Skip to content

Don’t leave the Windows open

Macworld logoI've been running Windows on my Intel Macs for quite a while now--I have Parallels, VMWare Fusion, CrossOver, and Boot Camp installed on two machines. Across all those installations, I've never done anything to protect my Windows installs from viruses and malware, other than using Windows XP Pro's built-in tools: the malicious software removal tool and the firewall. I wanted to see if Windows really was as susceptible to attack as everyone was claiming it was.

pwned

Yes, it was. I wrote about what happened for Macworld, as it was a most eye-opening experience for me--this particular Windows install hadn't done anything more "risky" than surf to a few well-known download sites, looking for some iPhoto-type applications for the PC. If this is the risk a Windows user faces every day if their machine isn't fully armored against outside attacks, I must ask...why do people choose to use this OS on a regular basis? It also made me quite thankful I've never worried about such things in all my years of Mac usage.

6 thoughts on “Don’t leave the Windows open”

  1. >>I’ve never done anything to protect my Windows installs from viruses and malware, other than using Windows XP Pro’s built-in tools: the malicious software removal tool and the firewall.

    You also mentioned you have Service Pack 2, and have Automatic Updates enabled (for what those are worth in malware protection; IMCO Windows "phoning home", via Automatic Updates or otherwise, is inherently a security hole, no matter what data is claimed to be sent or not sent).

    From the article:
    >>I wanted to get a real sense for what a Windows user was up against.

    What a Windows user is up against essentially is down to:

    - network ports left open by default

    - the bundled browser Internet Explorer's security settings set wrong by default (not high enough)

    - the bundled mailer Outlook Express being "a security hole with an e-mail feature": I strongly recommend uninstalling it and using a third-party e-mail client (Eudora, Thunderbird, Pegasus, etc.). Mail clients should send and receive e-mail, not be the all-talking/all-singing/all-dancing universal any-code-executor of the world.

    - Windows Media Player enabled to run unknown code from the Internet by default (change this behavior with SafeXP)

    - unnecessary and/or buggy system services left running by default

    - file extensions hidden by default (including several that have been specially-hidden in the Registry)

    - the default action for Registry files is Merge, and for script files is Open (!!!), rather than Edit (.BAT is a script file)

    - the default folder in which Outlook Express/Windows Mail saves e-mail file attachments is configured by default with NTFS's advanced permission 'Traverse Folder/Execute File' set to Allow, so users can still "accidentally" run unknown executable code arriving in Internet e-mail (what you want is to set that folder to the standard permission 'Modify', except with the advanced permission 'Traverse Folder/Execute File' set to Deny)

    - speaking of enabling users to run unknown executable code in e-mail file attachments, automatic .ZIP-file decompression is enabled by default in XP (disable it)

    - the default setup of Windows installs both Flash and the Windows Scripting Host (see the tree view under "Internet Utilities" and "System Tools & Utilities")

    - CD-ROM autorun enabled by default (see "Sony rootkit")

    - any installed wireless networking defaults to ad-hoc and not access-point-only

    - "Windows Genuine Advantage" in conjunction with Automatic Updates

    In short, a Windows user is up against a whole bunch of things that default Mac OS X does not do. (Please note that the foregoing is not so much a list of bugs as such, nor even of design flaws really, as much as it is a list of mistaken policy decisions.)

    "Actually, Windows is not that insecure, by itself. It's the applications that run on top of it (including the bundled ones) that have the security holes."

    >>Somehow, somewhere, my virtual Windows XP installation had been infected by a member of the rbot family of malicious software.
    >>[...]
    >>Thankfully, as seen in the screenshot, Windows found and removed this hack all by itself.

    But the point is surely that the Malicious Software Removal Tool shouldn't have been necessary. It functions as a band-aid on the real problem: wide-open security holes in Windows.

    >>To be completely honest, I have no idea how my machine got infected. This particular virtual machine hasn’t done much more than surf the net and run some Office applications. I used it to download a dozen or so possible iPhoto competitors (for a comparison piece I was considering writing). I thought I had only downloaded from "safe" sites such as CNet and Tucows, but maybe I accidentally went elsewhere while link hopping and downloaded an infected file (or visited a malicious Web page?).

