10 September 2008

Compatibility vs. Safety

Technorati tags: ,

Once upon a time, new software was of interest because it had new features or other improvements over previous versions.  This attracted us to new versions, but we still wanted our old stuff to work - so the new versions would often retain old code to stay compatible with what we already had.

Today, we're not so much following the carrot of quality, but fleeing the stick of quality failure.  We are often told we must get a new version because the old version was so badly made, it could be exploited to do all sorts of unwanted things.  In this case, we want to break compatibility so that the old exploit techniques will no longer work!

Yet often the same vendors who drive us to "patch" or "upgrade" their products to avoid exploitation risks, still seem to think we are attracted by features, not driven by fear.

Sun's Java

I've highlighted the long-standing problems with Sun's Java before, and they are still squirming around their promise to mend their ways.  In short, they may still leave old exploitable versions of the Java JRE on your system, but it's no longer quite as easy for malware to select these as their preferred interpreter.  Still, you're probably safer if you uninstall these old JREs (as Sun's Java updater typically does not do) than trust Sun to deny code access to them.

Microsoft's Side By Side

Here's an interesting article on the Windows SxS (Side By Side) facility, which aims to appease software that was written for older versions of system .DLLs and thus ease the pain of "DLL Hell".  This works by retaining old versions of these .DLLs so that older software can specify access to them, via their manifest

How is that different from Sun's accursed practice? 

Well, is generally isn't, as far as I can tell, until a particular exploit situation is recognized where this behaviour poses a risk.  The current crisis du jour involves exploits against GDIPlus.dll - yep the same one that was fixed before - and the patch this time includes a facility to block access to old versions of the .DLL, leveraging a feature already designed into the SxS subsystem.

7 comments:

Dan W. said...

I have looked forward to posting a comment about this and feel now is the time, Chris. First, you are so awesome to have your blog and I think your research is so cool and helpful to the whole world. Anyway, Windows 98 Second Edition still runs like a champ on my multi-boot computer. I tried out Ubuntu Linux but have been too busy with work so I removed it for now. Anyway, I have connected Windows 98 Second Edition directly to the Internet and baited hackers to hack me now and the most that has happened so far is denial of service errors with Internet Explorer and a freeze with Internet Explorer when trying to report a crash to Microsoft. Someone, certainly did not want me to report that crash information. I feel that users for now can connect 98 Second Edition safely to the Internet if they are very careful and use 3rd party software such as Mozilla Firefox and Sun Java. Currently, Mozilla Firefox 2.x which is supported in 98 Second Edition is scheduled to end by the end of 2008 and Sun Java 5 which is supported in Windows 98 is scheduled to end on October 31, 2009 so users such as myself still have some time. I do miss your posts in Windows 98 General and hope you have a chance to post there soon. Another key is to always initially read in plain text, block session as well as 3rd party cookies, and under no circumstances install Windows 98 Scripting Host because this automates the writing of scripts which is bad in this day and age with all the DNS Poisoning and other vulnerabilities floating around in the sky and white clouds. Grin --- Take Care ---

Note: The website below is not my own of course but hopefully will help users to research vulnerabilities in current software to better protect themselves in cyberspace

http://secunia.com/

Dan

Chris Quirke said...

"I feel that users for now can connect 98 Second Edition safely to the Internet if they are very careful and use 3rd party software such as Mozilla Firefox and Sun Java." - that advice may be valid, but has a short sell-by date.

Is it worth setting up a new system just for the few months before these things dry up for Win9x? Firefox 2.xx isn't going to be around forever (ah, I see you say October 2009; way better than I'd have hoped!), and Java JRE 1.6.x has been "not for Win9x" for several versions now... if incompats between these JREs and the OS are exploitable, that isn't going to be fixed.

So while I'd say to existing Win9x users that they can carry on truckin' for now, I wouldn't expend effort setting up new Win9x systems that are to face the edge.

Really old PCs that have to face the edge, pose a problem that may best be solved by one of the "lite" Linuxen. Yes, some Linux will run on these things, but you'd usually have to choose between "runs on old systems" and "includes the things we need", with one of the needed things being update delivery.

