A planned component for Microsoft's next version of Windows is causing consternation among anti-virus experts, who say that the new module, a scripting platform called Microsoft Shell, could give birth to a whole new generation of viruses and remotely exploitable attacks.
Microsoft Shell, codenamed Monad, is still in development and is planned for release with the next version of Windows, Longhorn. Monad will allow developers or administrators to configure Windows systems using text commands or scripts containing multiple commands. But the flexibility of the new platform and its support for remote execution of commands could spawn a whole new generation of "script viruses", like Melissa in 1999, plus e-mail worms and remote attacks, said Eric Chien, a Symantec researcher.
Chien was speaking at the Virus Bulletin 2004 International Conference and issued a warning about the new component to anti-virus workers. He said that the new Windows component is similar to existing Windows components for interpreting text commands, such as cmd.exe, but much more powerful.
Microsoft contends that the new component is in an early stage of development and that its features have not been finalised. When released, Monad will not allow malicious users to circumvent Windows security features, and will have features that prevent hackers from exploiting its powerful administrative capabilities, said Greg Sullivan, lead product manager in the Windows client division at Microsoft.
Early copies of Monad were distributed at Microsoft's Professional Developers Conference to independent software vendors and corporate developers in October 2003. The company released an updated version of the code at its Windows Hardware Engineering Conference (WinHEC) in May, Sullivan said.
As currently designed, Monad allows administrators to use commands to list and shut down any process running on a Windows system, send e-mail messages or list shared network drives. None of those features are available using cmd.exe. Beyond that, Monad supports its own scripting syntax, which allows administrators to combine commands into powerful statements that can search hard drives for specific information or manipulate data and files stored on a Windows hard drive, Chien said.
As with Visual Basic script, which spawned scripting viruses such as Melissa, Monad will be attractive to those who write malicious code, because it allows them to consolidate many commands into a few lines of code, creating small, efficient programs that are very powerful, he said.
Scripting viruses such as Melissa are also easy to read and modify once they are released, spawning countless variants and copycat creations. "It's like open source for malicious code writers," Chien said.
In his presentation, Chien discussed ways that Microsoft Shell and the new scripting language that goes along with it could be used to shut down anti-virus software running on Windows systems by killing system processes associated with those programs. Malicious hackers could also use Monad to navigate and modify the Windows registry, where program-specific configuration settings are stored, send e-mail messages with attachments and even download content files from the Internet.
Microsoft documentation and presentations on Monad claim that Microsoft will support remote execution of Microsoft shell scripts, for authorised users, via telnet, secure HTTP or other Internet-based protocols, Chien said.
But execution of scripts will be carefully controlled by security features in the finished version of Monad, which will be released in beta in the middle of 2005 and may or may not be included with Longhorn in 2006, Sullivan said.
For example, Microsoft will disable remote script execution by default and require administrators to digitally sign scripts so that they can be authenticated before being executed. The company will also run Monad scripts so as to insure that any input from the script is not automatically trusted and sent to a command without first being validated, Sullivan said.
Anti-virus experts at the show expressed concern about the possibilities of the new component, but acknowledged that they had been unaware of its existence. "I didn't know anything about it, but it seems very powerful. It's just like the Unix shell," said Mikko Hypp"nen, of F-Secure Corp., referring to a similar scripting platform used by Unix operating systems.
The new scripting platform was created in response to requests from network administrators, who wanted a fast and efficient way to control multiple machines across a Windows network. However, making Windows networks easier to manage for network administrators doesn't necessarily mean making the operating system less secure, Sullivan said.
Microsoft "appreciates" Symantec raising security concerns about Monad, Sullivan said. "The concerns that Symantec raises are the kinds of things we look at in making sure we do things in a secure way," he said.