[SECURITY] Feature request for Windows clients

[mouse]

Hi,

A few assumptions I'd like to make:
1. most developers do not use windows, by default.
2. in the future, most new user will be using windows.
3. a large number of those users will have vulnerable machines (OS not patched with latest fixes).

Given this I'd like to propose a new feature that should be relatively easy to develop yet provide massive bang for buck in user security and positive Bitcoin press. However I'm no Win OS developer so for all I know it's impossible. Maybe via the WUApi.dll?

Whenever bitcoin is run on a windows machine that is not up to date the client shows a prominent warning icon that their wallet security is as stake.
This can link to a simple guide explaining how to turn on windows update.

If I had a lot of BTC, which I sadly don't, I would bounty this.

[error]

It's a nice idea.

The problem, of course, is in the implementation. It's actually quite difficult to determine - for real - if updates are available for a Windows box. Many viruses and trojans pull tricks to prevent the Windows update service from working properly, so one might determine that there are no updates when there really are. Of course some of them are none too subtle about it, so a lot of these situations would be detectable.

I'm not sure it's such a good idea to weigh down the official Bitcoin client with what would essentially be a large chunk of anti-malware code.

[zellfaze]

It's actually quite difficult to determine - for real - if updates are available for a Windows box. Many viruses and trojans pull tricks to prevent the Windows update service from working properly, so one might determine that there are no updates when there really are.

We can at least try to ask Windows Security Centre whether or not they have anti-virus, updates, etc.  Even if it doesn't provide the correct answer (i.e. it lies because they already have a virus) wouldn't that be better than nothing?

I think we can query Windows Security Centre for Updates, Firewall, and Anti-virus, although I could be wrong as I know very little on the subject.

I'm not sure it's such a good idea to weigh down the official Bitcoin client with what would essentially be a large chunk of anti-malware code.

Would make a good fork though.  Alt-client: "Secure bitcoin"

[error]

Nah, that would be "SuperBitcoinAntiMalware2013".

[JoelKatz]

The problem, of course, is in the implementation. It's actually quite difficult to determine - for real - if updates are available for a Windows box. Many viruses and trojans pull tricks to prevent the Windows update service from working properly, so one might determine that there are no updates when there really are. Of course some of them are none too subtle about it, so a lot of these situations would be detectable.

I think the goal is more to warn a person that their box is vulnerable, not that it's compromised already.

I'm not sure it's such a good idea to weigh down the official Bitcoin client with what would essentially be a large chunk of anti-malware code.

I wonder if somebody already has a library to do exactly this. If it was already build and maintained, that might make the decision easier. Trying to have the client maintainers also maintain a list of vulnerabilities to probe seems to be a bit crazy.