You may have heard about the paper released at this week’s Black Hat conference, describing limitations in Windows’ memory protection schemes like ASLR, DEP, etc.  The paper is well-written, very detailed, and I’ve no reason to doubt that it’s pretty accurate.  Some points it makes are things that teams at Microsoft are already aware of and working to remedy (such as DEP not being enabled for IE, for example). 

But reading the paper made it very clear that the most exploitable targets these days aren’t even web browsers, they’re plug-ins like Flash and Java.  The article points out how the Java run-time (“JVM”) was made DEP-compatible with the ingenious change to make all of the memory it allocates be marked as executable.  So yeah, it works with DEP by making DEP irrelevant.  Hilarious.  And sad.

Flash is still not ASLR or DEP compatible.  We’re rapidly approaching two years from the release of Vista.  They’ve had way longer than that to prepare to take advantage of these very helpful security features.  Yet here we are in August 2008 and the most prevalent and successful browser add-ins do virtually nothing to ensure that they aren’t abused by attackers.

Now, to be fair, the attackers also mention .NET as a possible attack vector.  In fact, what they describe is pretty clever.  But that’s the thing, at least they had to be clever.  With Flash and Java they don’t, as those add-ins make no attempt to be secure.  And if you want to make a bet about which of those three (Flash, JVM, .NET) has its issues fixed first, I know where I’m putting my money.

As I read the initial details about Apple’s “Snow Leopard” release (ostensibly called OS X 10.6), I got to thinking… What do they mean that they’ve taken the focus away from new features?

From Apple.com:

Taking a break from adding new features, Snow Leopard — scheduled to ship in about a year — builds on Leopard’s enormous innovations by delivering a new generation of core software technologies that will streamline Mac OS X, enhance its performance, and set new standards for quality.

One word was striking to me, not for its presence, but for its absence.  That word is “security.”  A few years ago Microsoft was more or less caught with its pants down when it came to the wild world of the web.  But a couple years after Windows XP was released, Microsoft “got religion” on security and made some deep changes.  Those culminated in the release of XP SP2 – which consisted of a top-to-bottom review of the XP code and a major security-focused overhaul of its code.  It’s been said many times that certain high-level Windows execs thought XP SP2 should have been an entire OS release instead of a service pack.  That’s how big the changes were.  But who would ship a new OS with basically zero new features?  Well, now we know.

That has me wondering… why is Apple taking the focus off of new features for 10.6.  Especially when Leopard wasn’t exactly brimming with new hotness.  I think there are three reasons:

1) iPhone.  Jobs has shown a great ability to focus the entirety of Apple on a “north star” and drive toward it full-steam-ahead.  That’s what the iPhone is doing now, and to great effect.  However, this is not without cost.  Apple’s focus on the iPhone has left it with fewer resources to devote to other projects, particularly when it comes to software development.  Thus I have a feeling the crew working on OS X these days is a good deal smaller than the group that worked on Panther and Tiger.

2) Embedded devices.  Apple says they’re going to slim-down OS X in 10.6.  That makes sense, especially when you consider their affinity for flash-based devices.  If we’re going to see a Mac sub-tablet / super-sized iPhone device, this will be the OS for it.  It’s also likely a way to leverage some of those iPhone-focused resources in order to ship a version of OS X timed to counter Windows 7.

3) Security.  Apple’s PC marketshare is growing.  This is great for them, but only if they can hold onto it.  An onslaught of security nightmares, like those suffered by Windows XP a few years ago, would be disasterous.  They can’t afford to risk it.  Apple knows that they won’t be spared by attackers for much longer, not when their market is growing.  The untested nature of its software (untested by the “hacker” community) and its increasing prevalence on machines will make it a very tempting target soon enough.

So why is number 3 so important?  Because Apple can’t keep claiming that gaping holes in their software aren’t important.  They have an opportunity to have their XP SP2 without having their MS.Blaster / Code Red / Slasher / etc.  They can do something now to prevent malware from becoming as rampant on Macs as it was on Windows XP systems.  If they aren’t doing this, they’re being foolish, and they’ll get little sympathy from those who keep telling them to get their act together.

So how much time does Apple have left to figure this out?  I think not long.  Heck, the first shots may already have been fired.

Update: Apparently I misunderstood the timing of this e-mail, and it is actually from last year.  I’ve updated the post a bit to make that clearer and to be a little less harsh, since I don’t know that they’re still sending mails like this.  But the user is still having the same problem, and their web site still suggests the same solution, so it’s likely they are.  If you’ve received one like it, please let me know!

A Neowin forum member brought up what they believed was a conflict between UAC and Trend Micro Internet Security 2007.  After some discussion about it, they received this e-mail from Trend Micro’s support team:

Dear Lexonex,
Hello there! A pleasant day to you! My name is John from Consumer Escalation Team and I will be assisting you on this issue. To keep our records up-to-date, it is very important to RESPOND to this e-mail.

I have carefully read your email and have understood your concern.
Regarding Turning-off User Account Cotrol of WIndows Vista. This feature of Windows Vista is the same as the Suspicious Software Alarm System of Trend Micro Internet Security 2007. Turning-it off really does not harm your computer since you have this kind of feature working in your Trend Micro program. It even allows you not to have that annoying pop-up each time you install or open other programs.

