Windows security – sigh!
I doubt that Windows will ever be sufficiently secure. I suppose I’m a skeptic or a cynic, or something. Here I’ll comment on the recent java flap, and on a post at opensuse forums, where somebody thinks linux should change its security model to be more like Windows.
Java security woes
The has been a lot of discussion, over recent weeks, about security problems in java. It seems that there were some flaws that were being exploited. I first heard of those problems in thread, such as these, at the security forum of www.dslreports.com
Many people took the warnings seriously, and disabled java.
Personally, I didn’t worry much about the warning, though I did mention them to my wife. I don’t use Windows for much, and when I do use it, I normally login as a limited user. As a limited user, an attempted exploitation of a java flaw would probably not do much damage.
My wife did disable java on her system. She always logs in as an administrator, and I have been unable to persuade her to follow safer practices.
The java update
A few days ago, a java update came in (to SE7 update 13). At that time, I was running Windows 7 on my laptop, beginning my preparation of my income tax return. A small notifier in the tray alerted me of the java update. I clicked on the updater, and told it to proceed. That, of course, requires administrative permission. I was prompted, and entered the password for an admin account.
Frankly, I do find that annoying. My preference would be for the java updater to only alert me when I am logged in as an administrator (such as when doing the monthly microsoft updates). But Sun, and now Oracle, never seem to get that straight.
The updater began. Shortly thereafter, it popped up an error message. It had failed to download the files for the update.
I later logged in as an administrator, went to the control panel, and opened the java applet in the control panel. I requested that it check for updates. It did so, and the update installed correctly.
Two days later, I was running Vista on an older desktop system – mostly, I was running Windows to allow the anti-virus to update. And the same thing happened with java. The updater advised me that an update was available. I said yes. I was prompted for an administrator password, which I provided. And then the update failed. I again had to login as an administrator to finish the job.
Windows security incompetence
With the same thing happening twice, this looks like a software problem rather than a temporary network connection failure. I found no mention of this in online comments that I read about that java update.
Here are my guesses about what happened:
- Nobody at Oracle bothered to test their patch on a limited user account.
- Most of the people discussing this online are using adminstrator accounts for routine Windows work.
If my guesses are correct, then I can only shake my head and wonder about the foolishness.
Presumably, many people believe that the protections provided by UAC are sufficient. Clearly, they are not. If UAC were sufficient to protect an administrative login, then that java update should have failed for UAC protected administrators, just as it failed for me as a limited user. For that matter, if the UAC protections were adequate, then exploits of java flaws should not have worked (except on older XP systems, without UAC).
That opensuse forum thread
Recently, somebody started a forum thread “What is the deal with Linux and root/admin privileges in the modern era” with a rant about the need to occasionally provide the root password in linux. That seems to think that linux needs to me modernized, by making its security more like what we see in Windows.
No thank you. I’d prefer to keep the current security model. Sure, there are a few things that I would like to see changed, such as allowing system WiFi connections without a root password, perhaps only for members of a “network” group. But, on the whole, the linux/unix security model is reasonably sound. I do not find it onerous to occasionally need the root password, just as I don’t find it onerous to login to Windows as a limited user.