Chris Pirillo’s annoyed by the Windows Firewall prompt


Yesterday, Chris Pirillo made a comment in one of his posts:

And if you think you’re already completely protected in Windows with its default tools, think again. This morning, after months of regular Firefox use, I get this security warning from the Windows Vista Firewall. Again, this was far from the first time I had used Firefox on this installation of Windows. Not only is the dialog ambiguous, it’s here too late.

I replied in a comment on his blog:

The reason that the Windows firewall hasn’t warned you about FF’s accessing the net is that up until this morning, all of its attempts have been outbound. But for some reason, this morning, it decided that it wanted to receive data from the internet.

The firewall is doing exactly what it’s supposed to do – it’s stopping FF from listening for an inbound connection (which a web browser probably shouldn’t do) and it’s asking you if it’s ok.

Why has your copy of firefox suddenly decided to start receiving data over the net when you didn’t ask it to?

Chris responded in email:

Because I started to play XM Radio?  *shrug*

My response to him (which I realized could be a post in itself – for some reason, whenever I respond to Chris in email, I end up writing many hundred word essays):

Could be – so in this case, the firewall is telling you (correctly) exactly what happened.

That’s what firewalls do.

Firefox HAS the ability to open the ports it needs when it installs, as does whatever plugin you’re using to play XM radio (I documented the APIs for doing that on my blog about 3 years ago; the current versions of the APIs are easier to use than the ones I used), but for whatever reason it CHOSE not to do so and instead decided that the correct user experience was to prompt the user when downloading.

This was a choice made by the developers of Firefox and/or the developer of the XM radio plugin – either by design, ignorance, schedule pressure or just plain laziness, I honestly don’t know (btw, if you’re using the WMP FF plugin to play from XM, my comment still stands – I don’t know if this was a conscious decision or not).

Blaming the firewall (or Vista) for this is pointless (with a caveat below).

The point of the firewall is to alert you that an application is using the internet in a way that’s unexpected and ask you if it makes sense. You, the user, know that you’ve started playing audio from XM, so you, the user, expect that it’s reasonable for Firefox to start receiving traffic from the internet. But the firewall can’t know what you did (and if it were able to figure it out, the system would be so hideously slow that you’d be ranting on and on about how performance sucks).

Every time someone opens an inbound port in the firewall, they add another opportunity for malware to attack their system. The firewall is just letting the user know about it. And maybe, just maybe, the behavior that’s being described might get the user to realize that malware has infected their machine and they’ll repair it.

In your case, the system was doing you a favor. It was a false positive, yes, but that’s because you’re a reasonably intelligent person. My wife does ad-hoc tech support for a friend who isn’t, and the anti-malware stuff in Windows (particularly Windows Defender) has saved the friend’s bacon at least three times this year alone.

On the other hand, you DO have a valid point: The dialog that was displayed by the firewall didn’t give you enough information about what was happening.  I believe that this is because you were operating under the belief that the Windows firewall was both an inbound and outbound firewall.  The Windows Vista firewall IS both, but by default it’s set to allow all outbound connections (you need to configure it to block outbound connections).  If you were operating under the impression that it was an outbound firewall, you’d expect it to prompt for outbound connections.

People HATE outbound firewalls because of the exact same reason you’re complaining – they constantly ask people “Are you sure you want to do that?” (Yes, dagnabbit, I WANT to let Firefox access the internet, are you stupid or something?).

IMHO outbound firewalls are 100% security theater[1][2]. They provide absolutely no value to customers. This has been shown time and time again (remember my comment above about applications being able to punch holes in the firewall? Malware can do the exact same thing). The only thing an outbound firewall does is piss off customers. If the Windows firewall were enabled to block outbound connections by default, I guarantee you that within minutes of that release, the malware authors would simply add code to their tools to disable it.  Even if you were to somehow figure out how to block the malware from opening up outbound ports[3], the malware will simply hijack a process running in the context of the user that’s allowed to access the web. Say… Firefox. This isn’t a Windows-specific issue, btw – every other OS available has exactly the same issue (malware being able to inject itself into processes running in the same security context as the user running the malware).

Inbound firewalls have very real security value, as do external dedicated firewalls. I honestly believe that the main reason you’ve NOT seen any internet worms since 2002 is simply because XP SP2 enabled the firewall by default. There certainly have been vulnerabilities found in Windows and other products that had the ability to be turned into a worm – the fact that nobody has managed to successfully weaponize them is a testament to the excellent work done in XP SP2.

[1] I’m slightly overexaggerating here – there is one way in which outbound firewalls provide some level of value, and that’s as a defense-in-depth measure (like ASLR or heap randomization). For instance, in Vista, every built-in service (and 3rd party services if they want to take the time to opt-in) defines a set of rules which describes the networking behaviors of the service (I accept inbound connections on UDP from port <foo>, and make outbound connections to port <bar>). The firewall is pre-configured with those rules and will block any network access by those services that the rules don’t describe. The outbound firewall rules make it much harder for a piece of malware to make outbound connections (especially if the service is running in a restricted account like NetworkService or LocalService). It is important to realize this is JUST a defense-in-depth measure and CAN be worked around (like all other defense-in-depth measures).

[2] Others disagree with me on this point – for example, Thomas Ptacek over at Matasano wrote just yesterday: “Outbound filtering is more valuable than inbound filtering; it catches “phone-home” malware. It’s not that hard to implement, and I’m surprised Leopard doesn’t do it.”  And he’s right, until the “phone-home” malware decides to turn off the firewall. Not surprisingly, I also disagree with him on the value of inbound filtering.

[3] I’m not sure how you do that while still allowing the user to open up ports – functionality being undocumented has never stopped malware authors.
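The default-outbound-allow setting described above and the per-service rule set of footnote [1], as an added PowerShell example that is not code from this post or from Microsoft. It assumes the NetSecurity cmdlets of Windows 8 / Server 2012 and later (Vista was configured through netsh and the INetFw* COM interfaces), an elevated prompt for the Set-/New- calls, and placeholder program and service names; the last function queries the firewall’s own operational log so that a changed default or rule set, which the post notes malware would go after first, is at least recorded.

```powershell
# Added example (not from the original post). Requires the NetSecurity module
# (Windows 8 / Server 2012 or later) and an elevated prompt for the changes.
# $ProgramPath and $ServiceName are placeholders supplied by the caller.

# 1. The posture the post describes: inbound blocked, outbound allowed by default.
function Get-FirewallPosture {
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked, LogFileName
}

# 2. Flip the default outbound action to Block on every profile and log drops.
#    This is the setting the post says Vista leaves at Allow; once it is Block,
#    every program that needs the network needs an explicit allow rule (step 3),
#    which is exactly the "are you sure?" experience the post says users hate.
function Enable-OutboundFiltering {
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -DefaultOutboundAction Block -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
}

# 3. Per-program allow rule, scoped to the remote ports the program is expected
#    to use. Block rules take precedence over allow rules in Windows Firewall,
#    so an application is narrowed by writing a tighter allow rule, not by
#    stacking a broader block rule on top of an allow (that would block both).
function Add-OutboundAllowRule {
    param(
        [Parameter(Mandatory)] [string] $ProgramPath,          # full path to the .exe (placeholder)
        [int[]]                         $RemoteTcpPorts = @(80, 443)
    )
    $name = "Outbound allow: " + (Split-Path -Leaf $ProgramPath)
    # Remove a stale copy so the function is safe to re-run.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
        -Program $ProgramPath -Protocol TCP -RemotePort $RemoteTcpPorts -Profile Any
}

# 4. Footnote [1] in rule form: bind the allowance to the service (its per-service
#    identity) rather than to an .exe, so other code hosted in the same svchost.exe
#    image gets nothing from it. Combined with the Block default from step 2 and
#    a service account like NetworkService, this is the defense-in-depth the
#    footnote describes; it still does not help once the box is compromised.
function Add-ServiceOutboundRule {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,          # short name as shown by Get-Service (placeholder)
        [int[]]                         $RemoteTcpPorts = @(443)
    )
    $name = "Service outbound allow: $ServiceName"
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
        -Service $ServiceName -Protocol TCP -RemotePort $RemoteTcpPorts -Profile Any
}

# 5. Detection. A host cannot reliably defend itself once malware runs on it, but
#    profile-setting and rule changes land in the firewall's operational log and
#    can be forwarded elsewhere. 2003 = profile setting changed;
#    2004 / 2005 / 2006 = rule added / modified / deleted.
function Get-RecentFirewallChanges {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2003, 2004, 2005, 2006
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Read-only calls run without elevation; the Set-/New- functions above do not.
Get-FirewallPosture | Format-Table -AutoSize
Get-RecentFirewallChanges | Format-Table -AutoSize -Wrap
```

Step 2 is the change a user would feel immediately, since every unlisted program silently loses outbound access until a rule from step 3 is added for it.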

Comments (63)

  1. Peter Ritchie says:

    The Windows Firewall prompt, in this case, IS ambiguous though–to an average end-user.

    "Windows Firewall has blocked this program from accepting incoming network connections."  Clearly, to them, Firefox has been accepting incoming network connections.  They don’t know the distinction between incoming connections and incoming data.  Without knowing anything about sockets, "incoming network connections" is ambiguous and is read as "incoming network data".

    Windows Firewall is working as expected and Chris is being a little harsh; but he does make a point that even above-average users can misinterpret this dialog.

  2. Anonymous says:

    Did you see the post at blogs.msdn.com

  3. Anonymous says:

Great post.  I find that in general Chris is annoyed by everything.  At one point he gave up on Vista because it didn’t run his fax software which he used everyday.  What I had to wonder is why someone so allegedly high tech would be using something as ancient as faxes.

  4. Anonymous says:

    Am I the only one here who thinks that allowing malware to turn off the firewall is a very bad idea? Even a prompt saying "Malware.exe wants to disable your firewall. [Allow] [Deny]" would be better than the current behavior, IMO.

  5. Triangle, how do you tell the difference between malware and the user?

    If you can answer that question, then there are a number of game companies that would just LOVE to talk to you.

    Raymond gave a hint as to why this is so hard several years ago: http://blogs.msdn.com/oldnewthing/archive/2004/01/01/47042.aspx

  6. Peter Ritchie says:

    Do the firewall APIs that open ports not need some sort of privileged token to be called?  I.e. should something that is opening a port on the firewall only work when run with admin privileges?

  7. Peter: That’s a good question.  I’d assume that you need admin rights.

  8. Anonymous says:

    > Triangle, how do you tell the difference between malware and the user?

    You assume that everything is malware except for a few special programs, and make it so that only those programs are allowed to do "sensitive" things, such as turn off the firewall or overwrite system files. When the user wants to change something, they go through one of these programs. "But then I can just create an instance of one of those programs, and send window messages to it" – no you wouldn’t be allowed to send window messages to a program that has more privileges than you do. Only the user is allowed to interact with those programs.

  9. Triangle: So the malware injects its code into those special programs and does its thing.

    Even if you CAN block malware from opening up its own ports, how do you block IE or Firefox from accessing port 80?  Malware can attach itself to IE or Firefox (both of which have extension mechanisms that allow code to run with the privileges of the user) and can access port 80 just fine. If you can make outbound connections to port 80 on another computer, you can do anything.

    All you gain by adding an outbound firewall is make the life of the malware author slightly harder.

  10. Anonymous says:

    > Triangle: So the malware injects its code into those special programs and does its thing.

    Well, of course it isn’t allowed to do that. Jeez. When I said "send a window message", I meant "Send window messages, inject code into it, read/write into its address space, or in general do anything that would mess it up"

    > Even if you CAN block malware from opening up its own ports, how do you block IE or Firefox from accessing port 80?

    Well, malware would be allowed to open up ports. But allowing something to communicate with something else over the internet isn’t a security risk unless:

    A) it’s doing so over a raw socket, and can spoof or DOS people

    B) it sends the users private data over the wire

    Both of which could be considered ‘sensitive’ operations.

  11. Anonymous says:

    Good post, but I still like outbound firewall protection.  Not so much from malware, per se, but from all the tracking stuff the "legitimate, commercial" software does.

    I want to know if the app I purchased and installed is reporting home.  If the EULA doesn’t disclose what and why is sent home, or if I simply don’t want to share that information, I block the outbound connection.

    Sure, the app could have disabled the feature at install time, but I haven’t come across one yet that turns off the free version of Zone Alarm.  Lots of major apps report home, but not from my machine.

  12. Adrian: That’s fine.  And I agree with you that sometimes it’s interesting to see who’s phoning home.

    Triangle: I asked this before: How do you identify malware?  Don’t forget: As far as the operating system is concerned, "malware" is indistinguishable from "Firefox".

  13. Anonymous says:

    > Don’t forget: As far as the operating system is concerned, "malware" is indistinguishable from "Firefox".

    That is absolutely 100% fine. As long as firefox doesn’t try to open a raw socket, mess around with the firewall settings, overwrite system files, or any other sensitive operations, that is no problem.

  14. Triangle: It’s ok if it runs a botnet client, sends spam for the botnet herder, pops up advertisements and sends all your financial data to Eastern Europe?  Malware can do all of that without requiring any elevation at all.

    You have a strange definition of "ok".

  15. Anonymous says:

    > It’s ok if it runs a botnet client, sends spam for the botnet herder, pops up advertisements and sends all your financial data to Eastern Europe?

    First of all, it wouldn’t be able to read any of your financial information. Remember, that’s sensitive data. But the rest of the things you mentioned go beyond the scope of /operating system level/ security. Those would be best implemented by the popup blocker and the firewall.

  16. Triangle: If you can read the data, then firefox can read the data.  If firefox can read the data, the malware can read the data.

  17. Anonymous says:

    >If you can read the data, then firefox can read the data.  If firefox can read the data, the malware can read the data.

    So you’re only safe if you never run any programs at all on your computer? If that’s the case, then it doesn’t seem the security system is doing much.

  18. Triangle: That’s why I’m claiming that an outbound firewall doesn’t improve your security.  An inbound firewall helps you by protecting you from threats outside your computer, but once the malware’s inside your computer, the firewall ceases to have value.  At that point, you have to rely on tools like antivirus and antispyware applications.

    See David’s post (above) for more context on the value of an outbound firewall – he called out some cases I had missed where it does have value.

  19. Anonymous says:

    > That’s why I’m claiming that an outbound firewall doesn’t improve your security.  An inbound firewall helps you by protecting you from threats outside your computer, but once the malware’s inside your computer, the firewall ceases to have value.  At that point, you have to rely on tools like antivirus and antispyware applications.

    I understand this. A firewall isn’t designed to protect you from threats already on your computer. But what I was claiming was that certain programs shouldn’t be allowed to disable the firewall.

  20. Triangle:  We’re in 100% agreement then.  There’s an easier way of saying "certain programs shouldn’t be allowed to disable the firewall" and that’s "normal users shouldn’t be allowed to disable the firewall".

    And that’s exactly what Vista (and OSX and Linux) does by forcing all users to run as normal users and prompt for elevations.

  21. Anonymous says:

    >  There’s an easier way of saying "certain programs shouldn’t be allowed to disable the firewall" and that’s "normal users shouldn’t be allowed to disable the firewall".

    And that’s exactly what Vista (and OSX and Linux) does by forcing all users to run as normal users and prompt for elevations.

    It’s easier on the operating system developers, yes. But, for the user, it is harder and less productive. It also doesn’t protect the user from malicious applications that might want to, say, delete all their files. And it produces dialog fatigue, to the point where the user will elevate any program for any reason just because it’s what they’re used to.

  22. Anonymous says:

    "So you’re only safe if you never run any programs at all on your computer?"

    Pretty much.  For best security, smash computer.

    Other than that, you can do a lot of the things most OSes do these days — restricting access to certain roles or actions to specific users or classes of users.  Whatever the user can do, malware can do.  There’s a lot of magical thinking when it comes to computers; security is definitely one area.  ("But what I was claiming was that certain programs shouldn’t be allowed to disable the firewall," seems to fall into this category.  The rule here has to be that only admins can disable the firewall, otherwise it becomes completely unenforceable.)

  23. Anonymous says:

    I’m not sure what the problem here is.  Isn’t there some kind of Win32 API call like IsEvilProgramThatDoesBadThings(LPCTSTR lpProgramPath)?  That way you can only let programs who aren’t evil turn off the firewall.

    No?  You ought to get to work on that Larry.  Ask Raymond to help.

    😉

  24. Anonymous says:

    Triangle: But do you have a better plan?

    Since you can’t trust the return address of the caller, it’s not possible to distinguish legitimate system tools from malware, whether it’s signed or not. And if you don’t allow people to disable the firewall/add an allow list to open ports, people are going to hate it.

    Seems user privilege level is the only thing we can trust here… But I think perhaps it’d be better to allow programs to specify what specific privilege it requires in the manifest file, and have the information displayed in UAC prompt, so the user can know if they’re going to enable the program to do something unusual if the user know enough…

  25. Anonymous says:

    Great post Larry. I was however grateful for outbound firewall protection on a friend’s computer. It helped to track down the malware on their computer.

  26. Anonymous says:

    > Since you can’t trust the return address of the caller, it’s not possible to distinguish legitimate system tools from malware, whether it’s signed or not. And if you don’t allow people to disable the firewall/add an allow list to open ports, people are going to hate it.

    When you move the mouse, or press keys on the keyboard, it generates an interrupt that traps the CPU into kernel mode. That is how you can tell the difference. USB mice & keyboards are slightly different, but the principle is the same: The kernel receives mouse and keyboard notifications directly. No return address snooping or anything of that sort is remotely required.

    As for generating fake window messages/etc: Sending a message to a program in a different address space requires going through the kernel also. Sending a message to yourself doesn’t; but that isn’t a security issue either. Furthermore, there are special registers in the CPU that only the kernel can write to, such as page registers and certain permission registers. Those can be used to store pointers to permission data about the process that was running before the CPU entered kernel mode.

  27. Triangle: What’s to prevent the malware from faking out whatever indication that you specify?  How do you KNOW that a message isn’t fake.  Remember that the malware has full control over your process, so it can fake out any system calls you make.

    The gaming companies have been fighting this particular battle for years (trying to stop cheaters) and they’ve not been able to solve it.

  28. Anonymous says:

    There is a big difference between someone "cheating" a game and a process trying to mess with other processes or with the user. The person cheating essentially has full control over the machine. They can patch your binary, your checksum code, your 2048-bit encryption scheme, etc. Malware (hopefully) doesn’t have *full* control over the machine.

    > What’s to prevent the malware from faking out whatever indication that you specify?  How do you KNOW that a message isn’t fake.  Remember that the malware has full control over your process, so it can fake out any system calls you make.

    Indications that a process is privileged? You store the permissions as part of the kernel’s process table metadata. If random processes have the ability to read/write into private kernel memory, you sir have a much bigger problem on your hands.

  29. Triangle: You’re missing my point.  The malware can do anything the user can do.  It can attach a debugger to a process running in the context of the user, it can modify the running code in that process.  And if it can modify the running code in the process, it can defeat any check you apply.

    Remember: The job at hand is trying to block malware that is running in the context of the user from trying to access the network.   I’m asserting that as long as you allow ANY code running in the context of the user to access the net, the malware can also access the net.  

    Your only other alternative is to run the code that’s accessing the net in a sandbox that the user can’t access.  Because you don’t want the user to be able to access it, you need to run it at a higher privilege level than the user (in general, you can modify things running at a lower privilege level than you).  And that is exactly the opposite of what you want to have happen – you want to run the web browsing experience at as low a privilege level as possible.

  30. Anonymous says:

    > Remember: The job at hand is trying to block malware that is running in the context of the user from trying to access the network.   I’m asserting that as long as you allow ANY code running in the context of the user to access the net, the malware can also access the net.

    There is no danger in having any program access the network (Minus source spoofing or potential DOSing, however the TCP/IP protocol covers both). The danger is the data the program is allowed to send.

    > Your only other alternative is to run the code that’s accessing the net in a sandbox that the user can’t access.  Because you don’t want the user to be able to access it, you need to run it at a higher privilege level than the user (in general, you can modify things running at a lower privilege level than you).

    I never said anything about a sandbox. Unless you consider running code at a low privilege level sandboxing it. And, even if you did consider that sandboxing, in what backwards system is the user not allowed to access something sandboxed? It’s the opposite: The code in the sandbox is restricted from interacting directly with the local machine, not the other way around.

  31. Peter Ritchie says:

    I think this conversation is going around in circles… Triangle, keep in mind, if you run anything with a login with admin privileges, that application is basically not restricted.  That’s the context that Larry is describing.  In that context there’s no way to tell what is and isn’t malware (actually, in any context you can’t differentiate, but in the admin privilege context there’s no way to automatically restrict certain applications).  If you don’t let the malware run in that context, it won’t have access to that privileged functionality, like writing to system files, and opening firewall ports (assumption for firewall points, I haven’t seen anything that confirms our assumption that opening a firewall port requires the currently logged-in user (or the selected run-as user) have a specific security token–but it should be easy to confirm).

    Since network communications isn’t typically a privileged function firewalls are needed to allow certain applications access to certain ports, regardless of what the currently logged-in user’s privilege level is.  That’s historically been the problem with user-attributed privilege: without things like firewalls and CAS, you can’t restrict what applications can do and still run applications that are unrestricted without specifying which login to use to run each application (which is VERY tedious and requires system admin intervention on enterprise networks).

  32. orcmid says:

    I was going to jump up and down about your IMHO concerning outbound firewalls until I read the footnotes.  [1] works for me.  I understand that smarter malware will, if it can get buried that deep, disable the firewall software.

    I haven’t been able to invent a case where malware could be running under LUA (hmm, maybe because of trojaning of some legitimate package?) and be installed, but I wouldn’t want to rule out such a scenario.  I haven’t thought about it enough and I’d rather be safe than sorry.

    I also like to know how many packages are distributed these days with phone-home arrangements (to "helpfully" check for updates they can’t auto-install in my LUA account anyhow).  I actually do block a lot of those, although it is a pain on XP where I can’t easily issue one-time exceptions to the firewall rule (not with OneCare at any rate).

  33. Anonymous says:

    Chris’s comment also implies that Vista’s firewall just randomly decided, after months of use, to suddenly prompt for permission with Firefox. It’s worth noting that Mozilla updated Firefox this week, on November 1, to version 2.0.0.9. That’s the same date that this screenshot was uploaded to Flickr and the same date as Chris’s blog post. In fact, the automatic update appeared here on my system about five minutes before I saw this article. Isn’t it possible that that the firewall took action because this was a new executable? Although Chris may have been using a program called Firefox for the past six months, he wasn’t using this version…

  34. Peter Ritchie says:

    Malware running as an add-in to an application running under LUA should run, no?  The user has to explicitly "install" it though; but you could say that about most malware nowadays.

    Doesn’t LUA check version information, so if an application is updated, it will prompt again?

  35. Peter Ritchie says:

    AddPortMapping requires that the application’s credentials under which it is running be a member of the Administrators group.

    You can’t seem to get to INetFwOpenPorts.Add without either being in the Administrators group or some specific privilege (that Administrators have); but I haven’t tracked down the specifics…

  36. Dennis: I don’t think that there’s a vector for installing malware from low rights IE (LoRIE), but there absolutely is a vector for malware when running under LUA.

    You can deploy applications without requiring elevation on XP and Vista – all you need to do is to write to HKCU and you’re good.

    It’s harder for malware to hide itself in that case, but that hasn’t stopped stuff in the past.

  37. Anonymous says:

    I agree with both points of view.  I prefer having outbound filtering enabled (so at least I’m told when something is trying to phone home), but any such implementation in the default Windows firewall is going to have ISVs screaming for a "let my app through" API they can call during installation — and as soon as that exists, any benefit it provides from a security standpoint is purely an illusion (since it depends on how lazy the malware authors are).

    (And even if there wasn’t an API, if it stored the data in the registry or in a file in a non-cryptographically-secure manner then it’d have the same problem, just with a slightly taller hurdle.)

    In the end, though, I think it would be a decent solution to:

    1. have an API to create firewall exceptions that requires elevated permissions to run.

    2. store the firewall exceptions in a cryptographically secure manner (with the key in a non-user-readable file) to ensure that only the official API can create an exception.

    3. have a "paranoid" option (off by default) that prompts the user with exact details whenever a program calls the API.

    4. turn outbound filtering on by default.

    Again, none of this will (or can) protect against elevated apps.  (Or against FAT32 drives, since file permissions don’t work there.)  But it should help discourage bad behaviour in user-level apps.

  38. Anonymous says:

    It may be worth mentioning that it is possible in principle to design an operating system that meets Triangle’s specifications; the important point is that it is probably impossible (or at least implausibly difficult) to retrofit such a design on Windows (or MacOS or Unix).

    Current operating systems allow (essentially) every process in a given user’s space to represent the user, that is, to do anything the user is allowed to do.  I don’t believe this is necessary; however, it’s so fundamental to the OS design that changing it comprehensively would presumably require rewriting pretty much every application in existence, i.e., you’re talking about a new OS.  (In fact it may be worse than that, because moving an existing application to such an OS would probably require a much more significant rewrite than is usual when porting to a different OS.)

    Personally I’d still like to see serious research done on the subject, because to my mind this change is essential if we ever want to build computer systems that are adequate to the tasks we ask of them.

  39. Miral, interestingly enough, I believe that 1 and 2 are implemented in Windows today, 3 and 4 aren’t.  But what "exact details" would you want to let the user know about?  

    The only thing you know for certain is the PID of the process that requested the exception.  From that, you can guess the name of the executable that contained the code running in that process, but you can’t even guarantee that – unelevated malware can spoof anything other than just the process ID and the thread ID

  40. Anonymous says:

    Well, you should also know what it was trying to do (open a connection to 123.123.123.123 port 123, bind to port 321, etc, etc) that’d be useful to know…

  41. Anonymous says:

    Harry: I believe that it what Microsoft Research’s "Singularity" project is trying to do (or one of them anyway)…

  42. Anonymous says:

    Outbound host-based firewalls are NOT security theater.  That assertion needs to die.  Just because a few security experts don’t find any value in them, other customers absolutely do, and have posted here.  Outbound firewalls aren’t 100% effective against every kind of threat, they can be evaded, but that’s true about every single security countermeasure on the planet.  That erroneous belief (which seems pretty specific to Windows and to Microsoft) isn’t a valid reason for Microsoft to fail to program this popular customer request in XP and make it too complex to configure in Vista.  Microsoft has done too much thinking outside the box here to arrive at a firewall that doesn’t do what every other firewall on the planet can do.

    Once and for all:  outbound host-based firewalls are considered valuable by many customers because they 1) detect and/or prevent at least some kinds of threats, 2) raise the bar that malware must do to successfully compromise, 3) even if malware can disable a software firewall, you can then detect that change, which is very valuable, and 4) a simple password or crypto key on the firewall can go a long way towards preventing much malware from disabling or changing the firewall configuration, which is one of several ways firewalls are evaded.

    This belief on outbound firewalls is tied to another erroneous belief, that once a system is compromised, the game is completely over.  As a Microsoft customer, I have more work to do after a system is compromised, not less, and I need the OS to help alert me to compromises and do its best to minimize the risk of at least some threats.  Microsoft cannot and should not give up on compromised systems as it has in the past, as that leaves the customer hanging and relying on third-party software for help.

    With an outbound host-based firewall on, only some malware can get out on your system.  Is that not an obviously good thing?  Conversely, if you don’t use your outbound host-based firewall, then poorly coded, simplistic malware is now just as successful at getting out of your system as well coded threats from highly motivated attackers.

    This whole argument is a testament to Windows’ very poor ability to block local privilege escalation attacks.  You don’t see *nix experts arguing against the value of outbound filtering in IPTables etc., nor do you see them complaining about how annoying it is to run as a non-root user.  This is because *nix is much more successful at being able to prevent privilege escalation attacks while also allowing users to perform their jobs.  Unlike Windows, *nix has for years enforced ACLs on TCP/IP ports by default to prevent unprivileged users from binding, accessing and/or using them, for example, and set up virtualized chroot jails to control access to disk systems by malware that has compromised the system.  On Windows, by comparison, pretty much any compromise of any normal non-admin user gives an attacker every kind of access she could want: access to available files, free disk space, Internet bandwidth, and ability to access other network data and systems.

    Believe what you want, but don’t allow Windows to be coded without vital, universally standard firewall features based on such a controversial non-standard belief.  That only leads Microsoft customers to buy and implement third party OSes and security software that is able to give the customers what they want.

  43. Anonymous says:

    Pirillo seems to have influential readers at MS. Wish he’d move on to whine about Media Player and Explorer so those would get fixed Before SP2. For now, after year of Vista I finally gave up and am back with XP. What a relief.

  44. Karl, I disagree.  That’s ok.  I do feel obliged to point out that there are known examples of malware that disable the firewall (http://www.sophos.com/pressoffice/news/articles/2004/10/va_bagleaufw.html for an example – that was literally the first hit in my search for "worm disables firewall").

    If Windows had an outbound firewall that was enabled by default, the first thing that phone-home malware would do upon installation would be to disable the firewall.  Attempting to defend an infected machine against itself is just theater.

  45. Karl: Also, you seem to believe that chroot is an effective security barrier.  It’s not, and nobody who’s worked on *nix security believes it is (ref: http://it.slashdot.org/it/07/09/27/2256235.shtml and http://kerneltrap.org/Linux/Abusing_chroot).

  46. Anonymous says:

    Of course some malware can disable the Windows Firewall or other firewalls.  But 1) some cannot, and 2) at least you can detect when the firewall has been disabled.  Why is detecting compromises not useful?  Why is blocking some malware not useful?  And if so, then why do most of us use antivirus?  Antivirus can also be disabled by malware, and it isn’t 100% effective, but few sane people then argue that we shouldn’t bother using antivirus.

    Windows Firewall could more effectively prevent malware from disabling the firewall if it was implemented differently.  Weaknesses in the Windows Firewall implementation don’t automatically apply to outbound filtering in general.  Simply have a user put a user password onto the configuration, a password that is not known by the System account, and that raises the bar even more.  True, there are other ways to bypass host-based firewalls, but that’s no reason to give up and leave other holes open that we can mitigate.

    RE: chroot… the idea that chroot is not a useful security tool is popular, but that alone does not make it right.  The exact same flawed arguments are made against chroot: e.g. it isn’t 100% effective, so throw it away.  This isn’t how security works.  Security is about managing risk, reducing risk, not making it disappear.  Chroot may not be effective at inhibiting attackers or daemons that run as root, but that doesn’t make it useless for everyone.  You really have to be wary of any security statement that aims at being universally true for everyone.  Nothing in security is universally true for everyone.

    The discussion on chroot at wikipedia sums it up:

    http://en.wikipedia.org/wiki/Talk:Chroot

    It seems to me that chroot is another useful tool that too many are disregarding based on flawed assertions and cherry picking poor implementations and irrelevant examples that the countermeasure was never designed to prevent.

    But I agree with most everything else in the article, save the sentence about outbound firewalls being security theater.

    kind regards,

    Karl

  47. Anonymous says:

    Karl, I don’t think it’s unique to Microsoft at all. You must not have noticed the recent brouhaha over OS X Leopard shipping with a firewall that is *disabled* (incoming and outgoing) by default:

    http://www.heise-security.co.uk/articles/98120

    My experience with outbound firewalls is that they cause far more problems than they avoid. This is in part because they don’t solve many problems but more to do with how badly written and designed most software firewalls are. (e.g. Blocking a program or device driver without even informing the user that it was blocked, meaning that they either get confused about why things work and blame innocent software, or that they unknowingly have malicious software on their machines that is trying to access unwanted network resources, in which case the firewall is preventing that from happening but who knows what else that malicious software is doing…)

  48. Anonymous says:

    Malware can punch holes in the incoming firewall too, so why bother having an incoming firewall?  (P.S., a few years ago when I cleaned one friend’s PC, the way I noticed he had spam servers was because I could see the ports open in his firewall.)

    If a bad person can gain physical access then there’s no security.  So why bother putting security on a PC at all, since it’s all security theatre and there’s no security.  After all, a burglar can always get physical access.

    Various countries have various standards on how people inside a building can escape from the building in case of fire.  Some countries have security:  the people burn to death unless the factory owner or guard comes with a key.  Others have lower amounts of security but more safety, i.e. people can hit a crash bar on a door to open it, or people can hit a crash bar which will automatically ring an alarm while opening the door, or people can break a glass box which contains a key to open the door.  In the latter two cases, what’s the point in having an alarm or having detectability since anyone who wants out can get out?  Well, a lot of people think there’s a purpose to them.

  49. Norman: Because the incoming firewall’s not trying to stop malware that’s currently on the computer.  It’s trying to stop malware that’s NOT on the computer.

    Once the malware gets on the computer, it’s game over.

    But until the malware can get on the machine, the firewall is extremely valuable.

  50. Anonymous says:

    Still, it’s not an all-or-nothing proposition.  Sure, some malware will poke a hole in the firewall to operate; once it becomes standard then probably most will.  But "most" is not "all" and therefore it is still providing some tangible benefit.  In addition, it will also protect against the legions of apps that aren’t actually *trying* to be malware but are nevertheless phoning home when users might not want them to.

    Having said that, in the hands of the unwashed masses this would probably end up being UAC all over again ("why is this fricking computer asking me if I want to let RandomFTPProgram access the Internet?"), so I think the main conclusion is that you can’t really win either way.

    And incidentally, the "full details" I meant earlier are things like the target hostname/IP and port number, and as much info about the calling code as can be obtained.  You should at least be able to find out the main process executable and the immediate calling DLL, if any (though I know it’s not possible to build a full chain between the two).  If you can’t even do that reliably then Windows’ entire operational model must be fundamentally broken.

  51. Anonymous says:

    Sorry, my previous posting neglected to say that it was intended 100% as a proof-by-contradiction sort of thing.  There have been lots of assertions that various security measures are worth zero and should not be provided or used, due to the fact that they aren’t fully effective silver bullets.  I tried to show that even though we only have lots of bronze bullets, bronze bullets are useful.

    > Once the malware gets on the computer, it’s game over.

    It’s some games over.  If the user gets a chance to detect the malware, then the malware’s game is over.  If a user discovers a keylogger before typing their banking password, they might guess that they shouldn’t type their banking password.

  52. Anonymous says:

    You all (especially Karl Levinson) should re-read note [1].

  53. Anonymous says:

    Exactly.  We should get rid of the phrase "game over."  What does game over mean?  That we should keep the keylogger or malware on the system without even detecting it?  No thanks.  Microsoft needs to give us a way of detecting compromises.  The outbound firewall, and protecting and monitoring changes to its configuration, would be one way of doing it, if Microsoft would stop arguing against what most of the customers want.  If Microsoft thinks its job is over once the system is compromised, that’s a significant problem.

  54. Anonymous says:

    The major problem with Windows firewall is that it is no option to deny specific IP addresses – only to block all and allow specific addresses through.

    I have a public site that gets hit frequently by a couple of spammers: I know their IP addresses and they are too stupid to change them frequently enough to keep me off-scent, but I can’t firewall them out because I need the rest of the world to have (http) access.

    Grrr.

  55. Baffled: It appears that the firewall has that capability.  I don’t know if the UI exposes that functionality, but you should be able to achieve that with code (or possibly with the netsh command).

    Karl: "Game over" to me means: It’s time to reformat the hard disk and find your last known good backup.  You have no idea of knowing what’s been compromised, so the only SAFE option is to reset the machine.

  56. Anonymous says:

    The last time I made custom settings on Windows XP’s firewall, I could specify a subnet (IP address and mask) to allow listening while denying the rest of the world.  I didn’t see a way to set a subnet for denial while allowing the rest of the world, the way Baffled needs (though it might be there, just not immediately visible).

    Some third-party firewalls do exactly what Baffled needs.  So do hardware firewalls, which I really recommend to Baffled.

    > "Game over" to me means: It’s time to reformat the hard disk

    OK, excellent.  But meanwhile, please don’t make extra contributions to help malware continue pumping out spams until being detected, please don’t make extra contributions to help malware continue hiding from detection, etc.  Security measures are useful.  OK, footnote [1] said that, but the phrase "game over" is ambiguous and had appeared to mean security measures were considered no longer useful.
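For what it’s worth, the capability Baffled asks for is reachable from the command line on Vista and later via netsh advfirewall. This is an added example, not something posted in the thread; the two addresses are constructed placeholders from the 192.0.2.0/24 documentation range and the rule name is arbitrary.

```powershell
# Added example (not from the thread): block two known-bad source addresses on
# a public web server while inbound HTTP stays open for everyone else.
# Addresses are constructed placeholders from the 192.0.2.0/24 documentation range.
# Run from an elevated prompt; netsh advfirewall exists on Vista and later.

# A block rule in Windows Firewall with Advanced Security takes precedence over
# an allow rule matching the same traffic, so this sits alongside the existing
# "allow TCP 80" rule instead of replacing it.
netsh advfirewall firewall add rule name="Block spammer sources (HTTP)" dir=in action=block protocol=TCP localport=80 remoteip=192.0.2.10,192.0.2.11

# Verify the rule was created and review its parameters.
netsh advfirewall firewall show rule name="Block spammer sources (HTTP)"

# Log dropped connections so there is an audit trail (pfirewall.log) showing
# the rule is actually catching the unwanted traffic.
netsh advfirewall set allprofiles logging droppedconnections enable

# If the spammer moves to a new address, update the existing rule's address
# list rather than stacking up duplicate rules.
netsh advfirewall firewall set rule name="Block spammer sources (HTTP)" new remoteip=192.0.2.10,192.0.2.11,192.0.2.12

# Remove the rule once it is no longer needed.
netsh advfirewall firewall delete rule name="Block spammer sources (HTTP)"
```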

  57. Anonymous says:

    I’ll add one more thing.  Reformatting the hard drive is popular advice, but in the real world, things are a lot less black and white.  Few if any people and enterprises can afford to format their hard drives every single time there is confirmation or suspicion of any and all malware (including neutered ones like js.bytverify whose presence no longer indicates an actual infection).  We know there are different kinds of malware, only some of which would benefit from formatting.  In real world practice, you don’t always know for sure whether there is an actual malware, you just have a suspicion.  Lines have to be drawn as to when a format is desirable, and decisions sometimes must be made based on knowing only half the facts, guesswork, hunches and available budget.  In a lot of cases, it can be entirely sensible to decide not to format a hard drive.

    And if the compromise happened because of an unpatched weakness in your security policy or procedures, re-applying the base image isn’t going to prevent the system from being re-compromised.

    What I’m getting at is that if outbound firewalls aren’t 100% effective before a compromise, there’s still the period of initial detection, information gathering and decision making between the point of compromise and the point of formatting or other remediation where outbound firewalls are still useful.  Because Microsoft thought outside the box and didn’t give outbound firewalls or even outbound IP connection logging to Windows XP, customers had to continue using non-Microsoft security software, which if nothing else was at least a missed financial opportunity.

  58. Peter Ritchie says:

    I’ve never met an admin that wouldn’t remove the computer from the network when their anti-virus/malware of choice told them there was an infection that couldn’t be removed and not add it back in until it was clean.  If it could be removed by their AVS, that means reformatting.

  59. Anonymous says:

    "Few if any people and enteprises can afford to format their hard drives every single time there is confirmation or suspicion of any and all malware"

    Uh, right.  They can afford to continue pumping out spams, hosting phishing sites, and delivering their own customer databases to their new owners.  This reminds me of immigration departments that can’t afford to keep out terrorists so they harass innocent people instead.

    Fortunately in some countries some laws are temporarily coming around to partly agree with a sense of responsibility.  Enterprises can’t afford to neglect to format their hard drives every single time there’s confirmation of malware.  (Suspicion is harder to say.  I wonder if police still need search warrants to seize suspicious hard drives.)

    Individual people?  Maybe that also depends on where you are.  In some countries, when a pirated copy of Windows XP stops working, a non-techy user pays a tech the equivalent of around 500 yen to reinstall a pirated copy of Windows XP.

  60. Anonymous says:

    Peter: Formatting a system when a virus is detected but cannot be removed isn’t the only scenario I’m talking about.

    I also believe always formatting when a virus is detected but cannot be deleted is also not necessarily sound advice.  Some (many?) popular antivirus products tell you that they’ve detected way old viruses like js.bytverify and can’t clean or delete them.  This isn’t a real threat, and doesn’t need to result in a costly formatting.

    Norman: "Pumping out spams" is easily blocked by a smart enterprise, by only allowing mail servers and not workstations to send outbound email.  But isn’t this an argument for the usefulness of the Windows Firewall outbound filtering?  "Hosting phishing sites" shouldn’t be relevant here, as we’re talking about workstations that shouldn’t be reachable from the Internet over inbound HTTP.  "Exfiltrating customer databases to attackers," I’m not sure what you have in mind, but again it would seem to be an argument for the outbound firewall.

    Everyone agrees that a known compromised workstation should be removed and remediated, that’s not what I’m talking about.  I’m saying that in the real world, there are a lot of grey areas where malware either isn’t detected and keeps on running, or where malware is wrongly suspected on a clean system.  In the real world, budget is more important than security, because security is only there to ensure the success of the business mission, and if you run out of money on reimaging every workstation every day, the mission fails.  I’m saying there are a lot of grey areas where malware isn’t confirmed and a decision has to be made either way.

    "Just format the system, it’s the only way" is overly simplistic advice.  This advice should NEVER be given without vital caveats about being sure that new virus samples have been captured and sent to the antivirus vendor, consider investigating to see what the attackers did or took or if they’ve infiltrated other systems, seeing whether there’s a flaw in your image that needs to be fixed, etc.  Once an attacker compromises one system with malware, a frequent next step is to crack other passwords so that other systems can be compromised without using any attacks or detectable malware, just passwords alone.  Before you format the first system, you’d want to consider keeping the logs to identify other systems.

  61. Anonymous says:

    Yes I made arguments in support of outbound firewalls, and repaving machines when malware has been detected.  Due to ambiguity in the meaning of "game over", I thought some people were asserting that after malware gets in we should give up, we should abandon efforts to detect it, and we shouldn’t try to slow it down until we detect it.  I was arguing against that meaning of "game over".

    Some of my arguments had attempted to be along the lines of "proof by contradiction", starting with a hypothesis that it’s OK to give up, and then showing why it doesn’t make sense to give up.

    Some forms of pumping out spams can be blocked by enterprises.  Port 25 blocking by an enterprise’s outbound firewall was helpful, and still should continue because if enterprises stop bothering with it then spammers will start using it again.  Malware can still make a machine join a botnet and send a copy of an enterprise’s customer database via outbound port 80 to spammer-controlled sites.

    > grey areas where malware either isn’t detected

    Well sure, who’s arguing to reformat hard drives when no malware has been detected?

    > vital caveats about being sure that new virus samples have been captured and sent to the antivirus vendor

    Right, I would recommend swapping the hard drive instead of reformatting the existing one.  Let the old one be analysed at leisure.

  62. Anonymous says:

    I’m not going to argue the toss over "game over", but there are some valid points that I think are being missed all around.

    First up is the time interval between malware getting on and you detecting it.  Some malware can be extraordinarily effective at hiding itself.  Whatever course of action you decide, it should be your goal to reduce that time interval as much as possible.  An outbound firewall can help here, by flagging a "hello! unexpected network access happening here" alert.

    Yes, some malware will disable (or attempt to disable) an outbound firewall.  But some won’t.  Exact same scenario as AV.  In a situation where you’re compromised, surely it’s the responsibility of the product vendor to give you the best chance possible for early detection?  Getting that alert, or noticing that your outbound firewall is disabled, both seem like good early warning signs to me.

    And early detection will give you the opportunity to take whatever course of action you deem appropriate before the damage is done.

    Now, one thing that got me riled is the "protecting your computer against itself" comment.  This is overly simplistic.  In a scenario where you’re compromised but don’t know it, your computer may be potentially attempting to compromise other people’s computers.  That is not nice.

    Whatever side of "game over" you subscribe to, it’s difficult to justify not having an outbound firewall in these circumstances.  Even if it does become disabled, if it can give you a better chance of containing the compromise to your own machine, then it has already paid it’s due.