Analysis: Windows 7 Beta Security Strong, But We Have Some Questions
Some questions will bear watching, though, as the beta process begins to unfold.
Windows 7 was able to fend off various types of remote assaults and exploits in testing with Core Security Technologies' best-in-breed Core Impact Professional version 8. Each test was run twice, first with the Windows firewall's recommended settings in place and then with the firewall disabled for both private and public networks. Enabling or disabling the firewall made no difference to the results.
For example, with Core Impact, reviewers tested Windows 7 for one of the latest vulnerabilities that afflicted Vista and Server 2008, as outlined in Microsoft Security Bulletin MS08-063. This vulnerability involves Microsoft's Server Message Block (SMB) protocol, which is used for file and folder sharing, and the ability to use it over NetBIOS or TCP to remotely execute code. Core Impact has a test for this vulnerability: Microsoft Windows SMB Buffer Overflow. The attack was unsuccessful against Windows 7 with Windows firewall enabled and disabled. Microsoft has published an update for Vista and Server 2008 for this issue, and it would seem that the fix was applied in Windows 7 beta, as well.
Windows 7, like Vista Ultimate, has the capability to run IIS. It is not installed by default but can be easily added as a Windows Component. IIS and Web applications are often targeted by hackers, so reviewers took IIS for a security test drive using Core Impact's prepackaged attacks against IIS vulnerabilities. Exploits were launched that are known to restart a vulnerable IIS server, as well as other exploits used to execute code remotely using services like FTP, SMTP and WebDAV. Again, Windows 7 handled these attacks like a champ.
We also ran a Network Vulnerability request. Windows 7 responded to an ARP request, and other requests to garner information about the operating system failed.
Two test results were open for debate, however. A test against a known vulnerability within Windows (MS08-001) yielded ambiguous results. This vulnerability was found to affect 32-bit and 64-bit Vista. It is caused by the way "the Windows kernel processes TCP/IP structures that contain multicast and ICMP requests" as per the Microsoft Security Bulletin about this vulnerability. This was a biggie when it was discovered because it had the potential to give an attacker full control of an affected system. The Core Impact test for this is called IGMPv3 DoS. The test attack sends specially crafted Internet Group Management Protocol (IGMP) network packets to trigger the vulnerability. Running this attack against Windows 7 gave the following results: "Attack complete. The module can't verify if the attack was successful." Running this same attack with Windows firewall on gave the same results.
Another Core Impact attack involving IGMP was then run. Again, it yielded the same results. Could there be an issue with IGMP and Windows 7?
Although a bit unsettling, these result messages for a pretty dire vulnerability aren't enough proof to make the claim that this is a security weakness in Windows 7 beta.
Of course, operating system security is enmeshed with browser security. Malware has truly become malware 2.0, and the entryway for system compromise is often through the browser. A browser and the operating system it resides on must reinforce one another when it comes to security. Have a flaw in one and chances are the other will be exploited. Windows 7 comes bundled with Internet Explorer 8, and IE 8 seems to be no slouch in the security department.
Using ScanIT's online browser security test, IE 8 proved resistant to some of the more popular exploits targeting older versions of IE. Nine tests ranging from arbitrary code execution to buffer overflows with Apple's QuickTime player were run in IE 8 and no vulnerabilities were found.
The bottom line: Microsoft seems to be, for now, walking the walk when it comes to reassurances about the security of Windows 7. That doesn't mean that there won't be forces out there looking for any vulnerable port, protocol or way to exploit, break or compromise Microsoft's latest desktop OS. We're hopeful that Windows 7 will meet that challenge.