Windows of Vulnerability No More?


By Stephen H. Wildstrom Every once in a while, Microsoft (MSFT) sweeps up all the bug fixes and patches that have accumulated for Windows or major software such as Office or Exchange Server and packages them as a service pack. But Windows XP Service Pack 2, released on Aug. 5 after many delays, is a very different animal. It's a major rewrite of the operating system focused almost entirely on enhanced security. And it makes some aspects of Windows use significantly less convenient -- but a lot safer.

Microsoft will begin making SP2 available for manual download within a few days and start delivering it automatically to English-language users of the Windows Update service before the end of August and in other languages as they become available. But the 80 megabyte download is a challenge to anyone without broadband Internet access, so Microsoft will also offer free CDs.

Many of the most significant changes in SP2 affect the Internet Explorer Web browser, which has emerged as the source of Windows' most serious vulnerabilities. IE was designed to make it very simple and convenient for Web sites to download programs to Windows PCs. But the mechanisms designed to keep such downloads safe have proved hopelessly inadequate, and the bad guys have found all sorts of ways to take advantage of the vulnerabilities to deposit spyware, Trojan horses, and assorted other nastiness onto PCs, sometimes without requiring any action by the user.

WARNING SIGNS. The new browser, which is only available for Windows XP and only as part of SP2, behaves very differently. It starts by blocking any attempt by a Web site to download to a PC any file other than an image or a sound that's part of the Web page itself unless the user has explicitly requested the data. Instead of delivering the file, IE beeps and puts up a notification just below the toolbar saying "To help protect your security, Windows Explorer has blocked this site from downloading software to your computer. Click here for options."

When you click, you can tell IE to proceed with the download. If the file is a program, you will then be asked if you want to run it or, in some cases, whether you want to save it to disk. You will face a third level of challenge if Windows cannot determine that the software was digitally signed using a valid digital certificate (see "How a Digital Signature Works" for an explanation of how this technology works). If there's no valid signature, Windows will warn you against installation, though you can still override the advice.

This system, which Microsoft calls AuthentiCode, has been around since Internet Explorer 3.0 and is based on Internet standards. Until now, however, Microsoft's efforts to push the use of AuthentiCode have been half-hearted -- Windows raised only the mildest objections to installing unsigned programs.

WHAT'S IN A SIGNATURE. Many software publishers, including some who deal in security applications, haven't bothered signing their downloadable programs. For example, the Firefox browser from the Mozilla Foundation, a clean and very fast alternative to even a safety-enhanced Internet Explorer, isn't signed, so the new version of Windows will balk at installing it. Ad-aware software from Lavasoft and Spybot Search&Destroy, two leading anti-spyware programs, also lack proper signatures. On the other hand, Apple's (AAPL) iTunes for Windows and the Google Toolbar were properly signed and installed without a hitch.

Code signing serves two important purposes. First, it creates accountability by telling consumers who the actual source of programs is. Second, it protects against valid programs being hijacked and replaced with malicious substitutes (yes, this has happened, but fortunately not with widely used programs).

Fortunately, Service Pack 2 gives publishers a big incentive to sign their programs since consumers will properly balk at overriding Windows' objections to installing programs without valid signatures. Obtaining a digital certificate and signing code isn't very difficult and costs as little as $400. It's long past time for all software publishers to get with the program. Wildstrom is Technology & You columnist for BusinessWeek. Follow his Flash Product Reviews, only on BusinessWeek Online


Ebola Rising
LIMITED-TIME OFFER SUBSCRIBE NOW
 
blog comments powered by Disqus