Microsoft Manager Says It Considered Banning Vista Virtualization

In a story for the Associated Press carried on many online news services this afternoon, one of the directors of Microsoft’s Windows Client Product Planning team appears to make a curious and perhaps astounding statement. Scott Woodgate is quoted as saying that a Black Hat security conference demonstration last August, where virtualization functions were exploited to plant an active rootkit onto a beta of the Windows Vista kernel, scared Microsoft to the point where the company seriously considered removing virtualization capability from Vista entirely.

Ostensibly, the AP article was about Microsoft’s decision to ban Home Basic and Home Premium editions of Vista from serving as guest operating systems in virtualization engines. This was a recent discovery for Macintosh users, though it was public knowledge for Vista users since last July, when Woodgate himself made the announcement.

“We also announced the first of our licensing changes to internalize virtualization into Windows Vista,” read an announcement on his personal blog. “Specifically customers who buy first software assurance and then deploy either Vista Enterprise or Ultimate can install 4 copies of the OS in a VM in addition to the copy on the physical machine for the cost of one license…Download VPC, create up to 4 VMs for various previously incompatible applications and get going.”

By implication, only the business editions of Vista were engineered to include virtualization, and among Vista testers, this was generally understood. However, it became a new discovery to Mac OS X users who attempted to load home editions of Vista into Boot Camp and other virtual environments. The story was run by many services with the subheading, “The puzzling story of why Microsoft prevents some users from upgrading to Vista.”

Virtualizing an OS as a guest, as many software architects will tell you, is not an upgrade of the host system; and many Macintosh users will certainly agree that the ability to virtualize or host Vista does not constitute an upgrade to OS X.

That fact aside, the curious puzzle remains as to whether Microsoft actively considered cancelling Vista virtualization so close to the operating system’s release, and with the Virtual PC 2007 project – an upgrade to Virtual PC 2004 specifically to enable hosting Vista – already well underway. BetaNews has approached Microsoft for further comment, and we’re told it may be forthcoming.

Last June, security researcher Joanna Rutkowska announced she was working on a personal project to create undetectable malware that exploited only publicly known computer functions rather than stealth. She called this project “Blue Pill.”

“The idea behind Blue Pill is simple,” Rutkowska wrote for her blog last June. “Your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices, like graphics card, are fully accessible to the operating system, which is now executing inside virtual machine.”

Reports from the conference the following August state that Microsoft’s then-general manager for security Ben Fathi was present for Rutkowska’s presentation, which he watched intently. Fathi later told eWeek that her demonstration was successful merely because she was using a beta kernel, and that the exploit vector she chose had already been fixed in a later build. Indeed, as testers will recall, Vista virtualization was addressed in several builds between the public Vista Beta 2 and the final release candidate.

Fathi discussed Vista beta kernel patching for security holes in an interview with InfoWorld last September. “Creating guest operating systems that sit on top of hypervisors allow us to create better isolation mechanisms,” Fathi stated then, “so that even if malware comes in, it only affects one subset of the machine and not everything else.”

Last October, Fathi was moved to a leadership position within Microsoft’s Core Operating Systems division, but by that time, the finalization of Vista’s business editions was already, and release to manufacturing was but a few weeks away.

If management teams and executives at Microsoft had actually considered removing virtualization from Vista altogether, sometime within the 12-week period between having witnessed Rutkowska’s demonstration in August and releasing Vista’s business editions to manufacturing, it’s difficult at present to pinpoint when that consideration was made, or for how long.


7:45 pm ET February 23, 2007 – Late Friday, a Microsoft spokesperson provided to BetaNews an extensive defense of why virtualization functionality was omitted from home editions of Vista, although the company would not address the question of whether Microsoft – as Scott Woodgate told the AP – considered tossing out all virtualization from Vista after having seen a rootkit demonstration in August. Here is Microsoft’s statement in full:

For production machines and everyday usage, virtualization is a fairly new technology, and one that we think is not yet mature enough from a security perspective for broad consumer adoption. Today, customers using virtualization technology with Windows are primarily business customers addressing application compatibility needs or technology enthusiasts.

For that reason, Windows Vista Home Basic and Windows Vista Home Premium cannot be installed in any virtual machine technology, but Windows Vista Business and Windows Vista Ultimate can. This is regardless of the virtualization stack, applying equally to use with Microsoft’s virtualization technology, Virtual PC, and third-party virtualization technology.

Each virtual installation of Windows requires a new license just as it did for Windows XP except for Windows Vista Enterprise Edition which includes four installations in a virtual machine as part of a single license. Microsoft is committed to working with the hardware and software industry to improve the security of virtualization technologies moving forward with new hardware and software innovations.

Microsoft made statements indicating it would refrain from adopting virtualization functionality with the next version of its operating system as early as Spring 2005.

Super Size Patch Tuesday No Valentine

Just one day before Valentine’s Day, Microsoft plans to release twelve patches fixing a variety of issues in Windows, Office, Visual Studio, and several other applications. At least five of these patches will be rated “critical.”

There could be an easy explanation for the unusually large size of Patch Tuesday this month. Four patches slated for release last month were dropped at the last hour, including a Windows-Visual Studio update that was listed in the advance notification but never appeared.

If all patches were delivered as expected, it would tie a record for most patches issued in a single month. The last time Microsoft issued this many patches was in August 2006, when ten patches fixed Windows issues, and another two fixed Office problems.

It is fairly likely that one of the Office updates will fix holes now being exploited by a range of zero-day attacks, most of which have appeared since December of last year. At least four unpatched issues exist, according to security researchers.

However, not all of them would be fixed, unless they are bundled into a single patch – only two fixes for Office are due, of which the highest rating would be “critical,” and another for both Windows and Office, which has been rated “important.”

Most of the patches will come for Windows – five in total – with at least one being rated “critical.” It is possible that the first confirmed flaw in Windows Vista could be fixed, which involves a memory buffer issue in the Win32 library.

BetaNews tests have shown the issue to also affect XP and older versions of Windows.

Of the rest of the patches, one each is expected for the following: an important patch for Windows and Visual Studio; an important patch for Step-by-Step Interactive Training; a critical patch for Microsoft Data Access Components; and a critical patch concerning the company’s OneCare, Antigen, Windows Defender, and Forefront security tools.

As is standard practice, Microsoft has not released any details of the issues to be fixed by Tuesday’s release.


Microsoft Acknowledges Anti-Virus Failed VB100 Test

A Microsoft spokesperson confirmed to BetaNews this afternoon that it has learned its Windows Live OneCare anti-virus package has failed a test conducted by the respected British laboratory Virus Bulletin, disqualifying it from carrying the “VB100” logo denoting 100% detection of a selected battery of common “in the wild” viruses.

Screen Gallery: When is a firewall not a firewall? When it’s Vista’s built-in firewall

Whereas one job of a personal firewall is to block potentially malicious inbound connections to your machine, another is to block potentially malicious outbound connections. For example, if some malware does find its way onto your system and then it attempts to “phone home” with whatever sensitive data it may have found, a good personal firewall should stop most outbound communications dead in their tracks until the end-user explicitly allows it (one problem with such conditional blocking is that end-users are rarely presented with enough information on which to base a decision).

An old theme with the personal firewall that Microsoft offered for Windows XP (Service Pack 2) is how it was pretty useless given the way it only offered inbound blocking. In fact, back when that firewall first came out, I pointed out how it was worse than having no firewall at all. With no firewall, at least you know you have no firewall. But, with a firewall that doesn’t work, you’re led into having a false sense of security.

So, while Microsoft’s anemic firewalls are an old theme, you’d think the problem would have been corrected in Microsoft’s Windows Vista. According to CNET’s Robert Vamosi, perhaps you should think again. Writes Vamosi:

In Windows Vista, Microsoft says its new Windows Firewall is now two-way, that it adds outbound protection, but a closer look reveals that this is more deceptive marketing spin. With Windows Vista what you get turns out to be a half-cocked firewall that’s hardly worth the upgrade.

Vamosi goes on to describe how Vista’s personal firewall has the blocking and tackling of outbound connections backwards.

With most personal firewalls (and network firewalls), an outbound connection is only allowed when the firewall has been programmed with a rule that allows it. That’s good. From the moment such a firewall is installed, nothing is allowed until a user (or network administrator) says it’s allowed. The first time after most personal firewalls are installed, those firewalls present users with a rules wizard each time an application on their PC tries to connect to the Internet. In most cases, the wizard makes it pretty easy for users to make one of four choices:

  • Block the type of outbound communication (specific application accessing a specific network port) this time.
  • Block the type of outbound communication permanently.
  • Allow the type of outbound communication this time.
  • Allow it permanently

But, with Windows Vista’s firewall, it works the other way around. All outbound communications are allowed permanently until a rule has been created to explicitly block it. Despite Vamosi having routinely voiced his concerns about Vista’s firewall before Vista shipped, Microsoft moved forward with what he believes to be a “half-cocked” design anyway. According to Vamosi, Microsoft’s explanation for its decision has been that having to walk through the many wizard-driven pop-ups that would occur shortly after the first time Vista gets installed would be a poor out-of-the-box experience and that users would become de-sensitized to the prompts. Vamosi disagrees and so do I. Outbound blocking that, out of the box, blocks nothing until an end-user or network administrator takes explicit and deliberate steps to block it is not outbound blocking in any meaningful sense.

But it gets worse.

Vamosi goes on to note the difficulty in taking those deliberate steps, and to validate his findings, I tried it myself and created an image gallery so you can trace my steps. But first, here’s what Vamosi said:

Writing exceptions is fine, except if you are a solo home user with no idea what to block or even how to block it. Home users of Windows Vista are again paying the price for having a stripped-down operating system designed for a corporate enterprise running on their PC. Unless you are an IT administrator, unless you know where to look, you’re unlikely to tweak the advanced firewall settings.

And, as you will see from my image gallery, adding outbound blocking rules to Vista’s personal firewall couldn’t be more unintuitive, even for experienced users. For starters, after I installed Firefox, nothing stopped it from accessing the Web (confirming that applications are, by default, allowed outbound access). Looking to disallow Firefox from accessing the Internet, I clicked on what, to me, was the most obvious thing to click on in order to engage the “block”: a link in Vista’s Control Panel that says “Allow a program through the Windows Firewall” that appears under some big bold text that says “Windows Firewall.” Seems obvious enough, right? But, as you will see from the various firewall configuration dialogs I encountered, not only won’t intuition get you anywhere, the dialogs are actually counter-intuitive. For example, when one goes down this rather obvious path to configure the firewall, there is no context whatsoever when it comes to distinguishing between inbound and outbound blocking. Vista users can expect to encounter advanced terminology like “exceptions” and “ports,” which is doubly confusing because of the following explanation:

Exceptions control how programs communicate through Windows Firewall. Add a program or port exception to allow communications through the firewall.

First, as I just mentioned, it makes no reference to inbound or outbound blocking. But just the fact that it says “programs communicate through Windows Firewall” sounds “outbound” to me. It doesn’t say “how remote computers and sites communicate through Windows Firewall.”

So, in contrast to what Vamosi says, it sounds like in order for an application to communicate through Vista’s firewall, it has to be added to the list of programs and explicitly “allowed.” How else would you interpret the above language? But, as I already told you, within seconds of installing Firefox, it was given carte blanche access to the Internet, thus disproving my interpretation. My first assumption was that maybe the text has it backwards; perhaps this exceptions list works the other way around and anything that’s on it is blocked from communicating. But adding Firefox to the list had no impact. So then, what is this list for? Thinking I might be able to get my answer by studying a single entry on the exceptions list a little more closely, I went back to the exceptions list (which is pre-programmed with a bunch of stuff I don’t recognize), single-clicked on the only item that was checked (Core Networking), and clicked the “Properties” button, which yielded the following graphic:

As you can see it has a link that says “How do I view and edit all properties?” Eureka! I thought. That’s where I’ll get to see how the Windows Firewall is configured to block either in or outbound communications with the Core Networking component.

Sadly, as you will see from my image gallery, I was taken to a list of Frequently Asked Questions and, even worse, none of them were the question I clicked on. But, while I was there, one of the FAQ questions seemed to address the confounding language in the UI that I encountered earlier. It asked “What does allowing a program through the firewall mean?” I clicked it and here’s what it said:

Allowing a program through the firewall, sometimes called unblocking, is when you create an exception to enable a particular program to send information back and forth through the firewall [DB’s note: There it is! Back and forth! So, is this both in and outbound?] You can also allow a program through the firewall by opening one or more ports.

Unfortunately, as my little test with Firefox revealed, this FAQ answer is pretty much useless.

As it turns out, there is a way to configure outbound blocking in Vista’s firewall. If you go to Control Panel > System and Maintenance > Administrative Tools > Windows Firewall with Advanced Security, you will see Vista’s current lists of inbound and outbound rules (see graphic below; sorry about the text pixelation, which often happens when resizing graphics).

Added bonus for me: the Firefox rule that I created earlier appeared on the inbound list. So now we know what that’s for! But, there are still three major problems. First, the one Vamosi alluded to in the first place. Applications should be blocked by default. Second, when accessing the primary UI for Vista’s firewall, it is there that users should have very wizard-driven access to both in and outbound rules (or, at the very least, a fast link to get to the rule authoring tool over in Control Panel’s admin area). Third, the rule authoring interface is really for rocket scientists. For example, when I went to browse for an application to block, it started me in the System32 directory instead of just giving me a list of applications. Then, where I should have had the opportunity to block specific domains (something any firewall should be able to do in its sleep), I was only allowed to key in IP addresses.
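For readers who want the default-deny outbound policy the post argues for without wading through the dialogs described above, the following script is an added example, not something from the ZDNet post, Vamosi’s article or Microsoft’s documentation. It uses the netsh advfirewall command-line interface that Windows Firewall with Advanced Security exposes on Vista. The Firefox install path and the blocked address are assumed placeholders; it must be run from an elevated (Administrator) command prompt.

```batch
@echo off
rem Added example (not from the post or from Microsoft): switch Vista's firewall
rem from "allow everything outbound" to "block outbound unless a rule allows it",
rem then add the explicit allow rule a home user needs for the browser.
rem Placeholder values: the Firefox path and the 192.0.2.10 address are assumed.

rem 1. Back up the current policy first so the change can be reverted.
netsh advfirewall export "%USERPROFILE%\firewall-before-outbound-block.wfw"

rem 2. Make outbound default-deny on every profile (domain, private, public).
rem    Inbound was already default-deny; this line restates it explicitly.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 3. Now that nothing is allowed out by default, allow the browser by program
rem    path (assumed install location; adjust to the machine).
netsh advfirewall firewall add rule name="Allow Firefox outbound" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes profile=any

rem 4. A block rule keyed on a remote address, which is all the Vista UI offers
rem    (no domain names). 192.0.2.10 is a documentation-range placeholder.
netsh advfirewall firewall add rule name="Block placeholder address" dir=out action=block remoteip=192.0.2.10 enable=yes

rem 5. Verify: the policy line should read BlockInbound,BlockOutbound and the
rem    new rules should be listed as enabled in the outbound direction.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Allow Firefox outbound"
netsh advfirewall firewall show rule name="Block placeholder address"

rem To revert everything in one step:
rem   netsh advfirewall import "%USERPROFILE%\firewall-before-outbound-block.wfw"
```

Before running step 2 on a machine you depend on, list the existing outbound rules with `netsh advfirewall firewall show rule name=all dir=out` and confirm the predefined “Core Networking” rules (DNS, DHCP) are enabled, otherwise name resolution stops as soon as the default flips. Expect to add allow rules for any other program or service that must reach the network, and re-run step 5 after each change to confirm the rule landed in the outbound list rather than the inbound one, which is exactly the mistake the Control Panel path led to above.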

So, the bottom line is that once again (actually, nothing has changed), the Windows Firewall is actually worse than having no firewall at all since (a) its presence leads you to believe that your computer is protected by a firewall when it really isn’t (a false sense of security), (b) the system offers nothing in the way of a suggestion that encourages users to establish outbound rules, and (c) it is nearly impossible for mortals — the majority of Windows users — to configure.

It would behoove Microsoft to follow Vamosi’s advice on this by doing three things. First, engage outbound blocking by default. Second, when, through its “blocked by default” policy, a dialog box asks the user what Windows should do next, make sure it’s dirt simple. Third, as a part of that dirt simplicity, allow inbound blocking by not just IP address, but by domain or subdomain as well. For example, every time a Web page (including some of ZDNet’s) pulls content in from the amch.questionmarket.com subdomain (as opposed to just questionmarket.com), my browser has to think about it for well over a minute before the page finally loads, if it loads at all. The problem has me wishing that, by configuring my firewall to block certain domains, my browser would simply overlook those domains when it hits Web pages that call upon them. Microsoft will get bonus points for adding right-click firewall rule programming from Internet Explorer.


Process Scanner from Process Library

It’s happened to all of us at some time or another; our computer starts to act up, operate slowly, or exhibit some other sort of suspicious behavior. Since we’re all chronic downloaders, we know there’s a very good chance that some nefarious process is running on our machine that we’d rather wasn’t.

In the past, this meant using a process explorer like the built-in Windows Task Manager or a better 3rd party option, and ferreting out process names that we don’t recognize. Personally, I’d then simply punch the process name into Google, and check out the first few sites that came up – usually this would be enough to give me a good idea of what I was dealing with. But thankfully, I won’t have to do that manual process any longer.

Probably the best known site for doing Windows process name lookups is Process Library. Thankfully, Process Library now offers a little utility called Process Scanner that you can download to your machine, run, and get a report back on all of the processes that are currently active on your system, and their likely security threat level and performance impact level.

It took me literally less than 2 minutes to download, install and scan my system with Process Scanner. Thankfully, I didn’t find anything to be worried about. But I’ll keep it in my hip pocket as yet another great free security tool.


Second zero-day flaw found in Word

A second security vulnerability has been discovered in Microsoft Word in less than a week.

The zero-day flaw, which could let an attacker gain remote access to a person’s system, affects Word 2000, Word 2002, Word 2003 and Word Viewer 2003, according to a Microsoft security advisory posted Sunday night. Word 2007 is not affected, Microsoft said.

“From the initial reports and investigation, we can confirm that the vulnerability is being exploited on a very, very limited and targeted basis,” Microsoft stated in its advisory.

Nonetheless, security provider Secunia said Monday that it is rating this latest Word security flaw as “extremely critical” because it is unpatched and because malicious attackers are currently exploiting the vulnerability.

In this case, attackers are taking advantage of a flaw that arises when an unspecified error occurs when processing a Word document, Secunia said in its advisory.

Microsoft noted that the vulnerability is different from the security flaw discovered in Word last week, which also is a zero-day problem. In order to activate that flaw, a person would need to open a malicious Word file that was hosted on a Web site or an attachment that arrives via e-mail.

The software giant is not expected to have patches available for the flaws when it issues its monthly round of security updates Tuesday.

Six Patches Coming on Patch Tuesday

Microsoft will issue six security patches next Tuesday, of which at least two will have a rating of critical. Missing from this list is a patch for a recently discovered zero-day flaw in Word: no updates are scheduled for the Office suite.

All of the patches except one will fix various issues for the Windows operating system, with one of those being critical. The sixth will be a critical patch for users of Microsoft’s Visual Studio programming application.

While Microsoft never discloses the nature of the patches in order to protect users, sometimes past disclosures of vulnerabilities can give clues to the company’s moves. For example, the Visual Studio flaw may deal with an exploit first disclosed in early November.

That vulnerability apparently put users at a possible risk for remote code execution, say experts.

Left unpatched is a zero-day exploit for Word 2003 and earlier versions. Earlier this week, the US-CERT team from the Dept. of Homeland Security warned that a previous patch seemed to be ineffective against a “malformed string vulnerability” within those applications.

Microsoft said that it was working on correcting the new vulnerability, but apparently the new exploit had been disclosed late enough that the company was not able to issue a patch in time for next Tuesday. It would not be out of the ordinary, however, for the company to release an out-of-cycle patch.

In addition to the security update, Microsoft also plans to issue an updated version of the Microsoft Windows Malicious Software Removal Tool.

Besides the security updates, Patch Tuesday will be quite busy on the non-security patch front. Four high-priority updates will be released through Windows Update, with 10 coming through Microsoft Update, the company said in its monthly advisory.
