Friday, November 11, 2005

Microsoft Security Initiatives

Microsoft “Security Initiatives”: Security or just Business?

A few weeks ago I wrote an article called “Windows Mobile 5 Snafu” published originally at and later at this site under the name of “Houston, We have a problem”. In that article I was talking about how Windows Mobile 5 did not “see” MUI files if the “Security Prompt” feature of the OS was activated. At that moment I did not have enough information about what Microsoft did in WM5 so I assumed that it was a bug. Today I know that as usual what seems to be a bug is in reality a new feature of this Operating System. Let me clarify something here, I still think that it’s a bug. Why? Because when you are permitting to run or install any application by Answering YES to that prompt, that authorization should be passed to MUI files needed by that “user authorized program”. But according to Microsoft, quote: “On Smartphone 2002, MUI files did not require signing. With Smartphone 2003 and moving forward, MUI files need to be signed along with the other required binaries (EXE, DLLs, and CABs).”   And this applies to Windows Mobile 5. When an application is signed the Operating System will not ask you for authorization to run/install any application and the application is going to be able to read the MUI file. If the application is not signed the OS will ask you for authorization but no matter what you answer was, the OS wont let the application read the MUI file because this one is not signed.

MUI files (Multilingual User Interface) files are used to keep different sets of objects that can be retrieved during the load process of the application. That allows programmers to select the proper language to be used in the executable or to choose the proper configuration to be used according to conditions present in each individual device. The requirement of signature in MUI files tells me that Microsoft thinks that MUI files could be used by Viruses to attack mobile devices. So this requirement is understandable but if you are allowing users to install applications that are not signed you have a bigger risk than when you let users decide what to install or run in their devices so to me does not make any sense to authorize the executable and do not authorize the MUI file.  

But this is just a minor problem taking in consideration that no too many programs use MUI yet and there is some ways around this issue that can be used by developers as long as “Microsoft Security Initiatives” are not implemented fully like in SmartPhone devices.  And I say this because many Pocket PC users do not know what is going on with SmartPhones. Let’s take the Motorola i930 currently sold by Nextel in USA. This phone is completely “application locked”. What this means? This means that those owners can’t install anything that has not been digitally signed by Nextel. To get an application signed by Nextel the author has to submit that application for an approval and paid for the signature. The cost of the signature in the case of Nextel is unknown to me yet but taking in consideration what others Microsoft’s partner ask, the amount could be within $300 to $2000 depending of how many times you are allowed to sign that same program. This explains why Nextel has signed only 18 applications so far and why i930 owners have started an Online Petition to decertify this SmartPhone.  I don’t know what do you think about all this but from where I’m from there is an old saying “If you see that the house of your neighbor is on fire, you better start checking yours because it could be the next one”.

But I know how we all humans are. Why to worry about something that has not hit us yet? Well, to think in this way is completely wrong. We have seen how this “Security Initiative” affects MUI files but I’m sure that many VGA Device Owners are looking for versions of ozVGA and SE_VGA to use in their new Windows Mobile 5 devices not knowing that these two applications have been affected for almost the same issue.

In Windows Mobile 5 as we already know “only drivers signed with a privileged certificate (regardless of the device's security policy) can be loaded during the boot process.”  Well, the DLLs used by ozVGA and SE_VGA were extracted from a QVGA ROM and in the process of extracting these files they lost the so-called “privilege signature”. These DLLs contain the images for mainly the majority of the buttons used in the OS and if they can’t be seen/used by the OS because they are not signed all these images are not seen/shown when users have applied all changes needed to the OS to change the screen resolution using ozVGA and SE_VGA.

There are many people looking for a work around but believe me, I have been looking for a solution to run Tweaks2K2 in the i930 of Nextel since that phone was released to the market. Beside to have legally signed all files there is not any way to go around the problem. Do you think that authors of these two applications will pay several hundred dollars to have their FREEWARES signed? Do you think that an application like Tweaks2K2 will be “approved” by Nextel?

I know that some users have found a way to use the DLLs with ozVGA. They have used a privileged certificate from the developer’s tools to sign the DLLs and then they have installed that developer’s certificate in the device where they want to use these DLLs. This means that from that moment anything signed with that certificate will be able to do in these devices basically what ever it wants to do. In another words, Microsoft has pushed users to fully open their devices to any attacker.

Now my main question to Microsoft is: How good is a security system that pushes users to do things like this? Is really this security system good for users or it’s just another way to make money? I’m sorry Microsoft but this is my honest opinion about your “Security Initiatives”.


At 7:00 PM, Blogger cmphcnq2 said...

So what are the workarounds? Would updating HKLM\Security\Policies\Policies "fix" it once and for all?

At 7:06 PM, Blogger CTitanic said...

Updating the policies do not fix the whole problem because the problem is the whole security feature now implemented in our Pocket PCs.

At 7:23 PM, Blogger cmphcnq2 said...

But would it at least address the MUI issue (I am mainly concerned about the use of MUI for VGA apps)? My x51v has been shipped yesterday, and it will replace iPAQ 5555/2K3 (which became unusable after 2 years due to a cheap connector that has already been replaced once ... but this is another story), and I'm trying to understand which of my favorite apps I won't be able to migrate to X51v.

At 7:25 PM, Blogger CTitanic said...

Yes, it will take care of the MUI issue.

At 7:45 PM, Blogger cmphcnq2 said...

I found 3 solutions to MUI issue in different newsgroups: tweaks2k2 (will the Lite version be enough?), SetSecurity.exe and changing the registry. Do they all do the same thing? Does the fix need to be applied before the software install, or it doesn't matter?

At 8:17 PM, Blogger CTitanic said...

better use sesecurity.exe. You can apply this hack at anytime. It does not matter when.


Post a Comment

<< Home