The Inquirer-Home

The problems with Vista laid bare

Part Two What might have been
Thu Mar 22 2007, 10:07
SO, WHAT AM I complaining about? What should MS have copied that's more important than the 3D shininess?

When someone upgrades a computer or its operating system, what they're really doing it for is not The Shiny, it's in the hope that it will work better. Sure, glitz is cool, there's no harm in looking good - even the Linux geeks know that. What you want, though, is for your computer to be more reliable, faster or to do stuff it couldn't do before.

Apple's been delivering that for as long as OS X's been around. Each release not only sports new features, but so far at least, it's been faster than before as well. Well, Vista doesn't deliver that. It would have been pretty nifty, and certainly faster operating systems are possible - BeOS ran rings around Windows on the PC and around MacOS on the Mac, for example, not to mention around Linux on both. However, BeOS accomplished this by jettisoning all of the legacy baggage of Windows, MacOS and Unix - it was a clean-slate, ground-up OS, probably the only one to get as far as the retail market in some decades. Windows Vista is based on NT, which, although a new product in the early 1990s, also carries a huge legacy of backwards-compatibility with DOS and 16-bit Windows. The 64-bit versions of Windows finally lose this, but they've got a mountain of their own in 32-bit compatibility.

So, if you want your new version of Windows to still run the apps from prior versions, you're not going to get something substantially smaller and faster as well. You can have that, but only at the price of starting with a clean slate - meaning no old apps and no old drivers. And as the failure of Be showed, people aren't prepared to do that. Shame, really.

So what else could we have hoped to see in Vista? Smaller, nope. Faster, nope. New features, yup, got that. But what's the biggie, what's the one thing that all those smug Mac users and incomprehensible Unix weirdos go on about?

Security. There's no way around it. Windows is a security nightmare. The reason we all get thousands of spams, the reason that we have to run virus and anti-spyware checkers that slow our high-power electricity-guzzling scalding-hot PCs down to the speed of the ones they replaced, the reason that the whole Internet is bogged down with sending all those spams, the reason that criminals hold websites to ransom for millions of dollars a year: it is all Windows' fault.

It's because of the hundreds of millions of compromised PCs that form zombie armies, sending spams, participating in distributed-denial-of-service attacks and so on, all without their owners' knowledge. They still work, they're just a bit slower. Who notices? Next year, you just buy a faster one. (With Vista on it.)

Some argue that whatever the dominant platform is, it would have these problems. Any OS used by 95% of the world would be a magnet for the bad men, for the hackers and crackers and blackmailers and extortionists. Well, that may be; it's an unanswerable question, doomed to be eternally hypothetical unless something takes over from Redmond's hegemony and becomes the new near-monopoly. And that doesn't seem to be too likely just yet.

But if you know something about different OSs and the way they work, it's indisputable that Windows is less secure than most of its rivals. Sure, it's possible to lock it down; a properly-set-up Windows workstation on a well-built corporate LAN can be pretty safe. But outside of those corporate LANs, and even on the very many of them that are not well and properly designed and configured, Windows is a honeypot for malware.

There are several reasons for this.

For one, by default, the local user account or accounts on a Windows PC - be it NT, Windows 2000 or XP, doesn't matter - are administrators. They have full power and control over the PC: they can see anything, change anything, delete anything, install anything.

What's more, they have to be. Lots of Windows software assumes that you have admin privileges, and either won't work properly or in some cases won't work at all if you don't.

Another of the big holes in Windows is Internet Explorer. IE itself is not a bad browser, but the way it's been implemented and used is problematic. For one thing, it's not only the web browser: its rendering code is also used to draw a lot of the user interface. For another, Microsoft's model for dynamic content, ActiveX, is a security nightmare. The way ActiveX works is to download a normal Windows executable - in geekspeak, a "native binary" - from the remote server, and then run it on the local machine inside the browser, with whatever privileges the browser has. Given that default admin account, that means full privileges. In other words, the stuff that you download from the Internet effectively becomes part of your installation of Windows, even if only temporarily. This sort of thing makes vandals' and security crackers' faces light up with delight and fills security consultants with the screaming heebie-jeebies.

So what could be done about this? How could Microsoft have fixed this in Vista if it wanted?

Firstly, the business of local accounts with full admin access. This is criminally stupid. No other serious multi-user OS works this way. There is a Right Way to do this, which everyone else does. (Well, all right, apart from a few heretics like Linspire and Puppy Linux, where you normally log in as root - but all the Linux pros regard those with creeping horror.)

No, what you do is this: you take the keys to the admin account and you lock them away. It can have a password if you like, but it needn't - OS X and Ubuntu Linux, for example, leave the root account locked with no usable password at all, so that you can't log into it even though you know it's there. You don't show it to users, which XP gets right - but the trick that XP misses is that you must compel all ordinary users to have restricted, non-admin accounts. You make it impossible - or at least really hard - for normal accounts to have super-user powers. Ordinary users can see their own files, but not each other's or the protected ones of the OS itself, and they can't touch anything that might cause problems.

But obviously, sometimes, if you're running your own system, you have to do admin-type tasks. You have to be able to install apps and drivers, perform updates and so on. So, when the user tries to do something like this, you ask them for a password. Not the admin password - you don't let them have that, it's too dangerous - no, you just ask them for their own password again. Then that program, and that program alone, temporarily gets its privileges escalated to admin rights. The critical point being that the user never, ever logs in as the admin under any circumstances, because then, everything runs with admin privileges and that's just too dangerous.

So far, so good. This sounds a bit like Vista's User Account Control (UAC), as parodied by the big suited CIA type in Apple's latest "Get A Mac" ad - doesn't it? It's not the same thing, though. Vista tackles it from the other end. The default account is still an administrator; UAC runs that user's programs with a filtered, standard-user token and, when one of them wants to do something administrative like changing hardware settings, warns you that you're doing so - but for an administrator all you have to do is say yes, you want to continue. Alongside that, known-risky programs are singled out for extra restriction - Internet Explorer's Protected Mode runs it at a reduced integrity level, for example - rather than every program starting at the bottom and only the one you authorise being raised.

There are two mistakes here.

One is the idea of singling out dangerous, risky programs to run with reduced privileges, because this is the "blacklist" model of security: it's all right unless it's something that we know is not OK. The problem is that a blacklist has to be kept up to date. Something that used to be safe may no longer be, and anything new - which describes most malware - isn't in the list at all, so it runs with full rights.

It's better to do it the other way round - the "whitelist" model: to assume that everything's dangerous and only allow the stuff that you know is safe to happen. Or if you don't know, not to have a whitelist at all - mistrust everything and always ask for permission.

Secondly, when the computer asks for permission, it doesn't do so with a simple "yes/no" prompt, because after a while, people get used to these prompts and stop reading them - they just click "OK" or whatever seems the easiest way to make the irritating message go away. Instead, you ask them to re-enter their password, on a screen that other programs can't fake (the one thing Vista's dimmed "secure desktop" does get right), and, it almost goes without saying, you compel them to have a password - not just a blank, and ideally a good one, with a mixture of letters and numbers, even different cases. There are easy ways to remember these, such as using the initials of your address - like 53VMMS for 53 Veals Mead, Mitcham, Surrey, which no dictionary-based attack will ever find. (Mind you, at six characters a brute-force attack will get through it quickly, so pad it out: the whole street name rather than its initial, say.)

This isn't rocket science. It's what several successful desktop OSs already do. What's more, most of the necessary functionality is already built into XP and has been since Windows 2000: the "Run As" command. This lets an ordinary, unprivileged user run a single program as a different user, so long as they know the username and password of the other account. It does much the same thing as the Unix "sudo" command, which is the basis of Ubuntu's security model, for example - except that sudo asks for the user's own password, not the target account's. The only change that would have been needed would be to make Run As work the same way - pretty simple stuff.
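As an added illustration - not code from the article, from Windows or from sudo - here is a small Python model of the scheme just described, covering both the whitelist-versus-blacklist point made above and the "elevate one command with your own password" point. `ElevationBroker`, the command names, the user names and the tiny word list are all invented for the example; a real system keeps this state in the OS, not in a Python object, and the password policy is deliberately stricter than the six-character address trick.

```python
"""Model of sudo-style elevation: every session is restricted, one command at a
time is raised to admin after the caller re-enters their OWN password, and the
admin account itself has no usable password. Illustrative code only; the names
here (ElevationBroker, ADMIN_COMMANDS, MAY_ELEVATE, ...) are invented."""
import hashlib
import hmac
import os

# Allowlist (default deny): only these commands ever need, or get, admin rights.
ADMIN_COMMANDS = {"install_driver", "install_app", "apply_update", "change_hardware"}
# Who is permitted to elevate at all (the equivalent of the sudo/admin group).
MAY_ELEVATE = {"alice"}
# Stand-in for a real dictionary list; constructed for the example.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome"}
PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 3

# The blacklist model, for contrast: a few known-risky programs are demoted and
# everything else, including something nobody has heard of yet, keeps the
# administrator's full rights.
LOW_RIGHTS_PROGRAMS = {"iexplore", "msimn"}


def blacklist_level(program: str) -> str:
    """Privilege a program gets under the blacklist model."""
    return "low" if program in LOW_RIGHTS_PROGRAMS else "admin"


def check_password_policy(pw: str) -> None:
    """Refuse blank, short, single-class or dictionary passwords."""
    if len(pw) < 8:
        raise ValueError("password must be at least 8 characters")
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw))
    if sum(classes) < 2:
        raise ValueError("mix letters and digits, or upper and lower case")
    if pw.lower() in COMMON_WORDS:
        raise ValueError("password is in the dictionary")


class ElevationBroker:
    def __init__(self) -> None:
        self._creds = {}      # user -> (salt, PBKDF2-SHA256 digest)
        self._failures = {}   # user -> consecutive bad elevation attempts
        # The admin account exists, but its secret is random and thrown away,
        # so nobody can ever log in as it directly.
        self._store("admin", os.urandom(32).hex())

    def _store(self, user: str, pw: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        self._creds[user] = (salt, digest)

    def add_user(self, user: str, pw: str) -> None:
        check_password_policy(pw)
        self._store(user, pw)

    def _verify(self, user: str, pw: str) -> bool:
        if user not in self._creds:
            return False
        salt, digest = self._creds[user]
        cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(cand, digest)

    def login(self, user: str, pw: str) -> bool:
        """Interactive logins always yield a restricted session; the admin
        account is refused outright rather than merely hidden."""
        return user != "admin" and self._verify(user, pw)

    def run(self, user: str, command: str, password: str = "") -> str:
        """Return the privilege level this one command runs at, or raise.
        Nothing here changes the session: the next command starts restricted."""
        if command not in ADMIN_COMMANDS:
            return "restricted"      # ordinary work, including unknown programs
        if user not in MAY_ELEVATE:
            raise PermissionError(f"{user} may not perform {command}")
        if self._failures.get(user, 0) >= MAX_FAILURES:
            raise PermissionError("elevation locked after repeated failures")
        # Re-authenticate with the caller's OWN password, never the admin's.
        if not password or not self._verify(user, password):
            self._failures[user] = self._failures.get(user, 0) + 1
            raise PermissionError("authentication failed")
        self._failures[user] = 0
        return "admin"


if __name__ == "__main__":
    broker = ElevationBroker()
    broker.add_user("alice", "53VealsMead")                    # constructed sample user
    print(broker.run("alice", "shiny_new_toolbar"))            # restricted
    print(broker.run("alice", "install_driver", "53VealsMead"))  # admin, this call only
    print(blacklist_level("shiny_new_toolbar"))                # admin: the blacklist gap
```

The two models differ on exactly the case the text worries about: a program nobody has seen before gets "restricted" from the broker and "admin" from the blacklist. The failure counter is there because a password prompt that can be retried forever is just a slower yes/no button.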

It's simpler and safer than Vista's elaborate UAC system, which, if it winds you up, you can simply go into Control Panel and turn off - another fairly heinous security no-no. This in itself is a giveaway, too: you can't just "turn off" the reduced privileges of a user account, but you can turn off the warnings on an admin account with extra safeguards.

So that's one difference that would have saved a lot of time and effort for better results.

There would have been a price to pay: as already mentioned, lots of Windows applications expect and demand admin rights and go wrong if they don't get them. This sort of fix would break all those programs, and for all its sins, Microsoft does bend over backwards to keep as much backwards-compatibility as it possibly can.

But the thing is, code that demands admin privileges is broken. It's not merely a bad idea, this is just plain wrong - and whereas Microsoft created the circumstances that led to this situation, to be fair, it didn't write all those broken apps. It really isn't Microsoft's fault if third-party vendors are supplying broken software.

Vista is a major rewrite of Windows. The new display model means that old graphics drivers don't work any more; nor do lots of other drivers. This and other changes mean that lots of programs don't work properly on Vista any more. Such as all of Apple's applications, from iTunes on down. I'm sure that was a complete coincidence.

Vista breaks lots of apps anyway. So did XP in its day, and 2000 before that, and NT before that. Indeed, the move from DOS-based Windows - 95, 98 and ME - to NT-based Windows - 2000 and XP - broke loads of old apps that relied on the DOS-based underpinnings of the old versions. It happens. It's the price you pay for improvements. Either the software vendors fix their apps, or you replace the apps - it's what anyone upgrading their OS to a new version faces anyway. But the change I propose would have been worth it. The stuff that would have been broken was already broken.

You don't get something for nothing - at least, not from a commercial outfit like Microsoft. No pain, no gain.

So much for the user account thing. The other big hole in Windows is Internet Explorer. IE7 is an improvement. It's got a lot of beneficial changes: things like tabs and RSS support make it more powerful and usable and things like the built-in phishing protection are a step in the right direction.

But the big problems with IE are still there. For one, ActiveX. It was a bad idea in 1995 and it's a worse one now. No other browser works this way. The Mozilla family is derived from Netscape, which has its own plugin system. Its plugins are native code too, but a web page can't install one by itself - the user has to - and genuinely sandboxed content, such as Java applets, runs inside a restricted virtual machine. In the beginning of the Web, Netscape was the dominant browser, and though I bet few people remember it now, the up-and-coming Internet Explorer supported Netscape plug-ins so that users moving to IE didn't lose all their advanced features. That support was dropped around the time of IE 5.5, as by then IE had triumphed and was the new power on the Web.

It used to do it. I'm sure it could do it again. ActiveX should never have happened, but it's not too late. It still could be banished. Sure, it would break quite a lot of websites, but thanks to the success of Firefox and Mac OS X, there are fewer and fewer sites around that are completely specific to IE running on Windows any more. For all the gains in security, it would be worth forcing some web designers to rework their sites.

Microsoft has, belatedly, realised that the "safe sandbox" approach is the way to go - it's the basis of the "managed code" of .NET, whose runtime can confine a program according to where its code came from. It's time to banish unmanaged code from the Web, too. Just slapping warning notices all over it - "Did you notice the Information Bar at the top of the window?" - is not enough.

The other problem with IE is also fixable: its shell integration. Internet Explorer first appeared as an optional extra for Windows 95. (NT3 never got a 32-bit version of IE. If you downloaded IE for NT3, what you got was the 16-bit version for Windows 3, with the Windows 3 bits that didn't work on NT taken out.) It only got bundled with Windows 95 OSR2 and became integrated into the Windows shell with Windows 98.

Funnily enough, this is around the same time that the US Department of Justice, prompted by Netscape's complaints, was suing Microsoft for anticompetitive practices - viz., unfairly bundling its free browser with Windows to displace the commercial Netscape offering.

Microsoft's defence was that IE wasn't a standalone product, it was part of the OS, a component of Windows. (Although Windows 95 didn't actually come with it originally - and neither did any older version of Windows. And that you could install Windows without it, or remove it from Windows once it was installed.)

Right after this, Microsoft integrated IE deeply into Windows 98. The new and improved "Active Desktop" in Win98 was driven by IE: Explorer window contents were generated in HTML which was rendered by the core DLLs of IE, as were JPEG images. Remember that message when setting a JPEG as your wallpaper? "To display this image, Active Desktop must be enabled." If you use a Windows Bitmap (BMP) as the wallpaper, Explorer can display it itself, because BMP is a native format. JPG isn't, it's a Web format, so IE is used to display it.

The thing is that it's a bad idea to use the same code to display remote content from the Internet as for the local user interface. Remote content, by nature, can't be trusted - you don't know who provided it or what it does. So programs displaying that content need to be really paranoid and careful, and you ought to run them in a self-contained, isolated process that can't affect anything else that's going on.

Local content, on the other hand - like a list of the contents of your own hard disk - you have to trust. The user interface of the machine must be able to view and manipulate anything on the machine, or it can't do its job.

These are two different roles. Using the same code for both is a bad plan, for several reasons.

For one, any exploits or vulnerabilities in the web browser automatically become vulnerabilities of the whole machine when that browser is part of the OS and always running. If the baddies can somehow sneak a dodgy file onto your computer, then even if you're disconnected from the Internet, if you open that file, your box is owned; the vulnerability is always present. You can't really firewall a computer from itself.

Secondly, the two roles demand different functions and different ways of working. The local interface should be fast and slim and sleek, because there's no delay in retrieving the information to be displayed: it's right there on the machine already, and up to a point, it can therefore be trusted. Faster PCs are making it harder to spot, but on Windows 98 machines, you could often catch a glimpse of Explorer showing a grid of blank icons before it fetched and rendered the actual images - just like watching a web page display slowly over dial-up. The fact that better performance makes this invisible doesn't excuse it being there in the first place when it shouldn't be.

The remote interface needs to be careful, paranoid, isolated from local storage, and it needs to cope with delays in stuff appearing. It needs to be complex and capable, to handle elaborate, fancy web sites, whereas the local file browser is only going to be displaying simple, known quantities - lists of files, previews of images and so on.

It may sound like having two sets of code to render and display images and so on is needless duplication, but that happens a lot on computers - it's a fact of life. Your kidneys and liver both perform functions of filtering your blood and removing nasties from it, but they're different enough versions of the superficially similar job that it's worth having two different types of organ to do it.

The web browser ought to be a separate subsystem with no connection to the machine's own user interface, freeing it to be large and clever. The local file browser should be simple, fast and responsive. There's no need to turn the view of the local filesystem into HTML, then pass that HTML through the web browser. Yes, it makes it easier to have fancy, customisable views with task-specific bars down the side and so on, but this is an inefficient way of doing it.
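Here is an added example, not from the article and not Windows code, of the process split argued for above, in Python: the parent process stands in for the local file manager, a throwaway child interpreter stands in for the renderer of untrusted content, and the two talk only in bytes going in and JSON coming out. The "IMG1" format, the sample headers and the renderer's crash are all constructed for the example; real isolation also needs the OS to strip the child's rights (job objects, integrity levels, seccomp and the like), which this example does not do.

```python
"""Broker/renderer split: the local UI (this process) never parses remote bytes
itself. A separate interpreter does, and a crash in there is reported as a
failed render rather than taking the desktop with it. Illustrative code only."""
import json
import subprocess
import sys

# Constructed sample inputs for a made-up header format used only here:
# magic 'IMG1', then big-endian 16-bit width and height.
GOOD_HEADER = b"IMG1" + (640).to_bytes(2, "big") + (480).to_bytes(2, "big")
BAD_HEADER = b"IMG1" + b"\x00"        # truncated: the renderer dies on this
NOT_AN_IMAGE = b"hello, world"

# The renderer's source, run in a separate interpreter. It is deliberately
# naive: a truncated header makes it abort, standing in for the memory-safety
# bug that would otherwise be a bug in the whole shell.
RENDERER_SOURCE = r'''
import json, os, sys
data = sys.stdin.buffer.read()
if data[:4] != b"IMG1":
    print(json.dumps({"error": "unknown format"}))
    sys.exit(0)
if len(data) < 8:
    os.abort()        # the "exploitable" crash, confined to this process
width = int.from_bytes(data[4:6], "big")
height = int.from_bytes(data[6:8], "big")
print(json.dumps({"width": width, "height": height}))
'''


def render_untrusted(data: bytes, timeout: float = 5.0) -> dict:
    """Hand untrusted bytes to a child renderer and return a plain dict.

    The parent sees only the child's exit status and its JSON; it never shares
    memory with the code that touched the remote content."""
    try:
        proc = subprocess.run([sys.executable, "-I", "-c", RENDERER_SOURCE],
                              input=data, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"error": "renderer timed out"}
    if proc.returncode != 0:
        # A crash (signal or abnormal exit) is a failed render, nothing more.
        return {"error": f"renderer died (exit status {proc.returncode})"}
    try:
        result = json.loads(proc.stdout.decode("utf-8", "replace"))
    except ValueError:
        return {"error": "renderer returned garbage"}
    if not isinstance(result, dict):
        return {"error": "renderer returned garbage"}
    return result


if __name__ == "__main__":
    # The "file manager" keeps running whatever the renderer makes of the input.
    for label, blob in (("good", GOOD_HEADER), ("bad", BAD_HEADER), ("text", NOT_AN_IMAGE)):
        print(label, render_untrusted(blob))
```

The point of the JSON boundary is that the only thing crossing back into the trusted side is data the parent validates, so even a fully compromised renderer can at worst lie about an image's size.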

(And yes, I know that KDE does the same thing with local and remote browsing, but then, firstly, KDE runs on a proper, secure OS with restricted privilege levels, secondly, it has no worries about ActiveX to contend with, and thirdly, its developers are considering replacing Konqueror as the file manager in the next version. Personally, I shifted to GNOME years ago, anyway.)

Windows 95 didn't include IE, so the Windows Explorer didn't do any of this HTML stuff. And the same Explorer powered NT4, too. Yet it was the same basic GUI as we have today - task bar, Start menu, folder windows and all. The Windows 98 Explorer brought in lots of handy extras - customisable toolbars and window views, thumbnail icons, JPEG wallpapers, drag and drop Start menu editing, all that sort of thing. Some of its features are really hard to live without, like multithreaded file operations - while it's copying or moving files, you can get on with something else. The old Win95/NT4 Explorer froze up until the operation was finished. The old progress bars didn't work, either - they showed the progress of each file, not the whole operation, so all you saw during multi-file operations was a blurred, flickering bar that was constantly being redrawn - telling you precisely nothing about how far the job had got.

But fixing the old Explorer wouldn't be that hard. Adding in working progress bars, multithreading, thumbnails and customisation and so on does not have to mean using IE to display everything. Netscape is dead and gone and the Mozilla Foundation doesn't care; nobody is going to force Microsoft to remove IE from Windows now, or demonstrate that it's an integral part. It is, now, and has been for nearly a decade.

A simpler, cleaned-up IE with no ActiveX, which played no part in the local GUI, would make Windows safer against attack. A simpler renderer for local JPEG and HTML content, so that HTML Help files and so on still work, would be an easy job. At the same time, the use of the IE renderer to display everything from Windows Messenger chats to emails in Outlook and the display in Media Player brings IE's vulnerabilities to all those programs as well. They ought to be using a simpler, safe renderer too, rather than the full-on IE browsing code.

In an ideal world, I'd like to see IE completely replaced. There are enough HTML rendering engines out there - Mozilla's Gecko, KDE's KHTML and its WebKit offshoot as used in Apple's Safari browser, Opera's code and so on. No need to use an open-source one - just buy Opera or hire the developer of the Mac browser iCab, say. There were too many bad decisions made in the course of IE's development, some of them motivated by commercial concerns like the antitrust case, rather than technical considerations - which should rule such a sensitive, critical piece of software.

Yes, getting rid of IE would break some websites, but then, IE7 does that anyway, and IE8 will doubtless break more. It would be a price worth paying.

These are the sorts of changes that could have made a really big difference to Vista. Not bolting on new code to hedge around the dangerous bits with warning messages and reduced execution privileges, but adopting the same models that everyone else uses - limited user accounts, hidden or inaccessible admin logins, and strict isolation of untrusted remote content from local files, handled by different rendering engines.

These are big changes and they would have caused lots of problems, but that always happens anyway. It's unavoidable. They wouldn't have by any means fixed Windows altogether and made it a completely safe system, but they would be big steps in the right direction.

It's never going to happen now - it's too late for Vista, and after this, there will probably never be such a big change in Windows again, until it's replaced with something new.

But here's a fun thought. What if Microsoft were held legally responsible for all those vulnerable, insecure Windows installations out there? You may not have heard of it, but there's a special lightweight edition of XP for turning old PCs into thin clients. It's called Windows Fundamentals for Legacy PCs. It's the core of XP with almost all the features removed - it can't even "ping" an IP address - but it's still the same old XP. Only this version can run on pretty much any old box that will run Windows 98: 64MB of RAM and a few hundred meg of disk is enough.

How about a special free update of Windows for all those people who won't or can't upgrade to Vista, given away as a free upgrade, just like Outlook 98 was given away free on magazine cover disks to get people to replace the woefully buggy Outlook 97. An enhanced "Vista Fundamentals", with a fixed, safe Explorer, no admin logins for everyday use and a sanitized IE, and none of Vista's whizzy new features, given away for nothing to anybody with an existing version of Windows. That would go a long way toward persuading people to finally abandon all the old versions of Windows and upgrade. And lots of those people might then be tempted into buying the full Vista.

No, I know, it'll never happen. But wouldn't it be nice if...? µ

See Also
The problems with Vista laid bare
Part One What we got and why
