vista – Grey Panthers Savannah
https://grey-panther.net

Social engineering malware – part deux
https://grey-panther.net/2009/07/social-engineering-malware-part-deux.html
Mon, 27 Jul 2009 15:24:00 +0000

Some time ago I wrote about the fact that the information given by the UAC prompt in Windows (Vista and 7) is insufficient to make the correct decision, even if we were to suppose (ad absurdum) that the user knew what s/he was doing. Symantec has a research project which can be used to replace the standard UAC prompt and is supposed to give more information. However, you can still produce a very convincing dialog:

[image: symantec_uac]

As you can see, the executable is signed by Microsoft and it is in a “protected” directory. So what’s the catch? Well, the catch is that the command line actually looks like this:

c:\windows\system32\cmd.exe

... 1000 instances of newline ...
-c notepad.exe

Of course instead of notepad.exe we could have used me_evil_program.exe. There is no visual indication of the fact that there is more information available in the textbox. In fact, the disabled scrollbars (when there is no more information available) and the active scrollbars (for the case at hand) look visually identical until you mouse over them.

So what does this mean? Prompting the user is the worst thing you can do, because it is very hard for him/her to distinguish between information from different sources and ascertain which one can be trusted and which one can’t (another classic example is web pages which display the SSL lock inside the page, yet users still think it is as trustworthy as displaying it in the browser chrome).
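One defensive takeaway, as an added example that is not part of the original post: a consent prompt should render the command line so that padding like the 1000 newlines above is visible, and show the effective arguments on their own line. The Python helper below (function names and the constructed sample command lines are my own, not Symantec's or Microsoft's code) does that for a copy of the trick and for an ordinary command line.

```python
import re

# Constructed sample inputs (not captured from a real prompt): the trick from
# the post, and an ordinary command line for comparison.
HIDDEN_CMDLINE = r"c:\windows\system32\cmd.exe" + "\n" * 1000 + "-c notepad.exe"
PLAIN_CMDLINE = r"c:\windows\system32\cmd.exe /c notepad.exe"

# Anything a plain textbox could hide: ASCII control characters, DEL, and
# runs of whitespace/control characters of four or more.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_PADDING = re.compile(r"[\s\x00-\x1f\x7f]{4,}")


def analyse_cmdline(cmdline, max_preview=120):
    """Describe how a prompt should present a command line.

    Returns a dict with:
      display           - padding runs replaced by an explicit marker, any
                          remaining control characters escaped, and an explicit
                          truncation note if the result is still too long
      hidden_whitespace - True if padding or control characters were present
      length            - the real length, so the UI can state how much text exists
    """
    hidden = bool(_PADDING.search(cmdline)) or bool(_CONTROL.search(cmdline))
    visible = _PADDING.sub(
        lambda m: f"<{len(m.group())} whitespace/control chars>", cmdline)
    # Escape any stray single control character (repr gives '\n' with quotes).
    visible = _CONTROL.sub(lambda m: repr(m.group())[1:-1], visible)
    if len(visible) > max_preview:
        extra = len(visible) - max_preview
        visible = visible[:max_preview] + f"... [{extra} more chars]"
    return {"display": visible, "hidden_whitespace": hidden, "length": len(cmdline)}


def effective_arguments(cmdline):
    """Split the executable from its arguments across any padding, so the
    prompt can show the arguments separately. Assumes an unquoted executable
    path without spaces (quoted paths are out of scope for this example)."""
    parts = re.split(r"[\s\x00-\x1f\x7f]+", cmdline.strip(), maxsplit=1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


if __name__ == "__main__":
    for line in (HIDDEN_CMDLINE, PLAIN_CMDLINE):
        info = analyse_cmdline(line)
        exe, args = effective_arguments(line)
        print(f"hidden padding: {info['hidden_whitespace']}, length {info['length']}")
        print(f"  display:    {info['display']}")
        print(f"  executable: {exe}")
        print(f"  arguments:  {args}")
```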

Teaser: in an upcoming post I will be discussing how the concessions made by Microsoft in Windows 7 to the “UAC is annoying” crowd make the default accounts on it virtually no more secure than the default administrator accounts created by Windows XP during installation (hint).

Is Vista really safer?
https://grey-panther.net/2008/11/is-vista-really-safer.html
Wed, 19 Nov 2008 06:28:00 +0000

I keep reading articles like this: Security – One of The Key Reasons to Migrate to Windows Vista (other articles from this category are for example one which breaks down the MS Malicious Software Removal Tool statistics by versions of Windows to conclude the same thing).

The problem with these? They fail to account for the fact that the biggest reason nobody is attacking Vista is that it is still rare. You could get the same (and even better) results from this point of view with Linux, MacOS, etc. Of the things listed under “Defend Against Malware”, only UAC and ASLR are really new (and IE7 Protected Mode).

ASLR only mitigates exploits, not malware per se. And UAC is one of those technologies which will quickly become ineffective (and of course it’s not a security feature). The reasons why it becomes ineffective are twofold: one is social – people will learn to just click ok/accept. The second one is that malware writers will learn not to touch areas which trigger UAC. You can still do a lot of damage, even when running with reduced privileges (you have access, for example, to all of the user’s data).

BTW, this isn’t the first time I’ve heard misinformation from Microsoft representatives. Just last week I listened to an interview with an MS UK IT evangelist where she said something like: “I cleaned up the computer with an Anti-Spyware program and then used an AV to clean up viruses”, which leads me to believe that she doesn’t understand that spyware is just malware and almost all current “AV” products can handle both. This is worrying because it doesn’t seem to be intentional (so it is a lack of competence which makes you question any other information which you get from her).

To get back to Vista’s security features: let’s suppose that MS somehow manages to write perfect, bug-free code. Does this mean that we solved the computer security problem? Far from it!

For one, there are a lot of very popular software packages out there with vulnerabilities (think Adobe, Flash, etc). These are present on 80%+ of Windows PCs, which still makes them a great target for malware writers. You can check out the top used applications from Wakoopa to get an idea (although that is a somewhat biased sample – for example I don’t think that Google Chrome is the 4th most used application by the general population).

Finally, a growing problem – which currently nobody seems to address – is the vulnerability of data stored on public servers (I’m talking here about things like Webmail, Social networking, etc). You can have the world’s most secure computer system and still lose control of your data stored online if the third party service has vulnerabilities (although arguably the world’s most secure computer wouldn’t run browsers :-)).

To sum up, I think three trends will appear in the following year or so which will make it apparent that Vista is no security silver bullet:

  • “Vista compatible” malware
  • Malware targeted at popular software
  • We will see more and more “web-based” problems

Of course the biggest problem is the human element, which no technology can fix…

Hack the Gibson #73 & #74
https://grey-panther.net/2007/01/hack-the-gibson-73-74.html
Mon, 15 Jan 2007 07:12:00 +0000

Well, don’t hack it. Actually the last two episodes of Security Now! were very insightful and, as far as I know, without major mistakes. The interview with Peter Gutmann is very interesting and if you have time you should read the original paper: A Cost Analysis of Windows Vista Content Protection. My opinion about it? I think that it’s slightly overhyped and I would like to see a technical rebuttal from MS, but probably there is some truth to it.

Cutting off user-mode
https://grey-panther.net/2006/11/cutting-off-user-mode.html
Mon, 27 Nov 2006 10:13:00 +0000

With every release Microsoft tries to separate user mode and kernel mode more and more. Some say that this is a temporary solution, however it is still important. These hacks were probably done in the name of efficiency back in the day, but this is largely irrelevant today with as much computing power as we have, and they should be rapidly eliminated, otherwise they undermine the security of the system.

Now for the fun part of it: it is possible to change the IOPL level of a user mode process from user mode. What this means is that you can directly control all the hardware from user mode (think DMA controller, HD controller, etc). For those of you who don’t want to fiddle with the policy editor, download PsTools and use the -s command line switch – don’t forget to give the full path name to the executable. And yes, it works with Vista too if you are Administrator (I’ve tested using a pre-RTM build, but I don’t think they changed anything in the RTM build).

Be safe out there and remember: don’t run as root!

PS: If you don’t have access to a compiler, you can grab the exe here. Just remember, it will restart your computer without a warning!

  • File size: 36864 bytes
  • MD5: 19cd8a70f199df4182eb198818e6c782
  • SHA1: 7c5dc5ab1c36b3876bedcb3641513a06b75bf453
Microsoft did it again!
https://grey-panther.net/2006/10/microsoft-did-it-again.html
Mon, 16 Oct 2006 06:44:00 +0000

I usually try to avoid being a fanboy or an MS basher, but there are some moments when you can’t stand it anymore! What triggered this post was Paul Thurrott’s post on Vista’s new license, however this was just the last drop. Some stuff that irritates me:

  • At home I dual boot between Ubuntu and Windows 2k3 SBS which was a gift from MS. What kills me is the text on the box of Windows: Includes 5 Microsoft Windows Small Business Server Client Access Licenses for Devices and/or Users. This is a typical example for MS trying to get more money than it should. If I want to have a stronger server, I should pay for the hardware not the software!
  • The updates last week went seamlessly on the few boxes I’m responsible for, however on one of them it kept insisting that I didn’t have a valid license. Now it must be known that we are a big company and only buy equipment from big vendors in big quantities, so surely that computer had a valid license! But because of MS I had to waste several hours to find the site admin and ask him to check the situation so that I could finally apply the patches. What should have been a 30-minute (tops) outage for that server (yes, server!) became several hours. Thank you MS!
  • Read MS’s reasoning for the restrictions: less than X% of the users need this. First of all: how do you know that? Were you told so by a market research team / company? Yesterday I read a report issued by a market research company which claims to have more than 30 years of experience in the field of technology, and they couldn’t even get their wording about economics right, let alone technology! Secondly: get it into your head: that X% covers your enthusiast base (you know, technical evangelists) and the techies who do the support work and the recommendations. The most valuable people you have! Thirdly: usually I don’t talk politics, but I see a very good analogy: let’s eliminate the constitution, because only Y% needs it (and I’m sure that Y < X). Think about it!

My opinion: move to free software where you don’t have to put up with this crap and you can concentrate on doing what you have to do!

Update: as the guys over at the Splitcast forums pointed out, I’m not the only one disliking MS’s business practices.

Bye-bye DHTML Editing
https://grey-panther.net/2006/10/bye-bye-dhtml-editing.html
Sun, 01 Oct 2006 19:24:00 +0000

While browsing the MSDN website, the following article caught my eye: Replacing the DHTML Editing Control in Windows Vista and Beyond. It seems that starting with Windows Vista the quick and dirty way to add WYSIWYG editing to your web pages with IE won’t be available any more, because the needed ActiveX component won’t be included in the distribution. It will still be optionally downloadable, however. There are two migration paths for all of you using this feature (for either in-house or public sites): the MSHTML editor or one of the full featured cross-browser compatible alternatives.

Update: the guys over at the boagworld forum pointed out two more editors: DevEdit and Dojokit.

WAP
https://grey-panther.net/2006/09/wap.html
Fri, 29 Sep 2006 07:59:00 +0000

Yesterday I participated in the local Windows Academic Program pitch. The main content was delivered by Adrian Marinescu. I can sum it up as a short version of the book Windows Internals. For those of us who have actually read the book it was a little boring (although in the breaks I managed to clarify some aspects which were a little fuzzy after reading the book), but for the ones who didn’t it probably was outright confusing (as I noticed from the questions).

He mentioned several improvements which went into the Vista kernel. My feeling about it is that it is very nice, but who will program against an interface which isn’t on the market yet, won’t be the version used by the majority for several years and has no backward compatibility (one example which comes to mind is the new Private Namespaces feature)? I know that Microsoft is in a difficult position, because on one hand if they offered an updated kernel for Windows XP, they would kill off incentives to upgrade, but if they don’t, very few people will program using the new functions until Vista becomes a significant piece of the market. Compare this with Linux where there are very few reasons not to upgrade (one being that it breaks something you really care about – but this is a very rare case and usually updates come out very quickly for the given software). Having such a long release cycle really limits the options Microsoft has, in my opinion.

Another feeling that I got from the presentation (or better said: I’ve had this feeling for a long time and the presentation only reinforced it) is that Windows as an operating system (and I’m talking about the NT line here) is quite secure, the problem being the default policies and the way that they’re trying to get people to adopt a new security policy in Vista, for example. Because of fear for their revenue they (and I don’t mean the technical people) are not imposing all the security restrictions they should, but rather come up with things like LUA, which IMHO is a semi-solution which can be used to blame the user if something happens (because they clicked yes without reading the message box – what percent of users read the dialog boxes anyway?).

Now for the fun part: all the source code that comes with this program. It is composed of three parts, as you can see from the main site. I’ve looked at the licenses first (take care, because there is a different license for each component). The key points that I dislike:

  • You are not allowed to reverse engineer the tools which come with the curriculum. While I’m sure that there is a lot of information in the curriculum itself, probably there will be times where you wonder: how exactly does this tool do that?
  • IANAL, so the definition of derivative work is a little fuzzy to me, and I don’t know exactly how this would apply later in your career if you choose to do this line of work (working at a security company for example and doing kernel level development).

Personally I will stay away from it; I think there is enough information out there which doesn’t come with such restrictions. Also, for the moment I don’t see how such access would be useful. It’s nice to have, sure, but I’m not sure that it’s actually useful (neither of the two major universities that we have here uses / presents kernel level code in their OS courses, for example).
