thorfinn ([personal profile] thorfinn) wrote 2009-09-09 02:31 pm
Computer Security - Anything But Windows. Seriously.

Amongst a swathe of other "[Win]" security alerts from AusCERT, this one stands out:
AusCERT Security Bulletin: ESB-2009.1267 - ALERT [Win] Windows TCP/IP: Multiple vulnerabilities

Product: Windows TCP/IP
Publisher: Microsoft
Operating System: Windows 2000, Windows Server 2003, Windows Vista, Windows Server 2008
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Original Bulletin: http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx

Why does this particular instance stand out to me? Because TCP/IP is the fundamental core of Internet communications - if your device does Internet, it does TCP/IP. The code to do it has been around for a few decades now, and pretty much everyone knows how to do it securely. Except, apparently, Microsoft.

This sort of security vulnerability can theoretically exist on other OS platforms, yes. That said, the only competing OS family these days is Unix - there are no extant OS platforms in common use that are not some type of Unix. Even Mac OS X is a version of Unix with a very shiny graphics layer on top.

Unix is designed from the ground up with a highly layered security approach. In the layers where security is critical (i.e., the "kernel", the part of the OS that deals directly with the computer hardware and can therefore do things like snoop passwords or steal data from anyone on the machine), the programmers tend to be very, very careful. Most of that code is not actually new: it has been inspected heavily by many, many people over the decades the technology has existed, and tested by lots of people who are pretty crazy about security and think about it a lot.

Microsoft, fairly clearly, don't organise their code and their programmers to work that way. Every time they release a new OS version, they say "now more secure!" Every time they say that, they're proven wrong. Again. With several different hacks that break into the kernel layer, not just surface compromises. A Linux blogger describes the experience best: Windows Users - The Charlie Browns of Computing. Go on, kick the football. We promise it's secure this time. Really.

Don't get me wrong: You absolutely need to take security measures on other computers too. If you've got a Mac, you should still be purchasing anti-virus software, and if you've got Linux, or FreeBSD, or Solaris, or any other UNIX, you still need to be securing your computer in a variety of ways.

But on Windows, none of that matters. You can run all the anti-virus software you like, but if the Windows TCP/IP stack is open to a remote attacker, that attacker will disable your anti-virus software and install a bunch of stuff that keeps your computer broken and hacked, permanently.

If that happens to you, you can expect your computer to use all your bandwidth sending out spam email, attempt to crash and hack other computers on the Internet, send all your banking details to people who might be interested in stealing your money, send anything resembling personal data to the same people, and so on. Not good, not fun.

So, if you care about having a secure computer, don't use Windows. Ever. Really.

If you really do have to use Windows, then don't connect it directly to the Internet. Ever. Put that computer behind a secure firewall of some kind. If you don't know how to do that, find out from a tech-savvy friend. For your own sake.

[identity profile] zey.livejournal.com 2009-09-09 08:57 am (UTC)
A bit of a stinging bug that one, but, Microsoft have improved a lot when it comes to responding to zero-day exploits. The cynic would say, it's because they've had plenty of practice ;-).

The last comparable exploits to that one are the 'teardrop' RDOS (http://en.wikipedia.org/wiki/Teardrop_attack#Teardrop_attacks) of the very late 1990s that affected Linux, Windows 95 and NT4 boxes. I don't think this particular issue is so much Microsoft being particularly incapable, more that someone out there was extremely clever. How many months did it take for Apple to get around to upgrading the BIND9 resolver on Mac OS X when its last big RDOS scare was in the wild? ;-)

If you really do have to use Windows, then don't connect it directly to the Internet. Ever. Put that computer behind a secure firewall of some kind.

Always sound practice.
[personal profile] vatine 2009-09-09 10:07 am (UTC)
Put that computer behind a secure firewall of some kind.

I'd even go as far as saying "and then only allow the windows machine to interact with the Internet at large via protocol proxies" (that is, don't trust just filtering inbound connections, have the windows box interact with a (hopefully verified) protocol proxy that implements the protocol you're intending to talk to the world). As long as you're happy with HTTP/FTP/Gopher/SMTP that is DEFINITELY doable, but you lose almost all multi-player games and you definitely lose Steam.
[personal profile] reddragdiva 2009-09-10 08:04 am (UTC)
There are people who run WoW and Steam in Wine specifically so that they're not running a Windows box that can be attacked by anyone who pisses them off.

(Support for each in Wine is still a bit fiddly, but CrossOver Games is doing very well on this score.)
[personal profile] reddragdiva 2009-09-10 08:05 am (UTC)
"Even raw lint/gcc/make is a sexy piece of work compared to the MSVC toolchain."

