Posted by Corrine in Security
Both Ed Bott of Ed Bott’s Windows Expertise and Robert McLaws of Windows Now have had their turn this week being upset with what, in my book, can be construed as sensationalism, irresponsible journalism, Microsoft bashing, or a combination of all three. (See Ed’s remarks here and here and Robert’s here and here.)
Now it is my turn.
In the hope of educating as many people as possible, I have been following and reporting on the latest “Storm” worm as it has evolved from the first reports by F-Secure. While checking headlines in my RSS feeds, I spotted “Storm” Trojan Hits 1.6 Million PCs; Vista May Be Vulnerable and followed the link to Information Week to read the article.
I hoped that I would cool off by not commenting on the article after reading it yesterday or have a different perspective today. If anything, it is just the opposite.
First, a couple of quotations from the InformationWeek article:
“Microsoft’s soon-to-release-to-consumers Vista, however, does appear at risk, added Symantec Tuesday. ‘It appears most if not all variants could execute on Vista,’ the spokesman said. ‘The only way the Trojan would be unsuccessful is if somehow Vista is able to detect/prohibit the e-mail. This seems unlikely.'”
Now my comments:
Let’s start with the story headline which includes “Vista may be Vulnerable”. This story is about a nasty trojan but it appears the only way to get attention by journalists these days is including the name “Microsoft” or “Vista” in the title.
The next mention of Windows Vista is in the beginning of the article which includes the statement that “it appears Windows Vista . . . is vulnerable. . .” Yet, neither there nor anyplace else in the article does the author provide any indication whatsoever of how or why Windows Vista may be vulnerable to this trojan, distributed as an attachment in emails.
Now we move to the end of the article where the next mention of Microsoft and Vista appear, this as a quotation attributed to a Symantec spokesman in which the spokesman made an ridiculous statement referring to the operating system deleting or prohibiting the email.
That is right, the Symantec spokesman is suggesting that the operating system, not the anti-virus software, should be deleting/prohibiting trojans. (Didn’t I read somewhere that Symantec was one of the companies complaining that Windows Vista has too many restrictions?)
Other than the ridiculousness of the Symantec representative’s statement, why do I find that quotation and the earlier innuendos irresponsible? It is this simple: The “Storm” worm is propagated as an attachment to spam emails. Assuming the email gets past the user’s email filters, it requires user intervention to open the email and to then click open the attachment.
By the author’s own admission:
“Anti-virus companies have updated their signature databases with fingerprints that identify and then delete (or quarantine) the Trojan as it arrives. Other defensive advice includes filtering traffic on UDP ports 4000 and 7871, update anti-spam products, and configure mail gateways to strip out all executable attachments.”
So, for the trojan to reach the user, there must be a situation where the user and the ISP have no email filter and the user allows executables in their email program (or clicks on the .exe attachment in webmail). Since A/V companies have updated their databases, we then must presume that the user either does not have an anti-virus software installed or it is not up to date.
Remember, the article author and Symantec spokesman indicate that Windows Vista may be vulnerable. Thus, they must also have forgotten to indicate that the trojan having by-passed email filters and anti-virus software, the user has Vista user “administrator-like” UAC (User Access Control) authority in order to allow the executable to run. We would further have to assume that the user does not have any real-time protection (i.e., Windows Defender, AVG Guard, Ad-Watch, WinPatrol, and the like). Thus, a Windows Vista computer can be infected. However, that does not make Vista vulnerable. It means that the computer own/operator is responsible.
I would strongly suggest that both Gregg Keizer and his Symantec spokesman head over to the Windows Vista Blog and read Jim Allchin’s excellent presentation of “Security Features vs. Convenience“, noting in particular the bold text in the following quotation:
“. . . we created a mode of UAC called admin approval mode. In this mode (which is on by default for all members of the local administrators group), every user with administrator privileges runs normally as a standard user; but when an application or the system needs to do something that requires administrator permissions, the user is prompted to approve the task explicitly. Unlike the “super user on” function from UNIX that leaves the process elevated until the user explicitly turns it off, admin approval mode enables administrator privileges for just the task that was approved, automatically returning the user to standard user when the task is completed.”
I hope everyone takes the time to read the above article by Jim Allchin and realizes that articles like the one in InformationWeek and those that Ed Bott and Robert McLaws referred to have a purpose — sensationalism and as Ed states, “fact-free journalism”.