
Slashdot: Microsoft Agrees to Changes in Vista Security

Status
Not open for further replies.

goodcow

Member
http://it.slashdot.org/article.pl?sid=06/10/14/0832202

Microsoft Agrees to Changes in Vista Security
Posted by Zonk on Saturday October 14, @09:27AM
from the those-waters-were-a-mite-too-deep dept.
Security Microsoft Windows

An anonymous reader writes

"Bowing to pressure from European antitrust regulators and rival security vendors, Microsoft has agreed to modify Windows Vista to better accommodate third-party security software makers. In a press conference Friday, Microsoft said it would configure Vista to let third-party anti-virus and other security software makers bypass 'PatchGuard,' a feature in 64-bit versions of Windows Vista designed to bar access to the Windows kernel. Microsoft said it would create an API to let third-party vendors access the kernel and to disable the Windows Security Center so that users would not be prompted by multiple alerts about operating system security. In addition, Redmond said it would modify the welcome screen presented to Vista users to include links to other security software other than Microsoft's own OneCare suite. From the article: 'It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet.'"

http://www.washingtonpost.com/wp-dyn/content/article/2006/10/13/AR2006101301280.html

Microsoft Now Decides to Accept Outside Security for Vista

By Brian Krebs
Special to the Washington Post
Saturday, October 14, 2006; Page D01

Microsoft Corp. did an about-face yesterday, agreeing to make it easier for customers of its forthcoming Vista operating system to use outside security vendors, such as those who make popular antivirus and anti-spyware programs.

Until now, Microsoft had planned to block those companies from installing their products in the deepest levels of the new operating system, which is scheduled for release early next year.

The company said it was doing so to address the concerns of security and performance in Windows XP and apply them to Windows Vista.

Microsoft's shift means that users would continue to have a choice in the programs they use to protect their computers and not be tied to something that Microsoft offers.

Microsoft is getting into the established, multibillion-dollar Windows security market with its own antivirus and anti-spyware services. The European Commission, which has fined Microsoft nearly $1 billion for antitrust violations, told the company that it was concerned that Vista's system for alerting users about security weaknesses might confuse customers who were using a similar alert system with other security programs.

Symantec Corp., maker of the Norton security programs, specifically took issue with what Vista users will see when they start their computers: a screen that advertises Microsoft's own antivirus and security services.

Symantec spokesman Cris Paden said the company was encouraged by Microsoft's announcement, but noted that it had not received any technical details about the plan.

"Right now we're in wait-and-see mode, but we're hopeful because it looks like customers are now going to have the right to use whatever security solutions they want with Vista," Paden said.

Microsoft said it is still gathering information from the software security vendors and will respond case by case.

The company said that blocking the core area of the operating system was also meant to enhance the performance of the entire computer, noting that unsupported access by outside software programs could affect the overall stability of the machine.

Stephen Northcutt, president of the SANS Technology Institute of Bethesda, a computer-security training group, said the changes that Microsoft agreed to make with Vista would help ensure that consumers continue to have a choice in security software.

"It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet," Northcutt said. "That's a good thing, because it's just too easy for mistakes to happen when you are only left with a single security provider."
 

Juice

Member
I trust MS to keep my PC safe more than the virus writers at Symantec and McAfee. At least MS has a vested interest in their platform being secure.
 
Juice said:
I trust MS to keep my PC safe more than the virus writers at Symantec and McAfee
Not to mention, OneCare and MS AntiSpyware ran better and kept my computer cleaner than anything Symantec or McAfee has ever created.
 

ShowDog

Member
So it's a violation of antitrust laws for Microsoft to include software that keeps their own OS from getting hacked and rendered useless? I must be missing something here. Or were they blocking other companies from releasing effective anti-virus software?
 
ShowDog said:
So it's a violation of antitrust laws for Microsoft to include software that keeps their own OS from getting hacked and rendered useless? I must be missing something here. Or were they blocking other companies from releasing effective anti-virus software?
They weren't giving other companies access to the kernel IIRC, so they created an API now for companies to access it.
 

goodcow

Member
AlanHemberger said:
They weren't giving other companies access to the kernel IIRC, so they created an API now for companies to access it.

Which also means spyware and rootkits can use that API, and the API also ignores UAC, so everyone is happy!
 

datruth29

Member
ShowDog said:
So it's a violation of antitrust laws for Microsoft to include software that keeps their own OS from getting hacked and rendered useless? I must be missing something here. Or were they blocking other companies from releasing effective anti-virus software?
Well, for one, they were blocking other companies' software from accessing certain lower-level parts of the OS.
 

loosus

Banned
Microsoft is certainly no saint, but it gets to the point where you can just run the "Microsoft wants to illegally use its monopoly" mantra into the ground, using it as an excuse to get your way rather than lodging it as a legitimate concern about Microsoft's use of monopoly.

I feel that consumers have overall lost in all this. Screw you, Europe.
 

datruth29

Member
goodcow said:
Which also means spyware and rootkits can use that API, and the API also ignores UAC, so everyone is happy!
In all truthfulness, any group of hackers with the smarts, will, and time would have been able to create such spyware and rootkits regardless of whether there was an API for it or not.
 
loosus said:
Microsoft is certainly no saint, but it gets to the point where you can just run the "Microsoft wants to illegally use its monopoly" mantra into the ground, using it as an excuse to get your way rather than lodging it as a legitimate concern about Microsoft's use of monopoly.

I feel that consumers have overall lost in all this. Screw you, Europe.
Yeah. The EU certainly could have gone about the antitrust suit in a different way. Making them ship another version of XP without WMP was ****ing retarded IMO.
 

goodcow

Member
datruth29 said:
In all truthfulness, any group of hackers with the smarts, will, and time would have been able to create such spyware and rootkits regardless of whether there was an API for it or not.

Which is why OSX has yet to be infected?

Now, I know Microsoft's security history is a complete joke, and I'm not a programmer, but with the new safeguards and UAC they've implemented in Vista, shouldn't it be pretty difficult to infect, if not at the level of OSX? But no, now people can just write stuff which ignores UAC completely. Completely ****ing stupid.
 

retardboy

Member
Goodness... Stupid McAfee and Symantec. Stupid EU for basically making this happen. Now whenever MS includes a new feature, other companies are gonna go to the EU to stop them instead of trying to make a better product. I still don't know why they're so popular. They make two of the crappiest antivirus products. Who the heck is buying their stuff? Geez.
 
retardboy said:
Goodness... Stupid McAfee and Symantec. Stupid EU for basically making this happen. Now whenever MS includes a new feature, other companies are gonna go to the EU to stop them instead of trying to make a better product. I still don't know why they're so popular. They make two of the crappiest antivirus products. Who the heck is buying their stuff? Geez.
Dell, Gateway, Compaq etc.

Preloaded software that every average consumer assumes is top of the line.
 

White Man

Member
AlanHemberger said:
Dell, Gateway, Compaq etc.

Preloaded software that every average consumer assumes is top of the line.

Curiously enough, the same people MS has lucrative XP deals with, heh.
 

xsarien

daedsiluap
I'm shocked, SHOCKED that virus scanner and security software makers have a vested interest in keeping operating systems insecure.
 

Lhadatt

Member
goodcow said:
Which is why OSX has yet to be infected?
1) OSX is a low-profile target.

2) The user model is much, much more robust than anything MS has come up with. Apple does not allow normal users root access. Your standard user is a true user account, and has no power to install things. Even admins have to go through a couple popups and a password entry to install stuff. You can't run in the GUI with root access at all. It's a better security model, and I wish MS would implement it - but it's just not going to happen.

3) Vista UAC is a joke. "OH CRAP LET ME BLANK OUT THE SCREEN AND ASK IF YOU REALLY TRULY WANT TO DO THIS"... a typical user's response is going to be "WTF IS THIS JUNK IT DIDN'T DO IT BEFORE ZOMG TURN IT OFF AND LET ME INSTALL MY BONZAI BUDDY!" UAC isn't going to prevent anything when you can't do squat about the lack of intelligence of your userbase.

4) UAC still gives you COMPLETE FRAKING ADMIN RIGHTS on the box, now you just have dumb popups asking if you want to proceed. The malware makers will likely give counter-popups that look like Vista UAC and say things like, "Be sure to ACCEPT on the next popup that you see! It's there for your protection!" If MS really cared about the problem, they would give the default users of the PC user rights, rather than complete admin rights.
 

GSG Flash

Nobody ruins my family vacation but me...and maybe the boy!
Man this is dumb, I'm pretty sure it's MS's product and they can protect it any way they want unless it's infringing privacy laws. I hate Norton antivirus and their stupid subscriptions.
 

shantyman

WHO DEY!?
goodcow said:
Which also means spyware and rootkits can use that API, and the API also ignores UAC, so everyone is happy!

Exactly.

This is the most moronic thing ever. MS locks down the OS, security software companies complain, and so they have to change it? Absurd.
 

RumFore

Banned
One of the great things I already love about Vista is that we won't need a third-party antivirus or firewall to feel secure, and I hope what MS is doing won't change that.

Also, many of these antitrust cases seem to hurt the consumer more than help them. Yeah, we get choices, but many of those choices suck. Half these programs have such obscure names you can't tell them from the viruses, not to mention the crap that runs in the background. And hell if it ain't Norton/Symantec releasing viruses so their software doesn't become irrelevant, and with Vista being as secure as MS says, I am sure they may do some sly shit so every virus maker knows what they know.
 

Tenacious-V

Thinks his PR is better than yours.
xsarien said:
So what's the verdict on Kaspersky?

It's pretty good.

I personally use NOD32 though.

Even Kaspersky came up and backed up MS in this case. They think what MS is doing is a good thing overall. ****ing Symantec and Mcshitee are only looking after their bottom line, not actually protecting the users.
 

usea

Member
I have mixed feelings on this one.

On one hand I think you should be able to lock out whoever you want when writing software. If they want to intentionally block third party software that's their prerogative.

On the other hand I hate microsoft.
 

RumFore

Banned
usea said:
I have mixed feelings on this one.

On one hand I think you should be able to lock out whoever you want when writing software. If they want to intentionally block third party software that's their prerogative.

On the other hand I hate microsoft.

Microsoft killed your puppy and made you homeless?
 

aaaaa0

Member
Lhadatt said:
Apple does not allow normal users root access. Your standard user is a true user account, and has no power to install things.

Eh? That's exactly how it works in Vista. An administrator user isn't a real administrator, and the real administrator account is disabled by default.

Here is the primary token of a process owned by an administrator user with their admin powers stripped (the default state):

Code:
USER INFORMATION
----------------

User Name     SID                                         
============= ============================================
FOO\Bar       S-1-5-21-622432358-813497703-53423279488-1031


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                          Attributes                                                     
====================================== ================ ============================================ ===============================================================
Everyone                               Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators                 Alias            S-1-5-32-544                                 Group used for deny only                                       
BUILTIN\Users                          Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group             
LOCAL                                  Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group             
Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192                                  Mandatory group, Enabled by default, Enabled group, Local Group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

And here is the same token after elevation is requested by the system and granted (which can only be done through a UAC elevation prompt):

Code:
USER INFORMATION
----------------

User Name     SID                                         
============= ============================================
FOO\Bar       S-1-5-21-622432358-813497703-53423279488-1031


GROUP INFORMATION
-----------------

Group Name                           Type             SID                                          Attributes                                                     
==================================== ================ ============================================ ===============================================================
Everyone                             Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators               Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                        Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\INTERACTIVE             Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group             
LOCAL                                Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group             
Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288                                 Mandatory group, Enabled by default, Enabled group, Local Group


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

A couple of points:

1. You'll notice that the admin privs are removed from the non-elevated token, and the admin group in the token is set to "deny only".
2. You'll notice the mandatory access control is in the user token. This is a new thing in Vista. You see that the non-admin token is set to MEDIUM, and the true admin is set to HIGH.

4) UAC still gives you COMPLETE FRAKING ADMIN RIGHTS on the box, now you just have dumb popups asking if you want to proceed. The malware makers will likely give counter-popups that look like Vista UAC and say things like, "Be sure to ACCEPT on the next popup that you see! It's there for your protection!"

Would you rather instead condition the average user into typing in their login password into any random dialog they see? :) At least if some random web site creates a fake UAC dialog, the worst that can happen is the user clicks "Allow", instead of giving away their login password. (And since it's a fake UAC dialog, it won't really be able to elevate anything anyway.)

But if you really want UAC to prompt for the password, you can set a local policy to do just that.

gpedit.msc, then go to Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options->"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" and change it from "Prompt for consent" to "Prompt for credentials".

If MS really cared about the problem, they would give the default users of the PC user rights, rather than complete admin rights.

That's exactly what UAC does.

The fact that it doesn't ask for the login password is intentional, to prevent people from spoofing the dialogs and grabbing users' login passwords.
 
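As an added example (not code from the post or from Microsoft), the following Python parses token dumps in the format shown above (what `whoami /all` prints) and classifies the token by the two markers the post points out: whether BUILTIN\Administrators appears as "deny only", and whether the Mandatory Label SID is Medium (S-1-16-8192) or High (S-1-16-12288). The sample dumps are constructed abbreviations of the post's two listings; it also handles a token with no Administrators group at all, which the post does not show.

```python
"""Classify a Windows access token from the dump format shown above.
Added example, not code from the post or from Microsoft; it tests the two
UAC markers the post points out: BUILTIN\\Administrators "deny only" and the
Mandatory Label SID (S-1-16-8192 Medium, S-1-16-12288 High).  Samples are
constructed abbreviations of the post's listings.
"""
import re

# Integrity level RIDs (last sub-authority of S-1-16-<rid>), as defined by Windows.
INTEGRITY_LEVELS = {4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}
ADMIN_SID = "S-1-5-32-544"  # BUILTIN\Administrators
# Group/user row: free-text name and type, then a SID, then the attributes.
SID_LINE = re.compile(r"^(?P<name>.+?)\s+(?P<sid>S-1-\d+(?:-\d+)+)\s*(?P<attrs>.*)$")
# Privilege row: name, free-text description, then the Enabled/Disabled column.
PRIV_LINE = re.compile(r"^(?P<name>Se\w+Privilege)\s+.*?\s+(?P<state>Enabled|Disabled)\s*$")

FILTERED_TOKEN = r"""
BUILTIN\Administrators                 Alias            S-1-5-32-544 Group used for deny only
Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192  Mandatory group, Enabled by default, Enabled group, Local Group
SeShutdownPrivilege           Shut down the system     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking Enabled
"""

ELEVATED_TOKEN = r"""
BUILTIN\Administrators               Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group, Local Group
SeDebugPrivilege                Debug programs                            Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
"""


def parse_token(dump):
    # Returns {"groups": {sid: attrs}, "privileges": {name: is_enabled}}.
    groups, privileges = {}, {}
    for line in dump.splitlines():
        g = SID_LINE.match(line)
        if g:
            groups[g.group("sid")] = g.group("attrs").strip()
            continue
        p = PRIV_LINE.match(line)
        if p:
            privileges[p.group("name")] = p.group("state") == "Enabled"
    return {"groups": groups, "privileges": privileges}


def integrity_level(groups):
    # Map the S-1-16-<rid> label SID to its level name; "Unknown" if absent.
    for sid in groups:
        if sid.startswith("S-1-16-"):
            return INTEGRITY_LEVELS.get(int(sid.rsplit("-", 1)[1]), "Unknown")
    return "Unknown"


def classify_token(dump):
    # Standard user / filtered (UAC) admin / elevated admin, plus what is enabled.
    tok = parse_token(dump)
    admin_attrs = tok["groups"].get(ADMIN_SID)
    if admin_attrs is None:
        kind = "standard user"  # Administrators is not in the token at all
    elif "deny only" in admin_attrs.lower():
        kind = "filtered administrator (UAC, not elevated)"
    else:
        kind = "elevated administrator"
    enabled = sorted(n for n, on in tok["privileges"].items() if on)
    return {"kind": kind, "integrity": integrity_level(tok["groups"]),
            "enabled_privileges": enabled}
```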