    Well, on the evidence, Internet Explorer's default security settings are a popular vector for malware, so it's possible.

    >>Or maybe the machine was just sniffed out from the net and attacked remotely--but that seems somewhat unlikely. Windows sharing is off in my virtual machine, and my home network sits behind a router that uses network address translation (NAT) to hide the specific machines’ IP addresses from the net. I really don’t have a clue how my Windows XP install was infected, though.

    The article's link to the Win32/Rbot family lists a number of network ports that Rbot can infect through. The fundamental problem here is that Windows XP leaves a slew of network ports open by default, and this is the reason for the short time a typical default Windows instance has before being 0wn3d.

    Now, some would advise you to just run the built-in Windows Firewall to block ports, and in fact XP SP2 does so by default; the only problems are that it can be disabled programmatically, and that -- in the absence of a need to do LAN-type things -- it's merely another band-aid on the real problem. Therefore, I strongly recommend you eliminate this vulnerability by closing all open network ports. (Here is a GUI tool for closing some of them; TTBOMK there is no GUI tool for closing all of them, although between SafeXP and 'services.msc' you can come pretty close.)

    This way, even if you decide to run a firewall application and it gets penetrated or disabled, the ports themselves are closed and immune to penetration (unless malware starts opening them up by reversing the steps you took manually, which I haven't heard of yet).

    >>So what I have I learned from this? First, I’m glad I’m not a full-time Windows user, where it seems I really would have to worry about this stuff all the time.

    The great tragedy IMO is that Microsoft could have been the security heroes long ago, and saved their customers huge amounts of time and money, by simply emulating what Mac OS X does: ship with all network ports closed, and with either no browser or a properly-secured one. The evidence suggests Microsoft know how to do the latter, so they can't use ignorance as an excuse.

    >>Second, I’m very glad that my virtual machine is a completely self-contained unit, so that anything malicious won’t be able to do something like erase the files it finds on a shared folder. Third and last, I guess I’ll need to go find some good anti-spyware/malware program and install it on my virtual machines, as it seems there really are things out there that can infect my machine--seemingly without any action on my part!

    If you have closed all open network ports, secured the browser, enabled Automatic Updates (but watch out for that changing IE's security settings), and also run the MSRT at startup, then you've already done most of what a good anti-spyware/malware program can do for you: prevention rather than cure. There are a few more things you could do: e.g., uninstall Outlook Express (if you'd planned to use e-mail), and disable a few more of XP's unnecessary system services left running by default; but give securing only ports and browser a try for awhile and see how it goes.

    >>If this is the risk a Windows user faces every day if their machine isn’t fully armored against outside attacks, I must ask...why do people choose to use this OS on a regular basis?

    IMO it's down to price (disregarding hidden costs); ubiquity (leading to network effect); and last but not least, ignorance.

    I'm not sure "choose" is the right word for it -- it's more like "submit to the path of least resistance" ("Oh, it comes with the computer anyway, oh well").

    >>I was using IE7...

    I strongly recommend you immediately raise IE7's security settings. This will cut way down on the likelihood of malicious Web pages running unknown code. (I also recommend you disable IE7's Phishing Filter, which "phones home".)

    If you run Windows in emulation or VMs, then you deserve to know all this, so that you aren't burdened with the problems experienced every day by tens of millions of native-Windows users. I can't reach the millions, but perhaps I can reach a savvy few who 'get it'. Correct Microsoft's mistaken default-policy decisions -- i.e., emulate Mac OS X's default policies -- and Windows suddenly becomes a much-tougher nut to crack; you have nothing to lose by trying it but security holes and malware infections.

  2. Rob,

    Re my non-approved comment of seven days ago:

    Am I drawing the correct inference: that the naïve commenter who offers to Mac users running Windows some free help for that platform's security problems is just wasting his time and shouldn't bother?

  3. Mark:

    Sorry, but I never saw the comment. Spam Karma 2 trapped it as spam, and I only see a summary report ("30 spam comments trapped today.") There are typically so many caught each day that I don't have the time to review them all, so yours was sitting there in the trap.

    I have approved it, and it's now posted above, as you can see.

    Sorry (spammers suck!).

    -rob.

Comments are closed.