Thinking Outside The (Windows) Box, Part I

Over the past decade, Microsoft Windows has grown from a focused operating system into a desktop swiss army knife. Kick-start any new Windows PC and you’ll find a web browser (Internet Explorer), e-mail client (Outlook Express), and personal firewall (Windows Firewall). While these default applications simplify computing for end users, they are not always revered by network administrators. Internet Explorer and Outlook routinely make the SANS Top 20 list of Internet Security Vulnerabilities. As a result, many administrators are now taking a hard look at other alternatives.

Exploring other options

Microsoft went to court to defend its right to install Internet Explorer (IE) on every Windows desktop. But code bloat, complexity, and security vulnerabilities have crippled IE in a way that the US Justice Department could not. According to the SANS (SysAdmin, Audit, Network, Security) Institute:

“Internet Explorer contains multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts. The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious webpage or reads an e-mail. Exploit code for many of the critical Internet Explorer flaws are publicly available. These flaws have been widely exploited to install spyware, adware and other malware on users’ systems… In many cases, no patch was available at the time the vulnerabilities were publicly disclosed.”

To reduce these concerns, SANS strongly recommends upgrading Windows PCs to Service Pack 2. This long-awaited update included numerous security patches, including an IE Pop-Up blocker, an Add-On Manager, and many explicit download warnings. For additional detail, see What’s New for Internet Explorer and Outlook Express. If you cannot upgrade to SP2 immediately, SANS recommends that you stop using IE and move to an alternative browser.

In fact, IE’s security woes have created a healthy demand for alternative browsers. In Part 2 of this series, we will explore several popular freely-available web browsers. Changing browsers can help you avoid IE bugs, old and new. For example, Browser Helper Objects (BHOs)—add-on programs executed along with IE—are frequently exploited to install hidden spyware and adware programs. Using an alternative browser can eliminate this BHO threat. IE ActiveX Controls or Active Scripting are also common attack vectors. Using another browser that lacks ActiveX support can effectively neutralize these attacks.

On the other hand, there are many websites that depend on these and other IE features (like Microsoft proprietary HTML tags) for data presentation and user interaction. Moving to another browser can inhibit your ability to use websites that were designed for (or tested only with) IE. To address this issue, many users still keep IE around for emergencies, when they really must access a website that requires IE-specific features intentionally omitted from alternative browsers.

Security is one big reason for using an alternative browser. Although SP2 is widely acknowledged as a significant security improvement for IE, its security model is still complex and intrusive. End users are constantly presented with security decisions, but lack the information or motivation to make sound choices. Too many of us routinely click “Ok” or “Accept” when prompted to continue a web connect or download request.

Furthermore, Microsoft has a big target painted on its back. Attackers have already started picking apart alternative browsers, as, for example, this Top 20 entry shows. But there is no reason to expect that new exploits against IE will diminish. And so the game will continue: exploit, patch, exploit, patch, ad infinitum. Even with automated updates, patching is time-consuming and cannot eliminate “zero day” vulnerabilities—exploits for which no fix is already known. On the other hand, deploying an alternative browser to every desktop requires both patch management AND software distribution, so don’t overlook these administrative costs.

Finally, there other good reasons why alternative browsers are rapidly gaining favor. Many have capitalized upon common IE complaints, turning them into opportunities for improvement. Alternative browsers can be smaller, simpler, and faster than IE. They can require (and allow) less end user configuration. They may offer more user-friendly features like tabbed browsing and mouse gestures. Part 2 of this series will take a closer look at features that contribute to the popularity of other freely-available browsers.

Changing your Outlook

Browsers and e-mail clients go together like toast and jam. Outlook Express has been installed by default on every PC since Windows 95; full-blown Outlook is packaged with Microsoft Office. These programs may be less closely tied to Windows than IE, but at #4 on the SANS Top 20, they are compromised nearly as often.

For example, an Outlook Express remote code execution vulnerability was documented in June 2005, letting a malicious newsgroup server take complete control of a user’s PC. In February 2005, an OLE and COM vulnerability was found in many Microsoft Office products, including Outlook 2003. Due to the way those products access memory using COM structures, a privilege elevation loophole let any user to take complete control of the system. In late 2004, a buffer overrun vulnerability in JPEG image processing was found to allow remote code execution and complete take-over of PCs running Outlook 2003 and many other Microsoft products.

Beyond code bugs, Outlook is perhaps best known for its propensity to spread mass mail worms. Melissa and ILoveYou worms are Outlook oldies-but-goodies. Bubbleboy, the first worm spread by e-mail without opening an attachment, exploited the Outlook preview panel to run whenever users viewed an infected message. The now-infamous Nimda worm exploited Outlook’s MIME attachments and integrated address book. And the list goes on. To date, hundreds of worms have exploited the tight integration between IE, Outlook, and associated Personal Information Manager (PIM) data.

To deter these attacks, many administrators began to disable dangerous Outlook features like ActiveX Controls and Visual Basic Scripting as far back as the year 2000. More recently, XP SP2 included several Outlook Express security updates: treating e-mail as a restricted zone by default, warning users about suspicious attachments, and blocking embedded image display in HTML-formatted e-mail from unknown sources. To learn about these Outlook security and “anti-spam” patches, read this Microsoft bulletin.

