The Best And Most Secure Windows OS Ever

Thursday, July 14, 2011

Kevin McAleavey

Ba829a6cb97f554ffb0272cd3d6c18a7

The Next Windows Will Be The Best And Most Secure Windows Ever...

Note: This is the fourth in a multipart series on the history of the antivirus and security industry by a long time insider (Part One)(Part Two)(Part Three). We will explore how antivirus and antimalware technology works, and why a 1980's solution is no longer applicable to the current threat landscape. The series will conclude with solutions and recommendations on where we might all go next.

In the beginning Bill Gates created the heaven and the earth.
And the computer was without form, and void;
and darkness was upon the face of the deep.
And the Spirit of Steve Ballmer moved upon the face of the waters.
And Gates said, Let there be light: and there was a blue screen.
And it said "Insert new diskette for drive A: and press Enter when ready."
And lo, verily, it crashed, stating "Keyboard error, press F1 to continue."
And Gates saw that it was good, and so he rested.

And it WAS good, because it didn't require an expensive Unix license or a PDP-8. It ran on toys and so hobbyists, and later business, settled for the "experience." Ever since Microsoft emerged on the scene however, no one in IT or software development has rested.

MSDOS was a simple operating system, similar to CP/M and managed to work fairly well with absolutely no security whatsoever. Eventually it was able to support modems and ethernet networking which allowed MSDOS clients to connect to Lantastic and other ethernet based networks in institutional environments. However text-based computing was primitive compared to Unix-based systems which offered a primitive GUIs known as X-Windows or Motif. And a little thing called security.

A word of warning before we continue: There are so many details and issues that are part of the Microsoft legacy that it is impossible to detail all of them or explain the nuances fully. Therefore, a lot will unfortunately be glossed over and numerous details missed. Those interested in learning more are encouraged to research those points of interest - I need to keep this to one single article and so will only mention the highlights which will hopefully be nostalgic.

In 1984, Apple introduced the Macintosh and Microsoft went to work on early versions of Windows in response. However, Microsoft didn't create a credible GUI until their Windows 3.0 version which shipped in 1990. Windows didn't really take off in the mass market until the introduction of Windows 3.1, however reasonable stability especially for networking didn't occur until their 3.11 release in 1992.

During the mid to late 1980s, Microsoft and IBM had cooperatively been developing OS/2 as a successor to DOS, but an ugly divorce ensued in 1992, and IBM took the code they contributed to the OS/2 project and left Microsoft with code developed by Microsoft that IBM didn't want to license, and this became "Windows NT" which was released in 1992. It had many problems and the first successful NT release was 3.51 in 1994, and was replaced by NT4 the following year in parallel with the release of Windows95.

Windows 3.x, 95, 98 and ME carried on the tradition of MSDOS in a nice GUI package, with little attention paid to security since the only way your computer could get "pwned" in the beginning was if you installed a trojaned application, or inserted a disk that had a virus already on it.

Certainly the benefits of 386 enhanced mode, a flat 32-bit address space and virtual memory provided more security than existed in DOS and made it more difficult to infect than MSDOS, but good old DOS was still there as part of the boot process. This "compatibility" still allowed DOS viruses to gain a foothold since really bad things can happen when a system is booted, and MSDOS was still there once Windows was fully up and running as a "DOS prompt" program.

The original Windows NT was largely designed by Dave Cutler, who was one of the designers of VMS at Digital Equipment Corporation along with code co-developed with IBM for OS/2 which IBM ceded to Microsoft when they weren't interested in Cutler's work when Microsoft and IBM parted ways.

Some argument exists that IBM was concerned about legal issues, and in the end Microsoft settled claims brought by DEC over VMS code which found its way into NT. From the beginning, the code base for NT was intended to be far more secure than the MSDOS legacy code which remained in the consumer (9X/ME) versions of Windows.

"Security" in Windows95 was largely accomplished by offering a password at login. Of course just hitting the enter key usually got past that. Networking security at least permitted mounting of shares as read-only but the Windows file and print sharing with its ubiquitous listening ports on 137, 138 and 139 made it pretty easy for unauthorized connections to be established.