For first-time users on hand-me-down PCs, the ability to easily get patched could become important if Linux starts to get attacked.

WSH, HTA and SHS are easily risk-managed in Win9x by renaming away the relevant engines, i.e. CScript.exe, WScript.exe, MSHTA.exe and SHSCrap.dll - but there's a catch; if you do this from within Windows, then the OS may track the changes so that the engines remain associated and active (yes, even if the extension is wrong, e.g. WScript.ex!). Use DOS mode (not just a command window) do effect these measures, and do the extras in WinME to kick SFP out of the way.

On the above, see...

http://cquirke.mvps.org/9x/riskfix.htm#FindAndKill

You should also remove the MS Java VM, for which instructions are available on Sun's site ;-)

Dan W. said...

Thanks Chris for your feedback. I know I mentioned to you how the hackers broke into my computer with a fully updated Windows XP Professional from VPN when connected to the Albuquerque Public School System in September 2007. The hackers just caused a Denial of Service error with Windows 98 Second Edition. If the above scenario had happened with Windows Vista, would the hackers who compromised the APS Network and had full access to the server be able to break in. I think current and former employees were involved and I know these people illegally imaged an administrator's computer called Michelle from building 6400 in Albuquerque, New Mexico to a computer at Painted Sky Elementary during the months of May 2007-August 2007 while I was away working at a camp in Santa Fe, New Mexico. The ironic thing is the computer they used was by a 3rd grade teacher named Claire who I worked with because I was a first grade educational assistant and I worked in Terese's 1st grade classroom and the 2 were twin sisters. Anyway, their dad Frank is a part of the United State's Justice Department and so things got really crazy because I have lots of friends and extended family that have worked for the U.S. Air Force as well as having worked as a civilian for the Air Force from 1998-2001 working with the Air Force children. Anyway, I am currently working in the electronics business specifically with computers and am slowly working on a report for the Department of Defense and Department of Homeland Security on all of this and just trying to live a more normal life again. I really appreciate your help and am very glad that you have this blog. BTW, currently Mozilla Firefox 2.x is scheduled to end its life by the end of 2008 and Sun Java 5 support is scheduled to end its life at the end of October 2009. I currently have removed unsupported components with Windows 98 Second Edition such as Adobe's Flash Player and do not have Windows 98 Scripting Host installed because I certainly do not want to automate scripts. What do you think about Windows 7 and the future of Microsoft and their operating systems? Have you read information about the latest attack method where you have to be careful about clicking anything in a web page and it is suggested that you use the NoScript Addon for Mozilla Firefox. Finally, what do you think about Mozilla Firefox 3.x compared to Internet Explorer 8 beta and the other browsers like Opera and Google's Chrome. Thank you again for being so willing to share your knowledge and expertise with the world.

Chris Quirke said...

Wow, Dan: Paragraph breaks. Please!

I'm careful about drawing broad conclusions from specific cases, unless they highlight a pattern that appears reproduceable.

I do, however, understand the sanity-preserving effect of context encapsulation and denial.

For example, when I was mugged in Jozi, it was much easier to live with "the center of Jozi's too dangerous, I won't go there again" than (the perhaps as true) "the center of cities are dangerous, I won't go there again".

If you've had a single shattering experience of being hacked that used NT-family OSs as an entry point, rather than Win9x-family OSs that were also available, then you could come away with the same impression... and while there is some reality to differential network entry risks, it's an impression that may have a sell-by date.


I haven't seen Windows 7, but in terms of statements made about it, and the tight development time frame, I expect a point revision of Vista that will respond to ant-Vista perceptions.

I expect some UI changes, hopefully some scaling back of "underfootware" effects, UAC made less obtrusive but hopefully not undermined (e.g. spot single points of intervention instead of nagging on multiple steps of the same process), and so on.

It would make sense for IE8 to be baked into Windows 7, as that allows earlier "retirement" of IE7 support down the line. In fact I was dissappointed that IE7 wasn't in XP SP3.

I love IE8! It has some bugs to be ironed out, as can be expected of a beta, but I love the UI and feature set. It's not often that I like a new version of anything this much.

