
Can Windows play nicely in a sandbox?

Jim Reavis
Network World on Security, 09/15/99

This has definitely not been the summer of love for those dealing with Microsoft-related security issues. Security problems seem to appear at every corner, often allowing malicious programs to be invoked without any further operating system check.

A major difference between Microsoft Windows operating systems and other alternatives is the ability of Windows to automatically download and execute programs in one easy step. This seamless integration works when clicking on a program from a large variety of source locations (Internet Web sites, e-mail messages, internal file servers and removable media) and covers executables, MS Office documents, ActiveX controls and Java applets.

Pretty basic stuff. But the simplicity of integration offered to end users is now causing a world of problems, which will only get worse. Now we must ask ourselves, is there a way out?

There are a few different approaches to protecting Windows systems from malicious executables. Each of these solutions focuses on one piece of the problem. Virus scanning will prevent execution of programs that fit a pattern of known malicious code, but this is just playing catch-up with the bad guys. If you are unfortunate enough to download a virus in its first few days of existence, you are usually in big trouble. Virus development toolkits are available in the underground, giving crackers the ability to create polymorphic viruses, changed just enough to escape detection by a virus scanner.

Other content management solutions seek to stop malicious code in the browser context, by watching for downloads and stopping the execution of introduced code. Popular browsers themselves can be set with a restrictive security profile, to prevent the execution of ActiveX controls, or to disable Java or JavaScript. Unfortunately, disabling rich content for users often makes critical Web sites unusable.

Still other solutions for the problems that have plagued Windows attempt to catch viruses and other forms of malicious code at Internet and mail gateways. These solutions, while often very practical for catching a lot of the known problems today, lull IT managers into a false sense of total systems security, because they offer protection at the perimeter, which will not necessarily be the major source of malicious code in the future. Inside jobs, particularly in high-stakes security breaches, will be the norm.

When considering what you will need to run Windows securely in the future, you need to assume that malicious code will find its target. By dynamically changing the signatures of malicious code, social engineering an inside job, or any number of other means, bad software will find the opportunity to be executed on the user's workstation. Part of the answer may be to build the capability for Windows to sandbox applications.

Sandboxing means preventing applications from accessing key resources and causing damage. The sandbox protection could stop a program when it tries to perform specific flagged tasks, such as writing to the registry, deleting files or sending e-mail messages.

Sandboxing is a familiar concept to Java application developers. A Java application cannot access resources outside of its execution environment, such as directly accessing the hard drive. However, it is completely unrealistic to change all of the legacy Windows applications and development tools. Instead, low-level solutions must be employed to intercept application requests for undesirable actions. Applications can be wrapped by a program that interrogates a policy database to determine whether the application is exhibiting undesirable behavior. Applications that try to violate a policy, such as by deleting files, can be terminated. An analogy from the Unix world is TCP_wrappers, a package that intercepts activity and enforces policies for network daemons. TCP_wrappers can, for example, stop an FTP request from an unauthorized network address by intercepting requests intended for the FTP daemon and checking them against a policy file.

Sandboxing for Windows on a fairly generic device driver level could prove to be a real boon to the fight against malicious code, particularly if it can be integrated with centralized real-time policy databases. A restrictive policy could proactively stop many unknown viruses. If a new virus that is slipping through the policy settings is discovered, the settings can be modified, essentially giving administrators the ability to create their own virus definition in real time.

Sandboxing is not a replacement for existing virus protection, but rather a complementary function that adds more restrictive policies and can potentially catch additional attacks. Antivirus signature files by definition allow everything except that which is explicitly denied, which is the opposite of what most corporate security policies try to prescribe. Sandboxing, combined with wise policies, can provide the capability to prohibit the unknown, rather than always trusting it. If we can get Windows to play nicely in a sandbox, we all might be able to enjoy recess more.
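The wrapper-and-policy-database idea described above, sketched as an added example (it is not from the original article or from any product it mentions). The `Rule` and `PolicyDB` names, the program names, the paths and the request trace are all hypothetical and constructed for illustration; the code models the policy decision only, not the driver-level interception.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Rule:
    app: str      # glob on the requesting program's name
    action: str   # flagged operation, e.g. "registry_write"
    target: str   # glob on the resource being touched
    allow: bool

class PolicyDB:
    """Hypothetical central policy store: first match wins, no match = deny."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, app, action, target):
        for r in self.rules:
            if (fnmatchcase(app, r.app) and action == r.action
                    and fnmatchcase(target, r.target)):
                return r.allow
        return False  # default deny: unknown behaviour is prohibited

    def prepend(self, rule):
        self.rules.insert(0, rule)  # real-time tightening by an administrator

def signature_allows(app, known_bad):
    """Antivirus model: everything runs unless explicitly listed."""
    return app not in known_bad

def run_wrapped(app, requests, policy):
    """Replay intercepted requests; stop at the first violation (terminate)."""
    done = []
    for action, target in requests:
        if not policy.decide(app, action, target):
            return done, (action, target)
        done.append((action, target))
    return done, None

# Constructed policy and constructed request trace, for illustration only.
POLICY = PolicyDB([
    Rule("outlook.exe", "send_mail", "*", True),
    Rule("winword.exe", "file_write", r"c:\docs\*", True),
    Rule("*", "file_delete", r"c:\temp\*", True),
])
TRACE = [("file_delete", r"c:\temp\a.tmp"),
         ("registry_write", r"hklm\software\example")]

if __name__ == "__main__":
    # The signature list passes the unknown program; the wrapper stops it.
    print(signature_allows("unknown.exe", {"oldvirus.exe"}),
          run_wrapped("unknown.exe", TRACE, POLICY))
```

Prepending a deny rule such as `Rule("*", "file_delete", "*", False)` makes the same trace stop at its first request, which is the real-time policy change the article describes.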

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.

RELATED LINKS

Finjan Software offers breakthrough security technology to "sandbox" risky executable files

Content Technologies' "What is Content Security?"

Java Security FAQ

Archive of Network World on Security newsletters


Copyright, 1994-2006 Network World, Inc. All rights reserved.