Wednesday, February 01, 2006

Microsoft's OneCare Has Holes

Microsoft's OneCare service has holes.

Microsoft's OneCare (http://www.windowsonecare.com) is a beta service that attempts to be an encompassing security product/service to protect an end-user's PC. Among several things, it provides antivirus and firewall services and policy configuration.

Anyway, I have found the following issues with the service:

1. Any program using JVM can bypass any OneCare firewall restriction.

2. Any signed program will automatically bypass any firewall restriction.

Both of these issues are a concern to security people. Any blanket security bypass rule is a bad idea. It just invites malicious hackers and other malware goons to exploit it. These settings, if they hold past the beta period, are especially troubling in light of the success that spyware and adware vendors have been having. They already routinely use signed controls to install themselves onto users PCs, and certainly they will continue to use them to bypass this service.

Deny by default is a good rule of thumb. Allow by default never is. I applaud Microsoft trying to give consumers yet another way to protect their PCs, but blanket security bypass rules aren't part of the solution.

2 comments:

Anonymous said...

Microsoft's OneCare team has responded to the attestations previously made in this blog.

http://spaces.msn.com/windowsonecare

They confirm that any JVM program will be allowed outbound by default, but that you can turn off this default behavior. I had heard that the OneCare firewall applied to all Java programs, and not just JVM applets. I'll have to confirm.

The OneCare team also confirms that any program digitally signed by a certificate from a Microsoft Trusted Certificate Authority will be allowed past the firewall without interference, because "it is highly unusual for malware to be signed."

Mohiuddin said...

Thanks Roger for your comments.

This used to be the case, but now potentially unwanted programs (and spyware and adware) often digitally signed. Here's an article with more details on the subject.

http://www.revenews.com/wayneporter/archives/000477.html

I'm not sure I agree with their attestation that 95% of spyware is signed, but it certainly isn't highly unusual anymore.

Further, these same vendors will certainly start signing more of their code if OneCare's treatment becomes common.

To be fair to Microsoft, OneCare's outbound blocking mechanism can only occur after the victim already has allowed the program to be installed in the first place, and the current Windows Firewall has NO outbound blocking abilities at all. So, in the world of security issues, this whole topic isn't a raging story.

Still I'm bothered by OneCare's treatment of both of these program types.

In the same OneCare blog entry they say prompting users to make a decision about Java programs "would likely confuse" users. Can't this be said about any outbound program denial? Isn't a firewall supposed to "confuse" and alert the user so they can make a security value judgement.

I think the default for any firewall should be deny-by-default, allow-by exception. If not, what is the firewall really there for?

VCAP-DCA (VDCA550) - FINALLY NAILED IT

I feel proud to inform you that I have passed my VMware Certified Advanced Professional - Data Centre Design (VCAP-DCD) certification exam s...