10/10/2012
01:06 PM

Windows 8: 4 Smart Security Improvements

Will Windows 8 be the most secure Microsoft operating system to date? One security expert sees promising signs.

Will Windows 8 be more secure and harder to exploit than previous Microsoft operating systems?

Microsoft is now making several last-minute touch-ups to the operating system, which is set to launch Oct. 26 and which has been previewed as the most substantial overhaul of Windows since the debut of Windows 95.

But does the Windows overhaul extend to the operating system's information security performance, and will Windows 8 be harder for attackers to exploit?


According to Aryeh Goretsky, a researcher at security firm ESET, "after reviewing the layers of technologies used by Microsoft to protect Windows 8, it is our opinion that it is the most secure version of Microsoft Windows to date." That analysis comes by way of a new Windows 8 security white paper from ESET, authored by Goretsky. While his analysis doesn't review every new Windows 8 security feature--such as AppContainer, for application sandboxing--it highlights what he sees as the operating system's four biggest security improvements:

1. Antivirus Now Active by Default

In clean installs of Windows 8, the free Microsoft antivirus and anti-malware product Windows Defender will be active by default. The "clean installs" caveat matters because PC manufacturers and distributors are allowed to preinstall trial versions of third-party antivirus and anti-malware software instead, in which case Defender is not the active product on the machine as shipped.

"Windows Defender provides a good level of protection, but is mainly targeted at those who are unwilling--or unable--to purchase a commercial anti-malware solution," said Goretsky. While he categorized the software as being effective (though a "minimum bar for levels of protection") he also lauded it for not being nagware. That means it does not "attempt to upsell the user to a paid-for product and toolbars or banner advertisements, nor does it modify existing search settings." That makes it less likely that users might seek to disable the software.

2. Windows Rewrites Target Bootkit Malware

Windows 8 will include new tools for blocking not only rootkits, but also bootkits, which replace or modify the boot loader so that the malware is active almost as soon as a PC starts up, before the operating system's own defenses have loaded, and is very difficult to detect or eradicate.

But Goretsky warned that some legacy Microsoft code won't enjoy the better rootkit protection. "Some of these changes made to operating systems to combat rootkits ... are only available in the 64-bit editions of Microsoft Windows due to support issues: there remains a large base of 32-bit programs which rely, for compatibility reasons, on some insecure functions inherited from earlier Windows versions," he said.

3. BIOS Firmware Gets UEFI Replacement

UEFI is firmware on the PC, not part of Windows, but Microsoft's Windows 8 logo requirements mean that on certified machines the legacy BIOS code that runs as soon as the PC powers on is replaced by firmware implementing the Unified Extensible Firmware Interface (UEFI). The move has drawn fire from Linux advocates, who fear that Windows 8-compatible machines might be blocked from starting up Linux, since one UEFI feature, Secure Boot, requires that the boot loader be signed by a key the firmware trusts before the firmware will run it.

"What Microsoft has done is place a requirement in the Windows 8 logo tests that computers shipping with a 64-bit version of Windows 8 (which will be most desktop and notebook computers) ship with Secure Boot enabled in their UEFI firmware by the manufacturer," said Goretsky. However, he continued, "The same requirements state that the user must be able to disable this feature." While that adds an extra step for anyone who wants to replace Windows 8 with another operating system on Windows 8-certified hardware, it means that Secure Boot will be active by default for everyone else. (The requirement that the user be able to disable Secure Boot applies to x86 and x64 PCs; the certification requirements for ARM-based Windows RT devices do not permit it to be turned off.)

As a result, the feature should "greatly [reduce] the attack surface currently exploited by bootkit forms of rootkit malware on systems using BIOS-based firmware," said Goretsky, who also noted that after two decades, BIOS is overdue for a replacement.

4. Anti-Malware Launches Early

Another security improvement in Windows 8 is the Early Launch Anti Malware (ELAM) feature, which lets an anti-malware boot-start driver--not just Microsoft's--load before all other third-party boot-start drivers and classify each of them, so that the kernel can refuse to load drivers the anti-malware product identifies as malicious. "ELAM is important because, like UEFI's Secure Boot, it vastly improves the security of the computer at an early stage," said Goretsky. "While the effectiveness of ELAM is as yet unproven, the concept behind it is fundamentally sound, and it should prove to be a major deterrence to boot-time malware."

But don't be surprised, he warned, if Microsoft tweaks ELAM--or any of the other new features--after Windows 8 debuts and developers see if the previewed security improvements actually perform as intended.
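The following PowerShell script is an added example, not code from the article or from ESET. It checks the state of three of the defenses discussed above on a Windows 8 or later machine: which antivirus product Security Center considers active (item 1), whether Secure Boot is enabled (item 3), and which ELAM drivers are registered and what boot-start driver policy is in effect (item 4). The function names are the example's own; the decoding of the Security Center productState bitmask is the commonly used interpretation of an undocumented field and is an assumption.

```powershell
# Added example (not from the article or ESET): audit the boot-time defenses
# discussed above on Windows 8 or later. Run from an elevated prompt;
# Confirm-SecureBootUEFI needs administrator rights.
#Requires -RunAsAdministrator

function Get-RegisteredAntivirus {
    # Security Center lists every registered AV product with a productState
    # bitmask. Decoding (common interpretation of the undocumented field, so
    # an assumption): of the hex digits AABBCC, BB = 10 or 11 means real-time
    # protection is on, CC = 00 means signatures are current.
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState
            [pscustomobject]@{
                Product  = $_.displayName
                Enabled  = ($hex.Substring(2, 2) -in @('10', '11'))
                UpToDate = ($hex.Substring(4, 2) -eq '00')
            }
        }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # "Cmdlet not supported on this platform" when the machine booted via
    # legacy BIOS (or UEFI with the compatibility support module).
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch {
        "Unavailable: $($_.Exception.Message)"
    }
}

function Get-ElamState {
    # ELAM drivers are boot-start services in the 'Early-Launch' load-order
    # group; Windows Defender registers WdBoot there. DriverLoadPolicy holds
    # the "Boot-Start Driver Initialization Policy" setting; when the value
    # is absent Windows uses 3 (load everything except known-bad drivers
    # that are not boot-critical).
    $drivers = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('Group') -eq 'Early-Launch' } |
        ForEach-Object { $_.PSChildName }

    $policy = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch' `
        -ErrorAction SilentlyContinue).DriverLoadPolicy
    if ($null -eq $policy) { $policy = 3 }   # missing value = Windows default
    $policyText = switch ($policy) {
        0       { 'Good only' }
        1       { 'Good and unknown' }
        3       { 'Good, unknown and bad-but-boot-critical (Windows default)' }
        7       { 'All drivers (ELAM verdicts ignored)' }
        default { "Unrecognised value $policy" }
    }
    [pscustomobject]@{
        ElamDrivers      = ($drivers -join ', ')
        DriverLoadPolicy = $policyText
    }
}

'== Registered antivirus (Security Center) =='
Get-RegisteredAntivirus | Format-Table -AutoSize
'== Secure Boot: ' + (Get-SecureBootState) + ' =='
'== Early Launch Anti-Malware =='
Get-ElamState | Format-List
```

On an OEM machine that shipped with a third-party trial, the first table is where Defender's "active by default" claim is tested: Security Center reports the trial product as the enabled one and Defender as disabled. A DriverLoadPolicy of 7 is worth flagging in any audit, since it tells the kernel to load drivers regardless of the ELAM driver's verdict.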


Comments
AustinIT,
User Rank: Apprentice
10/12/2012 | 2:56:29 PM
re: Windows 8: 4 Smart Security Improvements
I think you mean the "third bullet point" don't you?

Not sure that your (and Andrew's) criticisms are warranted. UEFI provides many advancements over BIOS including the ability to manage the hardware remotely prior to an OS even being loaded, booting from >2TB partitions, support for GUID partitions, and the contentious secure boot which requires that an OS be digitally signed. Even the grumps in the Linux community have had their complaints resolved (regarding secure boot) this month.

There is way more upside to using UEFI over BIOS. Especially when you consider the advanced state of malware these days and the largess of botnets and infected systems that have been created around the world.
moarsauce123,
User Rank: Apprentice
10/12/2012 | 11:46:54 AM
re: Windows 8: 4 Smart Security Improvements
Agree, whoever cooked up the second bullet point has little to no clue what BIOS and UEFI are nor what Windows 8 or an OS in general does. That makes me wonder if IW has fired all senior editors and everyone can just post whatever they want. I could see this happening in a lower class blog, but it is a total embarrassment for something that gets passed as editorial content.
Andrew Hornback,
User Rank: Apprentice
10/12/2012 | 4:33:56 AM
re: Windows 8: 4 Smart Security Improvements
A couple of these items - the Antivirus and Anti-malware - it really took THIS long for Microsoft to bake that into their product?

I'm also not quite sure how the UEFI requirement could be considered a Windows 8 feature - it's pre-boot code executed by the hardware. Windows 8's certification logo program may require it, and certainly the venerable Phoenix BIOS has been around the block plenty of times - but what about something based off of another standard like the old AlphaARC/BIOS? Or is that another remnant of history that we've forgotten about?

At any rate, it's good to hear that Windows 8 is the most secure Microsoft OS to date - if it wasn't, we may have another Vista on our hands.

Andrew Hornback
InformationWeek Contributor