Risk

11/5/2012
04:48 PM
50%
50%

Windows 8 Security Improvements Carry Caveats

Many new Windows 8 security features were previously available standalone, or require businesses to buy in to Microsoft's server and cloud vision.

6 Reasons To Want Windows 8 Ultrabooks
6 Reasons To Want Windows 8 Ultrabooks
(click image for larger view and for slideshow)
Should businesses upgrade to Windows 8?

The benefits on offer include a raft of security improvements, such as Secure Boot, which uses the BIOS replacement known as Unified Extensible Firmware Interface (UEFI) to make it difficult for rootkits to gain a foothold. In addition, anti-malware software comes built in and loads early, and improvements to ASLR and DEP mitigation technologies help block more types of exploits.

But the Windows 8 security improvements carry caveats. For starters, some remain relatively untested. Others, such as improved access controls, require using Windows Server 2012 as well, or else Microsoft's own cloud-based storage system. As that suggests, realizing all of the advertised security benefits might require additional investments.

[ Read Windows 8: Why I Won't Upgrade. ]

Here are five related facts to help businesses weigh a move to Windows 8:

1. DirectAccess VPN Now IPv4-Compatible.

Hands down, one of the biggest security improvements is DirectAccess VPN, which can be configured to force a Windows 8 system to use a VPN whenever it's not connected to a corporate network; for example, when a user is logging on via a cafe, airport lounge, or hotel, said Chester Wisniewski, a senior security advisor at Sophos Canada, speaking by phone.

When initially launched with Windows 7, DirectAccess only worked with IPv6. Now, however, it's been made to work with IPv4 too. "The idea of DirectAccess being automatic no matter what you're doing -- if you're not connecting to the corporate network -- is brilliant, it's what every VPN for the last 20 years should have been doing, but nobody ... has done that," he said.

2. Bevy Of Minor Improvements.

Overall, however, few of the security improvements in Windows 8 are game changing. "Secure Boot is the biggest change, that took a big move, and is the standout thing they've done," said Wisniewski. Still, it only works with latest-generation PC hardware that has UEFI built in, meaning that any business that upgrades its operating system, but not its hardware, won't yet benefit.

Beyond Secure Boot, "the rest of it is pretty iterative," Wisniewski said, pointing in particular to the built-in anti-malware and better BitLocker.

3. Modern UI Loses Important Security Cues.

Windows 8 also sports a new, tablet-focused user interface. "With the radical user interface changes, you may lose, or you may gain," said Wisniewski. Notably, the interface can omit key details that help keep users secure, for example in Internet Explorer. "With IE10, in the Modern user interface--or Metro UI, as it was called--you don't see the location bar or padlock when you're surfing. By default, your browsing is in full-screen mode," he said. "So you lose that context; you no longer have an idea that you're being phished, because you can no longer see that the URL is badguy.ru."

This issue isn't limited to Windows 8. "If you're on an iPad, you can't see the link you're going to until you click on it," he said. "To me, with phones and tablets, you lose some of the context that's important, and unfortunately Windows 8 has undone that as well."

4. Windows To Go, With Cloud Support.

Windows 8 -- enterprise edition only -- adds the ability to store a whole, bootable version of a user's Windows 8 environment on a USB key. "The cool part of it is that it blocks access to all the local media. So if you had an infected machine at a library, airport, or hotel, and plugged in your Windows 8 media stick and turned it on, even if you're infected to tarnation [on the machine], you're good to go," said Wisniewski.

But there's a caveat: Users either need to have updated their USB stick immediately before using it, or else store any documents they want to retrieve on Microsoft SkyDrive. "To make Windows To Go useful, you have to embrace the whole Microsoft cloud model," said Wisniewski.

5. SmartScreen Borrows Apple Business Plan.

Microsoft has extended the SmartScreen technology it introduced with IE9 -- to check online file downloads against a known-bad list of malicious files, and offer related warnings -- to the operating system. Now, Windows 8 checks any application a user wants to install to see if it's been digitally signed and can be trusted.

Although this can have security upsides, it's also a business play: Like Apple, Microsoft would prefer that users purchase approved -- and theoretically, trustworthy -- applications via its Windows Store, or else from the employee's corporate app store.

"What Microsoft wants is [for] you to buy everything from the Microsoft Store," said Wisniewski. "The only prompt is, do you want to pay $3.99?" The question, accordingly, is whether Microsoft can offer an app store that's as secure as the one Apple provides, while simultaneously blocking malware from pretending to be the app store. "I think [Microsoft] will probably do a pretty darn good job of it, but it's going to be six months before we can really judge that," he said.

Upgrading isn't the easy decision that Win 7 was. We take a close look at Server 2012, changes to mobility and security, and more in the new Here Comes Windows 8 issue of InformationWeek. Also in this issue: Why you should have the difficult conversations about the value of OS and PC upgrades before discussing Windows 8. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
11/10/2012 | 2:35:14 PM
re: Windows 8 Security Improvements Carry Caveats
Requiring Server 2012 deployment is hardly 'minor'.
RobMark
50%
50%
RobMark,
User Rank: Apprentice
11/6/2012 | 7:14:27 PM
re: Windows 8 Security Improvements Carry Caveats
Most of the "caveats" are minor.
Weaponizing IPv6 to Bypass IPv4 Security
John Anderson, Principal Security Consultant, Trustwave Spiderlabs,  6/12/2018
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1060
PUBLISHED: 2018-06-18
python before versions 2.7.15, 3.4.9, 3.5.6 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.
CVE-2018-1090
PUBLISHED: 2018-06-18
In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
CVE-2018-1152
PUBLISHED: 2018-06-18
libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image.
CVE-2018-1153
PUBLISHED: 2018-06-18
Burp Suite Community Edition 1.7.32 and 1.7.33 fail to validate the server certificate in a couple of HTTPS requests which allows a man in the middle to modify or view traffic.
CVE-2018-12530
PUBLISHED: 2018-06-18
An issue was discovered in MetInfo 6.0.0. admin/app/batch/csvup.php allows remote attackers to delete arbitrary files via a flienamecsv=../ directory traversal. This can be exploited via CSRF.