Virus Issue 2

[CB]

Andre Truter wrote:
> 
> 
> But I still think that the design of certain parts of Windows is just
> opening up doors for virus writers, etc.
> You can use VB to write a program that can do anything on a system by
> using ActiveX controls and OCX components.

Two points here: firstly, you can only 'do anything' if the host process 
is running as Administrator. That's the big problem. So the golden rule 
for running Windows should be to only use Administrator when absolutely 
needed; just as per root with Linux. MS *has*, I completely admit, 
encouraged default use of Administrator for ordinary users. But it's not 
necessary; bad policy rather than bad design.

Secondly, I don't think ActiveX components running with IE as host 
(which is really where the problem lies rather than with ActiveX as 
such) is part of the 'design' of Windows either. It's a bit of 
smoke-and-mirrors designed to embrace and extend web browsing. It's 
incredibly stupid, and probably immoral, for sure.

> 
> Linux has been designed to not allow stuff like that.  The application
> needs to be run as root to have access to any system resources, except
> if there is an exploit but in Windows you don't even need an exploit
> to do this.
> 

I'm not sure I follow this -- in Windows (as long as permissions and 
user privileges are set up correctly, which pre-Windows 2003 they were 
not) Administrator is necessary to have access crucial system resources, 
similarly to root with linux.

Actually Windows has quite a fine-grained security system for access to 
all resources. It is probably a bit too complex for a typical windows 
administrator to really handle, and the default set up has in the past 
(before 2003) been crap, but it is quite capable of being run securely 
in the hands of someone competent.

> 
> I am not out to just bash Windows, I am just trying to explain why I
> think viruses has been running wild on Windows, but on no other
> operating system.

I think the reasons are really: (1) promiscuous use of RPC (most of the 
early worms used this as primary transmission mechanism). (2) promotion 
of irresponsible OS configuration defaults by MS (god only knows why 
they haven't been sued over this) (3) Casual, over-hasty introduction of 
client technologies designed to give Windows an *appearance* of fancier 
features than other OS's, especially for 'commodity apps' (eg. email - 
Outlook Express -- and web browsing -- IE).

Without these three 'features', I believe viruses & worms would not have 
been the issue they have been. I know there are also things affecting 
services (esp. buffer overruns), but the mass of problems has been on 
the client.

Note that I'm not defending MS here. All three issues were foreseeable, 
and are MS's fault. I am defending the engineers who built the OS 
fundamentals though.

> Hopefully MS will really put an effort into security with Longhorn, as
> all thier previus attempts has proven to be futile.
> Or am I wrong here?

Their efforts have been ridiculously incremental and slow in coming, but 
not quite futile. Windows server 2003 is by default much more secure 
than 2000 was. MS really missed the boat with XP though. The problems 
were well-known by then, but they did hardly anything about them. I 
guess they knew that they needed to get a real consumer OS out of the 
door because everyone was getting so mightily pissed off with the Win 
'95 family. They also knew that if they got the security wrong Joe 
Consumer wouldn't have the money to sue them, so they thought they'd 
just be able to fix the default security config stuff later.