It's helpful to keep in mind here that Unix was really the first IDE. It just so happens to also be useful as an OS in itself.

[identity profile] zey.livejournal.com 2009-09-10 12:20 pm (UTC)
Xcode and the Mac OS SDKs, OTOH, are very sexy, highly usable, and helpful. Even raw lint/gcc/make is a sexy piece of work compared to the MSVC toolchain.

That said, Windows app developers aren't forced to use MSVC at gunpoint: there are a lot of FOSS alternatives out there, so you can really pick and choose on a horses for courses basis :)

That process/toolchain issue is eminently fixable on MS's end... [...] instead of waiting to piss on fires after they break out. So far I see little to no evidence that they have done so.

I dunno. I think they've improved a long way, considering their corporate size and customer base. Compare that to Sun's Solaris or SCO's OpenServer in the same time. Still a way to go, of course.

Apple took their damn sweet time for updating Bind9, but I'm not exactly sure whether anyone actually *runs* named on their mac? It certainly isn't running by default.

BIND9 libs are what Mac OS X uses to resolve DNS queries, whether they've got the BIND9 server running or not. So yeah, it was a bit of a worry! :)
[personal profile] qamar 2009-09-09 10:27 am (UTC)
Frightening. What anti-virus do you use on your Mac and what settings do you use?
[personal profile] ideological_cuddle 2009-09-09 11:51 am (UTC)
It's arguable that by running antivirus software on a Mac you're creating more vulnerabilities without adding any real value.

Run personal systems behind a firewall and don't click on random crap like a drug-addled monkey and you'll generally be OK. Be at least minimally picky about what software you run -- no, Outlook Express is not a good option, and yes, there are still people using that particular plague-ship -- and you are probably going to be fine.

(I've run any number of shoddy-OS systems this way over many years, and the only time I've ever had any sort of problem was my own damned fault.)
[personal profile] ideological_cuddle 2009-09-10 08:09 am (UTC)
My particular failure was to download a Hackintosh Leopard image that'd been put into a self-extracting RAR. I knew it was dumb to open it and got exactly what I deserved.

As it happens I'm not sharing documents around the place so macro viruses are not something I worry about. On the very rare occasions when I need to work on such a shared document from a home machine I'm doing it with Google Docs.

(At work we've got mandatory AV and so on, but we're also running Windows XP desktops.)
[personal profile] reddragdiva 2009-09-10 08:01 am (UTC)
ClamXAV can be set to scan at sensible times, just to make sure you don't accidentally pass toxic waste to others.

Ubuntu 9.10 will, when you double-click on an .exe, ask if you want to install Wine ... and will fetch ClamAV as well. Remember that any program running in Wine on Linux can easily int 0x80 its way out of the .wine directory ... WHAT COULD POSSIBLY GO WRONG.
[personal profile] ideological_cuddle 2009-09-10 08:06 am (UTC)
Running apps under Wine is asking for trouble. On the rare occasions when running something under Windows on a Linux box seems like a good idea, I use a VM. And I don't let it at the outside world.

These days just doing a naive scan out-of-hours isn't enough if you're taking viruses seriously as a threat, you need wacky always-on slow-things-down-and-open-some-holes-ware instead to really properly trash your system.
[personal profile] reddragdiva 2009-09-10 08:07 am (UTC)
Oh - and in practice, with two teenagers in the house, they really really want genuine Microsoft MSN. Pidgin is horrible to them and they won't accept it.

Though both have been virused by crap received over MSN and had their machines reimaged. And both have been warned that next virus, they get Ubuntu whether they like it or not. MUWAHAHA.
[personal profile] ideological_cuddle 2009-09-10 08:10 am (UTC)
Give 'em Kubuntu with the shinies turned on. It's shiny enough it might just do the trick.
[personal profile] reddragdiva 2009-09-10 07:59 am (UTC)
*cough* Mac OS X is literally Unix (trademark) - Linux is merely Unix-like ;-p
[personal profile] reddragdiva 2009-09-14 07:36 am (UTC)
Solaris 10 competes with Linux ... by being more GNU-like.

Windoze

(Anonymous) 2009-09-17 06:29 am (UTC)
Hi, bar-Barra from LJ here. Yeah it figures. I dream of a defenestrated world but most of the software I need to run only works on Windoze. (Gee, why IS that, do you think??) I like my current firewall (CA) and security suite but, believe me, I rely on it 100% and I rely on the crap that Windoze sends about zero%.