
Microsoft's OneCare offers malware loophole

by Tom Sanders in California

01 Feb 2006

Experts have raised doubts about the integrity of Microsoft's OneCare security suite

The firewall in Microsoft's forthcoming OneCare security suite fails to stop two potentially harmful data streams, security expert Roger Grimes has alleged.

Grimes claims that the firewall will allow any Java application or JavaScript to contact the internet, and is also set up to trust any application that carries a digital certificate.

While Microsoft has its reasons for assuming that traffic from these sources can be trusted, the facility goes against best practice by allowing it through by default, argued Grimes, who referred to it as a "misconfiguration error".

"In any managed firewall service you would rather not have any blanket statements. You want to deny traffic by default, not by exception," he told vnunet.com. "My hope is that Microsoft will reconsider the policy." 

Microsoft's OneCare suite, announced in May last year, bundles antivirus, anti-spyware, back-up software and a two-way firewall that filters incoming and outgoing traffic. The firewall currently built into Windows XP SP2 only filters incoming traffic.

The suite is currently in beta and is scheduled for release as a subscription service.

But Grimes argued that Microsoft is undermining the suite's security by letting through any code signed with a digital certificate. A digitally signed application should not be trusted simply because it presents a certificate, since doing so creates a loophole for spyware and other malware.
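The two policies Grimes contrasts, "trust anything signed (or anything Java)" against "deny by default, allow by explicit exception", can be modelled in a few lines. The following is an added illustration written for this page, not OneCare's rule set or any Microsoft code; the application names, publisher names and allowlist are constructed. It shows why a valid signature from an arbitrary publisher says nothing about trustworthiness: the permissive policy lets a signed but unknown program and an unsigned Java applet out, while the default-deny policy only passes a publisher an administrator has explicitly approved.

```python
"""Model of two outbound firewall policies: permissive "trust any signed or Java
code" versus default-deny with a publisher allowlist.  Added example for this
article; apps, publishers and the allowlist below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class App:
    name: str
    signed: bool                  # carries a code-signing signature that validates
    publisher: Optional[str]      # subject name on the signing certificate, if any
    is_java: bool = False         # runs under the Java runtime


def trust_any_signed(app: App) -> bool:
    """Permissive rule as described in the article: any validly signed
    application, or any Java code, is allowed to reach the internet."""
    return app.signed or app.is_java


# Constructed allowlist: publishers an administrator has explicitly approved.
ALLOWED_PUBLISHERS: FrozenSet[str] = frozenset({"Example Corp"})


def default_deny(app: App, allowed: FrozenSet[str] = ALLOWED_PUBLISHERS) -> bool:
    """Default-deny rule: traffic is blocked unless the program is signed AND
    the signing publisher is on the explicit allowlist.  A signature alone,
    from a certificate anyone can buy, is not an exception."""
    return app.signed and app.publisher in allowed


# Constructed sample applications (not real products).
SAMPLE_APPS: List[App] = [
    App("approved-updater", signed=True, publisher="Example Corp"),
    App("signed-unknown-installer", signed=True, publisher="Totally Legit Software Ltd"),
    App("java-applet", signed=False, publisher=None, is_java=True),
    App("unsigned-tool", signed=False, publisher=None),
]


def evaluate(apps: List[App]) -> Dict[str, Tuple[bool, bool]]:
    """Return {app name: (permissive verdict, default-deny verdict)}."""
    return {a.name: (trust_any_signed(a), default_deny(a)) for a in apps}


def loophole(apps: List[App]) -> List[str]:
    """Names of apps the permissive policy lets out but default-deny blocks:
    exactly the gap the article describes."""
    return [a.name for a in apps if trust_any_signed(a) and not default_deny(a)]


if __name__ == "__main__":
    for name, (permissive, strict) in evaluate(SAMPLE_APPS).items():
        print(f"{name:28s} trust-any-signed={permissive!s:5s} default-deny={strict}")
    print("allowed only by the permissive policy:", loophole(SAMPLE_APPS))
```

The point of the model is the middle two rows: a signature from a certificate that required few or no credentials to obtain, and Java code with no signature at all, both pass the permissive rule, while only the explicitly approved publisher passes under default-deny.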

Most consumers are aware of digital certificates from e-commerce and online banking websites. The certificate verifies the identity of the site's publisher and aims to boost confidence in the site's trustworthiness.

But while there are rigid qualification requirements for the so-called high assurance certificates used by e-commerce websites, basic certificates are easy to obtain and in some cases require the applicant to produce very few, if any, credentials.

"A lot of spyware uses signed code these days," Grimes contended. "It used to be that you could trust signed code, but spyware vendors are beginning to sign their code to make it look more official to end users."

Yoav Schwartz, lead programme manager for OneCare, denied that this is the case. "It is highly unusual for malware to be signed," he wrote in response to Grimes's claims. 

Schwartz added that the suite's antivirus and anti-spyware technology adds a defence layer designed to stop malware from infecting computer systems in the first place.
