Microsoft has responded to Neowin with regard to the XP SP 2 problem story we ran yesterday, as reported by PC Magazine & e-Week. The open letter is an unedited version of what we received early this morning.
Dear Neowin,
We wanted to alert you to some misguided press reports that may cause Microsoft customers undue concern. Some articles have posted that claim there is a highly critical vulnerability that would allow a malicious user to spoof the Windows Security Center in Windows XP SP2 however this claim is not accurate. we don’t know how closely you have been following this issue, but we wanted to make sure you had the facts from Microsoft.
As you know Windows Security Center, found in the Windows XP Control panel, provides customers the ability to easily check the status of essential security functionalities such as firewalls, automatic updates and antivirus. Windows Security Center will inform users whether key security capabilities are turned on and up to date and will notify users if it appears that updates need to be made or if additional action steps may need to be taken to help them get more secure.
To clarify, there is not a vulnerability in the Windows Security Center. In order for an attacker to spoof the Windows Security Center, he or she would have to have local administrator rights on the computer (ed. XP Homes default user is 'Admin', and many XP Pro users set their account to admin status for a hassle free life). If an attacker were granted access to a user’s system, either by being granted them or attaining them by enticing a user to open a malicious attachment, the criminal actions the attacker could pursue include many that are far more serious than just spoofing the Windows Security Center. In Windows XP SP2, we have added functionality to reduce the likelihood of unknown applications from running on the user’s system including turning Windows Firewall on by default, Data Execution Prevention and Attachment Manager in Outlook Express, to name a few.
All the best,
Windows Community Team
View: Neowin: Win XP Sp2 Problem?
Dear Neowin,
We wanted to alert you to some misguided press reports that may cause Microsoft customers undue concern. Some articles have posted that claim there is a highly critical vulnerability that would allow a malicious user to spoof the Windows Security Center in Windows XP SP2 however this claim is not accurate. we don’t know how closely you have been following this issue, but we wanted to make sure you had the facts from Microsoft.
As you know Windows Security Center, found in the Windows XP Control panel, provides customers the ability to easily check the status of essential security functionalities such as firewalls, automatic updates and antivirus. Windows Security Center will inform users whether key security capabilities are turned on and up to date and will notify users if it appears that updates need to be made or if additional action steps may need to be taken to help them get more secure.
To clarify, there is not a vulnerability in the Windows Security Center. In order for an attacker to spoof the Windows Security Center, he or she would have to have local administrator rights on the computer (ed. XP Homes default user is 'Admin', and many XP Pro users set their account to admin status for a hassle free life). If an attacker were granted access to a user’s system, either by being granted them or attaining them by enticing a user to open a malicious attachment, the criminal actions the attacker could pursue include many that are far more serious than just spoofing the Windows Security Center. In Windows XP SP2, we have added functionality to reduce the likelihood of unknown applications from running on the user’s system including turning Windows Firewall on by default, Data Execution Prevention and Attachment Manager in Outlook Express, to name a few.
All the best,
Windows Community Team
View: Neowin: Win XP Sp2 Problem?
Build 9 24 August 2004
* Version number incremented to 1.1
* Redesigned user interface
* Added right click context menu to profile list on main window
* Added new services to service help (including new XP SP2 services)
* Added colors and minor modications to text window logging to fsasctl
* Added additional support for terminating the desktop (explorer.exe)
* Added running programs filter to programs window
* Added Tools menu option to allow user to set Program Options and launch the Service Manager
* Added Tool Tip help througout the program (can be disabled via Program Options)
* Added abilty to shutdown or restart the computer after fsasctl has finished execution (not available for Windows 9x/ME)
* Fixed bug where Comments embedded in program executables were not being displayed properly in the programs window
YES
*lots of popups*
I HATE MICROSOFT!
things like that don't just happen, either your security settings are too low or you let the active x component run.
Go here: http://www.mikx.de/scrollbar/
... with Windows XP SP2 and IE.
Now drag the scrollbar and check what went in your autostart folder.
STV
Unlike STV, I was able to reproduce it.
STV
Moeburn that is...
i am not among those users classified as stupid, i don't accept strange emails, never say Yes to any activeX...
Almost forgot. Spy bot search & destroy fanboys, this is NOT an invite for you to flame ad-aware. Kthx
Sometimes the forums here behave differently than expected. Sometimes it automatically makes a new comment, ignoring the reply button. VERY annoying bug.
Good job Microsoft making a quality product.
j/k
So next time someone wants to be clever and call others dumb and be down right insulting in doing so, just try and remember that the majority of people don't see computing as a hobby or their chosen career choice and where people should be at least responsible for installing AV and firewall software, pissing around with setting after setting is not something the average user should have to do.
With SP2 Microsoft is basically "locking the door" for the user. No it is not gonna be full proof, nothing will be short of not turning on a computer for "stupid users".