Microsoft solved that problem by adding a "workgroup" name that had to be entered. And yes, it was usually left as "WORKGROUP" which was easily guessed. And so, the first bad idea from Redmond was their readily-exploited NETBIOS design which advertised open machines to all callers, even across the internet. Worse, "NETBIOS NULL sessions" continued to plague Windows machines well into 2006 because it was the default setting when Windows was installed.

And so Redmond, not satisfied to build in just ONE backdoor, decided to add yet another to Win98 and NT known as "NETBEUI" and a new port 445 which upped the hackability of Windows, including its "secure" NT. We won't even bother with all the other issues of SMB shares. The sheer number of script kiddies and pushbutton hack tools went through the roof.

And the average home and business user had no idea of how many rats were eating their cheese because it was all enabled by default with little if any warning and Microsoft wasn't about to make them nervous by telling them. Fast forward to 2009 and file-sharing is still a problem... yep, even Win7.

So nobody warned Grandma or Uncle Todd (who insists on pulling his finger) about this, but "savvy" computer users read on usenet that they should firewall that stuff and no problem. Thus, those pesky "Windows print and file shares" continued to be the gift that kept on giving and a primary point of entry into victim's machines for many years.

And while Microsoft has mitigated it somewhat, it remains a serious threat because people still fail to configure these services properly or set up a firewall to keep it local. After all, in Microsoft's world, every user is a glittergeek who codes in their sleep and knows MSDN inside out, just like Bill. None of this would be a problem if only it weren't default-enabled and the end user was guided in order to set it up properly in the first place. But they weren't.

Microsoft also "streamlined" their winsock kernel driver to be faster by removing checks on data passed between layers, which resulted in the famous "teardrop" denial of service exploit which crashed machines instantly. If you didn't have a firewall to block the attack, mmm-bye. Same for numerous attacks on port 139 with similar results leading to a phenomenon known as a "nuke" which also affected NT4's winsock. This mistake had such serious results, Microsoft fixed it fairly quickly - in their NEXT versions.

From the end-user standpoint, one of the most boneheaded things on the planet to do was Microsoft's insistence on hiding file extensions. Were it not for this "idea" users might have had a clue when they looked at a "treat" named "nude pictures of.gif" that it was in fact an executable program called "nude pictures of.gif.exe" and not what the file was claimed to be. More people have been infected by files that hid the extension that any other possible attack method in Windows over all these years. And the old "double dot" trick STILL works.

And complementing this stupidity was "file association" which automatically executed the file based on that hidden extension instead of determining the file type by parsing it first and possibly triggering some sort of advance warning of what was to come as the result of the discrepancy. Hapless users thought that if they clicked on that picture, they'd see a picture instead of launching and permanently installing a backdoor.

Other "innovative" great ideas were "autorun" and "autoplay" where upon the loading of any mystery disk, Windows would seek out and run anything placed in a file called "autorun.inf" without user intervention by default. This permitted disks to be distributed with malware already on them and have it started even before the file window appeared on the desktop. And it didn't stop there.

Windows also had the bright idea of executing files on the disk in order to obtain their icons and thanks to poorly written code, it was possible to drop "links" to infected files and cause them to execute automatically as well. Stuxnet was but one of the many in this category.

But when it comes to the number one "moment of abject stupidity" that award has to go to "browser/OS integration" with the release of Windows98. In response to a consent decree with the Department of Justice, Microsoft decided to break down the wall between web browsing and the operating system, forever ripping open a major security hole by allowing the internet to reach into the file system unimpeded.

Had I written a book instead of this series, this alone would account for four chapters of it. There was much outcry including my own testimony at an FTC hearing regarding browsers and cookies, and at the end of my testimony, I warned the FTC as to what was to come from this. And when called on the carpet over it later by Judge Thomas Penfield Jackson, Microsoft said that it would be impossible to disassociate the two because they were "integrated" so tightly.

