(Credit: Robert Vamosi/CBS Interactive)
Window Snyder, Mozilla's chief security something-or-other (her official title), is leaving Mozilla, effective the end of the year.
"I am sad to be leaving," she wrote in her blog on Wednesday, "but I am excited to go work on something I have always been passionate about. I wish I could tell you about it now, but that will have to wait for a while."
In an interview earlier this year, Snyder stressed to me how she wants to bring open-source practices to the security community. And her background certainly supports that passion.
Snyder is the co-author of Threat Modeling, a book about application security. Her security work started at @Stake (now a part of Symantec) before continuing at Microsoft. Later she helped found Matasano Security before landing at Mozilla in September 2006.
Johnathan Nightingale, Lucas Adamski, Brandon Sterne, and Mike Shaver will continue to blog about security at Mozilla in Snyder's absence.
Since its introduction in 2006, Microsoft's Windows Live OneCare has altered the antivirus landscape. With Tuesday's announcement that Microsoft will no longer be selling the product in retail outlets but offering a new free version, code-named Morro, starting in the second half of 2009, it's sure to change the field once again.
Since Microsoft bought Romania-based antivirus firm GeCad five years ago, there has been fear among the commercial antivirus vendors that the software giant would simply bundle its malware protection within the next version of Windows. While that didn't happen--and it's unlikely to happen--Microsoft's addition to the market has forced its competitors to make some changes even though Microsoft hasn't become the huge player once feared.
Even before the first beta in 2005, McAfee and Symantec were talking about plans to go head to head with the software giant. McAfee announced plans around Project Falcon, and Symantec launched Project Genesis.
Microsoft OneCare entered the market in May 2006 as a "desktop IT department" and inspired a new breed of "omni security suites" that went beyond the traditional Internet security suite. I wasn't impressed. Although OneCare offers the revamped GeCad antivirus engine, Microsoft Windows Defender antispyware protection, and the Windows Firewall, along with system diagnostic tools, backup capabilities, and a way to monitor home networking, I think that the interface is clunky and that the tools aren't necessarily top of the line. And, I'm on record as calling OneCare SopranoCare since it seems wrong to me to have to pay the company that broke your operating system to fix it.
But at its introduction, Microsoft did shake up the antivirus landscape. OneCare was priced at an absurdly low $49.95, and it protected up to three PCs. At the time, Symantec's Norton Internet Security and McAfee's Internet Security were both priced at over $100 for their three-user packages. Today, three-user packages well under $100 are common.
Symantec responded in 2007 with its Project Genesis-produced Norton 360, a unified product that took Norton Internet Security and added online backup. But Symantec didn't just add to its existing product, it reinvented the product, producing a new one with a fully integrated interface marketed for the average home user. And at around $70, it could be used on up to three PCs.
McAfee also responded with its Project Falcon-produced McAfee Total Protection, also priced around $70 for up to three PCs. It too offers home network monitoring and premium or enhanced versions of the McAfee Internet Suite.
But McAfee and Symantec both had something Microsoft did not: effectiveness.
Almost two years ago, independent antivirus-testing organizations faulted OneCare for missing known malware. Andreas Clementi of AV-Comparatives.org wrote in his February 2007 report (PDF) that OneCare did not meet the minimum requirements for participation. "Due (to) that, its inclusion in future tests of this year (will) have to be re-evaluated."
Microsoft began hiring longtime antivirus experts from competitors, and it appears to have paid off. A few years ago, Vincent Gullotto came over from McAfee to head Microsoft's Security Research and Response team. Microsoft has since added experts from F-Secure, Sophos, and elsewhere to the team. And it shows. In the latest On Demand scanning test from AV-Comparatives.org, Microsoft OneCare 2.5 scored as well as McAfee VirusScan Plus 2008.
All is not perfect, however. In May, Microsoft mistook Skype for a piece of malware. And the Windows Firewall, while Microsoft insists otherwise, is not a truly two-way firewall as shipped: outbound filtering is off by default for consumers, and there are a great many outbound exceptions within the Microsoft version. A Microsoft representative said, "If we turned on outbound filtering by default for consumers, it forces the user to make a trust decision for every application they run which touches the network." Given that other firewalls have outbound filtering, I still don't see why Microsoft can't.
The free version of Morro won't have all the current bells and whistles of OneCare; Microsoft says the diagnostic tools won't be included. Although the final feature set won't be known for a while, just having a free antivirus/antispyware/personal firewall product from Microsoft is bound to shake things up.
With traditional antivirus protection perhaps becoming obsolete, maybe it's time that Symantec and McAfee start offering free versions of their own antivirus products--something that I've said for years.
In Windows 7, the Windows Security Center will be replaced with the Windows Action Center (Credit: Robert Vamosi/CNET Networks; Microsoft)
Since Monday, I have been running a prebeta copy of Windows 7, the next operating system from Microsoft.
At first glance, build 6801 of Windows 7 appears very much like Windows Vista; that's because enhancements to the look and feel part of the operating system typically come late in the development process. Right now, the core programming is being set, and there are already some changes in how Windows 7 will handle computer security.
Gone is the Security Center, introduced in Windows XP SP2. Instead, there will be an "Action Center" that consolidates alerts from existing Windows features: Security Center; Problem Reports and Solutions; Windows Defender; Windows Update; Diagnostics; Network Access Protection; Backup and Restore; Recovery; and User Account Control.
Changes to User Account Control (UAC) may raise an eyebrow or two. While vastly unpopular in Windows Vista, the dialog boxes that pop up whenever a user tries to install new software, among other actions, served a purpose.
In Windows 7, users can adjust consent prompt behavior using a slider control, if they have administrative privileges. Microsoft says they'll still be protected against malicious software, even if they never see another alert. I'm wondering if that's actually a bad idea: if people never see an alert, they might think nothing bad ever happens to their computer. We lose an element of user education.
Windows 7, which Microsoft unveiled at its PDC 2008 event this week, also builds on the Windows Filtering Platform (WFP), the packet-filtering framework introduced in Windows Vista. The idea is that third parties can take advantage of aspects of the Microsoft Windows Firewall in their own products. Microsoft says "third-party products also can selectively turn parts of the Windows Firewall on or off, enabling you to choose which software firewall you want to use and have it coexist with Windows Firewall."
I mentioned this feature to one major security vendor, which responded by saying it couldn't imagine running its product side by side with Windows Firewall. Also, if Microsoft had a compelling component in its firewall, this vendor said it would just build its own version, not use Microsoft's.
Other security features have been tweaked in the current build of the next Windows operating system. In Windows Defender, the scrollbars have been removed from the configuration settings screen and the Software Explorer feature is gone, and real-time protection has been reworked to reduce its impact on overall system performance.
Windows 7 extends BitLocker drive encryption to removable storage devices, such as USB flash drives and portable hard drives. This means that users can encrypt the sensitive data they carry on USB storage, not just the data on the system drive.
Biometrics enhancements include easier reader configurations, allowing users to manage the fingerprint data stored on the computer and control how they log on to Windows 7.
And System Restore includes a list of programs that will be removed or added, providing users with more information before they choose which restore point to use. Restore points are also available in backups, providing a larger list to choose from, over a longer period of time.
Returning from Windows Vista are Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Control (integrity levels).
This information could change, as Microsoft nears the final build. Microsoft still expects to ship Windows 7 "within three years of Windows Vista," which means that it could be available sometime before January 2010.
Window Snyder, Mozilla's chief security something-or-other (her official title), wants to bring open source practices to the security community.
"At a lot of companies," she told me recently, "there's fear around security: you don't want to talk about what you're doing around security because one might deem it not enough--or might want to criticize it." She said most companies have a lot of reasons to keep what you're doing in security quiet, but not Mozilla. "We benefit from being open; it's the model for us and it's been successful for us."
Snyder started her security work at @Stake (now a part of Symantec) then went to Microsoft and later Matasano Security. She describes her journey as moving toward open source with each environment. At Mozilla, makers of the popular Firefox browser, Thunderbird e-mail client, and other open software, she's pretty much at ground zero.
Snyder said the idea of opening up security came about by asking, "What are we doing internally that we can make publicly available to help somebody else in some other project."
They decided to start out small. "We're starting off with secure programs and practices for C and C++. There is a focus on how to make it useful for a browser, but there is of course a general aspect to this. It's training materials, it's syllabi, exercises, it's a workshop-style class. Hopefully we'll be able to do video as well." The idea is that one employee from a company can attend these workshops and then take the training back home to train even more people.
Johnathan Nightingale of Mozilla echoed this. "It's pretty brittle if there's only one person who is the security guy or gal that always solves a problem. It's better to get that knowledge out there--whether it's working on Mozilla or some other project. By working at understanding the good habits and the bad habits, you've made a huge step forward."
In addition to training sessions, Mozilla will be making a variety of tools available. Last year Mozilla released a protocol fuzzer created by Michael Eddington and a JavaScript fuzzer created by Jesse Ruderman, and it acknowledged that these tools had found vulnerabilities within Firefox. Embracing that openness, Opera reported that the tools had also discovered a flaw in its browser. Microsoft, maker of Internet Explorer, and Apple, maker of Safari, haven't revealed whether they used the tools to find any flaws in their products.
Snyder says often the security story isn't that a company created a tool that found 14 vulnerabilities in its own product, it's that there were 14 vulnerabilities in the product in the first place. "Why would they want to share this tool? Maybe they want to demonstrate how successful it was because it found a vulnerability. That's something that we can do that other companies cannot."
In addition to training and tools, Mozilla wants to talk more about security metrics and threat modeling.
"Threat modeling is a methodology for identifying security vulnerabilities, for identifying the risks of a security vulnerability within that application," Snyder said. "Making a threat model available shows other development environments how a complex application like Firefox gets deconstructed into threats, along with the mitigations that we've implemented to address those specific threats.
"But it also gets us feedback on whether our mitigations are sufficient. It gets the research community engaged in another point in the development process. Instead of looking for vulnerabilities at the end of the lifecycle, they're able to get involved in the threat modeling process, which is between design and implementation, ideally. You want to be able to do it early enough in the process so that you can actually change at the architectural level as the result of threat modeling."
The goal, she said, is to remove whole categories of vulnerabilities. "Here's a pattern, and if we implement one architectural change we can eliminate all these vulnerabilities."
Threat modeling is more theoretical; it's abstract. "So, instead of saying concretely if you do this, that, and the other thing, that will result in an actual vulnerability, threat modeling says there is no input validation mechanism, for example. If you send a request this way, you end up bypassing the input validation mechanism and you're sending content, unvalidated, to this audio decoder. That would be scary. So the threat would be: unvalidated content is being passed directly to the audio decoder if it comes in this way. A vulnerability would be: there's an overflow in the audio decoder that an attacker is able to trigger if they craft a URL this way, and because it bypasses the input validation mechanism, all these other mechanisms that would have protected from an exploit are bypassed as well."
She concludes that the training, the tools, and the threat modeling are "good for peer reviews, it's good for testers, it's good for developers." She sees it as delivering on a promise "to make the Web more secure."
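The threat-versus-vulnerability distinction Snyder draws above is easier to see in code. The following is an added example, not Mozilla's code: a toy "audio decoder" reachable from two URL schemes, one of which bypasses validation (the threat), sitting on top of a decoder with no bounds check (the vulnerability). The schemes, the 64-byte limit and the "RIFF" check are assumptions standing in for a real decoder's contract. The "after" half shows the architectural fix she describes: route every path through one validating chokepoint so the whole category disappears, including for schemes added later.

```python
"""Toy model of an input-validation bypass into a decoder, before and after
funnelling all callers through a single chokepoint. Added example; names,
limits and the 'RIFF' format check are assumptions, not Firefox internals."""

DECODER_LIMIT = 64  # assumed size of the decoder's fixed buffer


class DecoderOverflow(Exception):
    """Stands in for memory corruption inside a native decoder."""


def _raw_audio_decode(payload: bytes) -> int:
    """Toy decoder modelling C code that copies into a fixed buffer with no
    bounds check: oversized input 'corrupts memory'. Returns bytes consumed."""
    if len(payload) > DECODER_LIMIT:
        raise DecoderOverflow(f"{len(payload)} bytes into a {DECODER_LIMIT}-byte buffer")
    return len(payload)


def validate_audio(payload: bytes) -> bytes:
    """The input-validation mechanism named in the threat (assumed contract)."""
    if not payload.startswith(b"RIFF"):
        raise ValueError("not a supported audio container")
    if len(payload) > DECODER_LIMIT:
        raise ValueError("audio payload exceeds decoder limit")
    return payload


def _split(url: str):
    scheme, sep, rest = url.partition(":")
    if not sep:
        raise ValueError("malformed URL")
    return scheme.lower(), rest.encode()


# BEFORE: validation is each caller's job. The 'audio:' path does it; a
# later-added 'data:' path feeds the decoder directly. That is the threat
# ("unvalidated content reaches the decoder"); combined with the decoder's
# missing bounds check it is an exploitable vulnerability.
def load_url_before(url: str) -> int:
    scheme, body = _split(url)
    if scheme == "audio":
        return _raw_audio_decode(validate_audio(body))
    if scheme == "data":
        return _raw_audio_decode(body)  # bypass: validation forgotten here
    raise ValueError("unsupported scheme")


# AFTER: one chokepoint owns validation and is the only route to the decoder.
# Every scheme, including ones added later ('blob:'), inherits the check.
def decode_audio(payload: bytes) -> int:
    return _raw_audio_decode(validate_audio(payload))


HANDLERS = {"audio": decode_audio, "data": decode_audio, "blob": decode_audio}


def load_url_after(url: str) -> int:
    scheme, body = _split(url)
    if scheme not in HANDLERS:
        raise ValueError("unsupported scheme")
    return HANDLERS[scheme](body)


def raises(exc_type, fn, *args) -> bool:
    """True if fn(*args) raises exc_type; False if it returns or raises anything else."""
    try:
        fn(*args)
    except exc_type:
        return True
    except Exception:
        return False
    return False


if __name__ == "__main__":
    benign = "audio:RIFF" + "x" * 10    # 14 bytes, passes validation
    crafted = "data:RIFF" + "A" * 100   # 104 bytes via the unvalidated path
    print("before, benign payload decoded bytes:", load_url_before(benign))
    print("before, crafted data: URL overflows decoder:", raises(DecoderOverflow, load_url_before, crafted))
    print("after,  crafted data: URL rejected at chokepoint:", raises(ValueError, load_url_after, crafted))
```

In the "before" version the fix for any one bypass is local (add a `validate_audio` call to that branch), and the next entry point starts the cycle again; in the "after" version the decoder simply cannot be reached without validation, which is the kind of pattern-level change the quote is describing.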
Mozilla has been steadily demonstrating how open source projects can make money without betraying their community goals. At Mozilla, she says "we absorb the costs in criticism and we tolerate that in security because the benefit for us far outweighs everything else."
Last week, a new report (PDF) on emerging threats from the Georgia Tech Information Security Center mentioned, among other predictions, that botnets were likely to hit mobile phones sometime in the next year. On Tuesday, I spoke with VeriSign CTO Ken Silva about that possibility and why it might happen within the coming year.
"Criminals will go where the money is," Silva told CNET News. "If you start doing things of financial interest with your mobile phone, they will find a way to get your money."
Silva said the mobile phone market is changing. Today's mobile phones don't just make phone calls, they stream video and support content. "Most consumers did not care about a smartphone until Windows Mobile, the Apple iPhone, and now Google Android came along. Now more and more consumers want smartphones. Kids want them; it's a cool phone to have."
Silva said that smartphones tend to use either Java-based Blackberry OS, Mac OS, or Windows Mobile OS as platforms, and it is this standardization of operating systems that should make it easier for criminals to target their victims. The way mobile users browse the Web already is standardizing. With Windows Mobile you have Internet Explorer, and on Apple's iPhone you have Safari. Both of these browsers have vulnerabilities that can be exploited, although not always on the mobile version.
Another compelling reason to think malware is coming soon to your smartphone is more bandwidth. Because of the streaming media options, this year's phones process data much faster than last year's models.
One possible malware vector might be new application downloads. "People are thirsty for applications to run on their devices," Silva said. "Despite the fact Apple has gone to great lengths to make sure the applications are signed (and) have gone through a vetting process, users continue to break their iPhone and install software outside the channel."
Silva doesn't, however, think denial-of-service (DoS) attacks will be the first choice of botnets operating on mobile phones. For one thing, DoS attacks require always-on computers, and mobile devices are not always on or connected to the Internet.
He ranks DoS attacks second behind data theft. "These smartphones now have e-mail on them--and also corporate e-mail on them. We're doing more personal transactions with them." Silva thinks it's the rise of mobile payments and the popularity of banking on mobile phones in Europe and Asia that are leading malware to the mobile phone.
"If we've learned nothing else from the desktop, we should have learned that software needs to be secure right from the get-go." We have opportunity on the mobile platform to write secure code, he said, knowing what has happened on the desktop.
As for the current status of botnets operating on mobile phones: "Definitely theoretical." But Silva adds, "Someone--just to prove the point--will develop a toolkit to do it." So it's never too early to be thinking about this problem.
Microsoft today released its July 2008 security bulletins, four items all rated important rather than critical. They cover the Domain Name System (DNS) client and server in Windows, Windows Explorer in Windows Vista, Outlook Web Access (OWA), and Microsoft SQL Server. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Entitled "Vulnerabilities in DNS Could Allow Spoofing (953230)," this bulletin is for users of Windows 2000, Windows XP, and Windows Server 2003; Windows Vista (both 32-bit and 64-bit editions) and Windows Server 2008 are not affected. The update addresses the vulnerabilities detailed in CVE-2008-1447 and CVE-2008-1454. Microsoft says these two vulnerabilities exist in both the DNS client and DNS server and could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems. The fix randomizes the UDP source port of outgoing DNS queries, so a forged response has to match both the port and the 16-bit transaction ID rather than the transaction ID alone.
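To see why source-port randomization is the mitigation for a spoofing bug like CVE-2008-1447, it helps to put numbers on the race. An off-path attacker cannot see the resolver's outstanding query; it has to flood forged replies and hope one carries the right 16-bit transaction ID (and, once ports are random, the right source port). The model below is an added example, not Microsoft's code or anything from the bulletin: the ephemeral port range, the number of forged packets and the seed are constructed assumptions. Because this class of bug lets the attacker restart the race at will (each attempt uses a fresh, never-cached name), even a small per-race chance becomes a certainty over minutes with a fixed port; the randomized port pushes the per-race odds down by a factor of roughly 64,000.

```python
"""Forgery race against a DNS resolver: fixed vs randomized source port.
Added example with constructed parameters; not Microsoft's code."""
import math
import random

TXID_SPACE = 1 << 16                 # DNS transaction ID is 16 bits
PORT_LOW, PORT_HIGH = 1024, 65536    # assumed ephemeral range a randomizing resolver uses
PORT_SPACE = PORT_HIGH - PORT_LOW    # 64,512 candidate ports


def guess_space(randomize_port: bool) -> int:
    """How many (txid, port) pairs the attacker must cover. With a fixed, known
    query port only the txid is unknown."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def success_probability(space: int, forged: int) -> float:
    """Chance that `forged` distinct forged replies include the one pair the
    resolver will accept for a single outstanding query: exactly forged/space."""
    return min(forged, space) / space


def forged_needed(space: int, p: float) -> int:
    """Distinct forged replies needed for success probability p on one query."""
    return math.ceil(p * space)


def simulate(rng: random.Random, randomize_port: bool, forged_per_query: int, queries: int) -> int:
    """Monte Carlo of the race. For each lookup the resolver draws a txid (and a
    port when randomizing); the blind attacker fires `forged_per_query` distinct
    guesses. Returns the number of lookups that got poisoned."""
    space = guess_space(randomize_port)
    stride = PORT_SPACE if randomize_port else 1
    wins = 0
    for _ in range(queries):
        txid = rng.randrange(TXID_SPACE)
        port_index = rng.randrange(PORT_SPACE) if randomize_port else 0
        target = txid * stride + port_index           # the one accepted (txid, port) pair
        guesses = set(rng.sample(range(space), forged_per_query))
        if target in guesses:
            wins += 1
    return wins


def compare(seed: int = 2008, forged_per_query: int = 1000, queries: int = 2000):
    """Run the race with and without port randomization; returns (fixed_wins, random_wins)."""
    rng = random.Random(seed)
    fixed = simulate(rng, False, forged_per_query, queries)
    randomized = simulate(rng, True, forged_per_query, queries)
    return fixed, randomized


if __name__ == "__main__":
    for label, rnd in (("fixed source port", False), ("randomized source port", True)):
        space = guess_space(rnd)
        print(f"{label}: search space {space:,}; "
              f"P(poisoned | 1000 forged) = {success_probability(space, 1000):.2e}; "
              f"forged replies for a 50% chance = {forged_needed(space, 0.5):,}")
    fixed, randomized = compare()
    print(f"simulation, 2000 lookups x 1000 forged each: {fixed} poisoned (fixed port) "
          f"vs {randomized} (random port)")
```

The analytic part is the point to remember: with a fixed port an attacker needs about 32,768 forged replies for even odds on one query, a few seconds of traffic; with a randomized port the same odds need over two billion. The simulation just confirms that the per-query figures are right.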
Entitled "Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582)," this bulletin only affects users of Windows Vista and Windows Server 2008; all other versions of Windows are not affected. The update addresses the vulnerability detailed in CVE-2008-1435. Microsoft says it resolves "a vulnerability in Windows Explorer that could allow remote code execution when a specially crafted saved-search file is opened and saved. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Entitled "Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747)," this bulletin affects users of Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007. The update addresses the issues detailed in CVE-2008-2247 and CVE-2008-2248. Microsoft says "an attacker who successfully exploited these vulnerabilities could gain access to an individual Outlook Web Access (OWA) client's session data, allowing elevation of privilege. The attacker could then perform any action the user could perform from within the individual client's OWA session."
Entitled "Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)," this bulletin affects SQL Server 7.0 Service Pack 4, SQL Server 2000 Service Pack 4, SQL Server 2000 Itanium-based Edition Service Pack 4, SQL Server 2005 Service Pack 2, SQL Server 2005 x64 Edition Service Pack 2, SQL Server 2005 with SP2 for Itanium-based Systems, Microsoft Data Engine (MSDE) 1.0 Service Pack 4, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) Service Pack 4, Microsoft SQL Server 2005 Express Edition Service Pack 2, Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 2, Microsoft SQL Server 2000 Desktop Engine (WMSDE), Windows Internal Database (WYukon) Service Pack 2, Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon) x64 Edition Service Pack 2. This update addresses the vulnerabilities detailed in CVE-2008-0085, CVE-2008-0086, CVE-2008-0107, and CVE-2008-0106. Microsoft says this bulletin "resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights."
Apple on Thursday released a new version of Safari for Windows that includes a security fix for a high-profile "carpet bombing" desktop attack vulnerability previously dismissed by the Cupertino vendor. The Safari update is only for Windows users, not for Mac OS X. Version 3.1.2 of Safari for Windows can be downloaded and installed from Apple Downloads.
BMP or GIF image memory error
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-1573, an out-of-bounds memory read vulnerability. The error may occur in the handling of BMP and GIF images, which may lead to the disclosure of memory contents. Apple credits Gynvael Coldwind of Hispasec for reporting the vulnerability.
Carpet bombing attack
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2540, a vulnerability in how Windows desktop handles executable files. Apple explains: "Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user's Downloads folder on Windows Vista, and to the user's Documents folder on Windows XP." Apple credits Aviv Raff for reporting the vulnerability.
Internet Explorer 7
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2306 which is an Internet Explorer 7 vulnerability. Apple explains: "If a Web site is in an Internet Explorer 7 zone with the 'Launching applications and unsafe files' setting set to 'Enable,' or if a Web site is in the Internet Explorer 6 'Local intranet' or 'Trusted sites' zone, Safari will automatically launch executable files that are downloaded from the site. This update addresses the issue by not automatically launching downloaded executable files, and by prompting the user before downloading a file if the 'always prompt' setting is enabled." Apple credits Will Dormann of CERT/CC for reporting the vulnerability.
WebKit JavaScript array
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2307, which is a memory corruption vulnerability. An error exists in WebKit's handling of JavaScript arrays, so visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Apple credits James Urquhart for reporting the vulnerability.
Updated at 12:30 p.m. PDT on Wednesday with links to the newly debuted release candidate.
If you were planning to host a Firefox 3 launch party this week, keep that bubbly on ice a bit longer.
Mozilla on Wednesday released Firefox 3 Release Candidate 3. Windows and Linux users won't likely feel a thing; the new browser is considered stable on those platforms.
The extra release candidate addresses some lingering issues on the Mac OS X operating system. The changes are internal.
The previous test version, Firefox 3 Release Candidate 2, can also be downloaded for Windows, Portable, Mac, and Linux systems.
As a follow-up to last week's story on Hotmail users getting locked out, the second account mentioned has been restored.
Last Wednesday, Hotmail account holder Will showed CNET an e-mail verifying that he notified Microsoft on May 2 that his Hotmail password had been changed without his knowledge. Microsoft support staff responded with the following message: "Thank you for your message to MSN and Windows Live Privacy. I understand you are having difficulties accessing your MSN Hotmail account because you believe someone has gained unauthorized access to your account. For assistance with this issue, please contact the MSN Support staff using the (following) form."
Will filled out the form, and several weeks passed. Last Wednesday, he told CNET he had received no further response from Microsoft.
Account hijacking, where someone else steals your password and then changes it to deny you access, is a problem that affects not only Hotmail, but AOL and even eBay.
In a statement to CNET, a Microsoft representative said, "We can't comment on the specifics of a particular investigation. However, we can say that attempts to hijack accounts through a variety of means (for example, phishing scams, keystroke logging, and any number of other known security threats) occur against all online properties on an ongoing basis. Microsoft is constantly working to help ensure the security and privacy of its customer accounts."
Once again, the Microsoft representative put the fault for the lockout on the user. "In addition, we continue to recommend that customers always exercise appropriate caution and safeguards to protect their account information online, whether for their Windows Live accounts, banking accounts, or any other accounts they have online. Microsoft provides information on online safety and security, including specific guidance on how to help protect your Windows Live ID account security."
But Microsoft didn't answer our direct question: Why did it take a month, plus intervention from CNET, to restore Will's account?
Perhaps this e-mail statement comes the closest to a possible explanation: "As an FYI, we found the original communication to Will in response to his request, but per his e-mail to you, it seems for whatever reason, he did not receive it. We appreciate you flagging the issue, as we make it a practice to respond to all customer issues in a timely manner."
Safari users may be subject to crashes or interactions with an attacker's malicious site, according to a warning posted on Tuesday on BugTraq.
Researcher Juan Pablo Lopez Yacubian is credited with finding multiple vulnerabilities in Apple Safari 3.1.1 for Windows. Other versions of Safari may also be affected.
Among the vulnerabilities cited are a denial-of-service (crash) vulnerability caused by a write-access violation, a denial-of-service (crash) vulnerability caused by a read-access violation, and a third vulnerability that allows attackers to spoof the content shown in the address bar. A full write-up was posted to Bugtraq.
In a separate mailing to Bugtraq, Juan Pablo Lopez Yacubian says he was also able to use a similar exploit to crash Mozilla Firefox 3 beta 5.
Until Apple issues a fix, the general workaround is not to use Safari 3.1.1 for Windows; Firefox 2.x or Opera are recommended instead.