Feeds

Windows 8

Apple iOS 7 makes some users literally SICK. As in puking, not upset

Excessive zoom and 3D-effect graphics in Apple's latest iOS is leaving some users reaching for the sick bucket

You know who else hates Windows 8? Hackers

Antivirus makers heap praise and scorn on new security features

Intelligent flash storage arrays

So the OS is defended - but what happens when hackers target ordinary folk?

Despite building these defences around the operating system, Microsoft has some security headaches it can't easily shake off: the ESET whitepaper concludes that social engineering - basically, tricking users into doing dumb things including unwittingly handing control over to hackers - will continue to be a problem. Attacks could also target on-board sensors to tamper with readings.

"While location telemetry might be the likeliest data to be abused, it is not the only one," Goretsky noted. "Data from barometers and thermometers might be spoofed to force a computer to turn itself off, or an unscrupulous manufacturer might falsify data in order to deny warranty service. The same scenarios are also possible with accelerometer, gyroscope and magnetometer sensors and their data."

In addition, Microsoft's insistence on developers digitally signing code could make programmers and their build systems a target for attack; hackers would love to get their hands on the private keys so malicious software can masquerade as legitimate third-party products and trick victims into installing them - and there have been a few cases of miscreants getting hold of sensitive security certificates.

Goretsky argues attacks of this kind are only likely to increase, and said the best way to tackle the threat is to improve organisations' IT security policies rather than specifically change the operating system.

Microsoft has made hundreds of security improvements with Windows 8, according to Goretsky, who adds "upgrading to Windows 8 is a no-brainer from a security perspective: doing so greatly increases your security".

However the veteran researcher notes that security will have little bearing on the success of Windows 8 in the marketplace, which is far more tied to its ability to establish a credible alternative to Apple's iPad. We're now in an era where conventional desktop and laptop sales are stagnant while smartphone and tablet shipments are going like gangbusters.

It's the hardware, stupid

Brian Berger, executive vice president at Wave Systems and a board member of the Trusted Computing Group, is even more upbeat about Windows 8's security improvements, particularly the greater reliance on "hardware-embedded security".

"Microsoft’s decision to focus on active embedded hardware security in the Windows 8 OS comes in response to a rapidly changing cyber landscape, marked by the threat of sophisticated boot sector viruses, compliance with data protection laws, an increasingly mobile workforce and porous network perimeters," Berger said. "It brings the Trusted Platform Module (TPM) and optional use of Self-Encrypting Drives into the mainstream for enterprises. In doing so it means that hardware-based security becomes even more pervasive in broader platform types and a very real (and cost-effective) option for securing business continuity and data."

Windows 8 will modernise access control and data management, he added.

"The launch of the new OS also brings fresh capability for the management of virtual smart cards and DirectAccess, allowing enterprise users to establish their identity using the machine as a token-for-network logon, negating the need for tens of passwords which fail to live up to the current threats we face. It also simplifies the user experience and provides higher assurance, reducing help desk costs," Berger concluded.

The positive outpourings for Windows 8's security follows a thumbs-up during an earlier analysis of the operating system by Chris Valasek, a senior security research scientist at software testing firm Coverity. Valasek praised the exploit-mitigation technologies built into Windows 8 - specifically in the heap memory manager and kernel pool llocator - arguing that these features will serve to make life far more difficult for malware slingers.

Rik Ferguson of security software maker Trend Micro is also broadly upbeat about the security improvements in Windows 8, and highlighted the fact that web filtering features commonly found in browsers have been extended across the OS.

"The SmartScreen technology that you are used to seeing in Internet Explorer has now been extended across the entire operating system so now even if you are using something other than a browser to access internet resources and downloads, you will still be offered some level of filtering for potentially malicious downloads. Let’s hope this one isn’t as 'noisy' as User Access Control (UAC) has been," Ferguson wrote in a blog post on Windows 8 security.

The only note of criticism was a weakness in the way Windows 8 stores passwords for people who use pictures or PINs to login.

"Microsoft has added some functionality obviously designed for those touchscreen devices they are anticipating," Ferguson said. "Picture or PIN based logins credentials can be used once a user password has been set as a shortcut to logging in. While this feature may be convenient, research during beta testing demonstrated that an attacker with local administrator privileges could access and decrypt the passwords of accounts using this feature."

Ferguson also damns the built-in Windows Defender malware protection with faint praise: "Microsoft Windows 8 is more secure out-of-the-box than it has ever been, but remember the integrated anti-malware provides only baseline security, not the fully featured security of a dedicated specialist." ®

Providing a secure and efficient Helpdesk

More from The Register

next story
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
Chrome 38's new HTML tag support makes fatties FIT and SKINNIER
First browser to protect networks' bandwith using official spec
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.