Lenovo’s Superfish scandal of early 2015 was one of the most significant computer security issues of the last decade. For those of you who don’t recall, the Chinese manufacturer shipped a number of IdeaPad models with a root certificate installed that fundamentally broke SSL encryption, and allowed a third party to inject content virtually at will, as well as to spy on any user’s web browsing if desired. Microsoft has now announced that it intends to put new security standards in place for Windows 10 that would block this kind of behavior and prevent certain types of man-in-the-middle (MITM) attacks.

Microsoft initially revised its guidelines last April, but adware authors have evolved their products to bypass the company’s requirements. According to Redmond, it’s now common to see software use injection by proxy, change DNS settings, and manipulate the network layer.

To be clear: Microsoft isn’t going to declare all ad injection to be bad, and companies will still be allowed to create this type of software. What they’re cracking down on are programs that attempt to obfuscate their own behaviors behind advanced network settings and functions that are buried deep within the operating system or submenus that only advanced users know how to access.


From Microsoft’s “acceptable” adware policies.

Redmond has previously published its list of objective criteria for acceptable vs. unacceptable ad software. It states that all advertisements must have an “X” or other visible and obvious method for closing an ad, that the name of the program creating the advertisement must be clearly stated, and there must be a method of uninstalling software. Now, it’s adding a new requirement:

“[P]rograms that create advertisements in browsers must only use the browsers’ supported extensibility model for installation, execution, disabling, and removal.” (Emphasis original)

Currently, Microsoft Edge doesn’t support browser extensions, which is probably why MS will wait until March 31, 2016 to put this new rule into effect. The company has previously stated Edge extensions would arrive in Q1 2016. By limiting adware platforms to the extensibility platform(s) approved by various browsers, MS is also giving itself another method of controlling software, should vendors prove unwilling to adjust their applications to conform to Redmond’s requirements. Windows Defender can also be updated with the signatures of applications that refuse to play by the rules.

Whether this will actually accomplish its intended goal is an altogether different question. In nearly 20 years online, I’ve yet to see a single browser adware platform that delivered any kind of meaningful value. Instead, such applications shovel advertising at a frantic pace, often in ways that undercut the ads the actual site owner has chosen to display. These applications tend to be riddled with their own security flaws and instabilities, and often harass users with flashing lights and fake antivirus sales pitches. The best of them are parasites; the worst are criminals.

Microsoft may have good reason to allow these kinds of applications to exist, since it could face lawsuits and claims of abusive behavior if it acted to ban them altogether, but it’s not at all clear that there’s a happy medium to be found on this issue.


[Source:- extremetech]

By Adam