03/12/2012

Windows 8: Malware-free?

Windows 8 offers the same interface on many devices, from the Xbox via desktop PCs to tablets and smartphones. Microsoft is trying to create an almost universal user experience. Nevertheless, it appears that the app functionality under Windows RT (the version for ARM tablets) and that of the programs on the desktop version are not always the same.

You might think that having a very similar interface on the different devices enables you to do the same things on different hardware, but that does not seem to be true in all cases. Sometimes the decision to change the user experience and usability is a matter of security, and that is to be welcomed, but all in all it creates confusion for the user.
A good example is Skype, from Microsoft. You can use it on any Windows device, but it is impossible to send files under Windows RT, most likely because of the security restrictions imposed by the sandboxing approach. From a user's point of view that is an ambiguous feature. And that is not the only critical view we have.

You have probably already heard of all the new features built into Windows 8. From a security point of view a lot has been done to make this the most secure Windows ever. But we would rather pose a question: Is this enough? Are users secure enough to use Windows 8 without installing another security package?

It needs to be said that Microsoft did a tremendous job integrating several new features. The secure boot infrastructure is one of them and consists of three parts: UEFI Secure Boot, the ELAM driver (Early Launch Anti-Malware) and a TPM (Trusted Platform Module) used for Measured Boot.

  • The UEFI (Unified Extensible Firmware Interface) is intended to replace the traditional BIOS (Basic Input Output System) as the next-generation firmware interface for PCs. With Secure Boot enabled, the UEFI firmware verifies the digital signature of the OS loader against the keys stored in the firmware and refuses to start a loader that is unsigned or not trusted.
  • After the UEFI has started Windows, the ELAM driver is loaded before all other boot-start drivers. It can therefore evaluate those drivers (classifying them as good, bad or unknown) and help the kernel decide whether they should be loaded.
  • In parallel, the TPM records a hash of every component loaded during boot in its Platform Configuration Registers, and Windows writes the matching entries to a Measured Boot log. This log can be retrieved later, for example by a remote attestation service, and checked against the TPM values to detect whether the boot process was tampered with.
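
To see how much of this boot protection is actually active on a given machine, the following PowerShell script is an added example (it is not from the original article or from Microsoft's documentation). It queries the Secure Boot state, the ELAM driver load policy together with the Windows Defender ELAM driver (WdBoot), and the TPM and its Measured Boot logs. It assumes Windows 8 or later with the SecureBoot and TrustedPlatformModule modules present, and must be run from an elevated (Administrator) PowerShell session; the registry path, driver name and log folder are the ones Windows uses, but the warning thresholds at the end are our own choice.

```powershell
# Added example: verify the three boot-protection pieces described above.
# Assumes Windows 8 or later and an elevated (Administrator) PowerShell session.

function Get-BootProtectionStatus {
    $status = [ordered]@{}

    # 1. UEFI Secure Boot. Confirm-SecureBootUEFI returns $true/$false on UEFI
    #    firmware and throws on legacy BIOS systems (or when not elevated).
    try {
        $status.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $status.SecureBootEnabled = 'Not available (legacy BIOS, no UEFI, or not elevated)'
    }

    # 2. ELAM. The kernel consults DriverLoadPolicy to decide which boot-start
    #    drivers it loads based on the ELAM driver's classification:
    #    0 = good only, 1 = good and unknown,
    #    3 = good, unknown and bad-but-boot-critical (default),
    #    7 = all drivers (ELAM classification is effectively ignored).
    $elamKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'
    $policy = (Get-ItemProperty -Path $elamKey -ErrorAction SilentlyContinue).DriverLoadPolicy
    if ($null -eq $policy) { $policy = 3 }   # value absent means the default applies
    $status.ElamDriverLoadPolicy = $policy

    # WdBoot is the Windows Defender ELAM driver; a third-party AV registers its own.
    $status.DefenderElamDriver = Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot'" |
        Select-Object Name, State, StartMode

    # 3. TPM / Measured Boot. Hashes of each boot component are extended into the
    #    TPM's PCRs and mirrored in binary TCG logs under the MeasuredBoot folder.
    try {
        $tpm = Get-Tpm
        $status.TpmPresent = $tpm.TpmPresent
        $status.TpmReady   = $tpm.TpmReady
    } catch {
        $status.TpmPresent = $false
        $status.TpmReady   = $false
    }
    $logDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
    $status.MeasuredBootLogCount = if (Test-Path $logDir) {
        (Get-ChildItem -Path $logDir -Filter '*.log').Count
    } else { 0 }

    [pscustomobject]$status
}

$result = Get-BootProtectionStatus
$result | Format-List

# Flag the weak settings a reviewer would care about (thresholds are our own).
if ($result.SecureBootEnabled -ne $true) {
    Write-Warning 'Secure Boot is not enforcing OS loader signatures.'
}
if ($result.ElamDriverLoadPolicy -eq 7) {
    Write-Warning 'ELAM load policy 7: all boot-start drivers load regardless of classification.'
}
if (-not $result.TpmReady) {
    Write-Warning 'No ready TPM: the Measured Boot log cannot be attested.'
}
```

A machine that reports SecureBootEnabled = True, a load policy of 3 or lower, a running WdBoot (or another vendor's ELAM driver) and a ready TPM with at least one Measured Boot log has all three pieces in place; anything else shows which part of the chain is missing.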

You can find more detailed information about these features in the official Microsoft Windows 8 documentation, such as the Windows 8 and Windows Server 2012 compatibility cookbook.

When Secure Boot is enabled, it can make Windows 8 resistant to malware such as rootkits that hook into the boot process (so-called bootkits). Whether this feature will be successful has to be found out in the future, but we suppose that it will at least make it much more difficult for attackers to come up with new rootkit-related malware.

And there are other improvements, like the new Internet Explorer 10 sandbox (Enhanced Protected Mode) and the sandbox design for Modern Windows apps, which improve security as well.
The SmartScreen Filter, which used to be a feature of Internet Explorer only, has been updated too and now also checks downloaded files outside of the browser, at the level of the operating system.

And we definitely must not forget Windows Defender, which is actually Microsoft Security Essentials integrated into Windows 8. This Windows Defender does not provide the highest level of protection, as recent tests have shown. However, with this updated Defender Microsoft ensures that users who would not install any security software at all will now at least have some basic protection on their PCs.
But we have to be very careful. The fact that this optimized Windows Defender is included in Windows 8 means that getting around it will be the first priority of malware writers; attackers will make it a priority to circumvent Windows Defender in one way or another.
So, once the defense is cracked, attackers will have millions of machines they can target with confidence of success until Microsoft fixes the security issue. Windows Defender could become the Achilles heel of Windows 8.
And there are more issues we have to talk about: problems started to appear very soon after the release. Windows 8 was already vulnerable: on the Friday after the initial release, Vupen Chief Executive Chaouki Bekrar said that the Vupen team had found multiple vulnerabilities in Windows 8 and IE 10 which they had combined to achieve full remote code execution via a web page, bypassing some of the new Windows 8 security technologies. The fact that Vupen had to chain several vulnerabilities to achieve this is an indication of how well Microsoft's security mechanisms are working inside Windows 8. However, the fact that this bypass was demonstrated so soon after the release reminds us that Windows is unlikely to ever be malware-free.

Users who want complete high-level protection with many additional proactive defense technologies will of course continue to turn to fully-fledged AV products like G Data TotalProtection on the consumer side or G Data EndpointProtection on the enterprise side to secure their machines and to stay safe in the future.