From: Richard M. Smith [rms@ComputerBytesMan.com]
Sent: Thursday, January 17, 2002
To: Bill Gates [email@example.com]
Subject: Security issues in Microsoft desktop products
I just got your Jan. 15th memo on Trustworthy Computing. There is lots of good stuff in it. I think it made all of the right points.
Because I've spent the last 3+ years looking at client-side security and privacy problems in desktop software (email readers, Web browsers, Word, etc.), I thought it might be useful to put together a list of problems that I am aware of in Microsoft products. I am hoping that now is a good time to get the problems into the queue in order to get them fixed as part of the Trustworthy Computing initiative.
Here's my list:
- File sharing in Windows is seriously broken. If I share a disk drive under Windows it should only be available on my LAN, not the entire Internet. I can't see why a drive should ever be available to everyone on the Internet, but that's how Windows works today.
- For us laptop users, there's got to be a method of easily telling Windows to only share a disk drive on a particular LAN. Last year, I was giving a talk at a university on cybercrime and privacy and my laptop was connected to the Internet for live demos. Ironically, someone logged into my drive C: and started poking around on my hard drive during my talk. I want my drive C: to be shared at home, but not when I take my laptop on the road. Windows needs to have some sort of option to make this possible.
- The Windows Scripting Host and HTML application (.HTA files) support should be turned off by default in Windows when a computer ships from the factory. These two features make it far too easy to distribute plain-text computer viruses. The joke I like to tell at security presentations is that the only time most people have ever used the Windows Scripting Host is to run email viruses like ILOVEYOU.
- Security in 802.11b wireless networking is less than optimum. Security decisions really shouldn't be left up to chip companies. Microsoft needs to take the lead on this issue and get proper security built into Windows for wireless networking. In addition, Microsoft needs to push the hardware makers to incorporate proper security systems in wireless access points, routers, bridges, etc.
- Getting security patches from Microsoft is too complicated in general. There needs to be one Web site that customers can go to which fixes security problems in all Microsoft products.
Outlook and Outlook Express Issues
- The Outlook 2000 security patch is a great idea for stopping email worms. However, not all Outlook users appear to know about the patch. Microsoft needs to do a much better job at marketing this patch and making it easier to download and install. Wired.com covered this issue back in December (http://www.wired.com/news/technology/0,1282,48756,00.html).
- In Outlook Express 6, there is an option to automatically delete executable files which come in as attached files to email messages. However, the option is turned off by default. The default should be "on" just like it is in Outlook 2002. Hotmail should also be removing all attached executable files from email messages.
- A patch needs to be made available for older versions of Outlook Express that provides the new security features of Outlook Express 6. If this is too hard, then Microsoft needs to run a marketing campaign targeted at Outlook Express users to get them to upgrade to version 6.
- There should be an easy-to-use option in all Microsoft email readers (Outlook, Outlook Express, and Hotmail) to automatically convert HTML email messages to plain text messages before they are displayed. This option doesn't need to be on by default, but for concerned folks this option would automatically guard against future HTML-related security holes. An interesting side note here is that the Mac Entourage email reader from Microsoft has this feature. A number of us have always wondered why Mac users get better security features from Microsoft than Windows users!
- Cookies should be disabled in HTML email messages to prevent snooping by Internet marketing companies. Here's a URL that explains the reasons: http://www.computerbytesman.com/privacy/cookleak.htm.
- Another good option to have in an HTML email reader is the ability to turn off the loading of external images. Entourage for the Mac has the option, but Outlook and Outlook Express for Windows do not.
Internet Explorer Issues
- Microsoft should work with the Internet marketing industry to phase out the use of third-party cookies which have been considered by many people as a security hole.
- The new cookie control features in IE6 are fine for advanced users, but too complicated for the average user to understand. I think a better approach is to add a simple cookie tosser to IE that deletes all cookies once a day. This feature will eliminate many of the privacy concerns with cookies without requiring Web sites to completely stop using cookies. For remembering logins at Web sites like Hotmail, Expedia, Yahoo, WSJ, etc., IE could have a simple interface to allow Web sites selected by a user to be protected from the cookie tosser.
- Before Web sites and Internet marketing companies start using SuperCookies, Microsoft should remove this "feature" from the Windows Media Player. Here's a description of the problem: http://www.computerbytesman.com/privacy/supercookie.htm
- Many people I talk with would like to turn off ActiveX controls on Web pages because of security concerns. However, it really is hard to do in Internet Explorer. The problem is that when people disable ActiveX they are then bombarded with warning messages saying that Web pages cannot be displayed correctly. The only way to get rid of these annoying messages is to turn ActiveX controls back on. Many people I've spoken to are left with the impression that Microsoft is attempting to force people to keep ActiveX turned on.
- Another ActiveX bug is the problem of bullying at Web sites. If a Web site attempts to download an ActiveX control, a person can always say no. However, if one returns to the same Web page, a Web site can redownload the same control and a user is asked again if they want the control or not. A Web site can do this forever until a person is beaten into submission and accepts the control. Internet Explorer needs to be changed so that if a user answers "No" on a particular control, it won't be downloaded ever again. To see how bad this problem can be, try uninstalling the Macromedia Flash ActiveX control and then watch all of the Web sites that attempt to reinstall it.
- An even better solution to ActiveX download issues is to make downloads be "opt-in" instead of "opt-out". That is, a user must push a button on a Web page to initiate the download of an ActiveX control. A Web site is not allowed to initiate the download on its own. Many Web sites already do the "opt-in" method. However, far too many Web sites resort to "drive-by-downloads" which require a user to "opt-out".
- The typical Windows system ships today with between 100 to 200 ActiveX controls which are marked safe for scripting. Many of these ActiveX controls come from Microsoft. Some also come from computer manufacturers and others are installed by computer applications. Many of these controls have never had proper security audits and probably suffer from security problems like buffer overflows, crash bugs, and unsafe methods. A Microsoft team should be put together to look at this one issue. I wrote about this "accidental Trojan horse" problem back in 1999: http://www.computerbytesman.com/acctroj/index.htm. Unfortunately, like other security issues, this problem seems to be getting worse, not better.
- A related ActiveX issue is that it is difficult to determine for a particular system what "safe for scripting" ActiveX controls are installed on the system. There needs to be a simple auditing tool from Microsoft that can produce this list.
- Microsoft needs to have an enforcement mechanism for violations of the Authenticode license agreement. Too many ActiveX controls with Authenticode certificates have been shipped with Trojan horse-like capabilities in violation of the Authenticode license agreement. Yet there is no method of getting software developers to live up to the promises that they made when they signed the Authenticode licensing agreement.
- All ActiveX controls which are marked safe for scripting should be required by Internet Explorer to have an Authenticode certificate, not just controls downloaded from the Internet. Far too many ActiveX controls are installed on computers by software applications that have severe security holes in them and are marked safe for scripting. By requiring an Authenticode certificate, ActiveX vendors would be required to do security checking before releasing their controls.
- The about: protocol has been a continuing source of security holes and is of very little use on Web pages. To guard against future problems, all uses of the about: protocol should be treated as about:blank by Internet Explorer.
- The rules about cross-domain referencing should be tightened up in Internet Explorer so that an email message or Web page can never access objects from the local hard disk using the file: or res: protocol. This change should eliminate many security holes which allow an attacker to read private files from the hard drive. Objects that should be disallowed include images, script files, frames, and XML files.
- To prevent data spills (http://www.computerbytesman.com/privacy/banads.htm) where one Web site gives away personal information to another Web site, the rules about the handling of referring URLs should be tightened. In particular, a referring URL should be included in the HTTP GET request for an embedded object only if the object comes from the same domain as the Web page it is located on.
- Georgi Guninski is the number one bug finder for Internet Explorer security holes. Some of the security holes that he has found have never been fixed. The IE team needs to do a complete review of his bug list to make sure everything has been taken care of. He's got online demos of the problems he has found at this URL: http://www.guninski.com/browsers.html
- The USERDATA feature for storing data client-side has a host of security and privacy problems and probably should be eliminated. Cookies are bad enough, let's not make the situation any worse. The most basic problem is that the feature allows Web sites to bypass all of the cookie and P3P controls in Internet Explorer.
- Word really needs an option to completely turn off macros. The requirement for digitally signed macros which was introduced in Word 2000 has gone a long way at stopping macro viruses. However, there have been a number of security holes found in Word which still allow unsigned macros to be executed from a Word document. For paranoid folks like myself who never use macros, we would like to be able to turn them off completely.
- There appears to be a lot of people still running Word 97. Can the security fixes that were introduced in Word 2000 be made available also to these folks?
- The revision log which shows the last 10 people who have edited a Word document should be removed. Here's a funny example that shows why this log can be a problem: http://www.computerbytesman.com/privacy/msftar99.htm.
- Can something be done about Web bugs in Word documents? For more information about this issue, see: http://www.privacyfoundation.org/privacywatch/report.asp?id=39&action=0.
Best of luck,
Richard M. Smith
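The two Internet Explorer rules proposed in the e-mail for embedded objects (no file: or res: access from content that came off the network, and a Referer sent only to same-domain objects) can be expressed as a single fetch-policy decision. The following is an added example, not code from the e-mail or from any Microsoft product; it assumes "same domain" means the hostname with a leading "www." ignored (a real browser would consult a public-suffix list) and treats an HTML e-mail like any other page loaded from the network.

```javascript
// Added example: a decision function for embedding an object in a page.
// Inputs are the URL of the page (or HTML e-mail) doing the embedding and the
// URL of the object (image, script, frame, XML file) it wants to load.
// Output: whether the load is allowed, and which Referer (if any) to send.

const LOCAL_SCHEMES = new Set(["file:", "res:"]);

// Assumption for this demo: "domain" is the lower-cased hostname with a
// leading "www." stripped, so www.example.com and example.com match.
function domainOf(url) {
  return url.hostname.toLowerCase().replace(/^www\./, "");
}

function embeddedObjectPolicy(pageUrl, objectUrl) {
  const page = new URL(pageUrl);
  const object = new URL(objectUrl, page); // resolves relative object URLs

  // Rule 1: a page fetched over the network (anything that is not itself
  // file:/res:) must never reach the local disk through file: or res:.
  if (LOCAL_SCHEMES.has(object.protocol) && !LOCAL_SCHEMES.has(page.protocol)) {
    return {
      allowed: false,
      referer: null,
      reason: "cross-domain access to " + object.protocol + " blocked",
    };
  }

  // Rule 2: only an object from the page's own domain learns which page
  // (including its query string) embedded it; third parties get no Referer.
  const sameDomain = domainOf(page) === domainOf(object);
  return {
    allowed: true,
    referer: sameDomain ? page.href : null,
    reason: sameDomain ? "same domain: Referer sent" : "third-party object: Referer suppressed",
  };
}

// Constructed sample inputs (not real sites): a page carrying a user name in
// its query string embeds a first-party logo, a third-party banner, and a
// local file.
const SAMPLE_PAGE = "http://www.example.com/account.html?user=rms";
for (const obj of ["/logo.gif", "http://ads.adnetwork.test/banner.gif", "file:///C:/private.txt"]) {
  const d = embeddedObjectPolicy(SAMPLE_PAGE, obj);
  console.log(obj, "->", d.allowed ? "allowed" : "blocked", "|", d.reason);
}
```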