In closing a recent ComputerWorld.com post, Michael Horowitz concluded: “If you read email on a Windows computer, do yourself a favor and use a differ
[See the full post at: Consider a non-Windows OS for email security]

Tags: JavaScript malware VBScript WSH
Disabling features abused by attackers can certainly be effective.
But where is the description of the useful functionality you’ll lose if you disable Windows Scripting Host? That isn’t covered in Mr. Horowitz’s Computerworld article.
The Windows Script Host actually can do useful things, and was invented for a reason.
To be honest I don’t know how much of my daily use of Windows depends on it. Maybe none! But disabling it then seeing what falls apart afterward seems very much like hitting your system with a big hammer – the author uses an appropriate metaphor.
If disabled, will we know if something then tries to use it? Or will something subtle just stop working right? The error pop-up when trying to start it interactively seems handy, but will that be seen if malware tries to use it?
Some interesting articles:
https://en.wikipedia.org/wiki/Windows_Script_Host
https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/wsh_overview.mspx
https://technet.microsoft.com/en-us/library/ee198684.aspx
This system change is, of course, reversible (just remove the Enabled DWORD or set it to 1 to re-enable the Windows Script Host).
-Noel
I don’t disable the .WSH, I have the calls intercepted (along with .VBS, .VBE, .JS, .JSE, .HTA, .WSF, .SHS and .SHB): AnalogX Script Defender
http://www.analogx.com/contents/download/System/sdefend/Freeware.htm
That looks like a cool tool. Thanks for the link. I’m not a big fan of software that actively scans and second guesses what you choose to do with your computer, preferring instead passive solutions.
Noting its age, and the “Install Intercepts” functionality shown in the screenshots… I like the implication that Script Defender just inserts itself in the COM / file association chain. Does it in fact just take over linkages to the Windows Script Host? Or does some component of it run as a service or process all the time?
I posted above because in general, whenever there is advice to disable a major system feature people should NOT just think “more security is better” but realize that there are always tradeoffs! Remember, an unplugged computer is almost perfectly secure. It’s also essentially useless.
-Noel
In closing a recent ComputerWorld.com post, Michael Horowitz concluded:
Is nine months ago really “recent”?
I checked my AV real-time scanner config. All of those file extensions are covered in the extension list used by it.
I am curious to know what scripts could run without me clicking on something, considering that I am using Thunderbird for reading my email.
Windows 10 Pro 22H2
I’m using the latest release of Thunderbird, but see no option for applications here.
I have the defaults locked down as much as I am aware of, such as no previews from the inbox, no images displayed, and hyperlinks open in my default browser, rather than Thunderbird.
Would I have had to install something else to link an application to my email app?
Windows 10 Pro 22H2
Any antivirus I use inherently scans all file types or is configured by me to do so. I can execute
–spacer-ignore-this-line–See-Note–
(run as a program):
c:\Users\someusername\desktop\thisisatextfileright.txt
from the command line.
I assume an exploit would be similarly unhampered by the file extension.
An antivirus skipping scanning files due to file extension is about the same as not inspecting a package because it has a sticker that says “this is not a bomb” on the outside.
(got a 403 error last time I tried to post this, weird)
Note:
I get a 403 error when I post these words on the same line without the spacer:
can execute
–spacer-ignore–
(run
If only life were as simple as changing your computer’s operating system in order to read emails…
Changing the OS seems to be overkill unless I am missing something. The problem with changing an OS is to what on a PC? Apple requires new hardware, a Chromebook requires new hardware, and Linux could be installed as dual boot with Windows. The first two presume you have money to spend on a new computer. Also, there are issues with accessing files between computers (solvable I know but the pain is still there). The last requires someone with the right skills to do it, not something that I would want your average user to try alone. Though it allows for Linux to have direct access to the Windows partition, alleviating some of the file access problems.
The only other option is to use a phone or tablet which has other problems.
I suppose that the original point made was that Windows is not secure.
That is probably true, with an out-of-the-box install. Especially for an average user without tech skills.
There are steps you can take to minimize the risk, but it requires an education on tech issues regarding information security.
The problem is that all computers have security risks and software vulnerabilities. The closest thing I have seen so far to built-in bulletproof security is the Chrome OS. It is almost an appliance.
For the ultimate bulletproof alternative OS, just boot your PC with a Linux Live CD/DVD. Once you have burned a distro onto the optical disk, it is read only and cannot be altered by malware. You could use a USB flash drive, but since they are writable, not as secure.
A Linux Live OS runs entirely in RAM and does not need to write anything onto the local drives. Check your mail, whatever, then boot back into Windows. Done. Simple. No traces left of your Linux session. You just need to set your PC to start from a CD/DVD. Take your pick here. Many have a portable bootable iso live session, with no need to install. http://distrowatch.com/
Windows 10 Pro 22H2
Interestingly,
from #126257(lurks about): (referencing a Linux install) “The last requires someone with the right skills to do it, not something that I would want your average user to try alone.”
from #126264(JohnW): “I suppose that the original point made was that Windows is not secure. That is probably true, with an out-of-the-box install. Especially for an average user without tech skills.”
Would the last one to leave Windows please turn out the lights……
A great, secure OS is Qubes ( https://www.qubes-os.org/intro/) with the only downside of hardware support. I’ve been testing it on my laptop but I have to stick to Windows for my PC. So it’s always nice to catch these tips on AW to minimize risks on Windows. Thanks.
Since Woody linked the strategy, I went ahead and implemented it…setting notepad as default for all scripts. If I have problems, I’ll report them here. Having read the comments, I’m having second thoughts. Any suggestions on reversing the process if there are problems?
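An added example, not part of the thread: a read-only PowerShell audit for the two mitigations discussed above, the `Enabled` value that turns Windows Script Host off and the re-association of script extensions to Notepad. The registry paths are standard Windows locations assumed here, not quoted from any post, and only the `open` verb of each handler is inspected.

```powershell
# Added example (read-only): reports WSH state and what opens script files.
# Registry paths are standard Windows locations, not quoted from the thread.
$wshKeys = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
           'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
# Extensions named in the thread.
$scriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.PSObject.Properties[$Name]) { $item.$Name }
}

function Get-WshState {
    foreach ($key in $wshKeys) {
        $enabled = Get-RegValue -Path $key -Name 'Enabled'
        [pscustomobject]@{
            Key     = $key
            Enabled = if ($null -eq $enabled) { '(absent)' } else { $enabled }
            # 0 disables the host; an absent value or 1 leaves it enabled.
            State   = if ("$enabled" -eq '0') { 'disabled' } else { 'enabled' }
        }
    }
}

function Get-ScriptHandler {
    foreach ($ext in $scriptExtensions) {
        # A per-user "Open with" choice overrides the machine-wide association.
        $userChoice = Get-RegValue -Name 'ProgId' -Path `
            "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
        $progId = if ($userChoice) { $userChoice } else {
            Get-RegValue -Path "Registry::HKEY_CLASSES_ROOT\$ext" -Name '(default)'
        }
        # Simplification: only the "open" verb of the resolved ProgId is inspected.
        $command = if ($progId) {
            Get-RegValue -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -Name '(default)'
        }
        [pscustomobject]@{
            Extension    = $ext
            ProgId       = $progId
            OpenCommand  = $command
            RunsAsScript = [bool]($command -match 'wscript|cscript|mshta')
        }
    }
}

Get-WshState      | Format-Table -AutoSize
Get-ScriptHandler | Format-Table -AutoSize -Wrap
```

Saving this output (for example with `Export-Csv`) before changing anything gives a baseline to compare against when reverting.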
Installing Linux to read email is a total non-starter for me. Way too much hassle.
The five file types mentioned in the article (.js, .jse, .vb, .vbe, .wsf) are blocked by default in all versions of Outlook and on Outlook.com:
Blocked attachments in Outlook
How to unblock an attachment in the new outlook?
So there’s no reason to use a different operating system for email.