Pakistan, and the CD is not available for Pakistan). Also, the CD Microsoft is offering is horribly out of date. There is no fix for this last problem; if Microsoft starts updating the CD every other week, then people will start asking for a new CD every other week. Obviously, shipping a CD to every customer every few weeks is quite an expense, and Microsoft doesn’t want that. So, the Microsoft Update CD is there just for moral support.
Overall, Microsoft is flat-out confused about how to deal with Windows security problems. The recent decision to disallow pirates access to Windows XP SP2 is another action reflective of that confusion. I can’t understand why Microsoft is so jittery about supporting pirates. Microsoft’s paying customers are suffering because of insecure Windows systems; therefore, Microsoft’s first priority should be to get the worm infected systems fixed. If this requires distributing security updates to pirates, so be it.
Microsoft really needs to look beyond short-term remedies to solve security problems. The company has to move away from its Windows roots in order to create a secure operating system environment. Microsoft has a huge research and development budget, and it makes no sense that it cannot develop a security-centred OS.
By Usman Latif