Right-now we don’t have any information yet if there will be a patch for that problem since it’s really about WIndows Vista’s permissions on the programs running in your computer. It’s like Trend Micro not being allowed by Windows Vista to work normally. And for the feature to run, it’s either we turn-off User Account Control or set some exceptions for other programs in User Account Control which right-now; WIndows’ Vista does not give an option.

If ever a patch should be created for this problem, it should be a patch from Microsoft so they can allow valid programs to run normally when User Account Control is on.

But we are not closing our options and are still testing if there is a way that the whole Trend Micro program as a whole can be permitted by WIndows Vista to run normally.
I hope I have answered your inquiries clearly.
I will patiently wait for your reply.
Please let me know if I can close this case already.
VERY IMPORTANT: In order for me to have a history of our correspondence, please do not delete the subject and the contents of this email.
Hope this proves useful and have a nice day
Best Regards,
Consumer Support Team
TrendLabs HQ, Trend Micro Incorporated

Apr 12 2007, 04:12 AM

Did he really just say that?!?  Let’s count the problems with this message:

1. Turning off UAC has a substantial impact on your PC security.
2. Trend Micro’s “Suspicious Software Alarm” is nothing like UAC.  It doesn’t even have the same goal!  That feature, as its name implies, is about preventing malware from getting on your machine.  UAC has nothing to do with malware.
3. It’s impossible for a third-party application or service to do what UAC does.
4. He blames their crappy software design on Vista!  If their developers think this way, you should run as fast you possibly can away from Trend Micro.
5. Every other virus scanner developer has gotten along just fine with UAC.  You know, because they actually know how to write software. 
6. “Either we turn off UAC or set some exception” – you don’t set any exceptions!!! You show an elevation dialog.  Or you run as a service like everybody else.  If your virus scanner is running in user mode, you’ve already failed.

Update: Now it’s been nearly a year since that e-mail was sent.  Have they fixed the problem?  It doesn’t look like it.  They still tell you the same thing on their knowledge base site!

My advice?  Get OneCare, AVG, eTrust, or another offering.  Just make sure it’s from someone who understands security and software development.

That is, assuming they have UAC enabled and are using IE7.  On Windows Vista with UAC enabled, Internet Explorer runs in “Protected Mode” which successfully protects you from all known web-based attacks that use this vulnerability.  How does it do that?  Basically, “Protected Mode” runs IE in a “sandbox” of sorts, and doesn’t allow it to access anything but its own files and registry keys.  If an attacker can successfully inject code into your web browser, and the browser is running in Protected Mode (also known as the “low” UAC integrity level) – that code is prevented from doing any harm.

To all the UAC naysayers – this is certainly only the first of many examples proving its value (especially it’s use in IE’s Protected Mode).

Warning #2:  Microsoft does NOT endorse any practice that reduces or disables UAC functionality, and neither do I.  I do NOT use this mechanism on my own machines, and run all of them with UAC completely enabled. 

However, if you’re going to turn it off anyway, at least consider the following…

There are TWO ways to effectively disable UAC.  They are:

1. Hit the big master switch that disables UAC.  This runs every application with admin privileges and access to everything on your system.
2. Enable the “Elevate without prompting” option.  This means requests for elevation automatically succeed, no prompt.

So how is method #2 different?

• Applications will still run with non-Admin privileges unless they request them.
• Requests for elevation will succeed automatically.
• Filesystem and registry virtualization (ie. the “sandbox”) will still be enabled for applications running with low privileges.
• Protected Mode IE will still work

You can do it by running this reg file which won’t even require a reboot.  However, it WILL set off the Security Center alert just like completely disabling UAC.  If you had previously disabled UAC using the other method, you will have to re-enable it and reboot first.

So if you currently have UAC disabled, or are going to – try this instead.  No, it is not nearly as secure as the default setup.  Remember, any application requesting elevation will get it without telling you!  But it’s better than just running with everything elevated all the time. 

Is it a problem that users are often too willing to click Allow or Continue buttons without knowing the full consequences of their action?  Certainly.  Please don’t think I am contending otherwise.  However, consider the following scenario:

1. Joe User starts up his Windows Vista machine and logs into an Administrator account with UAC enabled.
2. Joe opens up Mail Program Express* – which automatically runs with reduced privileges because of UAC.
3. Joe clicks on a malicious HTML e-mail message that triggers a buffer overrun exploit against Mail Program Express, which executes some malicious code.  Perhaps this code includes instructions to delete important system files, muck with the registry, or access sensitive information about your computer or other users of the machine.
4. The attack against Mail Program Express succeeds, and the code is run – but the code fails to have any impact on the system because it is running in the context of Mail Program Express – which does not have Administrator privileges.

At no point during this example is a UAC dialog thrown. 

Could a more sophisticated attack cause an attempt at privilege escalation?  Depending on the nature of the attack, it’s possible.  But in such a case, the user would be presented with a UAC dialog completely out-of-the-blue.  It would probably be an unsigned app (scarier dialog), and the user would probably say no.

So what does this mean?  It means that UAC is a lot more than just another warning dialog.  Don’t turn it off.  It just might save you a lot of heartache one day.

* this could be any benign application you use daily, especially internet-connected ones like mail readers, web browsers, chat clients, etc.