Judge Jackson had no problem doing so (See the sidebar marked "HANDS ON JUDGE?" on page 26 in the article). Microsoft then covered their "fib to the court" by spraying IE bits throughout dozens of system security-critical DLL's in order to cover their tracks and make things far worse than they already were in their original design rendering the Judge's discovery moot. From that day forward when Microsoft shoved the "not ready" Windows98 out the door to prevent the judge from reversing that move, Windows became a neverending security disaster, and a fast breeder for malware. And they did it to their NT progeny as well for good measure.

After all, why bother with seven layers of OSI when you can directly connect the physical layer to the internet? But even that wasn't sufficient stupidity for Microsoft. To add to the thrills, every copy of Windows is shipped with full debug hooks and direct system calls from userland since as we all know, Granny and Uncle Todd want to attach a debugger to everything from Solitaire to Sharepoint.

And of course, for extra credit, why not toss in a RegConnectRegistry() function while we're at it so we can allow strangers to come check out and modify our registry? Worse yet, you don't even need to hack the kernel. Microsoft conveniently provides dozens of hooks at your command from userland also available to outsiders through browser/OS integration. And I don't even have to bring up "ActiveX" or "scripting" or even link to the horror shows there.

I never could fathom why such exploits shipped with retail products since Microsoft charges out the wazoo for developers in their MSDN versions. They could have just left the debug code in the debug versions that ship with MSDN. You'd think code would be all debugged and ready when it shipped and wouldn't need to have these functions in a retail version. And Microsoft's excuse of course is that it "makes administration easier". Malware authors have been singing the praises of Microsoft ever since for all that.

So why didn't they just include these added features in their corporate versions, allowing for installation where required, and not include them in every copy? I guess grandma wants to hook the kernel and replace the IAT tables for fun since all of these backdoors exist even in the "home versions" as well. Microsoft went out of their way to make writing malware easier than spellchecking your Word document.

Then there's Microsoft's DLL libraries which allow one infected DLL to have access to the memory of other processes because everything is "shared". Functions such as strcpy(), strcat() and similar C functions with unchecked bounds ripe for getting hit with buffer overflows remained not only in the libraries used by third party developers, Microsoft itself was using these unsafe functions for years in their OWN code. You would think that a professional OS would at least check bounds and sizes before even pushing it onto the CPU stack.

Nope. It wasn't until very recently that Microsoft has gotten rid of many of them (not all) and replaced them with slightly safer calls, but there are still binaries which contain these unsafe functions assembled with static library calls built into the offending code. At least they mitigated "DLL Hell" which was yet another wonderland of whoopsies in the past.

Props also go to Microsoft for their UPNP ("Universal Plug and Pray") debacles (PDF) - why hardware needs to connect to the internet is also a solution to a question nobody asked. Other runners-up in the "sheer genius" category include "superhidden files" to protect malware from antivirus and you, and the powerful ADS ("Alternate Data Streams") which can not only hide malware, it can hide whole operating systems where even Microsoft can't find it. But malware can! No shortage of helping out those rogues in Redmond.

There are thousands of other security nightmares in badly written code throughout the Microsoft "experience", and while they've been taking many of them seriously the past couple of years and issuing more and more gauze for them, their latest versions are only slightly better than their older versions and it seems as though every "Patch Tuesday" there are more and more holes having bandaids applied.

We read constantly about other exploits that have persisted for years and still haven't been fixed and frankly it's gotten to the point with the explosion of malware of late that the end is nowhere in sight. And promises that "Windows 8 will be the most secure windows ever" are already providing copious eye rolls.

As one who has been in this since the beginning of MSDOS, and seeing none of the actual root causes of these problems being addressed other than the (finally!) removal of the default setting for autorun in Windows 7 but not in any of the predecessors, I gave up on Windows back when Vista first left skid marks on the landscape back in 2006. There are clearly ways to make an operating system secure, and it's not all that hard. Pure unix did it decades earlier. But Microsoft clearly is never going to participate and plans only to provide prettier blue smoke.

