January 31
Firewall and Windows OneCare – a multi-layered defense
Recently we’ve heard some rumblings about Windows OneCare and our default firewall settings. I wanted to set the context for this debate (we assume you’ll engage) by highlighting the most important aspect of Windows OneCare’s approach to security: aggregating all the key technologies in one package so we can make it easy for you to take care of your machine. We believe users should not need to buy multiple products, and don’t want to spend an inordinate amount of time modifying settings for each of these applications. In fact, most folks don’t really want to think about it at all. But, the fact is, keeping your machine safe is the first critical step in enabling you to do all the things you want to do.
So, Windows OneCare tries to layer in the key protection technologies, set at a level that won’t disrupt the normal activities of most people, all in one package. As the loyal beta testers and blog readers know, I’m talking about a two-way firewall, anti-virus, (soon-to-be) anti-spyware, backup and maintenance. Each of these components is important, but running any one in isolation would put you at risk. That’s why we have the green/yellow/red meter, to make sure you have all these technologies working together.
The Windows OneCare firewall provides a critical layer of defense by monitoring network traffic that could place your computer at risk. We manage the firewall to be as proactive as possible in allowing popular applications, while prompting the user when an unrecognized application is invoked. So, like most firewall vendors, we continually add to and update our list of known applications so these can be allowed programmatically.* In addition, by default we allow any signed (by a Microsoft Trusted Rooted Certification Authority) application because it means the software developer can be traced; it is highly unusual for malware to be signed.
It is within this context that I wanted to comment on the recent discussions of the Windows OneCare default policy on Java VM. By default the firewall auto-allows Java VM (virtual machine) because it is widely used by third party applications, and is a popular and trusted program among our users. This policy is consistent with the framework above: blocking Java VM would result in many applications being disabled, but prompting users to accept or block would likely confuse them. And if a malicious program – running on Java VM - made its way on to your computer, the Windows OneCare anti-virus solution would be the second line of defense. We produce signatures for Java malware the same as for native code malware, and if we have a signature for the application, it would be blocked just like any other malware detected by Windows OneCare. This is where a multi-layered defense becomes not just helpful, but rather table stakes in the protection game.
Based on consumer feedback, we’ve designed Windows OneCare to provide as much automated protection as possible to enable a simplified experience. We are confident that the service strikes the right balance to deliver comprehensive security protection with an easy-to-use service. As always, we welcome your comments and input on these issues.
* For the techies out there, if you do not want programs covered by our policy to be auto-allowed, go to the firewall tab in settings and move the slider bar up. With this setting you will be prompted the first time a program tries to access the Internet. Our recommended setting is “Auto,” because most users want the program to be intelligent in making these decisions, and don’t want to see popups for every application. But if you are so inclined, we do provide you the opportunity to ratchet up the firewall to suit your needs.
January 24
Windows OneCare Firewall - Getting green and staying green, part II
As always, thanks to those that posted thoughtful comments to the blog over the past week (I have my definition of “helpful,” which may be different than yours…) :-). It was helpful to see the comments that reflect some of what we’ve heard in our surveys and direct feedback, especially around the frustration of getting multiple blocks on the same program, and default behavior of our firewall to block unknown applications. On the first point, I’d say this is an issue that we – along with all firewall providers – are continually working to improve. There is no “end-point” to security or firewall development, given the dynamic nature of the industry and the constant evolution of software programs. However, as we continue tuning the firewall over time it will do an increasingly better job of recognizing when the same application gets flagged. On the second point – default blocking of unknown applications – we continue to assert that it is better to be safe than sorry. It only takes one unknown application getting through to compromise your system, so until we know something is safe, we need to prompt for your approval.
While you may already be tired of hearing this line from us, our first priority truly is safety. When an application only changes slightly, or a new application is “flagged” by our firewall, we must assume that it is not safe. Again, while it can be frustrating to repeatedly allow applications, think of it like getting into your car. Each time you get behind the wheel you need to put on your seat belt. Even if you’re only going for a short ride, you have to assume it’s safer to be buckled up, rather than hoping that the three-block drive you’re about to make won’t end up in an accident.
