Windows 8 As A Security Tool: Its Anticipated Effects And Risks6:58 PM EST Fri. Oct. 19, 2012
With Windows 8 poised to roll out, information security experts are scrutinizing the new OS in comparison to the level of security offered in its predecessor, Windows 7. The general consensus is that while Microsoft continues to get serious about security, users who attempt to rely on Windows 8 as a security tool will likely be disappointed.
"The threat landscape is like water running down a hill," said Gerry Egan, senior director of product management at Norton by Symantec. "It takes the easiest path. If you block off that path, it selects the next easiest path. If you block off that one, it chooses the next easiest. So, Microsoft has raised the bar. But, Windows 8 will not stop the flood."
Part of the challenge, according to Egan, involves backward compatibility. While few people would question the importance of being able to use legacy applications, this capability often applies to malware, as well. "When they insure backward compatibility for desktop applications, that does help their users, but it also provides backwards compatibility for malware too," he said. "There will be millions of malware variants that will continue to run on Windows 8."
Some of the attacks may be deflected by Windows Defender, which is believed to take an escalated role in Windows 8. But, Defender is not seen as an effective replacement for antivirus software, which has come under its own attack recently for being unable to scale to the constant onrush of malware signatures.
"Windows Defender provides a basic level of security," explained Peter Beardmore, senior director of product marketing at Kaspersky, a well-known AV vendor. "And while it is a positive development that Microsoft is becoming increasingly focused on security, this is not a situation where the full security need is met when the device comes out of the box. We believe that business customers will be aware of this, but it might be a different story at the consumer level. We're a little concerned about whether some individuals might think they no longer need full protection."
Others in the antivirus sector believe that industry dynamics will likely reinforce the need for effective antivirus.
"We believe that antivirus adoption will continue as before," said Tony Anscombe, senior security evangelist at AVG. "There’s a whole ecosystem around introductory AV on PCs at the time of purchase. No one is going to want to switch off that revenue stream."
NEXT: Protecting the Boot Sequence
Aside from Windows Defender, a number of other security features in Windows 8 are up for discussion.
"Compared to Windows 7, it is really clear that they've taken a long hard look at the telemetry that they have been gathering over the last few years and have applied that to improve the security of the operating system," said Aryeh Goretsky, distinguished researcher at ESET. "I especially like the concept of implementing the secure boot facility in conjunction with the UEFI [united extensible firmware interface] because if it is implemented properly, that blocks a whole class of malware. Of course, whether or not it works as planned has yet to be determined."
Goretsky went on to explain that design flaws, implementation errors or compatibility issues could call the tactic into question, particularly if it begins to interfere with important applications on client devices.
However, Goretsky applauds the new requirement that antivirus and other applications need to completely uninstall upon user command rather than leave remnants on the hard drive.
"Typically, after the software installer has run, the program may do other things to download updates and make further modifications to the registry and so forth," he explained. "Those types of actions are not typically cleaned up during the uninstall process because uninstallers are typically just a script that can only remove what they know about. Post-install actions typically get left behind. Microsoft is saying no more of that. That will make life easier for the customer because if they are not happy with their antivirus software, they can easily upgrade that, or maybe they want to get something less expensive when it comes time for renewal. But, that really ensures that when a customer switches from one product to another, they don't have any system problems from having orphaned drivers or services running."
Additionally, Microsoft has also taken action against attacks on the master boot record by preventing the boot code from running if it is not digitally signed.
"If your code is there first, then you can control what happens with all the other software that is loaded afterwards," he said. "The new spec institutes a trust mechanism so that if the code is not cryptographically signed, it is not allowed to run. At that point, the next point of entry would be to try to get their code to run as a device driver, as early in the boot process as possible. So, Microsoft has now launched a program called Early Launch Anti-Malware or ELAM. That will be the first thing to run following Microsoft code, so there won't be this kind of randomness about the order in which things load. And, that gives anti-malware vendors the opportunity to check all the other drivers on the system before they load. So, that's a big advantage, in terms of detecting threats."
NEXT: The Effectiveness Of SmartScreen
ESET's Goretsky hopes that ELAM is eventually upgraded to provide more flexible functionality that would overcome current limitations in memory and processing parameters.
Symantec's Egan agrees that ELAM is a step in the right direction.
"This gives us an opportunity to load our drivers much earlier in the boot cycle to help us fight off rootkits and bootkits," he said. "We won’t have IPS or reputation-based systems running yet. But it will help."
Egan also questions the effectiveness of the forthcoming use of SmartScreen, which checks software against a database of known threats before it is installed. "We are a bit skeptical about this because we have found that when you ask users to make choices around security, they typically make choices based on what they think will take them quickly to where they want to go, as opposed to thinking about security aspects, which they frequently don’t understand," he said.
In the end, it’s possible that the main effect of increased security in Windows 8 will push the attacks further up the stack towards applications, and particularly the browser.
Added Goretsky, "If this becomes a very secure operating system, we could see a shift towards all sorts of social engineering types of attacks, because no matter how secure you make the technology, as long as there's a human using it, the human is going to behave in a fallible way."
Microsoft declined to be interviewed for this report.
PUBLISHED OCT. 19, 2012