Summary: Is Vista x64 better than MacOS, Linux, and Windows XP? Alan says yes and he says he's got the evidence inside. You may want to rethink everything you've read about Vista x64 and it being "Windows ME II" after reading this article!
There is an equally prolific group of writers who write about Microsoft’s unyielding dominance in every market that it enters. These writers can point to the battle between the Xbox 360 and PlayStation 3, or the rising threat of the Zune against the iPod (or at least when version 3.0 of the Zune comes out). The same writers point to Microsoft’s ability to destroy Netscape, PalmOS and OS/2, and even to drive smaller third-party companies out of business (anyone remember Trumpet WinSock?). Indeed, with Windows Vista, companies with commercial software like BeyondTV or SageTV will face even greater pressure than they ever have before. Is Microsoft the underdog who must struggle to win back the minds of the trendsetters and technology elite, the Herculean juggernaut whose unlimited resources will inevitably destroy the competition over the next 50 years as was seen with AT&T and the “new AT&T”, or the lumbering dinosaur blissfully unaware of its impending extinction? None of the above. The complete answer takes this entire article series to explain.
The Flagship: Windows Vista
“If you're a gamer… don't upgrade and risk losing the ability to play some of your favorite games.”
Although a review is helpful for enthusiasts, Microsoft isn’t looking for a reviewer’s approval. Consider the fact that Windows Vista sold over 20 million copies within the first month of its release, whereas the entire MacOS X user base just passed 20 million this year. Simply put, Windows Vista has already won. Mac fans will be quick to point out that Microsoft’s figures include “system upgrade coupons” bundled with OEM PCs over the last three months and that the actual installed base is much smaller, but at the end of the day, Microsoft still profits from all of those sales regardless. As long as you’re staying with Windows, it’s not a question of whether you’re going to move to Windows Vista, only a question of when. Even if you’re happy with your Windows XP system (or even your Windows 2000 system), if you’re going to run Windows, you’ll eventually be running Windows Vista. At some point you’ll run into something that requires Vista (DirectX 10? x64?), and whether you pay for Windows Vista now or four years from now, it’s all the same to Microsoft. But what about transitioning to something like Linux or Mac? It’s not a question of stability anymore. The fact that many people are planning to stick with Windows XP SP2 for a while tells you about Windows stability on well-designed PCs. A well-designed PC with quality components (e.g. RAM and PSU) and appropriate cooling can easily have uptimes of a month (i.e. until the next security patch comes out requiring a reboot). Although some reviewers at other websites have complained about system crashes with their Vista build, I’ve been running Vista on my production system for months without any complaints about stability. It’s not a question of application support either. Sure, there are amazing platform-specific applications for the Mac (e.g. iLife, iWork, Final Cut Pro, Shake) and Linux (e.g. just about any serious networking tool), but Windows has its own share of exclusive software titles too, games being a major group. The move away from Windows has largely been driven by security.
There isn’t a month that goes by where I don’t hear about a new Windows bug or vulnerability. To say that Windows requires regular security updates is an understatement. To really understand the issues that face Windows, Linux, and Mac users, we need context. We have to understand the threats that computer users faced in the late 80’s and early 90’s and compare those to the threats of today. In the early 90’s, I had no qualms about computer security. It wasn’t naivety either. You see, in the world of DOS, viruses only had a few ways to replicate: alter executable files or the boot sector. The original computer viruses were simple parasites. When you ran an infected file, the virus would stay resident in memory and then insert a copy of itself into every other executable file you subsequently ran. The really tricky ones implanted themselves into the boot sector. Anti-virus scanners could easily detect these viruses by looking for a unique signature: a short, fixed sequence of the viral machine code (the raw bytes representing the instructions of the virus) that the scanner searched for in every executable file. It’s basically a “find in all files” command. Easy. But the human mind is as clever as biology itself. If you had to name an untreatable but widespread virus, you’d probably think of HIV. Its secret is mutation. In the 90’s, the next major advance from the virus scene was polymorphism. Viruses were now written to mutate from copy to copy: each copy encrypted its own body under a freshly generated random key (a 32-bit key gives 2^32, over 4.2 billion, possible keys) and prefixed it with a small decryptor, so no two copies shared the bytes a signature could match. The Dark Avenger MtE (Mutation Engine) was the most infamous of these tools. The MtE, developed by a single programmer, appeared to make every signature-based virus scanner impotent. But the anti-virus researchers were not going to concede to the virus scene. The cat-and-mouse game continued. The anti-virus scanning world was also home to some of the most sophisticated software engineers.
Even though there were 4.2 billion ways for the virus to encrypt itself, the revelation came with the recognition that the mutation engine itself was a fixed algorithm: the encrypted body changed with every copy, but the decryptor the engine emitted was generated by fixed rules. While you still couldn’t detect the virus body directly, you could detect the code used for decryption, or let it run in a controlled way and then scan the body it produced. This involved more complex algorithms than a simple signature search, but it worked, and even the formidable self-mutating engine was neutralized by the best anti-virus makers. This revelation made it possible to detect new mutation engines the same way new non-polymorphic viruses had been detected. In essence, once a new polymorphic virus was released into the wild, researchers could confidently develop a detection strategy by fingerprinting the decryption algorithm. As the virus scene got more sophisticated, anti-virus makers continued to improve their efforts. Research into heuristic scanning grew in favor; this was the ability to detect unknown viruses that had not yet been discovered. With some degree of voodoo and an equal degree of algorithmic panache, anti-virus researchers began to think of the ways viruses would work and developed complex algorithmic systems for detecting “unusual behavior.” To use a qualitative example, wouldn’t it be odd if an executable file contained code that searched for other executable files, used direct disk access, had weird garbage instructions (e.g. encrypted data or padding inserted to alter a viral signature), allocated memory in a weird way (e.g. stealth), and had a suspicious jump construct (the program starts by skipping ahead several times, or starts by running a routine to determine where the routine to be run is located)? The specific questions asked and the manner in which things were evaluated varied.
Some heuristics were passive (static inspection of the file), while other early anti-virus scanners used simple virtual machines or code interpreters (emulators) to execute suspect code in a protected space and look for abnormal activity, further enhancing the ability to detect stealth and polymorphic viruses. The only way for a virus to truly cause damage and succeed was if the virus scene could outwit the researchers. The appeal of the cat-and-mouse chase should certainly be clear. It was a game where any creative mind could challenge some of the best computer scientists in the world. It wasn’t an issue of numbers. There’s no doubt that the anti-virus world had more resources, more experience, and the driving passion of moral superiority. However, even the elite group of anti-virus researchers failed to predict the next evolution of the virus scene: the macro virus.
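The three steps above (a plain signature search, a mutation engine that defeats it with a random per-copy key, and the counter-move of fingerprinting the fixed decryptor and emulating it) can be shown end to end in a few dozen lines. The following is an added example written for this article, not code from the original page or from any real scanner or virus: the "viral body", its signature, and the decryptor layout are constructed stand-ins, and the "emulation" is simply applying the XOR the toy decryptor would perform. The point it makes is the one the text makes: with 2^32 possible keys you cannot ship a signature for every encrypted copy, but you do not have to, because every copy carries the same decryptor.

```python
import os
from typing import Optional

# Constructed toy "viral body": a handful of bytes standing in for the virus's
# machine code.  Nothing here is a real virus; the bytes are made up for the demo.
VIRUS_BODY = b"\x90\xcc\xb8\x13\x37\xc3 find *.exe; infect; stay resident"

# The substring an anti-virus vendor would extract from a captured sample and
# ship as the "signature" for this virus.
SIGNATURE = b"\xb8\x13\x37\xc3"

KEY_LEN = 4                     # 32-bit key: 2**32 (about 4.2 billion) possible keys
STUB_PREFIX = b"\xfe\xed\xfa"   # constructed stand-in for the decryptor's fixed instructions


def signature_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic scanner: a plain substring search for the viral bytes."""
    return signature in data


def xor_with_key(buf: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; used both to 'encrypt' and, being symmetric, to decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def mutate(body: bytes = VIRUS_BODY, key: Optional[bytes] = None) -> bytes:
    """Toy mutation engine: [fixed decryptor prefix][key][body length][encrypted body].

    Every copy gets a fresh key, so the encrypted body never repeats and a signature
    taken from one copy matches no other copy.  What never changes is the decryptor.
    """
    if key is None:
        key = os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return STUB_PREFIX + key + len(body).to_bytes(2, "little") + xor_with_key(body, key)


def decryptor_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Polymorphism-aware scanner: fingerprint the fixed decryptor, then emulate it.

    A real engine would run the decryptor in an emulator until the body is in the
    clear; here 'emulation' means applying the XOR the stub would apply, with the key
    and length the stub carries.  The recovered plaintext is then signature-scanned.
    """
    hdr_len = len(STUB_PREFIX) + KEY_LEN + 2
    pos = data.find(STUB_PREFIX)
    while pos != -1:
        if pos + hdr_len <= len(data):
            key = data[pos + len(STUB_PREFIX): pos + len(STUB_PREFIX) + KEY_LEN]
            length = int.from_bytes(data[pos + hdr_len - 2: pos + hdr_len], "little")
            plain = xor_with_key(data[pos + hdr_len: pos + hdr_len + length], key)
            if signature in plain:
                return True
        pos = data.find(STUB_PREFIX, pos + 1)   # the prefix may also occur in benign data
    return False


def detection_rates(samples, scanners) -> dict:
    """Fraction of samples each scanner flags; compares the two approaches."""
    return {name: sum(scan(s) for s in samples) / len(samples)
            for name, scan in scanners.items()}


if __name__ == "__main__":
    samples = [mutate() for _ in range(1000)]          # 1000 differently keyed copies
    rates = detection_rates(samples, {"signature": signature_scan,
                                      "decryptor+emulation": decryptor_scan})
    for name, rate in rates.items():
        print("%20s: %.1f%% of mutated samples detected" % (name, 100 * rate))
```

Running the block prints the signature scanner at (effectively) 0% against the mutated copies and the decryptor-fingerprinting scanner at 100%. The heuristic approach the text describes next starts from the same place, except that instead of knowing the decryptor prefix in advance it would flag any sample whose first instructions decrypt the rest of the file.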
Like the original self-mutation engine, or the advent of the macro virus, new innovations in the virus scene would continue to increase the stakes. As viruses grew in sophistication, the number of software engineers with expertise in virus detection grew smaller and smaller. Anti-virus companies began to merge or snatch key engineers from competing companies. It wasn’t a scene… it was an arms race.
The Losing Battle
That was the 90’s. Innovations were driven by single individuals, motivated primarily by the thrill of the chase and the ability to “take on” the world’s most elite software engineers. In 2007, things are different. The world revolves around computers, and the always-on world of the Internet is rapidly changing the face of computer security. E-commerce has brought organized crime to the world of computer security, and a virus released into the wild can spread before anti-virus researchers have an opportunity to develop new detection strategies. Organized crime has moved the distribution of malware from seedy websites to organized hacks against mainstream websites such as ASUS or the Dolphin Stadium website for Super Bowl XLI. While it was once OK for users to wait for monthly virus signature updates, viruses can now spread across the globe within minutes. Just as executable viruses expanded into macro viruses, the range of threats in today’s world has increased substantially. We now have cross-platform viruses that infect both Windows and Linux.
There is also no such thing as perfect security. While Symantec and ESET NOD32 were the only two anti-virus scanners capable of detecting all known polymorphic variants in the wild as of February 2007 (av-comparatives.org; compared with AVG’s 16.7% rate, Windows Live OneCare’s 25% rate, or Kaspersky’s 66.7%), both Symantec and NOD32 failed to detect as many script viruses, backdoors, or trojans as their competitors. The malware scene has won the battle against Windows XP. The war between malicious hackers and security specialists has expanded onto new fronts. More and more people have moved to web-based email systems in an attempt to minimize virus exposure, but AJAX and web application exploits have already been described. Even spam, a “computationally benign” threat, draws the attention of today’s security specialists away from worms and other security threats. Finally, the increased accessibility of computer technology and the Internet means that the average Internet user of today is not as technically savvy as the average Internet user of the early 90’s. Computers were developed in a time when performance was paramount and users were technical experts. Things have changed. Today, you have to protect users from themselves.
MacOS is often thought to be a “more secure” operating system than Windows. When compared to Windows XP, this is definitely true. Up until last year, there was no such thing as a MacOS X virus. The catch, of course, is that viruses aren’t the only threats. Worms have affected MacOS X, and zero-day vulnerabilities have been discovered (and subsequently patched). While there are more vulnerabilities in Windows XP, it only takes one hole to compromise an entire system: MacOS is not inherently malware proof. Indeed, the MoAB (Month of Apple Bugs) event showcased a different zero-day vulnerability each day in January, resulting in Apple issuing seven updates for 62 vulnerabilities over the following two months, many of which were high-risk issues with arbitrary code execution potential. What was interesting about MoAB was the time from disclosed vulnerability to exploit-in-the-wild. On a Windows PC, this typically runs about 3 days. During MoAB, there was no attack on MacOS X based on the disclosed bugs. Why not? Why don’t malware writers target Macs? No one knows the true reasons, and there have been countless debates. Do virus/worm writers secretly like the Mac? Is there some unquantifiable element of the MacOS hardware and software that makes it more secure? My guess is neither. It’s simply the dynamics of having a smaller userbase. The University of Wisconsin hacking challenge doesn’t mean much; in fact, security contests aren’t that useful. If you look back at the 90’s-era virus scene, the thrill was in the cat-and-mouse chase. Virus writers looked for new ways to attack and exploit PCs. At each step of the game, the virus writers went head to head against the best researchers in the anti-virus world. There was a worthy opponent. Nowadays, organized crime (consider the TJX credit card breach) is a significant driving force. When it comes to Mac security, the small market share is what provides the protection.
There’s no thrill of the cat-and-mouse chase: the market is too small for security companies to invest time and resources into developing robust MacOSX tools. More importantly, the security threats driven by organized crime will necessarily focus on UNIX, Linux and Windows because that’s where the greatest financial plunder lies.
Address Space Layout Randomization (ASLR): Traditional exploits benefit from knowing exactly where system DLLs sit in memory. If there is a bug in a system DLL such as wsock32.dll and Windows loads that file at the same address every time, the exploit can hard-code the addresses it needs and work unchanged on every machine. In Windows Vista, system binaries, and third-party software that has been built to support ASLR (linked with /DYNAMICBASE), are loaded at a randomly chosen base address. Because the addresses differ from machine to machine and boot to boot, it becomes harder to write completely automated exploits. Vista’s ASLR is not as random as it needs to be (an image base is drawn from only 256 possible positions, so an attacker who can retry against a service that restarts after a crash can still brute-force it), but it is a significant improvement in system security that is only found in a handful of Linux distributions and is not found on the Mac. Reportedly, Vista SP1 will improve ASLR’s randomness.
Mandatory Kernel Driver Signing: On Windows Vista x64, every kernel-mode driver must carry a digital signature that chains to a certificate authority trusted by Microsoft. The signature proves who published the driver and that it has not been altered since; it does not mean Microsoft has tested the code. While this makes driver support even finickier on the x64 version of Windows, it provides an added level of security, because a rootkit can no longer load an anonymous, unsigned driver.
Code Integrity Checks: Vista verifies the signatures of kernel-mode binaries (and the boot-critical files) when they are loaded. A core file that has been altered fails its check and is refused rather than loaded; tampering with the kernel after it is running is PatchGuard’s department and ends in a bug check (a blue screen).
Data Execution Prevention (DEP): First introduced as an optional feature in Windows XP SP2, DEP uses the AMD NX / Intel XD bit to mark data pages (stack, heap) as non-executable. On Windows Vista x64 it is always enforced for native 64-bit processes. For 32-bit programs, however, the default policy is “OptIn”: only Windows binaries and services are protected, because DEP can “break” some third-party applications. I recommend that DEP be enabled for all applications (bcdedit /set nx AlwaysOn, or the Data Execution Prevention tab under System Properties > Performance). When this is done, the straightforward form of buffer overflow exploit, in which the attacker’s payload executes from a data page (as with the recent animated cursor exploit that affected both IE7 and Firefox on Windows XP SP2), is blocked outright; an attacker is forced into harder techniques that reuse existing code.
PatchGuard: On x64, Microsoft prevents third-party software from patching kernel code and key kernel data structures (such as the system service and interrupt tables).
Along with mandatory kernel driver signing, this increases the difficulty with which malware can implement “stealth” techniques such as a rootkit. PatchGuard has some potential flaws, but the consequences of these are unclear, and Microsoft’s approach may ultimately be the right way to do things. To date, there is no known in-the-wild rootkit for Windows Vista x64; the bypasses previously described by researchers were fixed in the RTM version of the operating system. PatchGuard also prevents security companies such as Symantec from hooking the kernel to provide additional layers of security (hooks which, in turn, were an additional source of system instability). Microsoft promises to work with these security companies to provide API-driven tools to access the kernel in a secure manner. With Windows XP or Vista 32-bit, neither PatchGuard nor mandatory driver signing is enforced, so there is minimal kernel protection.
IE7 Protected Mode: Although Firefox is “inherently” more secure than Internet Explorer 7 on Windows XP, Firefox is not without its critical exploits. New to Windows Vista is the ability to run Internet Explorer 7 in a “protected mode.” IE7 then runs at low integrity and can write only to a few designated low-integrity locations, such as its temporary file directory, rather than to the user’s files or the registry. Again, this does not provide robust security (the full discussion would be an article in itself) and it breaks things like Adobe Acrobat. As a default setting, though, it increases system security substantially.
Non-SuperUser default (UAC): Annoying when you’re first setting up your PC, but a necessary evil: even an administrator’s everyday processes run with a standard-user token, and each elevation has to be approved. MacOS X’s implementation of SuperUser access is less intrusive (it asks less frequently) and appears to be more robust (it asks for a password). To the typical end user, the OS X implementation seems better; not only is it less annoying, but it prevents someone from walking up to my computer and running various applications in administrator mode.
However, Microsoft’s “paranoid” UAC mode ends up being necessary to address the types of attacks that have happened in the past. OS X “gets away” with less frequent administrator escalation because it hasn’t been exposed to the same types of attacks. For example, one of the most “annoying” features of UAC is that it dims everything when it needs to escalate to the “Secure Desktop.” This is actually the core of the security feature. The Secure Desktop is more than a visual prompt: it is a separate desktop on which only processes running as SYSTEM can draw or deliver input. This prevents spoofing of the elevation UI and prevents malware from controlling the mouse to “force” a click on the Allow button. Likewise, by choosing not to ask the user for a password, Vista ensures there is no root password for a spoofed escalation prompt to harvest.
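Whether a given program actually gets the ASLR and DEP protection described above is decided by two bits in its PE header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040, set by the linker’s /DYNAMICBASE switch) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100, set by /NXCOMPAT). The parser below is an added example written for this article, not code from the original page or from Microsoft; it reads those bits plus the preferred image base from any PE file and turns them into the two questions a practitioner asks (“will this load at a fixed address?” and “does the default OptIn DEP policy cover it?”). The sample inputs are minimal headers constructed inline by build_minimal_pe, which is a stand-in for reading a real .exe or .dll from disk; the 64-bit rule it applies (native x64 processes always run with DEP) is a property of Vista x64, not of the header.

```python
import struct

# DllCharacteristics bits from the PE optional header (winnt.h names).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # /DYNAMICBASE: image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # /NXCOMPAT: image declares itself DEP-safe
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x14C, 0x8664


def pe_mitigations(image: bytes) -> dict:
    """Read the header fields that decide whether Vista can randomise and NX-protect an image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)          # offset of the PE header
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                              # COFF header is 20 bytes
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (dllchars,) = struct.unpack_from("<H", image, opt + 70)       # same offset for PE32 and PE32+
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "dynamic_base": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def hardening_findings(image: bytes) -> list:
    """Translate the header bits into what the loader will actually do on Vista x64."""
    m = pe_mitigations(image)
    findings = []
    if not m["dynamic_base"]:
        findings.append("no /DYNAMICBASE: loads at its preferred base 0x%X every time, so an "
                        "exploit can hard-code addresses inside it" % m["image_base"])
    # Native 64-bit processes always run with DEP on Vista x64, whatever the header says;
    # only 32-bit images depend on the NX_COMPAT bit under the default OptIn policy.
    if not m["pe32plus"] and not m["nx_compat"]:
        findings.append("32-bit image without /NXCOMPAT: runs unprotected under the default OptIn "
                        "DEP policy unless the system is switched to AlwaysOn")
    return findings


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False,
                     image_base: int = 0x400000) -> bytes:
    """Constructed sample input: just enough of a PE header for the parser above.

    A real binary also carries sections, imports and so on; the parser needs only the headers.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew: PE header follows DOS stub
    opt_size = 240 if pe32plus else 224
    machine = IMAGE_FILE_MACHINE_AMD64 if pe32plus else IMAGE_FILE_MACHINE_I386
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    legacy = build_minimal_pe(0)
    hardened = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    for name, img in (("legacy 32-bit image", legacy), ("hardened 32-bit image", hardened)):
        print(name + ":", hardening_findings(img) or ["opts in to both ASLR and DEP"])
```

To check a real binary, replace the constructed header with open(path, "rb").read(); a pre-Vista 32-bit application typically reports both findings, which is exactly why the text recommends forcing DEP to AlwaysOn system-wide rather than trusting each program to opt in.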
None of Windows Vista’s security features are foolproof. Exploits and weaknesses have already been described. However, when compared to Windows XP and even MacOS X, Vista is a substantial security improvement. This is not to say that it’s invulnerable, but it does mean that the bar has been raised for malware writers. This will drive the arms race between the two factions, thereby drawing “enthusiast virus writers” even more toward Windows Vista. MacOS X offers better security than Windows XP by design. MacOS X is a modern operating system with the advantage of being developed with a multi-user mindset and the advantage of knowing that there is such a thing as a security worm. Likewise, the fact that MacOS X hasn’t been a target itself is another element of security. However, while MacOS X is more secure than Windows XP, Apple has not been forced to make the same proactive security efforts that Microsoft has made with Windows Vista. Currently, the most advanced OS exploits are VM rootkits. Like stealth technology or polymorphism, this represents a major “next step” in the security battle. These rootkits use the hardware virtualization extensions of a modern CPU to slide a thin hypervisor underneath the running operating system, which carries on as a guest with no ordinary way of seeing that it has been moved, giving the attacker an “undetectable” foothold. Dino Dai Zovi of Matasano has already shown a VM rootkit for MacOS X (Vitriol, using Intel VT-x), and Joanna Rutkowska of COSEINC has demonstrated a VM rootkit for Windows Vista x64 (Blue Pill, using AMD-V). However, neither Vitriol nor Blue Pill can be credited as the first proof-of-concept of VM rootkit technology. The first to be disclosed was SubVirt, developed by computer scientists at the University of Michigan and Microsoft Research.
Microsoft Research
Like many major technology companies such as IBM, Intel, Cisco, HP, and Xerox, Microsoft operates a full-fledged research division titled Microsoft Research. One of the projects at Microsoft Research is Singularity, a brand-new operating system developed from the ground up. This operating system is being developed with security and dependability in mind, and can be thought of as being the equivalent of how NeXTstep ultimately shaped MacOS with a ground-up rewrite. While this may not be transformed into the next version of Windows, its impact on the long-term success of Microsoft security is immense.
In contrast, Apple has never had the same type of research program that Microsoft has had since 1991. It is possible to argue that both NeXT (1985) and Be (1990) were the research divisions for human-computer interaction, multimedia and graphics, and systems/architectures for Apple. It took over a decade for these “Apple research projects” to result in the MacOS X that we know today. It will likely take at least as much time to see the benefits from Microsoft’s current research efforts.
Although Microsoft has access to both some of the best security researchers in the industry and some of the brightest and most talented software engineers in the world, Microsoft has not maximized its potential. So why does Windows Live OneCare score in last place in malware and virus detection? Microsoft’s current anti-virus technology comes from the acquisition of RAV (from GeCAD Software). Although RAV was no longer a “flagship” anti-virus scanner at the time of Microsoft’s acquisition, and one of the two principal developers of RAV (Costin Raiu) had already left, the research team and underlying technology were certainly valuable. Microsoft’s acquisition meant acquiring Adrian Marinescu full-time. He was behind RAV’s polymorphic detection and the head of anti-virus research for RAV. Today, Marinescu is Microsoft’s development lead for the Windows kernel group. His work has led to the Windows Vista kernel, which offers not only improved security but also better SMP scalability, larger heaps, and reduced memory fragmentation. Compared to Windows Server 2003, Windows Vista is six to eight thousand times faster when it comes to dealing with fragmentation, and offers near-linear scaling for random allocation of memory with each additional thread (versus Windows Server 2003’s zero-slope performance). In addition to his work on the Windows kernel, he is part of Microsoft’s team developing “dynamic translation” technology as a novel way of defeating polymorphism in malware. As an aside, in case you’re curious, OS X’s kernel is based around Carnegie Mellon’s Mach kernel. The lead developer on the Mach project was Richard Rashid. Today, Richard Rashid oversees the entire operation known as Microsoft Research. Four years after Microsoft’s acquisition of RAV, Microsoft continues to expand its security intellectual talent. They’ve now recruited Vincent Gullotto to head their Security Research and Response team.
Gullotto came from Symantec, but was better known in the industry as the VP of Research for McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team). With Gullotto on board, Microsoft also recruited Jimmy Kuo (who had been Symantec’s head of virus research in the early 90’s) away from McAfee AVERT, and Katrin Tocheva from F-Secure. In 2007, Microsoft will be opening new security research centers in Europe and Asia to provide 24-hour monitoring of emerging security threats, much like the operations of the elite anti-virus/anti-malware software developers.
Today, Microsoft is hardly considered to be the paradigm of security. Likewise, Windows Vista reviews have been lukewarm. I’ll be the first to say that Aero Glass and Flip3D aren’t as useful as Quartz and Exposé. I’ve had to install an Exposé clone (Switcher) and tweak the color. There are definitely Vista driver issues. I’ve had to use leaked drivers just to play Microsoft’s bundled Hold ‘Em game on my GeForce 8800GTX. It will also be some time before driver optimization reaches the point where Windows Vista will run faster than Windows XP. Finally, there are those who refuse to upgrade to Windows Vista due to moral or philosophical qualms about DRM. But lack of security isn’t a reason to avoid Windows Vista. I’ve read reports from so-called “experts” who recommend that users stay away from Windows Vista because a) security patches are still required (therefore it must be as weak as Windows XP) and b) kernel-hooking tools like ZoneAlarm won’t work (and therefore you’re unprotected). But there’s more to security than running security tools. Even last year, ZoneAlarm was still susceptible to OLE exploits on 32-bit Windows XP. Firefox 2.0 on systems without DEP enabled is susceptible to the recent ANI exploit. Security requires a comprehensive approach, from the CPU (NX/XD bit) to the operating system itself. In the short term, Microsoft must struggle to secure its legacy 32-bit operating systems as adequately as possible while preserving backward compatibility. However, Windows Vista x64 is still one of the most robust consumer operating systems on the market today. It represents the next evolutionary step in the ongoing battle of computational security. As important, Microsoft’s “Games for Windows” program mandates compatibility with Windows Vista x64, ensuring that gamers will be able to enjoy the security benefits of a 64-bit version of Windows Vista.
Looking toward the future, as attacks on computing networks continue to grow, the technology required to defend non-expert users against increasingly sophisticated attacks will only be available from a limited subset of companies with the experience and financial resources to provide an adequate response. Windows Vista x64 offers modern security by modern design. It’s substantially better than Windows XP and even Windows Vista 32-bit. While Windows is on the front lines of the security battle facing a constant salvo of threats, MacOS X offers security by staying under the radar. While OS X benefits from having a recent “clean slate” design compared to 32-bit Windows, Apple has not had to face the same security challenges that Microsoft has. As MoAB has shown, MacOS X security has been more about being lucky. While OS X is unlikely to be the target of enthusiast hackers, at some point the MacOS user base will become the target of malware produced by organized crime. At that point, Apple will find itself the underdog in comparison to Microsoft’s rapidly growing international security team. Indeed, Apple’s transition from Apple Computer, Inc. to Apple, Inc. is a telling predictor of the future. Linux as an OS (not a kernel) is the least secure of the three when it comes to inherent design. Fortunately, Linux is secure because its users are technical experts. Next time in Windows vs. The World: Office 2007 vs. OpenOffice, iWork, and the emerging world of web applications.
© Copyright 2003 FS Media, Inc.