Before moving on to the actions we’re considering to increase the number of users with firewall turned on, I wanted to briefly put this discussion in context. We won’t be satisfied until all of our users are in a green state. While some might view that as being overkill – I’ve had some people tell me we should just relax and let users do what they want to do – that’s not our mission. Obviously we’ll let users do whatever they want; the key issue is WHY. Why might users ignore prompts, or adjust settings, that make them vulnerable? Certainly there are expert users out there that know exactly how to manage their environment and don’t want Windows OneCare to aggressively promote a particular course of action. But that’s what we do – we take a strong point of view on what makes the machine more secure – and if we can help the average user take that action without bothering them, then we’ll do it. Backup, auto-updates, regular tune-ups – these are things that users could do on their own, but first they need to buy or set-up the applications properly, and then they must remember to do them on an ongoing basis. Windows OneCare tries to take care of your machine. Even if a tiny fraction of our users are in a vulnerable state, we’ll continue asking questions, probing our users and benchmarking best practices in the security industry to ensure we prompt our users to do what we know makes sense for the vast majority of machines.
With that as a (long) intro, we have assessed a few options to help users get their firewalls turned back on. One consideration is to do what Rob suggested on the blog – and is something NIS does – put in a “snooze” option. The benefit of this approach is that it only allows the firewall to stay off for a discrete period of time. The main draw-back is that users may turn off the firewall for a specific purpose, then find that it gets turned back on without their awareness, breaking an application they were in the middle of using. Another option we considered is periodically prompting users that have their firewall turned off - via a dialog box - to either turn on the firewall or view relevant information about common firewall issues. The downside is it introduces another dialog box; the upside is that it reminds only users with their firewall off that they should turn it back on, and provides contextual help for those that have had trouble with it in the past. A third path we evaluated was to turn the firewall back on after each product update. While that would help turn a lot of firewalls back on, it might surprise users that were not expecting a firewall change. A final consideration is to do nothing at all. Ultimately each individual will make his or her own decisions about firewall settings, but it would be hard for us to watch any of our customers operate in a vulnerable state.
So, we’ll continue to monitor user feedback, analyze the issue, and discuss internally. We appreciate your continuing feedback on the issue, and I’ll be sure to keep you in the loop if there are any changes that might impact your user experience. Thanks for being an active (and opinionated) audience.
Yoav
January 17
Windows OneCare Firewall – Keepin’ it Green, Part I
One of the most interesting aspects of working on Windows OneCare is the ongoing focus we have on the overall status of our customers’ machines. Through a combination of surveys, emails and customer communication, we maintain a close watch on the “health” status indicators, such as, percent of users with anti-virus out of date, or the ratio of customers that are regularly backing up files.
As you probably know by now, we are laser-focused on the red/green percentage; it is our primary goal to ensure all our users’ machines are healthy and safe. So, when we see an increase in the number of “green” machines we are pleased, when we see an increase in the number of “reds” we start digging for more information. Recently, we have noticed a slight increase in the number of people turning off their firewall, with a corresponding decrease in the number of green machines.
Based on our investigation, there are four primary reasons people are turning off their firewall.
While we understand the rationale for each of these, let me quickly explain why the first three should not be reasons you keep your firewall off. For the first, if you do not have a software firewall enabled on your computer you are likely vulnerable. Some people believe they are sufficiently protected with a hardware firewall – these are often built in to a hub or wireless router. While hardware firewalls are certainly helpful, it is a well-known principle in computer security that software firewalls provide an essential layer of protection; you should not feel comfortable performing normal PC and network-related activities (email, IM, web surfing, etc.) without one. So, if you turned off the firewall because you thought it was unnecessary, please (please!) turn it back on.
