Larry Osterman's WebLog

Confessions of an Old Fogey

Chris Pirillo's annoyed by the Windows Firewall prompt


Yesterday, Chris Pirillo made a comment in one of his posts:

And if you think you’re already completely protected in Windows with its default tools, think again. This morning, after months of regular Firefox use, I get this security warning from the Windows Vista Firewall. Again, this was far from the first time I had used Firefox on this installation of Windows. Not only is the dialog ambiguous, it’s here too late.

I replied in a comment on his blog:

The reason that the Windows firewall hasn’t warned you about FF’s accessing the net is that up until this morning, all of its attempts have been outbound. But for some reason, this morning, it decided that it wanted to receive data from the internet.

The firewall is doing exactly what it’s supposed to do - it’s stopping FF from listening for an inbound connection (which a web browser probably shouldn’t do) and it’s asking you if it’s ok.

Why has your copy of firefox suddenly decided to start receiving data over the net when you didn’t ask it to?

Chris responded in email:

Because I started to play XM Radio?  *shrug*

My response to him (which I realized could be a post in itself - for some reason, whenever I respond to Chris in email, I end up writing many hundred word essays):

Could be - so in this case, the firewall is telling you (correctly) exactly what happened.

That's what firewalls do.

Firefox HAS the ability to open the ports it needs when it installs, as does whatever plugin you're using to play XM radio (I documented the APIs for doing that on my blog about 3 years ago; the current versions of the APIs are easier to use than the ones I used), but for whatever reason it CHOSE not to do so and instead decided that the correct user experience was to prompt the user when downloading.

This was a choice made by the developers of Firefox and/or the developer of XM radio plugin - either by design, ignorance, schedule pressure or just plain laziness, I honestly don't know (btw, if you're using the WMP FF plugin to play from XM, my comment still stands - I don't know if this was a conscious decision or not).

Blaming the firewall (or Vista) for this is pointless (with a caveat below).


The point of the firewall is to alert you that an application is using the internet in a way that's unexpected and ask you if it makes sense. You, the user, know that you've started playing audio from XM, so you, the user expect that it's reasonable that Firefox start receiving traffic from the internet. But the firewall can't know what you did (and if it was able to figure it out, the system would be so hideously slow that you'd be ranting on and on about how performance sucks).

Every time someone opens an inbound port in the firewall, they add another opportunity for malware to attack their system. The firewall is just letting the user know about it. And maybe, just maybe, the behavior that's being described might get the user to realize that malware has infected their machine and they'll repair it.

In your case, the system was doing you a favor. It was a false positive, yes, but that's because you're a reasonably intelligent person. My wife does ad-hoc tech support for a friend who isn't, and the anti-malware stuff in Windows (particularly Windows Defender) has saved the friend's bacon at least three times this year alone.


On the other hand, you DO have a valid point: The dialog that was displayed by the firewall didn't give you enough information about what was happening. I believe that this is because you were operating under the belief that the Windows firewall was both an inbound and outbound firewall. The Windows Vista firewall IS both, but by default it's set to allow all outbound connections (you need to configure it to block outbound connections). If you were operating under the impression that it was an outbound firewall, you'd expect it to prompt for outbound connections.

People HATE outbound firewalls because of the exact same reason you're complaining - they constantly ask people "Are you sure you want to do that?" (Yes, dagnabbit, I WANT to let Firefox access the internet, are you stupid or something?).

IMHO outbound firewalls are 100% security theater[1][2]. They provide absolutely no value to customers. This has been shown time and time again (remember my comment above about applications being able to punch holes in the firewall? Malware can do the exact same thing). The only thing an outbound firewall does is piss off customers. If the Windows firewall was enabled to block outbound connections by default, I guarantee you that within minutes of that release, the malware authors would simply add code to their tools to disable it. Even if you were to somehow figure out how to block the malware from opening up outbound ports[3], the malware will simply hijack a process running in the context of the user that's allowed to access the web. Say... Firefox. This isn't a Windows-specific issue, btw - every other OS available has exactly the same issues (malware being able to inject itself into processes running in the same security context as the user running the malware).

Inbound firewalls have very real security value, as do external dedicated firewalls. I honestly believe that the main reason you've NOT seen any internet worms since 2002 is simply because XP SP2 enabled the firewall by default. There certainly have been vulnerabilities found in Windows and other products that had the ability to be turned into a worm - the fact that nobody has managed to successfully weaponize them is a testament to the excellent work done in XP SP2.


[1] I'm slightly exaggerating here - there is one way in which outbound firewalls provide some level of value, and that's as a defense-in-depth measure (like ASLR or heap randomization). For instance, in Vista, every built-in service (and 3rd party services if they want to take the time to opt in) defines a set of rules which describes the networking behaviors of the service (I accept inbound connections on UDP from port <foo>, and make outbound connections to port <bar>). The firewall is pre-configured with those rules and will prevent any other access to the network from those services. The outbound firewall rules make it much harder for a piece of malware to make outbound connections (especially if the service is running in a restricted account like NetworkService or LocalService). It is important to realize this is JUST a defense-in-depth measure and CAN be worked around (like all other defense-in-depth measures).

[2] Others disagree with me on this point - for example, Thomas Ptacek over at Matasano wrote just yesterday: "Outbound filtering is more valuable than inbound filtering; it catches “phone-home” malware. It’s not that hard to implement, and I’m surprised Leopard doesn’t do it."  And he's right, until the "phone-home" malware decides to turn off the firewall. Not surprisingly, I also disagree with him on the value of inbound filtering.

[3] I'm not sure how you do that while still allowing the user to open up ports - functionality being undocumented has never stopped malware authors.
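The post makes three concrete claims about the Windows Firewall that a defender can check on their own machine: outbound traffic is allowed by default per profile, installers punch program-specific inbound holes through the firewall API, and (footnote [1]) built-in services carry rules bound to the service rather than to an arbitrary program. The script below is an added example, not code from Larry's post or from Microsoft; it assumes Windows 8 / Server 2012 or later, where the NetSecurity cmdlets exist (Vista itself only offers the COM API the post mentions), and an elevated session so every rule is visible. The function names are my own.

```powershell
# Added example: audit the local Windows Firewall posture described in the post.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated shell.

# 1. Per-profile defaults: inbound is normally Block, outbound normally Allow,
#    which is exactly why the firewall only ever prompts for inbound listeners.
function Get-FirewallPosture {
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

# 2. Every enabled inbound Allow rule tied to a specific program: the "holes"
#    an installer (or anything else with admin rights) can open through the API.
function Get-InboundProgramHoles {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter   # Program path or 'Any'
            $port = $rule | Get-NetFirewallPortFilter          # Protocol / ports
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Program   = $app.Program
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
                Profile   = $rule.Profile
            }
        } |
        Where-Object { $_.Program -and $_.Program -ne 'Any' }
}

# 3. Service-bound rules, the defense-in-depth measure from footnote [1]:
#    rules that apply to a named Windows service instead of to any program.
function Get-ServiceBoundRules {
    Get-NetFirewallRule -Enabled True |
        ForEach-Object {
            $rule = $_
            $svc  = $rule | Get-NetFirewallServiceFilter     # Service name or 'Any'
            if ($svc.Service -and $svc.Service -ne 'Any') {
                [pscustomobject]@{
                    Rule      = $rule.DisplayName
                    Service   = $svc.Service
                    Direction = $rule.Direction
                    Action    = $rule.Action
                }
            }
        }
}

# Review only; nothing below changes configuration.
Get-FirewallPosture      | Format-Table -AutoSize
Get-InboundProgramHoles  | Sort-Object Program | Format-Table -AutoSize
Get-ServiceBoundRules    | Sort-Object Service | Format-Table -AutoSize

# Opting in to outbound blocking on the Public profile (the setting the post says is
# off by default). -WhatIf only previews the change; remove it to apply.
Set-NetFirewallProfile -Profile Public -DefaultOutboundAction Block -WhatIf
```

The per-rule filter lookups are slow on a machine with hundreds of rules, but they are the only way to see which program or service a rule is scoped to; the rule object itself only carries the name, direction, action and profile. Comparing the `Get-InboundProgramHoles` output against what you expect to be installed is the cheap version of the check the post hopes a prompt will trigger in the user's head.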

  • The Windows Firewall prompt, in this case, IS ambiguous though--to an average end-user.

    "Windows Firewall has blocked this program from accepting incoming network connections." Clearly, to them, Firefox has been accepting incoming network connections. They don't know the distinction between incoming connections and incoming data. Without knowing anything about sockets, "incoming network connections" is ambiguous and is read as "incoming network data".

    Windows Firewall is working as expected and Chris is being a little harsh; but he does make a point that even above-average users can misinterpret this dialog.

  • Did you see the post at blogs.msdn.com

  • Great post. I find that in general Chris is annoyed by everything. At one point he gave up on Vista because it didn't run his fax software which he used every day. What I had to wonder is why someone so allegedly high tech would be using something as ancient as faxes.

  • Am I the only one here who thinks that allowing malware to turn off the firewall is a very bad idea? Even a prompt saying "Malware.exe wants to disable your firewall. [Allow] [Deny]" would be better than the current behavior, IMO.

  • Triangle, how do you tell the difference between malware and the user?

    If you can answer that question, then there are a number of game companies that would just LOVE to talk to you.

    Raymond gave a hint as to why this is so hard several years ago: http://blogs.msdn.com/oldnewthing/archive/2004/01/01/47042.aspx

  • Do the firewall APIs that open ports not need some sort of privileged token to be called?  I.e. should something that is opening a port on the firewall only work when run with admin privileges?

  • Peter: That's a good question. I'd assume that you need admin rights.

  • > Triangle, how do you tell the difference between malware and the user?

    You assume that everything is malware except for a few special programs, and make it so that only those programs are allowed to do "sensitive" things, such as turn off the firewall or overwrite system files. When the user wants to change something, they go through one of these programs. "But then I can just create an instance of one of those programs, and send window messages to it" - no you wouldn't be allowed to send window messages to a program that has more privileges than you do. Only the user is allowed to interact with those programs.

  • Triangle: So the malware injects its code into those special programs and does its thing.

    Even if you CAN block malware from opening up its own ports, how do you block IE or Firefox from accessing port 80? Malware can attach itself to IE or Firefox (both of which have extension mechanisms that allow code to run with the privileges of the user) and can access port 80 just fine. If you can make outbound connections to port 80 on another computer, you can do anything.

    All you gain by adding an outbound firewall is make the life of the malware author slightly harder.

  • > Triangle: So the malware injects its code into those special programs and does its thing.

    Well, of course it isn't allowed to do that. Jeez. When I said "send a window message", I meant "Send window messages, inject code into it, read/write into its address space, or in general do anything that would mess it up"

    > Even if you CAN block malware from opening up its own ports, how do you block IE or Firefox from accessing port 80?

    Well, malware would be allowed to open up ports. But allowing something to communicate with something else over the internet isn't a security risk unless:

    A) it's doing so over a raw socket, and can spoof or DoS people

    B) it sends the user's private data over the wire

    Both of which could be considered 'sensitive' operations.

  • Good post, but I still like outbound firewall protection. Not so much from malware, per se, but from all the tracking stuff the "legitimate, commercial" software does.

    I want to know if the app I purchased and installed is reporting home. If the EULA doesn't disclose what and why is sent home, or if I simply don't want to share that information, I block the outbound connection.

    Sure, the app could have disabled the feature at install time, but I haven't come across one yet that turns off the free version of Zone Alarm. Lots of major apps report home, but not from my machine.

  • Adrian: That's fine. And I agree with you that sometimes it's interesting to see who's phoning home.

    Triangle: I asked this before: How do you identify malware? Don't forget: As far as the operating system is concerned, "malware" is indistinguishable from "Firefox".

  • > Don't forget: As far as the operating system is concerned, "malware" is indistinguishable from "Firefox".

    That is absolutely 100% fine. As long as Firefox doesn't try to open a raw socket, mess around with the firewall settings, overwrite system files, or any other sensitive operations, that is no problem.

  • Triangle: It's ok if it runs a botnet client, sends spam for the botnet herder, pops up advertisements and sends all your financial data to Eastern Europe? Malware can do all of that without requiring any elevation at all.

    You have a strange definition of "ok".

  • > It's ok if it runs a botnet client, sends spam for the botnet herder, pops up advertisements and sends all your financial data to Eastern Europe?

    First of all, it wouldn't be able to read any of your financial information. Remember, that's sensitive data. But the rest of the things you mentioned go beyond the scope of /operating system level/ security. Those would be best implemented by the popup blocker and the firewall.