At the end of the day typical users (see how i call them typical and not stupid like the majority of people here) are never going to secure their own systems EVER. MS should have realised this by now and should be looking at taking this burden upon themselves, that would obviously mean taking on more testers and programmers but we are talking about largest and richest software company in the world its not unreasonable.
Home runs in admin by default for two reasons. 1 it dosent have different levels of permission 2 as you said in your earlier post non-computer professionals dont want to learn computers, why put them in a "Guest" account? so they can come screaming "I cant install my copy of BF 1942, says i dont have permission!".
The fact remains the same. MS CANNOT make your machine (or anyone elses) 100% secure, because they are NOT you. To revive the example from an earlier reply, if you left your door unlocked and got robbed you cant blame the lock or door manufacturer. They cant guarentee that you wont lock the door every time you leave. Same with MS they cant determine what a "Malicious" program is, let alone block it. We all hate Ad-Ware, but there are people who use it, knowingly. The moment MS stepped in as a "Police" force in IT they would be hauled back into court. They already went to court for similar actions and lost...
The fact remains the same people are the ones responsible for their machines. In all honesty the "average" user is referred to as dumb with good reason. I dont like to call people dumb, but the "average" user breaks all common sense when they get on a computer. They get an active-x pop-up asking them to install XYZ and they hit "Yes" not because they know what it is, because they want the dialog gone. If they took a few minutes to read it and determine the source then they would be alott safer. Active-X has its problems (no sand-bo
However MS do not have the balls to implement such a method of security as they are to worried about developers getting upset about a common place practice, or is it the whole inconvienice of users having to type in a password i can't remember.
That warez kidie at the top must be browsing porn and clicks yes on everything, good luck in your computing life my friend!
It was at PC Mag and eweek. I think big companies like that could do better.
Noob1: I got some e-mail viruses from you the other day
Noob2: No, it can't have been mine - Windows says I'm protected. It must be a forged address or something.
It surely wouldn't be hard to use some kind of signature only allowed to approved programs.
If MS had an "approved" list it would cost companies money to get on that list (as it would cost MS money to evaluate these companies and their software product). That would render any free Anti-Virus tools immediatly incompatible as well as any company who dosent invest. It would have people up in arms against MS on that move. The security center isnt a catch-all solution. Its designed to get the average user more pro-active in their systems security. Just like the seat belt light in a car. Its designed to get you more active in the role of putting your seat belt on, but if you dont then you dont...
/longest run-on sentence ever
They ship it with admin as default because thats what most people are used to. They would be screaming all down MS's throat if MS did anything other, because they would be required to relearn PC's to some degreee.
And I' m a windows developer who has attended tons of MS developer conferences. MS constantly preaches to developers to code for the least capable account and not to use Admin level requirements unless ABSOLUTLY nessasry. You cant fault MS for the mistakes or hamperings of other developers. You should instead contact those developers and complain as in this case they are the ones in the wrong.
An example of this is I bought the Pioneer 107D and use the software that came with it. As a standard user I can only create an image file of the stuff I wish to burn. But as an admin I can create an image and then burn it.
Many windows programs are not created with multiuser in mind.
BTW get nero it can burn CD's in non admin accounts...
MS constantly tells developers not to develop for admin accounts unless nessasary, but as with people being told not to drink and drive, they still do it.
To be fair to MS i seem to remember them talking about going for a least privilege system for Longhorn. However as todays official announcement shows thats a long way off, and its a measure that should of been implemented years ago.
BTW how can you make these programs behave nicely for multi-user, is there a way for an adminitrator to do this?
To be fair to MS i seem to remember them talking about going for a least privilege system for Longhorn. However as todays official announcement shows thats a long way off, and its a measure that should of been implemented years ago.
I am a developer and i attend MS developer conferences regularly. They press security and least privilage on the development community as best they can (its a major part of every conference for every technology). There is nothing more they can do about it. Mac and *Nix dosent prevent developers from doing the same things that the majority of Windows developers do. Not every Mac or *Nix application is written to be used outside of root as well. MS has been preaching Multi-User support since NT 3.51 was introduced. The lack of support for it is due to programers not wanting to code for it. If you want programs that stick to MS's guidelines only buy programs bearing the "Designed for Windows ****" Logo.
As i said earlier you cant blame MS for the mistakes of other developers, its not their creation.
Developers and End-Users are a big part of the security problem. MS or any other software vendor creating software that interfaces with other software cant change that. The only solution is to make both developers and end users smarter about security. MS is doing the most they can in that area.
Before you mouth back with another "but *nix developers dont write unnessasry root requiring code" point me to where it says the OS will stop a program running in root from running because it needs root "unnessarily". Because no OS stops any user from logging in as admin/root provided they know the password...