Windows Vista Forums

Can a Rootkit Be Certified for Vista? p2...
  1. #1


    spamhotmail Guest

    Can a Rootkit Be Certified for Vista? p2...

    http://www.eweek.com/article2/0,1895,2104464,00.asp






    Can a Rootkit Be Certified for Vista?



    During his presentation, Tan voiced concern that frequent UAC consent
    dialog boxes will blend together to create a "click here to get work
    done" attitude. "Frequent UAC consent dialog boxes - will this force
    users to turn off the function?" he said. "Users will eventually get
    annoyed with it if it impacts their normal day-to-day activity."

    However, Rutkowska said she was bewildered at the frequent arguments
    that the boxes are annoying. "I've been using Vista two months now,"
    she said, and within a few days of installation, she's rarely
    presented with a UAC dialog box. "I think UAC, from a technical point
    of view, is a very good thing," she said. "For normal users, this is
    [a good security mechanism]."

    One thing Rutkowska said she doesn't like, however, is Microsoft's
    attitude. After the UAC criticisms started making the rounds,
    Microsoft began to stress that UAC is not a hard security boundary,
    like a firewall - rather, it's more of a guidance tool.

    Unfortunately, that attitude means that Microsoft won't consider
    potential avenues of attack to be bugs, Rutkowska pointed out.
    "[Illicitly] elevating from low- to high-level [user privileges] won't
    be considered a security bug," she said - when in fact such escalation
    is a good indication that a machine has been compromised.

    Another feature that protects the system in Vista is Windows Defender,
    included previously as a separate Windows download. Defender detects
    and removes any unwanted application, actively monitoring protected
    areas. The feature is integrated with group policy and thus works with
    Active Directory.


    Another system-protecting feature is Vista's new Windows Firewall,
    which expands on the firewall included in Windows XP SP2 but improves
    on it by offering two-way protection. The earlier version didn't offer
    outbound infection - an omission that meant an infected machine wouldn't
    be stopped from spreading a virus outside of the network.

    The final system protection feature added to Vista is Windows Security
    Center, which checks and displays the status of the Firewall,
    automatic updates, malware protection (Windows Defender) and other
    security settings, including third-party security software such as
    anti-virus programs.



    Tan also criticized Vista's recognition of installation programs,
    which checks compatibility databases, heuristics and a program's
    embedded manifest - which declares to an operating system what it is.
    The potential danger of Vista's handling of installers, Tan said, is
    that all installers run with administrative privileges, have full
    access to the file system and registry, and have the ability to load
    kernel drivers.

    "As soon as you click OK, that application has complete administrative
    capabilities, including downloading and installing rootkits," he
    said.

    Tan also criticized Internet Explorer 7 for its lack of Protected Mode
    in the versions that don't run on Vista. Protected Mode makes the
    browser run in a sandbox - i.e., it has limited read access to system
    components and can't download Trojans or spyware from malicious
    sites.

    eWEEK Labs' Jim Rapoza called Protected Mode "by far the best
    value-add of IE 7+."

    That accounts for new system protection in Vista. As for data
    protection, the new operating system comes with BitLocker Drive
    Encryption - a feature that encrypts the entire Windows volume,
    protecting against data being stolen when a laptop is stolen or lost.
    Tan's only criticism of that feature was that it's available in only
    the Enterprise and Ultimate versions of Vista and is lacking in the
    Business version.

    Other data protection features in Vista include EFS (Encrypting File
    System), used to encrypt files and folders; Rights Management
    Services, used to encrypt files persistently so they can't be e-mailed
    outside of the organization without proper server permissions; and
    Device Control, which enables better management of plug-and-play
    devices such as USB drives.

    Tan also touched on PatchGuard, which locks down the kernel completely
    but also locks out some third-party applications, including anti-virus
    programs. Besides the ire that this drew from security software
    vendors, PatchGuard was actually cracked soon after Vista's
    introduction.

    Other flawed security solutions in Vista include Windows Defender's
    lackluster performance, blocking a mere 47 percent of spyware in
    quick-scan mode in anti-virus testing. OneCare also fell "well short"
    in Virus Bulletin's VB100 test and flunked AV-Comparative's test
    altogether.

    "So Microsoft definitely still has some work to do in those areas,"
    Tan said. Besides all that, a critical remote code execution bug in
    Vista's vector markup language was released on Jan. 9; in testing of
    Vista's strength against legacy exploits, Vista was found to have
    exploits that would survive exploits in every category except
    rootkits; key enhancements to Vista security are only available on 64-
    bit platforms; and you need new hardware platforms to fully support
    Vista, Tan said.

    Cumulatively, it sounds bad, Tan said, but hackers and Tan agreed:
    significant strides have been made in securing Vista. "It's a security
    evolution, not a revolution," Tan said. "Vista is not a security
    solution - it is a more secure version of Windows."





  2. #2


    Jack Splat =(8) Guest

    Re: Can a Rootkit Be Certified for Vista? p2...

    "spamhotmail" <spamhotmail@yahoo.com> wrote in message
    news:1174161141.040706.90590@o5g2000hsb.googlegroups.com...
    > http://www.eweek.com/article2/0,1895,2104464,00.asp


    Already turned it off. When you have to click 4 different approval boxes
    just to add a new folder to your Start menu's program group, that is going
    too far. Microsoft should have allowed you to set what it does and doesn't
    watch. Then it might have been something one could live with.

    =(8)
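Both posts turn on the same question: whether UAC is left on and how it prompts. Rutkowska's point is that an unexpected low-to-high elevation is a compromise indicator, Tan's is that a detected installer runs with full administrative rights, and the reply above describes switching UAC off altogether. The script below is an added example, not code from the eWEEK article or from either poster: it audits the UAC policy values that govern exactly those behaviours so that hosts where UAC has been disabled or weakened can be found. The registry key and value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, EnableInstallerDetection) are Microsoft's UAC policy settings; the expected values are a baseline chosen for this example, not something the article states, and the script assumes PowerShell with the registry provider and read access to HKLM.

```powershell
# Added example, not code from the eWEEK article or from either poster.
# Audits the UAC policy values under the Policies\System key so that hosts
# where UAC has been switched off or weakened (the "already turned it off"
# case) can be spotted. The key and value names are Microsoft's; the
# expected values below are this example's own baseline.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name -> expected setting and what the value controls.
$Baseline = @{
    'EnableLUA'                  = @{ Expected = 1; Meaning = '1 = UAC on, 0 = UAC off (admins get a full token at logon, no prompts)' }
    'ConsentPromptBehaviorAdmin' = @{ Expected = 2; Meaning = 'Admin elevation: 0 = elevate silently, 1 = ask for credentials, 2 = ask for consent' }
    'PromptOnSecureDesktop'      = @{ Expected = 1; Meaning = '1 = prompt on the secure desktop, 0 = prompt on the user desktop' }
    'EnableInstallerDetection'   = @{ Expected = 1; Meaning = '1 = installer heuristics trigger an elevation prompt, 0 = detection off' }
}

function Get-UacAudit {
    param([string]$Key = $PolicyKey)
    # Read every value in the key once; missing values come back as $null.
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual   = $props.$name
        $expected = $Baseline[$name].Expected
        $status = if ($null -eq $actual) { 'MISSING (OS default applies)' }
                  elseif ($actual -eq $expected) { 'OK' }
                  else { 'DEVIATION' }
        New-Object PSObject -Property @{
            Value    = $name
            Actual   = $actual
            Expected = $expected
            Status   = $status
            Meaning  = $Baseline[$name].Meaning
        }
    }
}

# Run the audit and print it. EnableLUA = 0 is the finding that matters most:
# with UAC off there are no consent prompts at all, so nothing stands between
# a clicked installer and full administrative control of the machine. A change
# to EnableLUA only takes effect after a reboot.
$results = Get-UacAudit
$results | Format-Table Value, Actual, Expected, Status -AutoSize
if ($results | Where-Object { $_.Status -eq 'DEVIATION' }) {
    Write-Warning 'UAC policy deviates from the baseline on this host.'
}
```

Run it in an elevated or standard PowerShell session; the key is world-readable, so reading the audit does not itself need elevation. A reported DEVIATION on ConsentPromptBehaviorAdmin = 0 is the "silent elevation" configuration, which removes the consent step Tan describes while leaving UAC nominally enabled, so it is worth flagging separately from EnableLUA = 0 when rolling this up across many machines.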

