August 11, 2006

[Security] Visual Studio bundled with Windows?

I'm still trying to finish up my post regarding region locks, but I saw an interesting article over at Ars Technica today...

Will Visual Studio ever ship with Windows?

...and even just reading the headline, my initial response was, "I hope not." Let me explain.

Over the last several years, Microsoft has been bundling more and more features with Windows. Unfortunately, a lot of what was added increased what is called the "attack surface": the parts of Windows that are exposed and that hackers can use to work their way into your system.

Right now, Microsoft is making a conscious effort to reduce the attack surface for Windows. Microsoft is removing some commonly used controls because of the security holes that they present. While this is going to lead to some short-term pain for developers, it is a win in the long run for security.

Visual Studio is perhaps the most attractive point of attack that a hacker could use, specifically because of the rights associated with debugging.

Let's say that I'm a hacker, and that I'm going after a user who doesn't have admin rights on his box. I'm going to be very limited in what I can do on that box by default, but let's say that this user is automatically added to the "Debugger Users" group. Suddenly, while I may not be able to do much to this box, the amount of information I can get from this box dramatically increases. Essentially, any process that I'm allowed to attach to for debugging purposes is now open to give me information.

I can see the wonderful attacks using MSBuild and the ITask interface now...

No, leave Visual Studio as an optional install. The .1% of people who care about Visual Studio are generally the people who are better able to determine whether they want to accept the inherent risks.

1 comment:

Sarkie said...

Well guess what, they aren't now :P


http://www.microsoft-watch.com/article2/0,1995,2002354,00.asp?kc=MWRSS02129TX1K0000535