Monthly Archives: April 2004

Windows JPEG Vunerability

Posted on by

Vunerabilities on the Microsoft Windows platform have reached a significant plateau.

There are now viruses that can embed themselves in benign content like HTML or JPEG images. This is an unprecedented level of insecurity, a user may be infected with a virus by simply viewing a document. Whereas before it required a proprietary Word or Excel file with an embedded macro virus, today it is possible to extend ostensibly open file formats to include an exploit.

How did Microsoft nuture the development of these kinds of virus? It would seem that a secure platform like Windows NT would be impervious to any kind of virus attack.

The truth is, Windows NT/2000/XP is extremely well protected. There are file restrictions that allow only a privileged user to modify operating system files. Unfortunately, the pervasiveness of Windows 95/98/ME has enabled the escalation of trojan viruses. More significantly, the fact that many NT/2000/XP users logon with the Administrator account provides further possibilities for trojan applications to take advantage of your workstation. Fortunately, this can be easily fixed by logging in with an unprivileged account.

At this point in development, the real virus danger on Windows NT/2000/XP comes from trojan applications that capitalize on social engineering to inject themselves. There is very little that can be done to prevent this from happening, anyone can write a program to masquerade as a trusted source. For example, by using the Microsoft logo in an application startup screen it would be possible for my program to appear as though it was from Microsoft.

To combat this, software should be installed only from trusted sources on trusted media or verified electronic distribution. Users who understand this and who employ the controls of a privileged account for installs will be protected. Everyone else will be seeking refuge in the burgeoning computer support market to recover their computer operating systems from any number of trojan applications.

User Interface Standards

Posted on by

There is a longstanding belief in the open source development community that command line interfaces (CLI) should be a primary product of development. Once a cryptic CLI has been implemented, the graphical user interface (GUI) is merely a correllary. Clearly it is not so simple. While the command line applications are widely available on open source platforms like Linux, there is a derth of usable GUI platforms.

Unlike the Windows or Macintosh counterparts, the X Server has been a piecemeal effort from the beginning. The underpinnings of X were sufficiently obfuscated from end users when it was possible to run twm without manual modification to your monitor timings. This was a significant development, and while the quality of the actual GUI was still crude it was at least possible for average technical users to run a graphical display.

The next hurdle is the dispariety between window look and feel. Each application uses a different toolkit for rendering itself. There is a default Xt look, which is quite primitive but is still prevalent on most ad-hoc X apps. Commercial development has focused around OpenLook and Motif, with Motif seeming to emerge as the dominant windowing toolkit. Meanwhile, a variety of rich widget toolkits have emerged in recent years including Qt and GTK+.

Open source projects are emerging to unify the look and feel. Essentially, this provides a translation between common toolkits. For example, a GTK+ application could run on a QT platform and will look like any other QT program. While this will be sufficient to keep a consistent user experience, it won’t provide the same level of interface ubiquity that can be found on other platforms.


Fortunately, many vendors have been cannibalizing their graphical interfaces to provide inconsistent looks. This is a trend that was popularized by skinnable applications like WinAmp and Mozilla, and has been working to the benefit of the inconsistent user interfaces found on X. It is no longer an absolute requirement that every application looks the same, users are able to navigate programs that are sufficiently similiar or that provide unique functions in an unambiguous fashion.