Why Windows is a Security Nightmare
http://www.techuser.net/winsecurity.html

Security in all mainstream operating systems is non-existent; however,
things are especially bad for Windows. Windows happens to be the favorite
target of worm and virus writers. Conventional wisdom suggests that the
huge installed base of Windows helps spread the worms and viruses, and
also makes it a highly attractive target for worm/virus writers. The
installed base of Windows certainly has an undeniable effect on the
prevalence of malware on Windows, but this is not all there is to it.

Worms and viruses are so stunningly effective on Windows only because
Windows provides some atrocious functionality which makes it easy for
worms to strike. It might seem counterintuitive, but the Windows Registry and
a misdesigned Windows Update are the primary culprits that create a
hospitable environment for worms and other malware.

A typical Windows system follows a simple lifecycle: it starts out with a
clean Windows installation, which gradually deteriorates as programs are
installed, and uninstalled. Eventually, the Windows registry accumulates
so much crud that the user is forced to do a clean install. When a user
does a clean install that user's system loses all the previously applied
security updates, and becomes a sitting duck for worms and other malware.

Things wouldn't be so bad if the user was able to update the new system
with security patches painlessly, but Windows Update makes it very hard to
do so. My personal experience with the killer duo is an enlightening
example of how all of this works.

I purchased a Thinkpad X21 with Windows 2000 Professional in January 2002,
and since then have gone through three clean install cycles. After the
second cycle I decided to stick with a deteriorating installation no
matter what happened.

As expected, pretty quickly the registry started accumulating all sorts of
rubbish, and the system started exhibiting strange bugs. First Mozilla
stopped working; reinstallations, uninstallations, upgrades did not
resolve the problem, so I switched to Opera.

A few months later Windows explorer started to hang on folder right click.
I did my best to search for a solution to this problem on the internet,
but never managed to find a solution. Resigned, I eventually learned to
avoid right clicks on folders, and became adept at killing and reinvoking
the explorer process after an inadvertent forbidden click.

Then I made the mistake of installing a VMWare 30-day demo on my system. As
soon as I booted Linux under it as a guest OS, the sound card went
bonkers, and started producing high pitched screeching sounds. I tried
reboots which didn't work; as a last resort I uninstalled VMWare but that
didn't work either. This forced me to lower the volume of the speakers to
muffle the screeching, but I continued using the same setup.

Finally, I had the bright idea of downloading a registry cleaner to fix
things. The product I downloaded turned out to be some pathetic
crippleware, and I uninstalled it. Well, that was the fatal mistake;
the next time I rebooted, Windows refused to load. Safe mode, last known
good configuration, etc., all failed, and so I was forced to do a clean
install.

As expected the clean install took care of the bugs. However, it also got
rid of all the security updates. I immediately connected to Windows update
to download the service packs, and the critical updates. Rather quickly I
was welcomed by Messenger Service spam. The Messenger Service spam was
only a minor inconvenience as I knew how to turn it off; however, within a
short while I got a message from Windows saying that svchost.exe had
crashed: the Blaster worm had struck.

The Blaster worm attacks Windows XP, and Win2K systems. In order to infect
a system the worm needs to send the correct payload for the respective OS.
The worm is not able to differentiate between XP and Win2K so it
randomly guesses the OS type; however, if it guesses wrong the RPC service
crashes, and Windows reports it as a crash of svchost. The Blaster attack
was quite a surprise as the major outbreak of the worm occurred back in
August 2003, and I was expecting all infections of the worm to be fixed by
now.

I was in no position to do anything about the Blaster attack, so I
continued downloading the 35 MB service pack 4 over my dialup connection.
It took me a couple of hours to download it, but Windows Update refused to
install it; Windows Update probably needed some functionality provided by
the crashed svchost.exe.

I rebooted and connected to the internet, which was a mistake as I was
giving the worm a second chance to infect my system. Anyway, I proceeded
to Windows Update, and tried the same download again. Alas, Windows Update
had forgotten all about the 35 MB it had downloaded previously, and
started downloading the same stuff all over again. Worse, the Blaster worm
crashed svchost again, and I had to discontinue the download.

I knew about the existence of a standalone security update to patch the
vulnerability Blaster exploits, so I decided to bypass Windows Update and
download it directly. The download was small, less than 1 MB, but as soon as
I tried running it I learned that it requires at least service pack 2 to
install, which I didn't have.

Microsoft provides a separate download for service packs as well, and I
decided to download the latest service pack, service pack 4. Well, the
standalone service pack 4 distribution turned out to be a mammoth 129 MB
download. This is about the maximum I have ever downloaded over a dialup
connection; a download of this size can easily take 10 or more hours to
complete.

Downloading a large file over dialup requires the ability to resume
downloads, which Internet Explorer does not provide, so I downloaded Wget
to acquire that ability. Wget is a command-line tool and is invoked by
calling it with the URL name. I tried pasting the URL on the command line,
but it turns out that the cut and paste functionality disappears after a
blaster attack, so I was forced to manually type the URL.

Normally, typing a URL is not a big deal. Everyone types URLs all the
time, and I do too, but I do mind typing gibberish strings of 95
characters like the following:

http://download.microsoft.com/downlo...2A8-40D0-A0C5-
241BFECD095E/W2KSP4_EN.EXE
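As an added illustration of the resumable-download step described above (not part of the original article, and not Microsoft's or Wget's own tooling), the following POSIX shell script wraps wget's resume option and refuses to treat a package as usable until it matches a known-good SHA-256. It assumes a POSIX shell with wget and GNU sha256sum available; the URL, directory names and hash values in the usage comments are placeholders, not real Microsoft values.

```shell
#!/bin/sh
# Added example, not from the original article. Resumable download of a
# large update package over an unreliable link, followed by an integrity
# check against a known-good SHA-256 before the package is run.
# Assumes: POSIX sh, wget, GNU sha256sum. URL/hash below are placeholders.

# fetch_resumable URL DIR
#   -c continues a partially downloaded file instead of starting over
#   (the ability the article found missing in Internet Explorer and
#   Windows Update); --tries=0 retries indefinitely after dropped
#   connections, waiting up to 30 s between attempts.
fetch_resumable() {
    url="$1"
    dir="$2"
    mkdir -p "$dir" || return 1
    ( cd "$dir" && wget -c --tries=0 --waitretry=30 "$url" )
}

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# verify_sha256 FILE EXPECTED
#   Returns 0 only when the file's digest equals EXPECTED (hex, any case).
#   A file pulled over a hostile network onto a machine that is itself
#   under attack should not be executed until this check passes.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_manifest DIR
#   DIR/SHA256SUMS holds one "<sha256>  <filename>" line per package (the
#   format sha256sum -c reads). This lets a folder of staged updates, for
#   example one burned to an update CD, be checked in bulk before any of
#   them is installed. Returns non-zero if any file is missing or altered.
verify_manifest() {
    dir="$1"
    ( cd "$dir" && sha256sum -c --quiet SHA256SUMS )
}

# Usage (nothing runs when the script is invoked without arguments):
#   sh updates.sh fetch    http://EXAMPLE.invalid/W2KSP4_EN.EXE ./staged
#   sh updates.sh verify   ./staged/W2KSP4_EN.EXE <known-good sha256>
#   sh updates.sh manifest ./staged
case "${1:-}" in
    fetch)    fetch_resumable "$2" "$3" ;;
    verify)   verify_sha256 "$2" "$3" ;;
    manifest) verify_manifest "$2" ;;
esac
```

The known-good digest has to come from somewhere other than the download itself, for instance a vendor page fetched over a separate, trusted connection or a manifest prepared on a machine that is already patched; a hash served next to the file by the same untrusted path adds nothing.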

To cut a long story short I managed to download and install the service
pack, and the Blaster security update. Finally, the Windows Update started
working and after another 30-40 MB of downloads, and 3 or so reboots, I
managed to install the 18 security updates available there (another 5
have been added to that number as of now).

After this experience I cannot help but laugh at the 'usability' problems
Windows users are reporting about GNOME and KDE. It has become pretty
clear to me that Windows users are so accustomed to usability problems
that they don't even recognize them as usability problems. But, as soon as
these people move to a different environment they start complaining simply
because the new environment does not replicate the features and bugs of
Windows exactly.

The other big lesson from all this is that most Windows users are
incapable of 'securing' their systems. This is precisely why an
unprotected system gets attacked in a matter of seconds, and spammers are
still sending out Messenger service spam. Worse, Microsoft is directly
responsible for this state of affairs. Windows encourages users to
reinstall it every once in a while, and when they do, Windows Update
actively prevents users from updating their systems.

The whole idea of Windows Update is a joke. Using an unreliable and
insecure network as the primary means of distributing security updates is
simply idiotic. This is like asking people to walk through a minefield to
get to a shelter. I was able to download security updates off the internet
only because the current generation of worms are not particularly
malicious; they are just minor irritants.

If Microsoft is serious about Windows security it needs to fix Windows
Update, and get rid of the damned Registry for good. Unfortunately,
Microsoft's approach is to layer half baked fixes over utterly broken
things to keep them going for as long as possible. Microsoft knows that
there is a problem with the Registry, but the way it is dealing with it is
by offering Registry rollbacks, and similar worthless functionality.

I did a search on Google for "System Restore Does Not Work" and as
anticipated there are plenty of complaints about XP's System Restore
functionality. Furthermore, such approaches, even if they somehow became
reliable, would still not work. There is a very simple reason for that:
users cannot reliably associate the problems they are experiencing with
changes in the Registry. For instance, if svchost crashes how is a user to
know whether changes in the Registry caused it or a worm caused it? The
extra functionality will likely lead to futile rollbacks and additional
frustration for the users.

The upcoming SP2 update for Windows XP is another good example of a
clueless fix. According to the reports I have read, SP2 will enable the XP
firewall by default, and will also include many nifty features to protect
the system. It is pretty obvious that such updates cannot work in the
presence of the Windows Registry. Windows users who install any kind of
software will sooner or later be forced to downgrade because of registry
problems, and when they do they will get fried.

I am not saying Microsoft should not do what it is doing, but it should focus
on the more important things first. For the short term the correct
approach is to fix Windows Update so that users aren't forced to connect
to a network to get security updates. Windows update should encourage
users to create a Windows Update CD that contains all the security updates
the user has downloaded so far. The CD should contain a setup routine that
is capable of installing all the updates in an automated fashion without
requiring user intervention. Inevitably, when the user downgrades he/she
can use that CD to update the system, and then connect to a network to
download any further updates. Such a CD should be shareable amongst users,
so that if someone doesn't have an update CD, he/she can simply get one
from a friend or an acquaintance.

Actually, Microsoft does offer a security update CD, and is willing to
ship it to customers free of charge. But, as always Microsoft has made a
mockery of a decent idea. First of all, 2-4 weeks are needed to deliver
the CD. Then there is the problem of availability: the CD is not available
everywhere (I live in Pakistan, and the CD is not available for Pakistan).
Also, the CD Microsoft is offering is horribly out of date. There is no
fix for this last problem; if Microsoft starts updating the CD every other
week, then people will start asking for a new CD every other week.
Obviously, shipping a CD to every customer every few weeks is quite an
expense, and Microsoft doesn't want that. So, the Microsoft Update CD is
there just for moral support.

Overall, Microsoft is flat-out confused about how to deal with Windows
security problems. The recent decision to disallow pirates access to
Windows XP SP2 is another action reflective of that confusion. I can't
understand why Microsoft is so jittery about supporting pirates.
Microsoft's paying customers are suffering because of insecure Windows
systems; therefore, Microsoft's first priority should be to get the worm
infected systems fixed. If this requires distributing security updates to
pirates so be it.

Microsoft really needs to look beyond short term remedies to solve
security problems. The company has to move away from its Windows roots in
order to create a secure operating system environment. Microsoft has a
huge research and development budget, and it just doesn't make sense why
it cannot develop a security centered OS.
by Usman Latif [May 16, 2004]
