Why Windows is a Security Nightmare

March 8, 2008 – 3:15 PM

Security in all mainstream operating systems is non-existent; however, things are especially bad for Windows. Windows happens to be the favourite target of worm and virus writers. Conventional wisdom suggests that the huge installed base of Windows helps spread the worms and viruses, and also makes it a highly attractive target for worm/virus writers. The installed base certainly has an undeniable effect on the prevalence of malware on Windows, but this is not all there is to it.

Worms and viruses are so stunningly effective on Windows only because Windows provides some atrocious functionality which makes it easy for worms to strike. It might seem counterintuitive, but the Windows Registry and a misdesigned Windows Update are the primary culprits that create a hospitable environment for worms and other malware.

A typical Windows system follows a simple lifecycle: it starts out with a clean installation, which gradually deteriorates as programs are installed and uninstalled. Eventually, the registry accumulates so much crud that the user is forced to do a clean install. When a user does a clean install, that user’s system loses all the previously applied security updates and becomes a sitting duck for worms and other malware.

Things wouldn’t be so bad if the user was able to update the new system with security patches painlessly, but Windows Update makes it very hard to do so. My personal experience with the killer duo is an enlightening example of how all of this works.

I purchased a Thinkpad X21 with Windows 2000 Professional in January 2002, and since then I have gone through three clean install cycles. After the second cycle I decided to stick with a deteriorating installation no matter what happened.

As expected, pretty quickly the registry started accumulating all sorts of rubbish, and the system started exhibiting strange bugs. First, Mozilla stopped working; reinstallations, uninstallations, upgrades did not resolve the problem, so I switched to Opera.

A few months later Windows Explorer started to hang when right clicking on folders. I did my best to search for a solution to this problem on the internet, but never managed to find one. Resigned, I eventually learned to avoid right clicks on folders, and became adept at killing and reinvoking the explorer process after an inadvertent forbidden click.

Then I made the mistake of installing the 30-day demo of VMWare on my system. As soon as I booted Linux under it as a guest OS, the sound card went bonkers and started producing high-pitched screeching sounds. I tried reboots which didn’t solve the problem; as a last resort I uninstalled VMWare but that didn’t do any good either. This forced me to lower the volume of the speakers to muffle the screeching, but I continued using the same set-up.

Finally, I had the bright idea of downloading a registry cleaner to fix things. The product I downloaded turned out to be some pathetic crippleware, and I uninstalled it. Well, that was the fatal mistake; the next time I rebooted, Windows refused to load. Safe mode, last known good configuration, etc., all failed, and so I was forced to do a clean install.

As expected the clean install took care of the bugs. However, it also got rid of all the security updates. I immediately connected to Windows Update to download the service packs, and the critical updates. Rather quickly I was welcomed by Messenger Service spam. This was only a minor inconvenience as I knew how to turn it off; however, within a short while I got a message from Windows saying that svchost.exe had crashed: the Blaster worm had struck.

The Blaster worm attacks Windows XP and Windows 2000 systems through the DCOM RPC vulnerability (MS03-026) on TCP port 135. In order to infect a system the worm needs to send the correct payload for the victim’s OS, but it cannot tell XP from Win2K over the network, so it simply guesses the OS type (XP most of the time); if it guesses wrong the exploit crashes the RPC service, and Windows reports it as a crash of svchost.exe. The Blaster attack was quite a surprise as the major outbreak of the worm occurred back in August 2003, and I was expecting that the worm would not affect recent versions of Windows.
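As an added example that is not part of the original article, the following Python script picks the Blaster pattern out of firewall logs: an inbound connection to TCP/135 from an attacker, the same attacker connecting to the command shell the exploit opens on TCP/4444, and the victim fetching msblast.exe back from the attacker over TFTP (UDP/69). A host that only shows the first step is one where the exploit was attempted and either failed or, as described above, just crashed svchost.exe. The log format, addresses and timestamps are constructed for the example; the three ports and the order of the steps are Blaster’s documented behaviour.

```python
"""Flag Blaster-style activity in firewall logs.

Added example, not part of the original article. Blaster exploits the DCOM
RPC flaw (MS03-026) on TCP/135, then connects to the command shell the
exploit opens on TCP/4444 and tells the victim to download msblast.exe
from the attacker over TFTP (UDP/69). Hosts that were only hit on 135,
including those where the wrong payload merely crashed svchost.exe, show
the first step; a completed infection shows all three from the same
attacker within a short window. The log format is constructed for the
example and is not any vendor's format.
"""
from datetime import datetime, timedelta

RPC_PORT, SHELL_PORT, TFTP_PORT = 135, 4444, 69

# Constructed sample: "<date> <time> <action> <proto> <src> <dst> <sport> <dport>"
SAMPLE_LOG = """
2004-06-12 10:01:03 ALLOW TCP 203.0.113.7 192.0.2.10 2321 135
2004-06-12 10:01:04 ALLOW TCP 203.0.113.7 192.0.2.10 2322 4444
2004-06-12 10:01:06 ALLOW UDP 192.0.2.10 203.0.113.7 1045 69
2004-06-12 10:03:40 ALLOW TCP 198.51.100.23 192.0.2.10 3901 135
2004-06-12 10:05:12 DROP TCP 198.51.100.99 192.0.2.10 4020 135
2004-06-12 10:09:00 ALLOW TCP 198.51.100.50 192.0.2.10 1111 135
2004-06-12 10:09:01 ALLOW TCP 198.51.100.50 192.0.2.10 1112 4444
""".strip().splitlines()


def parse_line(line):
    """Split one constructed log line into a dict with a datetime stamp."""
    date, time, action, proto, src, dst, sport, dport = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "action": action, "proto": proto, "src": src, "dst": dst,
        "sport": int(sport), "dport": int(dport),
    }


def classify(lines, window=timedelta(seconds=60)):
    """Return {(attacker, victim): stage} where stage is 'probe' (TCP/135
    reached the host), 'shell' (attacker then connected to TCP/4444) or
    'infected' (victim then fetched over TFTP from the attacker).

    Only ALLOW lines count: a dropped packet never reached the RPC service.
    Later stages must follow the first 135 hit within `window`."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()),
                    key=lambda e: e["ts"])
    stage, first_hit = {}, {}
    for e in events:
        if e["action"] != "ALLOW":
            continue
        if e["proto"] == "TCP" and e["dport"] == RPC_PORT:
            key = (e["src"], e["dst"])
            stage.setdefault(key, "probe")
            first_hit.setdefault(key, e["ts"])
        elif e["proto"] == "TCP" and e["dport"] == SHELL_PORT:
            key = (e["src"], e["dst"])
            if stage.get(key) == "probe" and e["ts"] - first_hit[key] <= window:
                stage[key] = "shell"
        elif e["proto"] == "UDP" and e["dport"] == TFTP_PORT:
            key = (e["dst"], e["src"])   # the victim is now the client
            if stage.get(key) == "shell" and e["ts"] - first_hit[key] <= window:
                stage[key] = "infected"
    return stage


if __name__ == "__main__":
    for (attacker, victim), what in sorted(classify(SAMPLE_LOG).items()):
        print(f"{attacker} -> {victim}: {what}")
```

Run against the sample, the script reports 203.0.113.7 as a completed infection, 198.51.100.50 as having reached the shell, and 198.51.100.23 as a bare probe; the dropped packet from 198.51.100.99 produces nothing, since a blocked packet never reached the service. On a real perimeter log the bare probes are the hosts to patch first, whatever their event log says.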

I was in no position to do anything about the Blaster attack, so I continued downloading the 35 MB service pack 4 over my dial-up connection. It took me a couple of hours to download it, but Windows Update refused to install it; Windows Update probably needed some functionality provided by the crashed svchost.exe.

I rebooted and connected to the internet, which was a mistake as I was giving the worm a second chance to infect my system. Anyway, I proceeded to Windows Update, and tried the same download again. Alas, Windows Update had forgotten all about the 35 MB it had downloaded previously, and started downloading the same stuff all over again. Worse, the Blaster worm crashed svchost again, and I had to discontinue the download.

I knew about the existence of a standalone security update to patch the vulnerability Blaster exploits, so I decided to bypass Windows Update and download it directly. The download was small, less than 1 MB, but as soon as I tried running it I learned that it requires at least service pack 2 to install, which I didn’t have.

Microsoft provides a separate download for service packs as well, and I decided to download the latest service pack, service pack 4. Well, the standalone service pack 4 distribution turned out to be a mammoth 129 MB download. This is about the maximum I have ever downloaded over a dial-up connection; a download of this size can easily take 10 or more hours to complete.

Downloading a large file over dial-up requires the ability to resume downloads, which Internet Explorer does not provide, so I downloaded Wget to acquire that ability. Wget is a command-line tool invoked with the URL as its argument. I tried pasting the URL on the command line, but it turns out that the cut and paste functionality disappears after a Blaster attack, so I was forced to manually type the URL.

Normally, typing a URL is not a big deal. Everyone types URLs all the time, and I do too, but I do mind typing gibberish strings of 95 characters like the following:

http://download.microsoft.com/download/E/6/A/E6A04295-D2A8-40D0-A0C5-241BFECD095E/W2KSP4_EN.EXE

To cut a long story short, I managed to download and install the service pack and the Blaster security update. Finally, Windows Update started working and, after another 30-40 MB of downloads and three or so reboots, I managed to install the 18 security updates available there (another five have been added to that number as of now).

After this experience I cannot help but laugh at the ‘usability’ problems Windows users are reporting about GNOME and KDE. It has become pretty clear to me that Windows users are so accustomed to usability problems that they don’t even recognise them as usability problems. But, as soon as these people move to a different environment they start complaining simply because the new environment does not replicate the features and bugs of Windows exactly.

The other big lesson from all this is that most Windows users are incapable of “securing” their systems. This is precisely why an unprotected system gets attacked in a matter of seconds, and spammers are still sending out Messenger service spam. Worse, Microsoft is directly responsible for this state of affairs. Windows encourages users to reinstall it every once in a while, and when they do, Windows Update actively prevents users from updating their systems.

The whole idea of Windows Update is a joke. Using an unreliable and insecure network as the primary means of distributing security updates is simply idiotic. This is like asking people to walk through a minefield to get to a shelter. I was able to download security updates off the internet only because the current generation of worms are not particularly malicious; they are just minor irritants.

If Microsoft is serious about Windows security it needs to fix Windows Update, and get rid of the damned registry for good. Unfortunately, Microsoft’s approach is to layer half-baked fixes over utterly broken things to keep them going for as long as possible. Microsoft knows that there is a problem with the registry, but the way it is dealing with it is by offering registry rollbacks, and similar worthless functionality.

I did a search on Google for “System Restore Does Not Work” and as anticipated there are plenty of complaints about XP’s System Restore functionality. Furthermore, such approaches – even if they somehow became reliable – would still not work. There is a very simple reason for this – users cannot reliably associate the problems they are experiencing with changes in the Registry. For instance, if svchost crashes how is a user to know whether changes in the Registry caused it or a worm caused it? The extra functionality is likely to lead to futile rollbacks and additional frustration for the users.

The upcoming SP2 update for Windows XP is another good example of a clueless fix. According to the reports I have read SP2 will enable the XP firewall by default, and will also include many nifty features to protect the system. It is pretty obvious that such updates cannot work in the presence of the Windows Registry. Windows users who install any kind of software will sooner or later be forced to downgrade because of Registry problems, and when they do they will get fried.

I am not saying Microsoft should not do what it is doing, but it should focus on the more important things first. For the short term the correct approach is to fix Windows Update so that users aren’t forced to connect to a network to get security updates. Windows Update should encourage users to create a Windows Update CD that contains all the security updates the user has downloaded so far. The CD should contain a setup routine that is capable of installing all the updates in an automated fashion without requiring user intervention. Inevitably, when the user downgrades he/she can use that CD to update the system, and then connect to a network to download any further updates. Such a CD should be shareable amongst users, so that if someone doesn’t have an update CD, he/she can simply get one from a friend or an acquaintance.

Actually, Microsoft does offer a security update CD, and is willing to ship it to customers free of charge. But, as always, Microsoft has made a mockery of a decent idea. First of all, 2-4 weeks are needed to deliver the CD. Then there is the problem of availability: the CD is not available everywhere (I live in Pakistan, and the CD is not available for Pakistan). Also, the CD Microsoft is offering is horribly out of date. There is no fix for this last problem; if Microsoft starts updating the CD every other week, then people will start asking for a new CD every other week. Obviously, shipping a CD to every customer every few weeks is quite an expense, and Microsoft doesn’t want that. So, the Microsoft Update CD is there just for moral support.

Overall, Microsoft is flat-out confused about how to deal with Windows security problems. The recent decision to disallow pirates access to Windows XP SP2 is another action reflective of that confusion. I can’t understand why Microsoft is so jittery about supporting pirates. Microsoft’s paying customers are suffering because of insecure Windows systems; therefore, Microsoft’s first priority should be to get the worm infected systems fixed. If this requires distributing security updates to pirates, so be it.

Microsoft really needs to look beyond short-term remedies to solve security problems. The company has to move away from its Windows roots in order to create a secure operating system environment. Microsoft has a huge research and development budget, and it just doesn’t make sense why it cannot develop a security-centred OS.

By Usman Latif

http://www.techuser.net/index.php?id=47

Ways to Speed Up Windows XP & Windows 2000

March 8, 2008 – 3:15 PM

While surfing around the net tonight in an epic battle against what I considered excessive hard-drive accesses by Windows XP, I ran across a site that some of you might find useful.

The site, BlackViper.com, contains very detailed descriptions of the services built into Windows XP and Windows 2000. It lays out what services depend on each other, essentially what they are used for, and provides a handy table for suggested settings.

Before I go any further, a quick explanation for those of you unfamiliar with services. Quite simply, a ‘service’ under Windows is similar to a component of your vehicle: each service performs some task behind the scenes, under the hood. Just as race car drivers reduce the number of components in order to reduce weight (therefore increasing their ability to accelerate), it is possible that you have more services running on your Windows PC than you need. Depending on your needs, some of these services can often be shut down and disabled, thus speeding up your Windows install.

That’s where this site comes in handy. The BlackViper.com site gives you a concise layout of what services are enabled and disabled by default, and then also has different configurations that you can use as a sort of guide, based on your needs. Two of those configurations are titled “Gaming” and “Super Tweak.” Not sure what a service does? Click on the service’s “Display Name,” and read the description.

Now, the warning. Just like you wouldn’t work on taking out car components without reading the manuals (ok, most of you wouldn’t), you absolutely need to read this guide and understand it before diving in headfirst and making a ton of changes. Get familiar with these services first, consider the tasks you perform on your PC, and don’t take all of the suggestions at face value. The settings provided worked for the author of the site, but they won’t necessarily work for you.

Also – do yourself a favor and print the guide out. Though I had no trouble after tweaking the heck out of my services, it is possible that you could lose your internet connection if you shut the wrong services down – though you shouldn’t, if you RTFM. At least with a printed copy, you can reset the services back to the states they were in when your PC was initially installed.

Here’s the last warning: if you are using a company laptop and have the ability to change these settings, don’t. As someone that works in IT and has to deal with users occasionally “tweaking” their company laptops to a virtual core meltdown, I can assure you that fixing this sort of problem is not always easy, and isn’t always greeted with a lot of joy. Give your IT department a break, and do this type of tweaking on your own PC – you may disable something that a business-critical app needs… and this guide is specific to just what Windows needs. If you hose the PC on your own accord, you might get fast service the first time, but not necessarily the next time if you get a reputation for hosing Windows due to reckless use.

Now that I’ve sufficiently warned you of the dangers, I can recommend taking a look at the guide. It’s well-documented, easy to read and it did end up reducing some disk activity that I knew wasn’t necessary! It’s a site worth the visit, so if you’re up to it, check it out! Here are the operating system guides:

* Windows XP
* Windows 2000

Enjoy!

http://techfocus.org/comments.php?id=4418&catid=35

Top 11 Things Google Plans to Do with Their IPO Money

March 8, 2008 – 3:14 PM

11. From this day forward, always get extra cheese on the pizza.
10. Hire staff to create Google in more silly languages like Klingon and French.
9. Hire hitmen to take care of all the bloggers involved in Google bombing.
8. Spend every last dime on keeping “Friends” on the air for one more season.
7. Buy t-shirts for everybody saying, “My company had an IPO and all I got were these lousy stock options worth $30,000,000.”
6. Quit while they’re ahead.
5. Use the really nice china, they save for when company comes over, every day.
4. You can’t put a price on the profound good to mankind that is achieved by pissing off Bill Gates.
3. Pay marketing company 1.2 billion for 10 new words that rhyme with Google.
2. Stop using Froogle to buy their toner cartridges.
1. Prove once and for all that money really can buy happiness.

http://bbspot.com/News/2004/05/top_11_google_ipo.html

New and Improved HFT Online!

March 8, 2008 – 3:12 PM

Need help with any of your computing needs? Stop over at the new and improved HFT Online Forums and post your questions for the Experts!

HFT Online

Prevent Browser Hijacking

March 8, 2008 – 3:10 PM

Mike Healan
March 23, 2004

If you’ve ever been infected with a browser hijacker, you know what an infuriating situation it is. For all intents and purposes, your $3,000 computer is converted into a source of revenue for some fly-by-night web site unable to generate legitimate web traffic. Once installed, it usually takes an expert to remove a browser hijacker effectively.

If you’ve gone through this before, you never, ever want it to happen again. So, how do you prevent being hijacked? This is surprisingly easy.

Dump MSIE

First and most simply, stop using Internet Explorer. If you use Mozilla, Firefox or Opera, the browser hijackers in circulation cannot touch you. No browser is immune to every future flaw, but these three do not expose the hooks that hijackers depend on.

This is not merely because current hijackers happen to be written for Internet Explorer. MSIE gives any web page a standard way to install and run ActiveX controls, lets add-ons load into the browser at startup as Browser Helper Objects, and has a long record of security-zone bypasses that let a malicious site run arbitrary code without asking. That is what happened to you if you’ve ever been infected with a hijacker.

The other browsers have their flaws too, and code that breaks into any browser runs with your user privileges, so a compromise is never harmless. But Mozilla and Opera have no ActiveX, no Browser Helper Objects and no way for a web page to install a persistent add-on, so an attacker who gets in has nothing ready-made to hook into and nothing that survives a reinstall of the browser.

Internet Explorer is different not because it runs with more privilege (it runs under your account like any other program) but because Microsoft has integrated it into Windows: its HTML engine and ActiveX plumbing are shared by Windows Explorer, Outlook Express and the Help system, and anything that gets to run inside it can reach all of that. On Windows 2000 and XP most people are logged on as Administrator as well, so whatever runs in the browser can do just about anything to the machine.

If you have to use MSIE

Switching browsers is the easy answer. For some people, that is not an option for various reasons. Internet Explorer can be made reasonably safe without locking down every useful function, but it requires some third-party software.

The most important thing is to update your browser and operating system. Go to Windows Update and install the latest version of Internet Explorer (currently MSIE 6 Service Pack 1), then go back and install any security patches that are available. Also install any service packs and patches for Windows itself. This one action will save you from the overwhelming majority of browser hijackers.

After you’ve done that, replace Microsoft Java VM with Sun Java. You can download that from http://www.java.com/. There are several hijackers that exploit flaws in Microsoft Java VM. Sun’s Java is more secure and more up to date. Make certain, in Java’s options, that Sun Java JRE is set to work with Internet Explorer.

Open Internet Options from the Windows control panel and click the “Security” tab. Highlight the “Internet” icon and then click “Custom Level”. Choose “Medium” from the drop-down box at the bottom, then click the “Reset” button. Click ok, then click “Custom Level” again.

Set your options just as I have listed below:

.NET Framework-reliant components

  • Run components not signed with Authenticode (Disable)
  • Run components signed with Authenticode (Prompt)

ActiveX controls and plug-ins

  • Download signed ActiveX controls (Prompt)
  • Download unsigned ActiveX controls (Disable)
  • Initialize and script ActiveX controls not marked as safe (Disable)
  • Run ActiveX controls and plug-ins (Enabled) (Leave this one enabled: disabling it also stops already-installed controls such as Flash and the Java plug-in from running. The Download and Initialize settings above are what block new or unsafe controls.)
  • Script ActiveX controls marked safe for scripting (Prompt)

Miscellaneous

  • Access data sources across domains (Disable)
  • Drag and drop or copy and paste files (Prompt)
  • Installation of desktop items (Prompt)
  • Launching programs and files in an IFRAME (Prompt)
  • Navigate sub-frames across different domains (Prompt)
  • Software channel permissions (High safety)
  • Userdata persistence (Disable)

Scripting

  • Allow paste operations via script (Prompt)
  • Scripting of Java applets (Prompt)

Next, you need to run a registry script called IE-SPYADS. This script will place an enormous number of web sites known to be abusive into Internet Explorer’s “Restricted sites” zone. Any site in that list will be unable to run JavaScript or Java applets, set or read cookies, or use ActiveX scripting. You still will be able to visit those sites, but they will be very limited in what they can do.

Be aware that MSIE has many security flaws that will allow a clever site designer to bypass security settings, even if their site is in the restricted zone. More must still be done.

Now you need to install SpywareBlaster. Every ActiveX control is identified by a CLSID (a GUID), and Internet Explorer looks that CLSID up in the registry before it will load the control. SpywareBlaster stops known-bad CLSIDs from loading by setting the “kill bit” for each one: the 0x400 flag in the “Compatibility Flags” value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. This blocks ActiveX drive-by installations of controls that use those numbers, and it also stops Internet Explorer from loading a control with that CLSID if it is already installed on the machine.
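Both the zone settings listed above and the kill bits that SpywareBlaster sets are nothing more than registry values, so they can be applied and checked with a .reg file. The Python script below is an added example, not code from the original article, from IE-SPYADS or from SpywareBlaster: it emits a .reg file that sets every Internet-zone option in the list above and kills a set of CLSIDs, and it audits an exported .reg against the same policy. The action IDs (1001, 1004, 1201 and so on, under Zones\3 for the Internet zone) and their values (0 = Enable, 1 = Prompt, 3 = Disable, 0x30000 = High safety for software channel permissions) are the ones Microsoft documents for these keys; cross-check them against the Internet Options dialog before importing on a machine you care about. The CLSID and the “weak” export are made up for the example.

```python
"""Generate a .reg file for the Internet-zone settings listed above and for
ActiveX kill bits, and audit an exported .reg against the same policy.

Added example; it is not code from the original article, from IE-SPYADS or
from SpywareBlaster. The action IDs and values are the ones Microsoft
documents for the per-zone registry keys (KB 182569): 0 = Enable,
1 = Prompt, 3 = Disable, and 0x30000 = High safety for 1E05. The kill bit is
the 0x400 flag in "Compatibility Flags" under the ActiveX Compatibility key.
The CLSID and the "weak" export below are made up for the example.
"""
ENABLE, PROMPT, DISABLE = 0, 1, 3
HIGH_SAFETY = 0x30000
KILL_BIT = 0x400

ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones\3")            # zone 3 = Internet
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Action ID -> required value, in the order the article lists the settings.
INTERNET_ZONE_POLICY = {
    "2004": DISABLE,      # Run .NET components not signed with Authenticode
    "2001": PROMPT,       # Run .NET components signed with Authenticode
    "1001": PROMPT,       # Download signed ActiveX controls
    "1004": DISABLE,      # Download unsigned ActiveX controls
    "1201": DISABLE,      # Initialize and script ActiveX controls not marked as safe
    "1200": ENABLE,       # Run ActiveX controls and plug-ins
    "1405": PROMPT,       # Script ActiveX controls marked safe for scripting
    "1406": DISABLE,      # Access data sources across domains
    "1802": PROMPT,       # Drag and drop or copy and paste files
    "1800": PROMPT,       # Installation of desktop items
    "1804": PROMPT,       # Launching programs and files in an IFRAME
    "1607": PROMPT,       # Navigate sub-frames across different domains
    "1E05": HIGH_SAFETY,  # Software channel permissions
    "1606": DISABLE,      # Userdata persistence
    "1407": PROMPT,       # Allow paste operations via script
    "1402": PROMPT,       # Scripting of Java applets
}

# Placeholder CLSID for the example, not a real control's identifier.
HYPOTHETICAL_CLSIDS = ["{00000000-1111-2222-3333-444444444444}"]


def build_reg(policy=INTERNET_ZONE_POLICY, kill_clsids=()):
    """Return the text of a .reg file that applies `policy` to the Internet
    zone and sets the kill bit for every CLSID in `kill_clsids`."""
    out = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for action, value in policy.items():
        out.append(f'"{action}"=dword:{value:08x}')
    for clsid in kill_clsids:
        out += ["", f"[{KILLBIT_KEY}\\{clsid}]",
                f'"Compatibility Flags"=dword:{KILL_BIT:08x}']
    return "\n".join(out) + "\n"


def parse_reg(text):
    """Minimal .reg reader: {key: {value_name: int}} for dword values only,
    which is all the zone and kill-bit keys use."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=dword:" in line:
            name, _, value = line.partition("=dword:")
            keys[current][name.strip('"')] = int(value, 16)
    return keys


def audit(reg_text, policy=INTERNET_ZONE_POLICY, kill_clsids=()):
    """List every zone action whose exported value differs from `policy`
    (an absent value is reported too) and every CLSID without a kill bit."""
    keys = parse_reg(reg_text)
    zone = keys.get(ZONE_KEY, {})
    findings = []
    for action, want in policy.items():
        got = zone.get(action)
        if got != want:
            findings.append(f"zone action {action}: want {want:#x}, got {got!r}")
    for clsid in kill_clsids:
        flags = keys.get(f"{KILLBIT_KEY}\\{clsid}", {}).get("Compatibility Flags", 0)
        if not flags & KILL_BIT:
            findings.append(f"{clsid}: kill bit not set")
    return findings


# Constructed export of a machine that still prompts for unsigned controls
# and lets unsafe controls be scripted; it has no kill bits at all.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000000
"""

if __name__ == "__main__":
    print(build_reg(kill_clsids=HYPOTHETICAL_CLSIDS))
    for finding in audit(WEAK_EXPORT, kill_clsids=HYPOTHETICAL_CLSIDS):
        print("FINDING:", finding)
```

To use it on a real machine, export the two keys with `regedit /e`, feed the export to `audit()`, and import the output of `build_reg()` only after reading it; the audit of the generated file comes back empty, while the constructed weak export is flagged for the unsigned-download and unsafe-scripting settings, for every setting it does not mention, and for the missing kill bit. Kill bits live under HKEY_LOCAL_MACHINE, so importing them needs an administrator account.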

As a final safeguard, install a program called Browser Hijack Blaster. This program will watch for alterations to the home page, default page and search page as well as watching for Browser Helper Objects being installed. If it detects a change, it immediately will pop up a warning and ask if you wish to allow the change.

Be very careful about installing programs. By far the most common source of malware infection comes from third party bundles. Grokster, for instance, will install a dozen or more unwanted programs.

Finally, you also should disable the preview pane if you use Outlook or Outlook Express. Simply by highlighting an email while the preview pane is active, even to delete it, you could activate any scripting in that email. Visit TomCoyote’s site for instructions on doing that.

Follow the steps above and it will be very unlikely that you ever will be hijacked again. Periodically scan your system with antispyware and antivirus software. I recommend Spybot S&D for antispyware and Nod32 for antivirus.