January 31, 2006 5:35 PM PST

Microsoft's OneCare firewall draws fire

The firewall component in Microsoft's Windows OneCare security bundle has holes, experts have warned.

The security software, available in a public beta version, by default allows applications that use the Java Virtual Machine or have a digital signature to connect to the Internet.

Like any blanket security-bypass rule, these default settings are a bad idea, said Mark Curphey, vice president at vulnerability management specialist Foundstone, a part of McAfee.

"Any firewall, any security device should have a default deny," Curphey said in an interview Tuesday. "Any door should always be closed."

Curphey discovered the issue when running software on his wife's computer, on which he had installed OneCare. He informed Foundstone security consultant Roger Grimes, who subsequently blogged about it on the InfoWorld Web site. Grimes also blasted the default bypass settings.

"It just invites malicious hackers and other malware goons to exploit it," Grimes wrote.

OneCare team on Tuesday responded to the Foundstone experts in its own blog, and a Microsoft representative confirmed the blog's content. Yes, the OneCare firewall does allow any signed application and the Java Virtual Machine to pass through without alerting the user, but this should not be a security risk, according to the posting. The team invites readers to discuss the topic.

"It is highly unusual for malware to be signed," according to the Microsoft blog posting. Furthermore, if an application is signed, it can be traced to its author, it said.

Blocking Java would result in many applications being disabled, Microsoft, the posting added. And asking users to allow applications to pass through each time they are invoked would be too confusing. If a malicious program that uses the Java Virtual Machine does land on a user's PC, the antivirus component of OneCare should catch it, the OneCare team wrote.

According to Grimes's blog, however, that adware and spyware makers often sign their applications. Such a signature is meant to make their software look more reliable. "They already routinely use signed controls to install themselves onto users PCs, and certainly they will continue to use them to bypass this (OneCare) service," Grimes wrote.

Spyware expert Ben Edelman agreed. "Most malware is signed," he said. "Getting these signatures is remarkably easy. And the resulting user experience is far better: reassuring-looking dialog boxes that make users think software is safe."

A public test version of OneCare has been available since November. OneCare is meant for consumers and will combine anti-spyware software with antivirus software, firewall software and several tune-up tools for Windows PCs. The final package is expected sometime this year and will be offered as a subscription service.

6 comments

Join the conversation!
Add your comment
OneCare Antivirus catches Java???
Microsoft's OneCare team wrote the following on their blog:

"If a malicious program that uses the Java Virtual Machine does land on a user's PC, the antivirus component of OneCare should catch it...".

But they just announced two days ago that AntiVirus would NOT be included with OneCare. So their argument is invalid.
Posted by melsmith (1 comment )
Reply Link Flag
Hold it
Wasn't that Vista that they said wouldn't include antivirus, not OneCare?
Posted by Bobman (114 comments )
Link Flag
Highly unusual
"It is highly unusual for malware to be signed,"

As well as for well written program to have buffer overflows. And yet.

Expect virus writers start signing their pets sooner that us programmers creating bugfree code. Take my word for it: former is much much much easier.
Posted by Philips (400 comments )
Reply Link Flag
MircoCrap
Considering how poor Windows design is why would anyone want to buy a security product from them?

They should fix the product's deficiencies at no cost to users!
Posted by Ronald J Riley (27 comments )
Reply Link Flag
happy with norton
i have been using norton systemworks for years now without any real headaches. why would i want to go to a untested product. much less why would i want to use a product by a company who if they had done their job right in the first place there would not be any holes in their os. in vista you have windows defender which i have not found any way to uninstall. there goes microsoft with embedded software again. i believe we need to take the same action as the eu did. which was to have microsoft remove several features so as to be fair to the competition. i have beta tested vista up through its current build and find nothing in it including windows defender to compel me to upgrade to it. i will continue to use norton products because i have never had any problems with them. i do not like having software just shoved at me. i.e. internet explorer, windows defender. microsoft should just stick with making the best core os that they can, set up separate devisions for browsers, security tools, and so on allowing for true freedom of choice in what software is used by the end user. i believe by the time vista is released in january i will be dual booting a brand new mac with osx and xp. i see no real reason to upgrade to vista, windows defender, or microsoft one care.
Posted by system001 (45 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.