By Joris Evers
Posted on ZDNet News: Feb 1, 2006 1:35:00 AM

The firewall component in Microsoft's Windows OneCare security bundle has holes, experts have warned.

The security software, available in a public beta version, by default allows applications that use the Java Virtual Machine or have a digital signature to connect to the Internet.

Like any blanket security-bypass rule, these default settings are a bad idea, said Mark Curphey, vice president at vulnerability management specialist Foundstone, a part of McAfee.

"Any firewall, any security device should have a default deny," Curphey said in an interview Tuesday. "Any door should always be closed."

Curphey discovered the issue when running software on his wife's computer, on which he had installed OneCare. He informed Foundstone security consultant Roger Grimes, who subsequently blogged about it on the InfoWorld Web site. Grimes also blasted the default bypass settings.

"It just invites malicious hackers and other malware goons to exploit it," Grimes wrote.

The OneCare team responded to the Foundstone experts on Tuesday in its own blog, and a Microsoft representative confirmed the blog's content. Yes, the OneCare firewall does allow any signed application and the Java Virtual Machine to pass through without alerting the user, but this should not be a security risk, according to the posting. The team invites readers to discuss the topic.

"It is highly unusual for malware to be signed," according to the Microsoft blog posting. Furthermore, if an application is signed, it can be traced to its author, it said.

Blocking Java would result in many applications being disabled, the posting added. And asking users to allow applications to pass through each time they are invoked would be too confusing. If a malicious program that uses the Java Virtual Machine does land on a user's PC, the antivirus component of OneCare should catch it, the OneCare team wrote.

According to Grimes's blog, however, adware and spyware makers often sign their applications. Such a signature is meant to make their software look more reliable. "They already routinely use signed controls to install themselves onto users' PCs, and certainly they will continue to use them to bypass this (OneCare) service," Grimes wrote.

Spyware expert Ben Edelman agreed. "Most malware is signed," he said. "Getting these signatures is remarkably easy. And the resulting user experience is far better: reassuring-looking dialog boxes that make users think software is safe."

A public test version of OneCare has been available since November. OneCare is meant for consumers and will combine anti-spyware software with antivirus software, firewall software and several tune-up tools for Windows PCs. The final package is expected sometime this year and will be offered as a subscription service.
