Hi Devin & Susan;

It's been a while, I hope both of you are doing well :) At the risk of being flamed merely for my professional affiliation I'm going to jump into the fray...

Some people are misusing security-related language. It's not feasible to objectively measure the degree of security between applications. You can compare the number of vulnerabilities reported, but if there are 10 researchers digging into Firefox and 1,000 digging into IE of course more flaws will be discovered in the latter. IE is a lot easier to deploy and manage in an enterprise due to Group Policy and the IEAK, one could argue that that fact alone makes it much easier to reduce the risk of users getting exploited due to loose security settings.

What people have been talking about in this thread is the fact that IE users are impacted by more malicious attacks than other browsers. The underlying causes for that have been argued ad nauseam on this mailing list, /., and many other places; I don't see much point in pursuing that ;)

I agree with Susan that logging into Windows without administrator privileges is doable today, especially for well-managed networks. We have many customers who have done this, some who have done this for many years. It will be a lot easier with Vista, but it's not overwhelmingly difficult for most organizations today if you plan ahead and properly test your applications. It only becomes impossible on networks with thousands of applications, but organizations with that many unique apps deployed tend to not have any kind of centralized management going. They'll have to get a handle on managing their huge network and their painfully long list of apps before they could migrate to LUA. By the way, most of the LUA bugs we've been seeing over the last year or two have been from home-grown apps, not COTS.

Devin, you compare the level of awareness about LUA in the Windows community with that in the Linux and Unix communities.
It's not a reasonable comparison to make because the percentage of users who are not computer professionals in the Linux and Unix communities is minuscule whereas the vast majority of Windows users know far less about computers than the folks on this list. Last time I checked Linux that was being marketed to home users was configured to log on as root by default too.

Devin, you switched the discussion to home users. It's quite easy if there's one person who knows how to manage machines, for example my wife has never had admin privileges. She clicks on every link she ever sees in a browser or email and yet she's never had spyware. She can do what she needs to on her PC, and asks me to install ActiveX controls or other software. I agree that LUA in the current versions of Windows isn't really feasible for more typical consumers though, they can't really understand the concepts of privilege levels, switching contexts, or when it's appropriate to escalate privileges and approve software installs. Vista will make much of this very easy, but unfortunately users are still going to make bad security decisions and install the dancing pigs screensaver bundled with the rootkit and keystroke logger. Technology can only do so much, users who make bad decisions will be exploited regardless of what browser (or email client, or P2P app, etc) they are using.

Regards,
Kurt

-----Original Message-----
From: Devin Ganger [mailto:[EMAIL PROTECTED]
Sent: Monday, April 03, 2006 12:53 PM
To: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Cc: [email protected]
Subject: RE: New IE flaw and exploit sites/migration to non-MS browser

At Saturday, April 01, 2006 6:47 PM, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> IE version 1 .. and what was the threat model at that time? Folks on
> 9600 baud modems and the Melissa virus?

Irrelevant. The point is that IE *at that time* was less secure than its competition, running under the same threat model.

> Any current Microsoft product with the XP logo has to run as LUA these
> days.

Yes, I know that. But there is lots of software out there that doesn't have that little logo, yet users need to run it. And while we're at it, that little logo is no guarantee that the software is more secure or well-written. Let's not make the mistake of thinking that "able and willing to pay the fee to buy the logo" = "qualitatively better software" because it isn't true.

> No...the vendor needs to code appropriately. This isn't 1998 and
> we're running modern software.

While I absolutely agree with that, you've missed my point.

The UNIX world for years has gotten the concept of making the user create at least one non-admin account during installation, so that root can be used just for the things that access is needed for. And yes, there are plenty of people even today who run their day-to-day sessions as root. (I shudder at the mere thought of running KDE or GNOME as root.) And yes, there are bone-headed coders out there who write UNIX software that can really only be run as root, but they are a lot fewer than the ones on Windows -- and the user community is quick to point out what a bad practice that is and give the developer a well-deserved roasting.

Why is that? Why is it okay for Windows XP to create the first user and give it admin privileges? It's not okay. This is a flaw in the Windows default installation for workstations that has been floating around ever since Windows NT 3.1. The criticism has been voiced for a long time. Microsoft employees have vocally wondered the same thing for years. (Note that XP doesn't do that if you join it to a domain during the installation, so someone clearly gets that creating new users as admins is inappropriate in *some* contexts.)

> The "it's too hard" won't cut it anymore.

I wasn't saying that. You asked a question -- is IE more insecure than other browsers, or is it how securely users are running their workstation. The answer is "both."
Users are running more insecurely (because even today, they are *encouraged to do so by the operating system*) AND IE is less secure than other browsers.

> Yell at the vendor..and I'm
> not talking Microsoft here... google on LUA instructions (there's many
> community resources starting out there) and most of the time... if I
> don't tell the user in my office they don't have admin rights... they
> don't know they don't have them anymore.

Yes, there's a lot of guidance on LUA *NOW*. That wasn't the case when XP rolled out. Microsoft sure hadn't yet gotten the LUA bug at that time. And things that you and I find obvious because we're in the business of knowing them *aren't* obvious to everyone. They definitely aren't obvious to the average home user who got XP pre-loaded on their computer, walked through the installation steps where they put in their name and XP created their admin-enabled account for them, and started using their new software insecurely *by default*.

Can Windows be run securely under LUA? You and I both know it can, and we both know the tools and resources to do it. How many of those tools and resources that we need to figure out which rights a given piece of software needs in order to run as a non-admin user actually come with Windows? How many of them come from Microsoft? Why wasn't LUA enforced back in 2000 when RunAs was introduced with the OS, instead of waiting years later for Vista? Why is it okay to expect our users to become security experts in order to protect themselves, instead of expecting the default install of the OS to make them as secure as possible by default even when they're installing stand-alone machines?

Can IE be secured so that folks can use its features and still not be at a high level of risk? Absolutely. Is it that way by default? No, not on the workstation-grade versions of Windows.

--
Devin L. Ganger                Email: [EMAIL PROTECTED]
3Sharp LLC                     Phone: 425.882.1032 x 109
15311 NE 90th Street           Cell: 425.239.2575
Redmond, WA 98052              Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
