One last thing…
The news that malware sneaked into CCleaner’s installer certainly isn’t what you want to read over your breakfast ( see p10). Even worse, it was digitally signed using the publisher’s own digital certificate, so any right-thinking user who follows the obvious recommendation of “never install anything that isn’t digitally signed” got screwed too.
Some vendors ship code that isn’t digitally signed. In the past, you could almost excuse this because the process was laborious, and just a hassle for the software author. Nowadays, there is no excuse, and modern operating systems throw up hard warnings if you try to install something unsigned.
But all of that learning and caution has been swept away by CCleaner allowing malware vendors access to its build servers, and thus letting them inject malware into the build process. And out drops digitally signed malware.
The obvious question is what to do now. If we can’t trust digitally signed installer code downloaded from a vendor’s website, we need to put some sort of validation process in place between the vendor and ourselves. It isn’t enough to just take its latest build at face value: we need to have a third party test and check the code before it comes to us.
In one sense, we have this already. Apps that go through the Apple App Store, the Microsoft Store or Google Play Store are checked and validated before being released to the public. The level of this checking varies by platform, but it’s beyond question that the amount of “bad software” that has come out on the iOS platform has been remarkably small over the past decade.
Microsoft’s efforts to push users to its own Store has its advantages, but it’s demonstrably hard to move customers from the current free-for-all into a curated store environment. For anecdotal evidence, consider the take-up of Windows 10 S: almost everyone I know who has bought a computer with 10 S has taken advantage of the free upgrade to Windows 10 Professional, thus allowing any code to be installed from anywhere.
Maybe we need a harder push to HTML5based web applications. But it’s notable that the app that fell foul here is one that’s designed to clean up the detritus that has accumulated in your Windows installation. Whether Windows 10 actually needs such a tool is open to debate. Many will claim that their installations are more sprightly and stable after such a deep cleaning. Others, myself included, find they make very little real-world difference. But is it not fair to say that perception is reality? If customers think that this tool works for them then there is an underlying issue that needs fixing, even if it’s only Microsoft’s own inability to ensure that systems appear to stay clean and stable.
Cleaning your Registry might not be the answer, but uninstalling old crud most certainly can be, and Microsoft – and Apple with macOS – has done relatively little to help users keep on top of the problem of this accretion of layers of old rubbish. It’s much too hard to wipe a machine clean and to then throw everything back on in a controlled fashion. If you use the Microsoft Store, licences and installations can come along in a managed process, but dealing with unmanaged code is like wading through a septic tank filled with 25 years of effluent.
It boils down to this: we don’t have a proper solution to retiring or sun setting old code and applications. All too often, I install an app only to discover a whole raft of old DLLs and run times hauled in with it. Or yet another attempt to inveigle Java onto my machine. Does a vendor of high-end interface cards such as Atto really need to have such trivially simple management tools that it must haul in all of Java as well?
We should be more demanding and highlight only those apps that can be considered “clean and safe” and don’t bring in flotillas of crud. Although this could be done by a third party, it really comes down to the platform vendor. Windows used to have a “Made for Windows” accreditation process that, while lax, at least made an attempt. It’s time for Microsoft to up its game, and launch a new accreditation service that has teeth. It’s not enough to simply warn that an installer isn’t digitally signed. CCleaner shows us that this route is no longer trustworthy. We now need a robust framework by which a platform can protect itself, and thus its user. Anything less could be described as treating your customer with contempt. I know this would be extremely hard to set up and to police, but someone has to do it. It’s time to demand more.
Dealing with unmanaged code is like wading through a septic tank filled with 25 years of effluent