Full Disclosure mailing list archives

RE: Comment on Microsoft's leaked memos, and the unofficial end of Microsoft 'Trustworthy Computing'


From: "Dinis Cruz" <dinis () ddplus net>
Date: Thu, 17 Nov 2005 20:17:18 -0500

From: "James Tucker" <jftucker () gmail com>

>> Here, I completely agree, but I wonder then why Microsoft is not
>> giving us SIMPLER and LESS COMPLEX products?

> Programmatically they generally are.
> Complexity != Feature length, although the two are related.

You are talking about user APIs; I am talking about what is happening under the hood.

Yes, developers' APIs have been simplified, but that creates an environment where nobody really knows what is happening and how things work. A lot of security vulnerabilities occur when you glue together two secure objects in ways never predicted by the original developers.

Take, for example, Vista's new AIM (Application Impact Management) feature (see "Security in Longhorn: Focus on Least Privilege"). One of the things it does is: "...Longhorn gives the application its own virtualized view of the resource it's attempting to change, using a copy-on-write strategy. When the application attempts to write to a file in the Program Files directory, Longhorn will give the application its own private copy of the file and it can party on...". Now, can you imagine how complex this code must be? Since the code that supports AIM will be unmanaged (in C or C++), and knowing that it is impossible today to write complex solutions which are 100% free of bugs (and security vulnerabilities), how can we be assured that AIM will not cause as many problems as the ones it is trying to solve?

We are trying to solve complex problems with more complex solutions, while giving the majority of the user base (including most developers) the perception that everything is getting simpler! (See my OWASP AppSec 2005 UK presentation 'The Fog of Software' for more comments on this topic.)

>> I want a simpler IE (one with fewer privileges
>> and able to handle malicious code).

> How many IE security flaws are actually specific to IE?
> Or are they specific to optionally loaded modules that come bundled with IE?
> What is the significance of changes in these modules to other applications?
> And can they mostly be removed or disabled from IE through the GUI?

The problem with IE is not the IE code, but its run-time environment. IE is an application that at the same time has to be able to:
  - run untrusted code,
  - provide that code with a rich programmatic object model,
  - allow dozens and dozens of system objects and components to be used by that malicious code, and
  - provide the users with a very user-friendly GUI.
Bottom line, it is impossible to defend against. There are too many interconnections and possible execution paths to be able to defend them all (which is why the only 'real' solution today (as recommended by Microsoft) is to disable IE's Active Scripting (which is not a practical or doable solution)).

And let's not talk about the security vulnerabilities introduced by supposedly benign and trustworthy applications and components (see "Sony stops rootkit production", "ActiveX contains vulnerabilities" and "'doing a sony'").

The only way to deal with IE is to say: "OK, I know that malicious code will be executed inside the IE process, so I will either: A) execute that code inside a VM (CLR or JVM), or B) lock down that process so that there is no impact on the OS and on that user's session".

Option B) is what it seems Microsoft is doing for IE 7.0, but I don't understand why that is not done for all other IEs (see Michael Howard's DropMyRights app in "Browsing the Web and Reading E-mail Safely as an Administrator" and the SetSafer app in "Browsing the Web and Reading E-mail Safely as an Administrator, Part 2").

Note that Firefox (for example) is not that much more secure than IE (can we really trust everybody that writes a Firefox plug-in?).

>> (remember that XP SP2 was only
>> successful from a security point of view, because it didn't
>> introduce any major new functionality

> Apart from DEP, Windows Firewall, a re-vamped TCP/IP stack... Blah, more here:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=7bd948d7-b791-40b6-8364-685b84158c78&DisplayLang=en

I was talking about major non-security features. Also important: most of SP2's security features and enhancements were in areas where a lot of research had already been done and experience gained (and even then you can see how long SP2 took to make). You just need to look at what happened in the transition from NT 4.0 to 2000 to see what happens when you introduce, at the same time, a huge amount of new features/functionality with a huge amount of new security features (and remember that Windows 2000 was sold as being a 'more secure OS' (when compared with NT 4.0)).

Don't get me wrong, SP2 was an amazing effort from Microsoft and it showed commitment to security (some say it was massively overdue). It did reduce the overall attack surface and created a better, more solid OS.

My main point is that we need more simple systems (not simplistic), and today you already have a large number of IT professionals that have a good understanding of the architecture of Windows NT/2000/2003 and how it works. So I would much prefer that Microsoft targeted this group of professionals with more tools, knowledge and information, instead of creating a massive new platform (Vista) which will make everybody a 'Professional Amateur' (since it will take quite a number of years before these IT professionals have the same level of understanding of Vista's architecture).

The problem is that Microsoft is locked into the business model of selling operating systems.

So, since I know that Microsoft will need to justify to its shareholders the need to invest in simpler solutions for Windows NT 4.0/2000/2003/XP, I would like to propose to Microsoft that they SELL (i.e. charge for) the products that they develop for those OSes.

Why don't we have an IIS 7.0 for Windows NT? And IE 7.0 for Windows 2000? A Windows Firewall for all Windows under the sun?

And if Microsoft charged fair prices for them (for example a fiver ($5) for IE7), I'm sure they would have enough buyers to justify the investment (hmm... 200 million users * $5 a pop is $1 billion), and (probably more important to Microsoft) they could give them away for free to the companies that subscribe to the 'Microsoft Software Assurance' licensing model.

Here would be a nice positive model which would create more secure software, give the users a better deal AND keep the shareholders happy :)

Just my 10 cents :)

Dinis Cruz
OWASP .NET Project
www.owasp.net


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/