
Restricting insecure applications

A look at two lists of the most insecure applications and using them to choose applications that DropMyRights should run in restricted mode.

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.


Back in August I wrote about a free security program for Windows XP called DropMyRights. It comes from a trusted source, requires no maintenance, and incurs no overhead.

DropMyRights works by front-ending an application. To use it with Internet Explorer, for example, you make a shortcut to DropMyRights and modify the shortcut to include the full path to the IE executable. When DropMyRights runs, it, in turn, invokes Internet Explorer. But, as the name implies, it first lowers the "rights" for IE. Thus, even if you are logged onto Windows XP as an Administrator, IE will run with the restricted rights of a limited user. Windows prevents restricted applications from doing a whole host of dangerous things, the most important of which are modifying the system itself and installing software.

For the ultimate in safety, you would, of course, log on to Windows as a restricted user in the first place. But, that brings along its own set of problems and has proven unworkable for many people. With DropMyRights, we try to hit a happy medium. Although logged onto Windows as an Administrator, we can run the most dangerous programs in restricted mode. But which applications should be run in restricted mode?

As a given, I suggested Web browsers (each one, if you have more than one installed), e-mail programs, and Microsoft Office. It turns out that two organizations publish lists of the most insecure applications. Let's go see.

Bit9


Over at ZDNet, Ryan Naraine recently mentioned a list, compiled by Bit9, of the most vulnerable (think buggy) Windows-based applications. Topping the list was Yahoo Messenger. Microsoft's own IM program, with the clumsy name Windows Live (MSN) Messenger, was fourth. If you use instant messaging, run your IM program with restricted rights.

I previously suggested QuickTime as an application that should be run in restricted mode. According to Bit9, it was the second most vulnerable application. As if to confirm this, Apple just released a new version of QuickTime with fixes to at least seven security-related bugs.

iTunes should be included in the list of restricted mode applications. Not only was it sixth on the Bit9 list, but it also invokes QuickTime.

Secunia


Secunia has its own list of the most insecure applications based on data accumulated by its very useful Online Software Inspector. It even provides JavaScript so that you can display a dynamic version of the list on your own Web page. Rather than risk breaking a CNET publishing system I don't understand, I've posted a couple of Secunia lists on my personal site.

As of this writing, Secunia ranks the Adobe Acrobat Reader version 8 as the most insecure application on a percentage basis, looking at the last month. Adobe recently released a fix for a critical security problem; if you are not running version 8.1.1 of Acrobat you are at risk. Add the Acrobat Reader to the list of applications that should be run in restricted mode.

The Secunia list includes many instances of Flash, but Flash runs in the context of a Web browser, so if the browser is in restricted mode, so too is Flash. The same applies to Java, which as of this writing was the second on the list.

Secunia also has a list of the most insecure applications based on the number of installations, rather than percentages. This list, however, doesn't turn up any new applications that need to run in restricted mode.
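The shortcut procedure described earlier, applied to the applications singled out above, as an added example (not part of the original article or of DropMyRights itself). The location of DropMyRights.exe and every application path below are assumptions based on typical default install folders; anything not found is skipped.

```powershell
# Added example: build "restricted" desktop shortcuts that launch each
# application through DropMyRights instead of starting it directly.

# ASSUMPTION: where DropMyRights.exe was saved on this machine.
$dropMyRights = 'C:\Tools\DropMyRights.exe'

# ASSUMPTION: typical default install paths; adjust for your system.
$apps = @{
    'Internet Explorer' = 'C:\Program Files\Internet Explorer\iexplore.exe'
    'Firefox'           = 'C:\Program Files\Mozilla Firefox\firefox.exe'
    'Outlook'           = 'C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE'
    'Yahoo Messenger'   = 'C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe'
    'QuickTime'         = 'C:\Program Files\QuickTime\QuickTimePlayer.exe'
    'iTunes'            = 'C:\Program Files\iTunes\iTunes.exe'
    'Acrobat Reader'    = 'C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe'
}

if (-not (Test-Path $dropMyRights)) {
    throw "DropMyRights.exe not found at $dropMyRights"
}

$shell   = New-Object -ComObject WScript.Shell
$desktop = $shell.SpecialFolders.Item('Desktop')

foreach ($name in $apps.Keys) {
    $exe = $apps[$name]
    if (-not (Test-Path $exe)) {
        Write-Host "Skipping $name (not found at $exe)"
        continue
    }

    $lnk = $shell.CreateShortcut((Join-Path $desktop "$name (restricted).lnk"))
    # The shortcut targets DropMyRights; the real program is its argument.
    # Quote the path so folders with spaces ("Program Files") stay one argument.
    $lnk.TargetPath       = $dropMyRights
    $lnk.Arguments        = '"' + $exe + '"'
    $lnk.WorkingDirectory = Split-Path $exe
    $lnk.IconLocation     = "$exe,0"   # keep the application's own icon
    $lnk.Description      = "$name started through DropMyRights"
    $lnk.Save()
    Write-Host "Created restricted shortcut for $name"
}
```

Only launches made through these shortcuts are restricted; the program's original shortcuts and file associations still start it with your full Administrator rights.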

At this point, you have to wonder if the pain threshold of keeping Windows defended isn't higher than that of switching to another operating system. I haven't done much switching, so I don't have an opinion as yet, but it's always in the back of my mind.