Outlook is by far the most commonly-used e-mail client. As such, it will continue to attract considerable attention from malware writers. Clearly, one tactic to side-step Outlook attacks is to use an alternative e-mail client. For example, using another e-mail client would not have prevented you from receiving Nimda, but it could have prevented you from propagating Nimda by sending it to everyone in your address book.

This approach is hardly new; I myself have used an alternative e-mail client for years. But many businesses are heavily invested in Outlook and its extensive integration with other Microsoft Office products (e.g., Word, PowerPoint, Excel, Project, Access), as well as Exchange, Microsoft’s messaging server, and Outlook Web Access, the browser client interface to Exchange. As a result, for most large enterprises, adopting an alternative e-mail client may not be palatable.

On the other hand, alternative e-mail clients can be very attractive to small businesses and residential users—particularly those who just need a reliable, safe POP3 or IMAP client to retrieve messages from ISP-hosted mailboxes. Beyond avoiding Outlook exploits, alternative e-mail clients offer value-added features like simpler users interfaces, junk and phishing e-mail filtering, integrated virus protection, and Secure MIME or PGP plug-ins. Part 3 of this series will introduce several freely-available e-mail clients and illustrate why so many people prefer using them instead of Outlook Express.

Getting fired up

The only real surprise about the Windows Firewall is how long Microsoft waited to add this fundamental Internet security measure to the operating system. Until XP SP2, Windows users had no choice but to depend on third-party firewalls or risk exposure to the big bad Internet.

A new host connected to the Internet will be probed by port scans within hours. Using the Internet without a firewall was always unsafe, but broadband and wireless have heightened the risk. In a July 2005 Pew Charitable Trust Spyware report [.pdf], broadband users were more likely than dial-up users to report that a new program they did not install appeared on their computer. According to Pew, “The faster the connection, the greater the chance for unwanted software to sneak onto a machine.”

Desktop firewalls defend hosts from network attacks, like remote access to fileshares, spyware and adware “phone home” sessions that expose data, worms that propagate over the Internet, and trojans that let attackers take control from afar. Firewall programs fall into two camps: enterprise endpoint security suites and personal firewalls. Enterprise suites combine several security programs (including firewall) under one centrally-managed umbrella. Personal firewalls are designed for installation and configuration by residential users, home offices, and small businesses.

The SP2 Windows Firewall is one example of a personal firewall. Other commercial examples include Norton Personal Firewall, McAfee Personal Firewall Plus, and BlackICE PC Protection (to name just a few). In Part 4 of this series, we will examine several alternative personal firewalls that are freely-available for individual use.

Why use another personal firewall instead of the new Windows Firewall? For starters, you may need a firewall that supports non-XP PCs, or does not force everyone to upgrade to SP2. If you’re an ISP, hotspot operator, or school network administrator, you’re probably not in a position to mandate client operating systems. Note that we also did not discuss changing your OS to avoid IE or Outlook bugs. Running desktop Linux may be attractive for power users, but the goal of this series is to find freely-available alternatives that the average consumer can easily substitute for default applications on Windows PCs.

Those running XP SP2 should still seriously consider an alternative personal firewall. Microsoft is relatively new to this market, and the Windows Firewall is not as full-featured as many other personal firewalls. For example:

• The Windows Firewall blocks unauthorized inbound connections; this can help evade detection by portscans and deny remote connections aimed at backdoor trojans.
• However, the Windows Firewall does not block the outbound connections so often initiated by spyware, worms, DoS zombies, and blended threats.
• It does not permit Internet use only by trusted programs, or verify the integrity of those programs to prevent application spoofing.
• While the Windows Firewall permits exceptions, they are not as granular as many other personal firewalls, making it harder to accomplish goals like selective filesharing in a mixed-trust network.
• Windows Firewall policies can be tampered with through Registry modification (see CVE-2005-2765) and programmatically disabled through WMI, enabling bypass by malware that exploits a privilege escalation bug.

Broadband router firewalls and integrated desktop firewall services (e.g., AOL firewall) have impacted demand for stand-alone personal firewalls. Entry-level routers are rarely robust when it comes to firewalling—their usual default (allow everything out, block everything in) is like the Windows Firewall. Large providers like AOL, Comcast, and Earthlink can add commercial firewall software to their client packages. Regional ISPs who cannot afford that should still recommend personal firewalls to SOHO customers. Part 4 of this series will enumerate several personal firewalls that just might fit the bill.

Stay tuned…Whether you go with an alternative browser, e-mail client, or personal firewall, or you decide to stick with Microsoft Internet Explorer, Outlook, or Windows Firewall, considering your options is never a bad idea. In this introduction, we focused on security risks associated with these embedded Windows applications. To be sure, alternative programs have their own security risks—and deployment and helpdesk costs. But there are many alternatives out there, and we hope that this series helps you to understand what’s available and why you might choose to use them. Coming soon:

• Part 2: Free Windows Web Browsers
• Part 3: Free Windows E-mail Clients
• Part 4: Free Windows Personal Firewalls

This article was first published on ISP-Planet.com.