Chrome I've commented on, and I may or may not give that a go once it's less of a safety risk - though I'd insist on control over install location and vendor-pushed updates. Until I see both of those, I'd avoid it like the plague.

Have you been to the "Engineering Windows 7" and "IE Team" blogs?

Chris Quirke said...

Sorry, Dan; I didn't mention Firefox 3... I like, but it doesn't seem that different to earlier Firefox versions, which I've also liked and used.

On Vista, Firefox is clueful enough to use Vista's "Downloads" shell folder as default download destination - but in XP, it's as dumb as Chrome and Safari, duhfaulting to "Desktop" instead.

It's strange how no-one's pointing fingers at Firefox about what is usually presented as a "carpet bombing" risk (but is actually a more significant user- and OS-spoofing code-execution risk).

Maybe that's because Firefox isn't as easy to push into clickless site-initiated downloads?

I can't take Google Chrome's claims to "sandboxing" seriously, if it allows sites to clicklessly-automate any sort of download outside the sandbox. Now *that* is a "clear and present danger".


One aspect to these sort of "by design" exploit opportunities, is that it improcves plausible denialbility for malware vendors.

Exploiting code behaviour that is documented to be unwanted, and patched by the vendor, should be seen as proof of malicious intent.

But if the vendor merely "uses the system as designed", it's harder to prove malicious intent - the implication being that their behavior must be within acceptable norms if the OS was designed to facilitate it.

That's one reason why I get so angry, when OS design is cluelessly unsafe - not only are they exposing our systems, but setting new nadirs in acceptable vendor-victim relations.

Dan W. said...

Hi, Chris.

Sorry about not separating paragraphs but I get on a thought process and just keep going.

Yes, I have briefly checked out the blogs on Internet Explorer 8. I am trying IE 8 beta 2 now and I do enjoy it. I still use Mozilla Firefox 2.x as my primary browser. I have not tried Google's Chrome browser yet.

Will Windows 7 be lacking a maintenance operating system like Windows 98 Second Edition has in Disk Operating System?

Chris Quirke said...

Hi, Dan!

Being cynical, I'd say yes, Windows 7 is likely to be under-serviced in terms of a maintenance OS.

I still don't see a product group that corresponds to a mOS team; the WinPE team may still be driven by narrow OEM and pro-IT deployment roles, and the WinRE team blog hasn't had new content for ages.

The problem (as always) is that we will lose functionality through compatibility-breaking, faster than this is replaced and enhanced.

That breaks the ability of 3rd-party solutions (such as Bart) to bridge the gap. On paper, Vista has a better mOS in WinPE than XP has in the laughable Recovery Console, but once you factor in Bart, Vista loses transparent registry redirection and is thus worse off than XP.

In Windows 7, if we were to see failure to support FATxx (at least for HD volumes), we'd lose a lot of data survivability and recoverability right there. If NTFS is tweaked beyond XP (and thus Bart) compatibility, the door on formal malware management would be closed, too.

Finally, there's the bogey of unacceptable distribution and licensing. MS Office 2007 is already there, due to the "no disks" nonsense, and I've already responded to that at the business level. In place of monthly MS Office sales, I've sold around 2 copies of MS Office 2007 in 2 years.

In the land of large OEMs, Vista's already shipping as "no disks" product, and I've responded by providing 3rd-party OS partition backup images as the recovery source.

If this "no disks" stuff is driven into small OEMs, i.e. my own PC builds, I may abandon Windows for Ubuntu, rather than put myself at risk by breaking MS's licensing terms to provide recoverability.

I'm already routinely building dual Vista + Ubuntu systems, building Ubuntu skills on the way, and have built my first Ubuntu-only PC this week... so I'm reasonably well-positioned to abandon Windows if Windows 7 comes with too many strings attached.

What with the economic meltdown, we may find folks' tolerance for BS is falling... less blind brand loyalty, less willingness to pay unneccessary price premiums out of laziness, etc. Could be a bad time to try on additional vendor-centric user-gouging; the market could be ready to kick back, as it did against IBM's PS/2 PCs.