For pop-ups, these can certainly get frustrating, particularly if you use applications that seem to cause frequent pop-ups. However, Windows OneCare is a two-way firewall, which means we programmatically inspect network traffic going in to your computer, and activity coming from your computer to ensure there is no communication happening that you don’t approve. For most applications, the pop-ups will either go away or diminish over time, as we validate the health or authenticity of the application. For other programs you may continue to see pop-ups; we’ll keep working to minimize these, but we strongly encourage you to keep your firewall on in the meantime, since the cost-benefit should be well worth it.
Third, when an application fails to install because of the firewall it can be particularly frustrating, and you may have turned off the firewall to get your application running. However, once that application is installed, you should turn the firewall back on and then “allow” the program if prompted.
The final reason for turning off your firewall – when an application simply won’t work properly – is entirely valid. We are constantly updating our firewall policy, and continue to make improvements to the Windows OneCare experience as it relates to application compatibility, so if you had a problem at one point that couldn’t be solved, it may be fixed already. However, as a beta user, if you continue to have problems we strongly encourage you to contact us. We can most effectively troubleshoot your issue if you don’t uninstall or disable, but rather work with us to figure out your problem first, which will in turn help us to solve any broader issues. We welcome your thoughts on this issue. In part II, I will respond to common themes in your comments, as well as highlight some of the options we are considering to help all users that should or could have their firewalls enabled. Thanks for being active participants in the ongoing success and value of Windows OneCare.
January 4
Windows Meta File (WMF) vulnerability
Happy New Year, and welcome back to the blog. It has been a fairly quiet few weeks, until the WMF vulnerability was announced a few days ago. While you can read more about the actual vulnerability on Microsoft’s main website (http://www.microsoft.com/technet/security/advisory/912840.mspx), the good news is – for Windows OneCare users – if your current status is green or yellow, you are already protected from known malware that tries to attack this vulnerability. Because the Windows patch that fixes this completely is not due out until next Tuesday, we recommend that users take extra caution and do not open unsolicited e-mail, browse unknown or solicited Web sites, and avoid downloading graphics files. While the exploit was quickly understood, and Windows OneCare sent updates out within hours of the vulnerability being found in Windows, this kind of issue is a reminder that real-time protection is critical.
Windows OneCare is much more than just anti-virus software of course, but this example shows why this kind of protection is critical to our overall mission of taking care of your PC.
In addition, by now most users should have received a Windows OneCare advisory letting you know that there is a WMF vulnerability, but users in a green or yellow status are protected. In the past we have received very favorable feedback on these advisories; it is always a balance between potentially frightening users, and keeping them informed. Because Windows OneCare will attempt to be silent and operate in the background where possible, we believe the bar is quite high to send out an advisory. In a situation such as the one that has developed over these past several days, we felt it was appropriate to inform our users. As always, we welcome your feedback on sending the advisory, as well as any specific suggestions on how we can make these even more impactful and helpful to our broad user base.
Before signing off for this week, I did want to provide a bit more information on the exploit itself. For the full text, please go to http://www.windowsonecare.com/secinfo/wmf1228.aspx; the key paragraph is:
“On Tuesday, December 27, 2005, Microsoft became aware of public reports of attacks on some customers involving a vulnerability in the Windows Meta File (WMF) code area in the Windows platform. Microsoft has completed development of the security update for the vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins on the second Tuesday of the month. Windows OneCare users who are green or yellow will automatically receive this patch through Windows Update when it is released.”
Let’s hope the rest of 2006 is exploit-free (unlikely, but hey, I’m an optimist), and we can focus our primary energies on folding in all the great suggestions you’ve been posting to the blog. We can’t thank you enough for the detailed descriptions of what you would like to see. I can assure you we’ll be hard at work implementing these new features in the coming year.
Wishing everyone a healthy and happy new year.
Yoav
PS - I’ve been trying to post fairly regularly, but after getting flamed by chaz on New Year’s Day that I’m not updating frequently enough, I’ll re-double my efforts to post at least once a week.