GET A MAC AND YOU'LL BE SAFE

Nancy, our CEO, similarly threw her hands up back in 2006 after spending more time cleaning Windows than using it. She was recruited by the Church of the Fruity Computer and always begins her morning by facing Cupertino and moaning and dancing whatever that chant is that Apple people do.

And over the past few years, she's been quite happy with a little one and a big one on which she does her art and videos and music as well as run our company. Nancy is a whole lot slicker than most computer users, having been in the security business all these years as well. And she's a good fruiter. If it isn't from the fruit store, she's not installing it. Whenever she feels the need to visit a site that she doesn't trust, she boots up KNOS on her fruit and uses that instead.

Lately, she's been getting the sniffles too. In fact on Wednesday, one of her sticks misbehaved when I copied in artwork to my KNOS machine. Turns out that she had a java virus with no signs of it on her Mac. She's also seen "Mac Defender" and a few other rogues lately of the variety that self-installs without warning to her user folder. After seeing a few of these hitting the most careful user in the world, I made it a point to contact Apple who is having their own adventures though they're denying it publicly.

I spoke with Ron Dumont, a wiglet with "Apple Product Security" on June 14 and offered Apple solutions to their little malware problem since these rogues are adopting the same techniques that we saw back in our BOClean days. Needless to say, he told us that they weren't interested in our solution and that they were "developing their own way."

Although they said they were going to make me sign an NDA with them, I guess they forgot. I can imagine things are a bit hectic in Cupertino since one year ago, antivirus companies were seeing 500 malware samples a month and this year, it's getting worse.

Apple has responded to the problem so far with "updates" using the same old blacklist signature technique as early Windows antivirus and as soon as they release an fix for what's out there, the rogues redo the code as an undetectable within minutes. Java and Flash given kernel access? "vm_write(port, (vm_address_t)addr, (vm_address_t)&val, sizeof(val))" much? You're kidding, right?

And not allowing your users to unhide those "dot" files including ".Spotlight-V100 folder" contents is an open invitation to malware to hide from users attempting to clean up the mess manually. Bad enough Microsoft created "superhiddens." Then again, I imagine if users could see those, you'd have some explaining to do. So in the world of Macintosh, here we go again.

LINUX AND ANDROID

My first encounter with Linux was the old Slackware 2.0.8 version in 1994. I learned it primarily to augment our network at a New York State government agency since we needed to provide access to arpanet and our Novell Netware did not have support for TCP/IP. I absolutely loved Linux in the early days. Linus was personally involved, the number of distros was very small and fairly tightly controlled. Bad code rarely found its way into a Linux distribution and when it did, it was promptly removed and everyone was alerted quickly.

Eventually Linus finished school and got a job and no longer held much control over Linux like in the early days. Exasperated by too many chefs and too many distributions, Linus threw up his hands and ceded control to userland and libraries and insisted solely on continued control of the kernel itself.

And over the years with more and more chefs and less and less accountability, Linux became a genuine mess. Caldera came up with a good business version, and later Red Hat. However, owing to the "too many chefs" syndrome, many problems ensued as each Linux distribution went off their own way and when Ubuntu burst upon the scene, Linux had become so fragmented that it was no longer attractive to people like me.

Linux still beat all hell out of Windows, but it had to be carefully watched. And going from one distribution to another with so many variations in each became difficult to manage. Security was generally pretty good throughout though, and highly secured versions were available for situations where better than normal security was required.

But security problems in Linux did become more and more frequent over time. It needed very capable administrators to hold it together, particularly in server use. That was when I made the break and went back to BSD and personally have never regretted the move. BSD is extremely difficult for non-technical people though and so it remains as a server only operating system because it's quite "end user hostile" even today.

Google decided to adapt Linux to create their own flavor of Linux called "Android" and pretty much threw security under the bus in adopting the Microsoft philosophy of making it ubiquitous, pretty and then put it into the hands of end users with no documentation, no security regime and very little warning.

