Fixing Security in Windows
It's no secret that Windows has security holes so large you can drive a truck through them. My last article analyzed the difficulty Microsoft faces with Vista in winning acceptance of an improved security model. But this of course begs the question, what can Microsoft do to make a more secure computing environment for us all? Even if Microsoft is one of the most profitable companies run by the richest man in the world, I hope they can take a little constructive criticism.
A New Software Installation Model
Perhaps the largest threat to the security of our PCs is rogue software being installed without our knowledge. In the '90s, it started with viruses, and the problem has now morphed into the spyware and adware epidemic, and recently a new wave of botnets. (Botnets allow a single rogue computer criminal to control a group of PCs that inadvertently install its nefarious software.) Underlying all of these security issues is the same problem—software that installs without the user's knowledge and permission.
The reality is that rather than plug this huge security hole, Microsoft has been doing the opposite. Throughout most of the 1990s, Microsoft was making it easier to install software without much user effort at all, which led to installations without the user's knowledge. Why? In the name of ease of use. The reasoning is that if the user doesn't need to know when or how to install software, the computer will be easier to use. Although this is true, those gains in user simplicity are insufficient to offset the security problems created in our PCs and the Internet as a whole. The reality is that our computers are less secure now than 10 years ago, thanks to our buddies in Redmond.
License agreements are critical events in a PC's life, but Windows treats them like a typical dialog box.
Installing software is an important event; it can significantly change the behavior, security, and reliability of your PC. Almost all software has some sort of license agreement associated with it. Although we all know that no one reads these agreements, some American judges have found that the license agreements are enforceable. So here is my question to Microsoft and Mr. Gates: If you agree that installing software is an important event, and license dialogs are binding legal agreements, shouldn't our computers help us manage these important events?
Windows ought to be recording all important information related to a software installation. Each installation event should be recorded in a small database. The information should include the date the software was installed, a copy of the license agreement, the user who agreed to the license, the version of the software, and so on.
Closing the Hole
Imagine if Vista could recognize when a software program is being installed, and more importantly when a license dialog is being shown. Vista could ensure that only users over 18 years old could enter into the license agreement. This would put an end to spyware companies targeting kids in order to get their payload on a parent's PC.
Once software installation becomes a recognizable event, we can write software to help users in making decisions about whether to install. For example, if a user had a license agreement in front of them, a software program could scan the license text and warn the user that the license agreement has the words "advertising" and "popup" in it. Programs like EULALyzer can do something like this today, but only if the user downloads and uses the software each time they install software.
But of course the biggest benefit is that it will allow us to lock down our PCs. We would be able to specify that only programs that have legitimate Add/Remove entries are allowed to run on our PCs. We would be able to tell Windows that if a valid license agreement is not accepted, then I don't want it running on my PC. Once Windows is storing our legitimate software in a database, Windows should block any and all non-authorized, non-registered software from running at all. This one step would eliminate spyware, viruses, keyloggers, and virtually anything else from being run on your PC without your knowledge. Wouldn't that be a breath of fresh air?
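A minimal sketch of the installation ledger, license keyword scan and run-time check proposed above. This is an added example, not code from the article or from Windows: identifying programs by SHA-256 hash, the table layout and all function names are assumptions, and the sample binaries and license texts are constructed.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone

WATCH_TERMS = ("advertising", "popup")  # the two words the article names

def open_ledger(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS installs (
        sha256 TEXT PRIMARY KEY,   -- assumption: binaries are identified by hash
        name TEXT, version TEXT, installed_at TEXT,
        accepted_by TEXT,          -- NULL means nobody agreed to the license
        license_text TEXT)""")
    return db

def flag_license(text):
    """Return the watch terms that occur in the license text."""
    lowered = text.lower()
    return [t for t in WATCH_TERMS if t in lowered]

def record_install(db, binary, name, version, license_text, accepted_by):
    """Store one installation event; returns the flagged license terms."""
    digest = hashlib.sha256(binary).hexdigest()
    db.execute("INSERT OR REPLACE INTO installs VALUES (?,?,?,?,?,?)",
               (digest, name, version,
                datetime.now(timezone.utc).isoformat(),
                accepted_by, license_text))
    db.commit()
    return flag_license(license_text)

def may_run(db, binary):
    """Allow execution only for a recorded binary whose license was accepted."""
    digest = hashlib.sha256(binary).hexdigest()
    row = db.execute("SELECT accepted_by FROM installs WHERE sha256 = ?",
                     (digest,)).fetchone()
    return row is not None and row[0] is not None

def demo():
    db = open_ledger()
    # Constructed byte strings stand in for real executables.
    editor = b"constructed bytes standing in for editor.exe"
    toolbar = b"constructed bytes standing in for toolbar.exe"
    dropper = b"constructed bytes standing in for an unrecorded program"
    record_install(db, editor, "Editor", "1.0", "Standard terms.", "alice")
    flags = record_install(db, toolbar, "Toolbar", "2.3",
                           "We may show Advertising in a popup window.", None)
    return flags, [may_run(db, b) for b in (editor, toolbar, dropper)]

if __name__ == "__main__":
    print(demo())
```

Because the ledger is keyed on a hash in this sketch, a recorded program whose bytes are later modified no longer matches its entry and is refused like any unrecorded program.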
Of course, it isn't so easy to do. Microsoft would have to ask all software developers to change the way software installs onto PCs. Moreover, it would take multiple years for it to happen. And Microsoft can't make this happen alone. Devious people and companies will still attempt to sneak software onto our PCs. However, at the very least, this change will force them to do it in the wide open. Then it would be easier for people like Eliot Spitzer, New York's aggressive attorney general, to prosecute these miscreants.
Several years ago, Bill Gates declared security would become Windows and Microsoft's #1 priority. I can just imagine Gates's daughter's Windows computer riddled with spyware. Even the richest man in the world is susceptible to their dirty spyware tricks, if they don't do something to plug Windows' glaring security issues.