November 6, 2007 9:30 PM PST

Restricting insecure applications

by Michael Horowitz

Back in August I wrote about a free security program for Windows XP called DropMyRights. It comes from a trusted source, requires no maintenance, and incurs no overhead.

DropMyRights works by front-ending an application. To use it with Internet Explorer, for example, you make a shortcut to DropMyRights and modify the shortcut to include the full path to the IE executable. When DropMyRights runs, it, in turn, invokes Internet Explorer. But, as the name implies, it first lowers the "rights" for IE. Thus, even if you are logged onto Windows XP as an Administrator, IE will run with the restricted rights of a limited user. Windows prevents restricted applications from doing a whole host of dangerous things, the most important of which are modifying the system itself and installing software.

For the ultimate in safety, you would, of course, log on to Windows as a restricted user in the first place. But, that brings along its own set of problems and has proven unworkable for many people. With DropMyRights, we try to hit a happy medium. Although logged onto Windows as an Administrator, we can run the most dangerous programs in restricted mode. But which applications should be run in restricted mode?

As a given, I suggested Web browsers (each one, if you have more than one installed), e-mail programs, and Microsoft Office. It turns out that two organizations publish lists of the most insecure applications. Let's go see.

Bit9


Over at ZDNet, Ryan Naraine recently mentioned a list, compiled by Bit9, of the most vulnerable (think buggy) Windows-based applications. Topping the list was Yahoo Messenger. Microsoft's own IM program, with the clumsy name Windows Live (MSN) Messenger, was fourth. If you use instant messaging, run your IM program with restricted rights.

I previously suggested QuickTime as an application that should be run in restricted mode. According to Bit9, it was the second most vulnerable application. As if to confirm this, Apple just released a new version of QuickTime with fixes to at least seven security related bugs.

iTunes should be included in the list of restricted mode applications. Not only was it sixth on the Bit9 list, but it also invokes QuickTime.

Secunia


Secunia has its own list of the most insecure applications based on data accumulated by its very useful Online Software Inspector. It even provides JavaScript so that you can display a dynamic version of the list on your own Web page. Rather than risk breaking a CNET publishing system I don't understand, I've posted a couple of Secunia lists on my personal site.

As of this writing, Secunia ranks the Adobe Acrobat Reader version 8 as the most insecure application on a percentage basis, looking at the last month. Adobe recently released a fix for a critical security problem; if you are not running version 8.1.1 of Acrobat you are at risk. Add the Acrobat Reader to the list of applications that should be run in restricted mode.

The Secunia list includes many instances of Flash, but Flash runs in the context of a Web browser, so if the browser is in restricted mode, so too is Flash. The same applies to Java, which as of this writing was the second on the list.

Secunia also has a list of the most insecure applications based on the number of installations, rather than percentages. This list, however, doesn't turn up any new applications that need to run in restricted mode.
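The shortcut setup described at the top of this post, applied to several of the applications collected above, as an added example that is not from the original post or from DropMyRights itself. The DropMyRights location and every application path are assumptions (typical default install locations); applications that are not found are skipped.

```powershell
# Added example: create desktop shortcuts that start each application through
# DropMyRights. Every path below is an assumption; adjust to your machine.
$DropMyRights = 'C:\Tools\DropMyRights\DropMyRights.exe'   # assumed location

# Typical default install paths (assumptions). Missing ones are skipped.
$Apps = @{
    'Internet Explorer' = 'C:\Program Files\Internet Explorer\iexplore.exe'
    'Firefox'           = 'C:\Program Files\Mozilla Firefox\firefox.exe'
    'QuickTime Player'  = 'C:\Program Files\QuickTime\QuickTimePlayer.exe'
    'iTunes'            = 'C:\Program Files\iTunes\iTunes.exe'
    'Adobe Reader'      = 'C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe'
}

function New-RestrictedShortcut {
    param([string]$Name, [string]$Target, [string]$Launcher, [string]$Folder)

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut((Join-Path $Folder "$Name (restricted).lnk"))
    $lnk.TargetPath       = $Launcher            # the shortcut runs DropMyRights...
    $lnk.Arguments        = '"' + $Target + '"'  # ...which is handed the real program
    $lnk.WorkingDirectory = Split-Path $Target -Parent
    $lnk.IconLocation     = "$Target,0"          # keep the application's own icon
    $lnk.Save()
    return $lnk.FullName
}

if (-not (Test-Path $DropMyRights)) {
    throw "DropMyRights.exe not found at $DropMyRights"
}

$desktop = [Environment]::GetFolderPath('Desktop')
foreach ($app in $Apps.GetEnumerator()) {
    if (Test-Path $app.Value) {
        $path = New-RestrictedShortcut -Name $app.Key -Target $app.Value `
                                       -Launcher $DropMyRights -Folder $desktop
        Write-Host "Created $path"
    } else {
        Write-Host "Skipped $($app.Key): not found at $($app.Value)"
    }
}
```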

At this point, you have to wonder if the pain threshold of keeping Windows defended isn't higher than that of switching to another operating system. I haven't done much switching, so I don't have an opinion as yet, but it's always in the back of my mind.

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
Switching OSes only a temporary solution
by ejevo November 7, 2007 5:51 AM PST
There is NO OS THAT IS SAFE. Same can be said for browsers, too. End of story. The security bugs only follow the crowd. As soon as the crowd runs over to another OS seeking protection (OSX, Linux, whatever), the exploits will soon follow.

It's better to stay and defend your OS rather than just trade one set of issues in for a new set of issues.
Temporary solutions are not bad choices
by tenc21 November 7, 2007 11:11 PM PST
Let's use an analogy. There's Microsoft Pizza Works which charges $35 for a plain pie and it makes you sick, and then they sell you another for $40 which makes you even sicker. So, you go across the street to Linux Pizza Parlor which sells you a plain pie for $30 that gets you sick, but you get a free replacement pie that also gets you to the bathroom. Finally, you wind up at Mac Pizza Factory where the pies are only $20 and they don't make you sick, but they're just not tasty.

If you're dying from hunger and had to eat and had the money, you could keep getting sick until Microsoft or Linux made their pizza fit for human consumption, or you could go to Mac and eat awful pizza. If you had to eat, you'd go to Mac.

It's all about knowing when to desert a sinking ship...even a raft with no oars can be a better choice. [yup, it's true too many scrambling overboard onto the raft could sink it, but you wouldn't try to get on?]
by mhinnewyork December 11, 2007 5:36 PM PST
IGNORE TENC21
Don't pay any attention to the comments made by tenc21. He/she is a stalker, doing nothing but griping about anything and everything I say. He/she comments on every blog posting of mine, regardless of the topic, and comments nowhere else at CNET. The person's purpose is not to debate anything, just to argue. Ignore their comments.
Michael Horowitz
About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
