They do make sense. You're missing something critical in the argument.
> So what’s interesting is MS say that UAC isn’t a security boundary. Which is some users to admin.
This is incorrect. UAC is for already-admin users; it's not "some users to admin". The security boundary exists around standard users, not admin users.
This might not be what you like, which I totally get, but it does make sense. If you want a security boundary, don't create a user in the Administrators group.
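To make the distinction in this reply (and the later one about the "Users"/"Guests" vs "Administrators" groups) concrete, here is an added PowerShell check that is not from the thread or from Microsoft. It reads the current process token and reports which side of the boundary it is on: a standard user, an Administrators member running with a UAC-filtered token, or an elevated administrator. It assumes `whoami.exe` (shipped with Windows) and the well-known SIDs for BUILTIN\Administrators and the integrity labels.

```powershell
# Added example, not from the thread. Classifies the current process token relative to
# the Windows security boundary discussed above:
#   - standard user          : Administrators SID absent from the token
#   - admin, filtered token  : Administrators SID present but "deny only" (no UAC consent yet)
#   - admin, elevated        : Administrators SID enabled (already inside the TCB)
function Get-TokenBoundarySide {
    # whoami /groups lists every group in the token with its attributes, including the
    # "Group used for deny only" flag that marks a UAC-filtered token.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    $adminSid   = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
    $adminEntry = $groups | Where-Object { $_.SID -eq $adminSid }

    # Integrity label (well-known SIDs: High = S-1-16-12288, Medium = S-1-16-8192)
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1

    # Cross-check via .NET: IsInRole(Administrator) is true only for an elevated token.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    $side = if (-not $adminEntry) {
        'standard user: behind the boundary; elevation needs an administrator''s credentials'
    } elseif ($adminEntry.Attributes -match 'deny only') {
        'administrator with a filtered token: one UAC consent click from full rights (a convenience, not a boundary)'
    } else {
        'elevated administrator: already inside the TCB; admin-to-kernel is not a boundary here'
    }

    [pscustomobject]@{
        User             = $identity.Name
        InAdministrators = [bool]$adminEntry
        TokenElevated    = $elevated
        IntegrityLevel   = if ($label) { $label.'Group Name' } else { 'unknown' }
        BoundarySide     = $side
    }
}

Get-TokenBoundarySide | Format-List
```

Run it twice, once from a normal prompt and once from a "Run as administrator" prompt, with the same Administrators-member account: the user name is identical, but the token goes from "deny only" at Medium integrity to enabled at High integrity. That token change is what the UAC prompt buys, and it is why membership in the group, not the prompt, is where the boundary sits.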
> If you want a security boundary, don't create a user in the Administrators group.
As a user, aren't you essentially forced into this to have a usable desktop experience? I mean, sure, there is a boundary, but it's drawn rather carelessly around the entire stack.
> If you want a security boundary, don't create a user in the Administrators group.
Which makes no sense. The fact that a user is in the Administrators group does not mean every single action they take should automatically have root permissions, or that using the UAC prompt to get root permission for a particular action shouldn't be treated as crossing a security boundary. On my Linux system, the fact that my user is in the sudoers group doesn't mean Linux just throws up its hands and says, oh well, can't enforce any security boundary now for what that user does. MS is simply punting here. But of course Windows was never designed for security, and what braindead security it does offer was bolted on as an afterthought.
I have a theory that there's basically two types of disagreements, disagreements on definitions, and disagreements on value systems.
In this case Microsoft values downplaying this issue, so when that is at the top of their value system their decisions should make sense following that.
Since this is just a pet theory I'm very interested to hear critiques on it.
Disagreements on definition are a little bit easier, because then you can just talk about the definitions and resolve your differences there... For example, let's say, IDK, you're trying to sort out how to design a software system, and everyone is speaking in terms of design patterns, but they haven't yet spelled out the details of what those design patterns are; that could probably lead to a lot of confusion if, when you say A, I think of A', and another person is thinking of A''.
I like this. I first noticed this with gay marriage. Some would say "gay people should be able to do what they want and form 'civil unions' with all the tax and contractual benefits and requirements of marriage, but they shouldn't be able to get 'married'". For these people, it was all about the definition of a word.
Other people opposed gay marriage because it went against their values. No matter what you wanted to call it, they were opposed to gay people living together and sharing their lives.
I chose this example because it's the first time I noticed that some disagreements are about the definition of a word, and it's an especially clear example of that. It's silly how huge disagreements about a single word can become.
There are also people who disguise their value disagreement as a definition disagreement. This is a form of bad faith arguing.
Sorry, this is not a value system disagreement. It's definitions, pure and simple. As I mentioned in my sibling comment, the definition (and thus boundary) has been pretty sharp and clear for decades: the user group. If you're a standard user, such as in the "Users" or "Guests" groups, you're behind the boundary. If you're in the "Administrators" group, you're already past it.
Socratic logic argues you must first agree on the meaning of terms and definitions. Next is determination of what the facts are. Lastly is logical arguments. Guess which part is the most difficult?
Religious logic is like this. It presupposes a greater mystery that has been partially revealed to us. It also presupposes that our fallible logic cannot on its own understand the truth. In other words, it defines faith as believing in the greater truth even if the world and everyone says we are foolish to believe in such fairy tales.
This assumes Microsoft being a singular entity with a single set of values (or even a single set of definitions), which I believe is an incorrect premise. It’s misleading to think of organizations as if they were a single mind. (Not to speak of the fact that it’s quite common even for singular minds to have inconsistent values and beliefs.)
I've learned that if you want bugs fixed in Windows, pay for professional support. Same as corporate-managed open source software. The real question is why people bother doing free security research work for Microsoft, instead of spending their intellectual energy making desktop Linux better.
I don't understand the move to system designs that require exploitation of the accessibility layer to turn a device into something semi-functional.
Those OSes go out of their way to prevent features that hinder the usefulness of the devices, such as recording phone calls, or allowing the blocking of network IP addresses and domains, while supplying monolithic integration that is limited to all but the OS maintainers.
The Google dialer does not allow for integration of 3rd-party contacts; it is built around Google remote storage. Apple Messenger doesn't allow for conversing with non-Apple device users except via insecure text messaging, while promoting cyberbullying with green vs. blue text.
There is another security and business risk in using Google or Apple for content storage, with limited recourse when they lock out our accounts.
> Both UAC and sudo are just OS level cookie dialog boxes
To be fair, that's misconstruing UAC and CredUI/Secure Desktop a little. There probably is merit in switching to an isolated desktop session when seeking consent or user credentials, despite the fact that UAC/the AuthZ part within a user account has flaws. I think another issue is probably that most users' exposure to UAC is on machines they're the sole user and administrator of; it's a different ballgame in enterprises where the end user is probably the least privileged principal logged into a particular PC.
Windows et al. have sandboxed apps, but which apps and which users should be allowed to make system-level, confirmation-type changes? iOS and Android are (for the most part) on single-user devices; you still need some sort of AuthZ system to decide who and which apps can change what on multi-user systems.
It's also interesting how on both Windows and Linux normal-privilege local accounts are, practically, root equivalent. In Linux, we train people to type "sudo" in front of anything system relevant. On Windows, we train users to click through UAC prompts. When was the last time sudo said "no" to somebody for a reason other than a password typo?
(UAC is marginally better than sudo: UAC is system managed UI, while sudo is just a program. An attacker can plug in a malicious shell alias for sudo and steal your password.)
IMHO, it'd be more convenient for users and more reflective of actual security posture to get rid of both sudo and UAC (in the default setup of course) and stop pretending that there's a firm security boundary between root and the primary human local user account.
On Linux, most modern user-facing applications are using polkit instead of sudo. You can actually just use pkexec instead of sudo in the terminal as well.
Instead of just running arbitrary commands as root, applications can use specific pre-defined actions like "org.freedesktop.udisks2.filesystem-mount". This shows a nice localized message to the end user about what the app is trying to do, so they can decide whether to allow it or not. The system administrator can also configure certain actions to not even require authentication, useful for e.g. flatpak updates, or to block certain actions altogether.
I think an equivalent way to phrase this that feels very different is:
"On both Windows and Linux the default installed users are, practically, root equivalent". I guess on the basis that the user performing the installation should be in control of the system (I mean, they are; they could've just not done the installation. Where are your access controls now, blank system!)
> When was the last time sudo said "no" to somebody for a reason other than a password typo?
Sudo doesn't say no to people, much like UAC doesn't say "no" to people. In both cases, people (admins) are meant to say "no" when they don't expect to be performing an administrative operation. People who are not admins and yet need to do such operations need an administrator to authorise it.
In both cases, if it's not a single-person system, whoever is setting the machine up should be setting up limited accounts for regular use.
On Linux, I do not install sudo, because I do not often need to become root, and when I do, I usually want to do multiple operations.
I believe that "sudo" is useful only on multi-user computers (including company-owned and company-managed computers), where the administrator may want to give some users the power to do only a restricted set of privileged operations.
I always use a different user account than root, mainly not for security, but to avoid any accidental mistakes, where I could delete or overwrite other files than intended.
I believe that this is a good enough reason to justify the need to infrequently type a password in order to change roles.
In my experience (on Gnome at least), Linux is moving towards Windows-style sudo protection. It lacks the "press ctrl+alt+delete to verify" trick.
Windows has the advantage that you don't need to script everything. You can wrap `runas`/`System.Management.Automation.PSCredential` around every other tool if you want to, you just don't need to in most cases.
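As an added illustration of the point in the comment above (not code from the thread), here is how wrapping a single tool in a separate principal looks in PowerShell: one function runs a tool under a limited local account through `Start-Process -Credential` (the same Secondary Logon path `runas.exe` uses), the other relaunches only the one step that needs admin rights through `-Verb RunAs`. The account name `toolrunner`, the tool path and the script path are placeholders for the example.

```powershell
# Added example, not from the thread. Runs one tool under a separate, limited account
# instead of elevating the whole session, and elevates only the step that needs it.
# Assumptions (placeholders for this example): a local non-admin account "toolrunner"
# exists; C:\Tools\parser.exe and C:\Scripts\install-driver.ps1 stand in for real files.

function Invoke-AsLimitedUser {
    param(
        [Parameter(Mandatory)] [string]       $FilePath,
        [string[]]                            $ArgumentList = @(),
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # -Credential goes through the Secondary Logon service, so the child process gets
    # the limited account's token rather than ours. The working directory must be
    # readable by that account, hence %SystemRoot% rather than our own %TEMP%.
    $splat = @{
        FilePath         = $FilePath
        Credential       = $Credential
        WorkingDirectory = $env:SystemRoot
        Wait             = $true
        PassThru         = $true
    }
    if ($ArgumentList.Count -gt 0) { $splat.ArgumentList = $ArgumentList }   # parameter rejects an empty list

    $p = Start-Process @splat
    if ($p.ExitCode -ne 0) { throw "$FilePath exited with code $($p.ExitCode)" }
    $p.ExitCode
}

function Invoke-ElevatedStep {
    param([Parameter(Mandatory)] [string] $ScriptPath)
    # -Verb RunAs raises the UAC prompt for this one child only; the caller stays
    # unelevated. It cannot be combined with -Credential (different launch path).
    $p = Start-Process -FilePath 'powershell.exe' `
            -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$ScriptPath`"" `
            -Verb RunAs -Wait -PassThru
    $p.ExitCode
}

# Usage: parse untrusted input as the limited account, then do the single admin step elevated.
$cred = Get-Credential -UserName "$env:COMPUTERNAME\toolrunner" -Message 'Limited account for the parser'
Invoke-AsLimitedUser -FilePath 'C:\Tools\parser.exe' -ArgumentList '--input', 'C:\Samples\untrusted.bin' -Credential $cred
Invoke-ElevatedStep  -ScriptPath 'C:\Scripts\install-driver.ps1'
```

The two functions are deliberately separate: the first lowers privilege for the risky work, the second raises it for the one step that requires it, and neither leaves the interactive session elevated afterwards.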
So the kernel is enforcing file sharing rules (mandatory locking, in effect) by scanning on open all open file handles for conflicting mandatory locks, but doesn't check for memory mappings of these files with conflicting permissions. Oops. Seems like a straightforward fix though.
It's worth noting that Linux just got rid of its last vestige of mandatory locking. Now you can write a loaded executable without getting EBUSY. Interesting how exactly the same feature on one OS can be a load bearing part of the security infrastructure and on another OS legacy crud to be deleted.
I'm not by any means a security guru. I understand some basics, but I think I'm missing a conceptual model somewhere. What is it about Windows that makes it so damn hackable?
Can't believe people have not pointed out the biggest reason of them all. It's the most widely deployed desktop OS across rich targets (corporations). A lot of time and investment goes into cracking it.
The problem is that Windows was developed before security was important. No one has made the necessary investments to create a truly secure computing platform.
Ideally a secure computing platform would have reproducible builds built on public inspectable infrastructure like fdroid. It would also virtualize all untrusted applications in a sandbox and implement the least privilege model.
Today we have the worst security. There is unknown, probably untested and insecure code running at every ring, from the CPU's ME, to the UEFI components, to the OS 3rd party drivers.
seL4 has a fully verified kernel, but it doesn't do virtualization yet.
> The problem is that windows was developed before security was important.
I disagree. Plenty of systems have added security as an afterthought and were just fine for the effort.
The problem is most people just want to play video games. They don't care about security. They don't actually want security if it frustrates their efforts to play games or reduces the computing power available for the game.
Look at houses. We could have amazing high security locks everywhere if we wanted. We don't. We don't perceive ourselves as needing them. It turns out "tamper evident" is a decent level of security for the real world and allows homes to be partially secure while being totally livable.
> The problem is that windows was developed before security was important.
But wasn't that Windows rebuilt from the ground up as Windows NT, which had more advanced security features out of the box than basic Unix/Linux (allow/deny ACLs vs octal permissions, SAM database vs /etc/passwd flatfile, SIDs vs manually assigned/reusable UIDs)?
(And some other cool design features that never got used, like POSIX/OS2 subsystems being on equal footing as the "regular" Windows32 subsystem.)
The same can be said of UNIX; let's not forget the first worm was targeted at UNIX systems, and the root cause keeps being a regular CVE in C and C++ projects.
I like how you started out with a reasonable comment and then ended in a Hacker News word soup of random security memes. It’s like going, “the problem is Python is interpreted, and the design of its interpreter makes it difficult to optimize” and then following up with “this is why we need everyone to write their code in Rust and assembly. There’s this thing called Mojo that looks like Python and has the performance of Rust that we could use”. Like, ok, thanks for your insight? None of it is actually useful or relevant in answering the question.
> windows was developed before security was important
I disagree - At best you could say DOS was developed before users knew security was important... Microsoft has explicitly ignored security since DOS - because functionality sells better than security. Anyone who has worked with Unix systems has always understood just how much of a sieve Microsoft OSes are. Anyone with wisdom has said that about Windows from the very very beginning. Windows anti-virus has been a thing for a very long time.
If your prior is the number of extreme security vulnerabilities in one year, the implication is that there are a lot of undiscovered extreme security vulnerabilities.
And competent WaaS (Weaponisation as a Service) now exists to quickly deploy exploits for obscure weaknesses or recently discovered weaknesses. Users and companies no longer have a few weeks grace before mass exploitation occurs.
Use Windows, get pwned. The counterfactual is difficult: it is hard to prove you haven't been pwned... Anti-virus defence is often too late (plenty of examples eh!).
I've seen very careful users/developers get caught out again and again.
Not to say Windows is alone. Routers and other end devices are just as bad. And Android doesn't appear great to me either.
> Ideally a secure computing platform would have reproducible builds built on public inspectable infrastructure like fdroid. It would also virtualize all untrusted applications in a sandbox and implement the least privilege model.
Also, be careful what you ask for. Such a system would likely require Secure Boot to be enabled a-la Android, complete with userspace detection of a system which does not have Secure Boot enabled, for DRM implementations similar to a game console. We're already close, but UEFI bugs, virtualization, hundreds of TPM variants, and bus attacks have left holes.
The prevalence of 3rd party kernel-level code is an important factor too. Lots of windows malware relies on a vulnerable 3rd party kernel driver at some point.
By comparison, 3rd party kernel modules are rare and looked down upon on Linux and outright banned on macOS.
To note, Windows isn't allowed to completely block third party kernel code.
I don't have the reference at hand, but it was part of their various anti-trust fallout, as it would give them an unfair advantage with regard to their own products.
The alternative to that is Android and iOS, where we don't have full control over our own devices unless we jailbreak them, which itself breaks so many critical apps on the mobile device stores that it's frequently not worth it to root the device.
No, the problem here is more so the sheer complexity of Windows, the variety of devs involved, and the push for backwards compatibility.
The exploit under discussion is an attack on Windows Update; it doesn't, AFAICT, involve running privileged code as the user. Also, the default Windows user has been non-Administrator for many years now. It's true you can fool users into elevating a shell or whatever, but that's true for pretty much all platforms.
It'd be a lot less easy if the OS didn't seem to require full privilege escalation for a lot of tasks you don't need that for in Linux. One of the major problems that leads to escalation is poor separation of concerns.
What makes you think that it's "so damn hackable"?
Also, this particular attack requires administrator privileges and bypasses a security boundary that doesn't even exist on e.g. Linux. Linux doesn't have driver signatures and root can easily install a new kernel module.
Just take a quick look at 2024's CVEs; 0-days for Windows are a security nightmare. Not singling out Windows specifically, but they have a lot.
Browsers only just recently patched being able to be served JavaScript that scans local devices on 10.* and 192.168.* etc., hitting IoT devices with exploits and payloads, hell, even hitting open listening sockets on localhost and 0.0.0.0. That's cross-platform; how many years did that go under the radar?
And now Windows is getting 'Recall' which will monitor and scan your every PC action to remember it for you using ML; I don't see that going back at all /s
It allows its users to actually use their computer as a computer instead of a glorified phone.
MacOS nannies you left and right, preventing you from doing things you want to do because Apple says no.
Windows historically didn't have such restrictions because it's a desktop operating system and not a gimped phone. They're slowly being added, but it takes time to overhaul an entire architecture while maintaining backwards compatibility (which MacOS also doesn't care about at all).
Linux is of course far more "hackable" but there aren't as many computer illiterates using it.
LOL you should be upvoted as your comment perfectly captures the blind arrogance of the software industry.
When you call people computer illiterate, you are blind to the technocrat injustice imparted onto the general populace.
> "The obnoxious behavior and obscure interaction that software-based products exhibit is institutionalizing what I call "software apartheid":"
> ― Alan Cooper, The Inmates Are Running the Asylum: Why High Tech Products Drive Us Crazy and How to Restore the Sanity
> “When programmers speak of "computer literacy," they are drawing red lines around ethnic groups, too, yet few have pointed this out.”
> ― Alan Cooper, The Inmates Are Running the Asylum: Why High Tech Products Drive Us Crazy and How to Restore the Sanity
You too can see the light and rise above the elitism of computer literacy. You know, there are many smart people that are too prideful to put up with what computer people demand as computer literacy. They suffer in silence, you will not have their loyalty, and they will switch to competing software the moment they are able to.
- The EULA absolves Microsoft of any liability whatsoever. So they share in none of the risk. Imagine if physical items were like this: hit one bump and your pickup is destroyed. Scissors fall apart irreparably once they contact any material that's not paper.
- MS putting backwards compatibility (mainly done for business customers) above everything, at all costs. The peanut butter factory in Indiana that's been running WFW since '89 must never be inconvenienced, even if it means tens of thousands of people have to take their brand new computers to the shop (at their own cost!) multiple times per year because of spyware infections.
- Not valuing innovation. A culture where engineers are just a necessity to keep the money-making machine running. All the excitement was drained about the end of the '90s. They made a couple nominal hits with the Surface, Xbox, and Azure, not going to discount that.
Windows isn't especially hackable, they've been taking security seriously and doing a decent job for at least a decade, and honestly these days it's a lot better than the alternatives.
Really the issue is because it's used on something like 95% of desktops. More eyes on windows means more bugs being found.
A lot better than the alternatives in terms of security?
Even if we only consider alternatives in wide use like ChromeOS or macOS, I wouldn't in any serious way consider Windows to be more secure. More compatible yes, but not more secure.
Yep, the almost impenetrable security of the last few Xboxes shows that Microsoft does have it in them to architect a very secure platform, even against physical attacks, but they don't have the luxury of doing such a clean-slate design with Windows. They can almost never afford to break backwards compatibility and the Xbox approach of running each instance of legacy software in its own fully isolated virtual machine wouldn't really scale to a multitasking environment.
For those not keeping score, the Xbox One only recently got a very limited jailbreak a decade after release, that only works on old firmware and only allows access to the innermost level of sandboxing, with the outer system sandbox, hypervisor, bootloader and optical drive handshake remaining unbroken to this day.
In principle, there's something about the Windows object system being a much more complex abstraction than Unix's streams.
But the reality is not that. Windows is just surrounded by layers and layers of bad code with atrocious interfaces. Any architectural weakness doesn't even register.
I'm kind of with Microsoft on this one: the administrator can do arbitrary things to the computer, film at 11. Is there a nuance that I'm missing that raises the severity of this?
See also Raymond Chen's summary of this class of attack:
My thought exactly. If someone is already able to replace arbitrary DLLs on the system (a precondition for this "exploit" to work), all bets are off, and their ability to bypass driver signatures is probably the least of your concerns.
In practice there's no good defence against this, but Windows is designed to protect itself against these kinds of attacks if all components work together. With secure boot + driver signature validation + DLL signature validation, you can't just run any code by putting it in a DLL file. You're not hacking any normal computer by replacing user32.dll with virus.dll.
Downgrade protection is quite a hard problem to solve without at least breaking the automatic recovery tools. In theory Microsoft could register the versions of every system file somewhere, sign+hash that, and store it some place secure, but then they'd need to deal with reverts of system components after a failed update or restored system images becoming unbootable.
In practice, I don't see the use case for this attack, though. You can just put a legitimate, signed driver with a known exploit inside your executable and load that. Microsoft chooses to keep unpatched, vulnerable drivers rather than break hardware support for millions of users.
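The comment above lists the pieces that have to hold together (Secure Boot, driver signature enforcement, signed system files) and describes the downgrade-protection problem; the question further down asks whether a blocklist or revocation facility exists. Here is an added PowerShell check, not from the thread and not Microsoft's code, that reads the state of each of those pieces on the local machine, lists running drivers whose Authenticode status is anything but Valid, and applies one downgrade heuristic: a kernel image whose file revision is below the servicing level (UBR) the OS itself records in the registry. It assumes an elevated PowerShell on Windows 10/11 (`bcdedit` and `Confirm-SecureBootUEFI` need it); the "revision below UBR" rule is my heuristic for spotting a rolled-back ntoskrnl.exe, not an OS check.

```powershell
# Added example, not from the thread. Inventories the platform-integrity controls
# discussed above and applies a simple downgrade heuristic. Run elevated.
# Assumption: the OS-recorded UBR is the expected revision of ntoskrnl.exe (a
# heuristic; every cumulative update normally refreshes the kernel image).

function Get-PlatformIntegrityState {
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $null }   # $null: legacy BIOS or no rights

    # Either boot option weakens Driver Signature Enforcement.
    $bcd = try { bcdedit /enum '{current}' 2>$null } catch { @() }
    $testSigning = [bool]($bcd | Where-Object { $_ -match '^\s*testsigning\s+Yes' })
    $noIntegrity = [bool]($bcd | Where-Object { $_ -match '^\s*nointegritychecks\s+Yes' })

    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI is active.
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # Microsoft's vulnerable driver blocklist, the "blacklist" asked about in the thread.
    $ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklist = ($ci.VulnerableDriverBlocklistEnable -eq 1)

    [pscustomobject]@{
        SecureBoot                = $secureBoot
        TestSigning               = $testSigning
        NoIntegrityChecks         = $noIntegrity
        HVCI                      = $hvci
        VulnerableDriverBlocklist = $blocklist
    }
}

function Get-UnsignedRunningDrivers {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Service image paths come in NT forms; map them to Win32 paths first.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }   # e.g. "system32\drivers\x.sys"
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{ Driver = $_.Name; Path = $path; Status = $sig.Status }
                }
            }
        }
}

function Test-KernelDowngrade {
    # The OS records its own servicing level here; each cumulative update raises UBR.
    $cv       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $kernel   = Join-Path "$env:SystemRoot\System32" 'ntoskrnl.exe'
    $actual   = (Get-Item -LiteralPath $kernel).VersionInfo.FileVersionRaw
    [pscustomobject]@{
        File           = 'ntoskrnl.exe'
        FileVersion    = $actual
        OSRecordedUBR  = [int]$cv.UBR
        # Heuristic: a revision older than the recorded UBR means the kernel image was
        # replaced by something older than the last update the OS believes it applied.
        # (The build field is not compared: enablement-package releases keep the older
        # build number in file versions while the registry reports the newer one.)
        LikelyDowngraded = ($actual.Revision -lt [int]$cv.UBR)
    }
}

Get-PlatformIntegrityState | Format-List
Get-UnsignedRunningDrivers | Format-Table -AutoSize
Test-KernelDowngrade       | Format-Table -AutoSize
```

None of these three checks is a defence on its own, which is the comment's point: they are the components that have to agree. The first shows whether the signature chain is even being enforced, the second shows what is actually loaded, and the third is the kind of version bookkeeping the comment says Microsoft would need (signed and tamper-evident, which this local registry read is not) to make downgrade detection reliable.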
Seems like the attack is suspiciously simple: Fool the update process into installing old versions of kernel components with known vulnerabilities. I'm no expert, but surely MS has already thought about this and has a blacklist or revocation facility or whatever?
Is the root cause here an OS design issue or just a process failure where they failed to note the broken/bad hashes in the correct spot? The latter is much easier to fix, but the (slightly spun, as always) security announcement seems to claim the former.
Well, the demo is showing a crossing of something that MS has defined to not be a real security boundary: "Administrative processes and users are considered part of the Trusted Computing Base (TCB) for Windows and are therefore not strong isolated from the kernel boundary." [0]
On the Linux side, SELinux which sets guardrails on the root user at the kernel level is mandatory for protecting classified information. Thus, there is most certainly a security boundary between root, let alone regular users with "admin" groups/perms, and the kernel.
How can Windows, which is used all over the government, have a policy that admin users can do whatever they want with the kernel without it being a security vulnerability?
Wow! I remember the hard time we all had at [1] (doing deep packet inspection drivers for [2]) when Microsoft first required driver signing in Windows. The workflow seemed, at first glance, even tougher than getting an app approved on the Apple Store, with documentation that was far from clear. Personally, this feels like a huge setback considering the resources companies have poured into complying with Microsoft's requirements, only to see it exploited in this way. Of course, vulnerabilities are always out there, but it would have been reassuring if someone had uncovered this one earlier. Kudos to Alon Leviev and SafeBreach for discovering it.
Then they say admin to kernel (in this case) isn’t a security boundary.
While also saying that driver signing enforcement is a security feature.
Which is what’s being bypassed here.
But they claim in this case it’s not crossing a security boundary.
Please make sense.
That's all there is to it.
Both UAC and sudo are just OS level cookie dialog boxes. Let's get rid of all three.
We need to give up on the UAC/sudo/etc. style of user based privilege escalation and instead sandbox apps, not users, just like Android and iOS do.
UAC is not a security boundary by design.
> It’s important to be aware that UAC elevations are conveniences and not security boundaries …
- Mark Russinovich, Microsoft Corporation [1]
[1] https://web.archive.org/web/20080101143433/http://www.micros...
This is about drivers...
(UAC is marginally better than sudo: UAC is system managed UI, while sudo is just a program. An attacker can plug in a malicious shell alias for sudo and steal your password.)
IMHO, it'd be more convenient for users and more reflective of actual security posture to get rid of both sudo and UAC (in the default setup of course) and stop pretending that there's a firm security boundary between root and the primary human local user account.
Instead of just running arbitrary commands as root, applications can use specific pre-defined actions like "org.freedesktop.udisks2.filesystem-mount". This shows a nice localized message to the end user about what the app is trying to do, so they can decide whether to allow it or not. The system administrator can also configure certain actions to not even require authentication, useful for e.g. flatpak updates, or to block certain actions altogether.
> When was the last time sudo said "no" to somebody for a reason other than a password typo?
Sudo doesn't say no to people, much like UAC doesn't say "no" to people. In both cases, people (admins) are meant to say "no" when they don't expect to be performing an administrative operation. People who are not admins and yet need to do such operations need an administrator to authorise it.
In both cases, if it's not a single-person system, whoever is setting the machine up should be setting up limited accounts for regular use.
I believe that "sudo" is useful only on multi-user computers (including company-owned and company-managed computers), where the administrator may want to give some users the power to do only a restricted set of privileged operations.
I always use a different user account than root, mainly not for security, but to avoid any accidental mistakes, when I could delete or overwrite other files than intended.
I believe that this is a good enough reason to justify the need to infrequently type a password in order to change roles.
Windows has the advantage that you don't need to script everything. You can wrap `runas`/`System.Management.Automation.PSCredential` around every other tool if you want to, you just don't need to in most cases.
It's worth noting that Linux just got rid of its last vestige of mandatory locking. Now you can write a loaded executable without getting EBUSY. Interesting how exactly the same feature on one OS can be a load bearing part of the security infrastructure and on another OS legacy crud to be deleted.
Ideally a secure computing platform would have reproducible builds built on public inspectable infrastructure like fdroid. It would also virtualize all untrusted applications in a sandbox and implement the least privilege model.
Today we have the worst security. There is unknown, probably untested and insecure code running at every ring, from the CPU's ME, to the UEFI components, to the OS 3rd party drivers.
SeL4 has a fully verified kernel but it doesn't do virtualization yet.
I disagree. Plenty of systems have added security as an afterthought and were just fine for the effort.
The problem is most people just want to play video games. They don't care about security. They don't actually want security if it frustrates their efforts to play games or reduces the computing power available for the game.
Look at houses. We could have amazing high security locks everywhere if we wanted. We don't. We don't perceive ourselves as needing them. It turns out "tamper evident" is a decent level of security for the real world and allows homes to be partially secure while being totally livable.
But wasn't that Windows rebuilt from the ground up as Windows NT, which had more advanced security features out of the box than basic Unix/Linux (allow/deny ACLs vs octal permissions, SAM database vs /etc/passwd flatfile, SIDs vs manually assigned/reusable UIDs)?
(And some other cool design features that never got used, like POSIX/OS2 subsystems being on equal footing as the "regular" Windows32 subsystem.)
I disagree - At best you could say DOS was developed before users knew security was important... Microsoft has explicitly ignored security since DOS - because functionality sells better than security. Anyone who has worked with Unix systems has always understood just how much of a sieve Microsoft OSes are. Anyone with wisdom has said that about Windows from the very very beginning. Windows anti-virus has been a thing for a very long time.
If your prior is the number of extreme security vulnerabilities in one year - the implication is that there are a lot of undiscovered extreme security vulnerabilities.
And competent WaaS (Weaponisation as a Service) now exists to quickly deploy exploits for obscure weaknesses or recently discovered weaknesses. Users and companies no longer have a few weeks grace before mass exploitation occurs.
Use Windows, get pwned. The counterfactual is difficult: it is hard to prove you haven't been pwned... Anti-virus defence is often too late (plenty of examples eh!).
I've seen very careful users/developers get caught out again and again.
Not to say Windows is alone. Routers and other end devices are just as bad. And Android doesn't appear great to me either.
It very much does virtualization. And, as far as I am aware, it does it better than any other OS.
Incidentally, seL4 just had its seL4 Summit 2024[0].
0. https://www.youtube.com/playlist?list=PLtoQeavghzr0ZntMmRPwg...
Also, be careful what you ask for. Such a system would likely require Secure Boot to be enabled à la Android, complete with userspace detection of a system which does not have Secure Boot enabled, for DRM implementations similar to a game console. We're already close, but UEFI bugs, virtualization, hundreds of TPM variants, and bus attacks have left holes.
That was a long time ago, the 1980s and 1990s. Windows has been transformed since then, particularly with Windows 10.
By comparison, 3rd party kernel modules are rare and looked down upon on Linux and outright banned on macOS.
I don't have the reference at hand but it was part of their various anti-trust fallout, as it would give them an unfair advantage regarding to their own products.
PS: an analysis of that situation during the Crowdstrike issue, with the relevant bits of the EU ruling: https://www.computerweekly.com/news/366598838/Why-is-CrowdSt...
No - the problem here is more so the sheer complexity of Windows and the variety of devs involved and the push for backwards compatibility.
Also, this particular attack requires administrator privileges and bypasses a security boundary that doesn't even exist on e.g. Linux. Linux doesn't have driver signatures and root can easily install a new kernel module.
Linux supports signed kernel modules (and not just on paper, this is a widely deployed feature).
Browsers only just recently patched being able to be served JavaScript that scans local devices on 10.* and 192.168.* etc., hitting IoT devices with exploits and payloads, hell, even hitting open listening sockets on localhost and 0.0.0.0 -- that's cross-platform; how many years did that go under the radar?
And now Windows is getting 'Recall' which will monitor and scan your every PC action to remember it for you using ML; I don't see that going back at all /s
MacOS nannies you left and right, preventing you from doing things you want to do because Apple says no.
Windows historically didn't have such restrictions because it's a desktop operating system and not a gimped phone. They're slowly being added, but it takes time to overhaul an entire architecture while maintaining backwards compatibility (which MacOS also doesn't care about at all).
Linux is of course far more "hackable" but there aren't as many computer illiterates using it.
When you call people computer illiterate, you are blind to the technocrat injustice imparted onto the general populace.
> “The obnoxious behavior and obscure interaction that software-based products exhibit is institutionalizing what I call "software apartheid":”
> ― Alan Cooper, The Inmates Are Running the Asylum: Why High Tech Products Drive Us Crazy and How to Restore the Sanity
> “When programmers speak of "computer literacy," they are drawing red lines around ethnic groups, too, yet few have pointed this out.”
> ― Alan Cooper, The Inmates Are Running the Asylum: Why High Tech Products Drive Us Crazy and How to Restore the Sanity
You too can see the light and rise above the elitism of computer literacy. You know, there are many smart people that are too prideful to put up with what computer people demand as computer literacy. They suffer in silence, you will not have their loyalty, and they will switch to competing software the moment they are able to.
- MS putting backwards compatibility (mainly done for business customers) above everything, at all costs. The peanut butter factory in Indiana that's been running WFW since '89 must never be inconvenienced, even if it means tens of thousands of people have to take their brand new computers to the shop (at their own cost!) multiple times per year because of spyware infections.
- Not valuing innovation. A culture where engineers are just a necessity to keep the money-making machine running. All the excitement was drained around the end of the '90s. They made a couple nominal hits with the Surface, Xbox, and Azure, not going to discount that.
Really the issue is because it's used on something like 95% of desktops. More eyes on windows means more bugs being found.
Even if we only consider alternatives in wide use like ChromeOS or macOS, I wouldn't in any serious way consider Windows to be more secure. More compatible yes, but not more secure.
For those not keeping score, the Xbox One only recently got a very limited jailbreak a decade after release, that only works on old firmware and only allows access to the innermost level of sandboxing, with the outer system sandbox, hypervisor, bootloader and optical drive handshake remaining unbroken to this day.
But the reality is not that. Windows is just surrounded by layers and layers of bad code with atrocious interfaces. Any architectural weakness doesn't even register.
See also Raymond Chen's summary of this class of attack:
https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...
Downgrade protection is quite a hard problem to solve without at least breaking the automatic recovery tools. In theory Microsoft could register the versions of every system file somewhere, sign+hash that, and store it some place secure, but then they'd need to deal with reverts of system components after a failed update or restored system images becoming unbootable.
In practice, I don't see the use case for this attack, though. You can just put a legitimate, signed driver with a known exploit inside your executable and load that. Microsoft chooses to keep unpatched, vulnerable drivers rather than break hardware support for millions of users.
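A sketch of the "register the versions, sign+hash the list, keep it somewhere secure" scheme from the comment above, added here as an illustration; this is not Microsoft's code and not how any actual Windows component works. The file names, contents and version numbers are constructed, and the HMAC over the manifest stands in for the asymmetric signature a real design would use. It also shows the tension the comment raises: a revert after a failed update has to be expressed as a newer, explicitly authorised manifest, otherwise the checker cannot tell it from a rollback attack.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a signing key. A real design would keep an
# asymmetric private key with the vendor and only the public half on the device.
SIGNING_KEY = b"constructed-demo-key"

# Constructed "system files": name -> (version tuple, file contents).
# Names, versions and contents are illustrative, not real Windows components.
FILES_V1 = {
    "kernel.sys": ((10, 0, 100, 1), b"kernel build 100.1"),
    "codeintegrity.dll": ((10, 0, 100, 1), b"ci build 100.1"),
}
FILES_V2 = {
    "kernel.sys": ((10, 0, 100, 2), b"kernel build 100.2 (patched)"),
    "codeintegrity.dll": ((10, 0, 100, 2), b"ci build 100.2 (patched)"),
}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Canonical JSON so that the signature covers one unambiguous byte string.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, counter, allow_rollback=()):
    """Record version and hash of every component and sign the result.

    counter must strictly increase on every issued manifest so an old manifest
    cannot be replayed; allow_rollback names components the issuer explicitly
    permits to move to a lower version (the failed-update revert case)."""
    body = {
        "counter": counter,
        "allow_rollback": sorted(allow_rollback),
        "components": {
            name: {"version": list(ver), "sha256": _digest(data)}
            for name, (ver, data) in sorted(files.items())
        },
    }
    sig = hmac.new(SIGNING_KEY, _canonical(body), "sha256").hexdigest()
    return {"body": body, "sig": sig}


def verify_signature(manifest) -> bool:
    expected = hmac.new(SIGNING_KEY, _canonical(manifest["body"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["sig"])


def accept_manifest(new, trusted):
    """Decide whether `new` may replace the currently trusted manifest.

    Returns a list of findings; an empty list means the update is acceptable."""
    if not verify_signature(new):
        return ["manifest signature invalid"]
    if new["body"]["counter"] <= trusted["body"]["counter"]:
        return ["manifest counter not newer than trusted manifest (replay)"]
    findings = []
    allowed = set(new["body"]["allow_rollback"])
    for name, rec in new["body"]["components"].items():
        old = trusted["body"]["components"].get(name)
        if old and rec["version"] < old["version"] and name not in allowed:
            findings.append(f"{name}: manifest lowers version {old['version']} -> {rec['version']} without authorisation")
    return findings


def check_system(manifest, files):
    """Compare on-disk components against the trusted manifest.

    A component whose hash differs and whose version is lower than recorded is
    reported as a downgrade; any other hash mismatch is reported as tampering."""
    if not verify_signature(manifest):
        return ["manifest signature invalid"]
    findings = []
    for name, rec in manifest["body"]["components"].items():
        if name not in files:
            findings.append(f"{name}: missing from disk")
            continue
        ver, data = files[name]
        if _digest(data) == rec["sha256"]:
            continue
        if list(ver) < rec["version"]:
            findings.append(f"{name}: on-disk version {list(ver)} is older than recorded {rec['version']} (downgrade)")
        else:
            findings.append(f"{name}: hash mismatch against manifest")
    return findings


if __name__ == "__main__":
    m1 = build_manifest(FILES_V1, 1)
    m2 = build_manifest(FILES_V2, 2)
    rolled_back = {**FILES_V2, "kernel.sys": FILES_V1["kernel.sys"]}
    print("clean system:", check_system(m2, FILES_V2))
    print("old kernel restored:", check_system(m2, rolled_back))
    print("replay of old manifest:", accept_manifest(m1, m2))
    m3 = build_manifest(rolled_back, 3, allow_rollback=["kernel.sys"])
    print("authorised revert:", accept_manifest(m3, m2), check_system(m3, rolled_back))
```

The on-disk version here is just a tuple in the constructed input; a real checker would read it from the binary's version resource and would have to verify the manifest before the components it describes are loaded, which is exactly the chicken-and-egg that makes recovery images and failed-update reverts awkward.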
Is the root cause here an OS design issue or just a process failure where they failed to note the broken/bad hashes in the correct spot? The latter is much easier to fix, but the (slightly spun, as always) security announcement seems to claim the former.
And then schedules the update again...
Which is a fairly common thing to happen...
In that Vimeo account there are a ton of other security discoveries. E.g. WhatsApp running a Python script. Is this real or a scam?
Another recent case: https://arstechnica.com/security/2024/03/hackers-exploited-w...
[0] https://www.microsoft.com/en-us/msrc/windows-security-servic...
How can Windows, which is used all over the government, have a policy that admin users can do whatever they want with the kernel without it being a security vulnerability?
[1] https://www.nektra.com/
[2] https://www.verizon.com/business/en-nl/products/security/man...