A planned component for Microsoft's next version of Windows is causing consternation among antivirus experts, who say that the new module, a scripting platform called Microsoft Shell, could give birth to a whole new generation of viruses and remotely exploitable attacks.
Microsoft Shell, code-named "Monad," is still in development and is planned for release with the next version of Windows, known as "Longhorn." Monad will allow developers or administrators to configure Windows systems using text commands or scripts containing multiple commands. But the flexibility of the new platform and its support for remote execution of commands could spawn a whole new generation of "script viruses," like the "Melissa" script virus of 1999; e-mail worms; and remote attacks, said Eric Chien, a Symantec Corporation researcher.
Chien was speaking at the Virus Bulletin 2004 International Conference and issued a warning about the new component to antivirus researchers and corporate antivirus experts. He said that the new Windows component is similar to existing Windows components for interpreting text commands, such as cmd.exe, but much more powerful.
Microsoft contends that the new component is in an early stage of development and that its features have not been finalized. When released, Monad will not allow malicious users to circumvent Windows security features, and it will have features that prevent hackers from exploiting its powerful administrative capabilities, said Greg Sullivan, lead product manager in the Windows client division at Microsoft.
Early copies of Monad were distributed at Microsoft's Professional Developers Conference to independent software vendors and corporate developers in October 2003. The company released an updated version of the code at its Windows Hardware Engineering Conference in May, Sullivan said.
As currently designed, Monad allows administrators to use commands to list and shut down any process running on a Windows system, send e-mail messages, or list shared network drives. None of those features are available using cmd.exe. Beyond that, Monad supports its own scripting syntax, which allows administrators to combine commands into powerful statements that can search hard drives for specific information or manipulate data and files stored on a Windows hard drive, Chien said.
As with Visual Basic script, which spawned scripting viruses such as Melissa, Monad will be attractive to those who write malicious code, because it allows them to consolidate many commands into a few lines of code, creating small, efficient programs that are very powerful, he said.
Scripting viruses such as Melissa are also easy to read and modify once they are released, spawning countless variants and copycat creations. "It's like open source for malicious code writers," Chien said.
In his presentation, Chien discussed ways that Microsoft Shell and the new scripting language that goes along with it could be used to shut down antivirus software running on a Windows systems by killing system processes associated with those programs. Malicious hackers could also use Monad to navigate and modify the Windows Registry, where program-specific configuration settings are stored, send e-mail messages with attachments, and even download content files from the Internet.
Microsoft documentation and presentations on Monad claim that Microsoft will support remote execution of Microsoft shell scripts, for authorized users, via telnet, secure HTTP (HTTPS), or other Internet-based protocols, Chien said.
But execution of scripts will be carefully controlled by security features in the finished version of Monad, which will be released in beta in the middle of 2005 and may or may not be included with Longhorn in 2006, Sullivan said.
For example, Microsoft will disable remote script execution by default and will require administrators to digitally sign scripts so that they can be authenticated before being executed. The company will also run Monad scripts so as to ensure that any input from the script is not automatically trusted and sent to a command without first being validated, Sullivan said.
Antivirus experts at the show expressed concern about the possibilities of the new component, but acknowledged that they had been unaware of its existence.
"I didn't know anything about it, but it seems very powerful. It's just like the Unix shell," said Mikko Hypp
The new scripting platform was created in response to requests from network administrators, who wanted a fast and efficient way to control multiple machines across a Windows network. However, making Windows networks easier to manage for network administrators doesn't necessarily mean making the operating system less secure, Sullivan said.
In addition, even without additional security features, the ability of malicious hackers to use Monad would depend on their getting administrative access to Windows machines, and will be tempered by security features already in Windows XP SP2, and others planned for Longhorn, that are designed to prevent remote access and code execution, Chien acknowledged.
"(Microsoft Shell) doesn't skirt or bypass any SP2 security features. That security model will still be in place," he said.
Corporations with well-managed security policies may also be able to lock down Monad on Windows machines so that it can be used only by approved network administrators. However, the presence of Monad on millions of loosely managed home computers, whose owners would have little use for the advanced scripting and remote-management capabilities of the new shell platform, could make it a powerful platform for launching future worms and viruses, Chien said.
Microsoft "appreciates" Symantec raising security concerns about Monad, Sullivan said.
"The concerns that Symantec raises are the kinds of things we look at in making sure we do things in a secure way," he said.
Still, he believes it is "not meaningful to go into the technology feature by feature at this stage of development," given the likelihood that it will change significantly before it is released, he said.
"We're going to work with all our partners to deliver a secure platform. Whatever we do deliver will take (security concerns) into account."