As a result, Android Linux has become the second most dangerous petrie dish for malware, beating out OSX in record time. I for one can't wait to see the mess when the "Google desktop" appears in widespread use. This has got to be very embarrassing for the Linux world.

Bottom line: As much as I've spanked admins for the adventures of the lulzboat, even the dumbest IT people can't hold a candle to what happens when bad operating systems and bad security are placed in the hands of the end user who will click on anything. Twice. And you know that the lawyers, the pointy-haired wiglets and the sales department people are probably even more dangerous than grandma and Uncle Todd combined.

And yet we hand them these machines and turn them loose with operating systems that are just not ready for them. In my next article, I'll discuss how no matter what we do with "layered security" and policies and all the other things we do to protect them from themselves, it just doesn't work. And in the final article, I'll offer what just might solve the problem after all.

(to be continued)

About the author: Kevin McAleavey is the architect of the KNOS secure operating system ( http://www.knosproject.com ) and has been in antimalware research and security product development since 1996.

Possibly Related Articles:
23524
Viruses & Malware
Information Security
Antivirus Trojans malware Windows Operating Systems Information Security
Post Rating I Like this!
Default-avatar
D Ross Awesome article, Kevin. Thanks for pointing out ADS.

The only noteworthy omission was "Browser Helper Objects", which allow(ed?) malware authors to "help" themselves to the contents of your PCs.

With no prompting... no inspection capabilities... and no easy way to remove. Because Grandma and Uncle Todd both love editing the registry to remove BHOs...

1311015450
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey Heh. I believe Aunt Tilly was assigned the keys to regedit. :)

There was just so many moments of dumbness that I saved mention of BHO's for the fifth installment today over the security blankets since BHO's ended up creating yet another layer of "security" and software required for Windows world in the "spyware" category.

We didn't consider it a big deal in the BOClean days, just more DLL's and registry purges that we were already doing for truly malicious stuff. But yeah, another testament to the neverending saga of more time spent cleaning Windows than using it.
1311019111
Default-avatar
First Last Great series of articles, but too bad you gloss over some of the truly technical lower level achievements in operating system design / evolution. For example, you could note when the different operating systems got basic modern OS security fundamentals like non-executable heap/stack, ASLR, etc; what was that like a year ago for OSX and 12 years ago for Linux? How can you write an article about the evolution of OS architecture or system security and not mention grsecurity/PaX? I mean, every OS vendor literally just copied what Brad Spengler did for linux way back when; that technology or architectural innovation represents the biggest evolution in "secure" OS design in the last 10 years (hence every OS vendor copied the ideas), agreed? I would praise the people like Brad who have actually pushed the technology forward in a secure direction... and for a more current example of similar work, how about the work Joanna is doing with Qubes OS?

BTW, Linus is clearly not a respected 'security guy'. He likes to silently fix kernel vulnerabilities and really that doesn't make people more secure. Really he's more like the source of the problem with Linux than the solution of quality you make him out to be. For example:

http://seclists.org/dailydave/2008/q3/59
1311024033
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey I *love* Joanna and her invisible things. And Linus had to get a job. Sometimes FOSS folks need to be reminded also that developer time costs money and/or sacrifice. I guess folks need to be grateful that Linus hasn't walked away after all these years.

As for the details, I had originally intended to write a book about all this and when in trying to pitch it, grew weary of all those glazed-over eyeballs I was staring into. Heh.

I was a bit concerned here about getting too technical in where I went throughout because while I see we have a good representation of gearheads like myself in attendance, I wanted to try to not scare off the pointy-haired who largely have no concept of any of this or else Windows would have gone the way of the TI-99/4A operating system ages ago.

I thought I was kinda pushing it when I brought up ADS and its forked tongue in a sentence back there which only found its way into NT because Microsoft was once considering eating Apples. I wanted to be cautious in all this though not to tl;dr the wigs who might have found this all worth a read.
1311025129
Default-avatar
First Last Understandable.. again this is a great series of articles, thanks. I liked article 3 the most. You should definitely write the book (and please don't worry about being too technical when you do).
1311026109
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.