Original URL: http://www.theregister.co.uk/2012/11/03/win8_security_analysis/

You know who else hates Windows 8? Hackers

Antivirus makers heap praise and scorn on new security features

By John Leyden

Posted in Windows 8, 3rd November 2012 13:02 GMT

Microsoft's emphasis on the mobile nature of Windows 8 and its bold touch-friendly user interface may lead some to fear the software giant has taken its foot off the pedal in terms of security.

However there are plenty of changes under the bonnet to merit an examination of the new operating system's defences. Judging by the buzz among security researchers and IT dept bods, the most interesting changes are: the built-in tool Windows Defender now tackles all kinds malware rather than just spyware; the use of digital certificates to ensure the machine doesn't boot up a compromised or tampered Windows installation; and the new Early Launch Anti Malware (ELAM) system that scans the operating system for malware and ensures antivirus software is the first thing to run on a freshly booted computer.

That's according to Aryeh Goretsky, a top brain at security software biz ESET, who wrote up his thoughts in a whitepaper [PDF] titled Windows 8: FUD for thought. He is broadly positive about Windows 8's security improvements.

Most Windows 8 machines will ship with Windows Defender, a rebadged version of Microsoft Security Essentials, included. Goretsky describes it as a good product that offers a "decent level of protection", especially when compared against other free anti-malware programs, if not paid-for products from the likes of, er, ESET. His verdict:

Windows Defender provides a good level of protection, but is mainly targeted at those who are unwilling - or unable - to purchase a commercial anti-malware solution. While any protection is better than none, and Microsoft is to be applauded for including a product of this caliber in Windows 8, Windows Defender should be thought of as the minimum bar for levels of protection and support that computer users should expect from their anti-malware software.

An advantage that Windows Defender has over other free anti-malware programs is that it does not attempt to up-sell the user to a paid-for product and toolbars or banner advertisements, nor does it modify existing search settings.

A big change in lower levels of Windows 8 is the requirement for computer makers to switch from using PC BIOS firmware in their machines and use UEFI firmware instead. UEFI, which powers up the computer and helps the operating system access some of the hardware, isn't particularly contentious, but it does have a feature called Secure Boot that Microsoft has wielded with gusto. Secure Boot prevents a computer from running an operating system unless its boot loader code is digitally signed with a key stored in the UEFI firmware.

Blocking unsigned startup code can effectively prevents malicious software, such as rootkits that spy on users, from hijacking the boot process to ensure it remains hidden from detection. But the technology also makes it difficult for free software enthusiasts to run GNU/Linux and other alternative operating systems on machines certified to run Windows 8.

Red Hat and Ubuntu-maker Canonical Ubuntu have come up with ways to support UEFI's Secure Boot. While Microsoft has said that although the ability turn off Secure Boot must be present in order to pass Windows 8 certification tests, the technology must be enabled by default. Goretsky argues that open-source loyalists critical of Secure Boot should lay off and recognise that the technology is the best available to combat an all-too-real threat. Goretsky, a Microsoft "Most Valuable Professional", wrote:

While it’s too soon to know the long-term effects on security of Microsoft’s Secure Boot requirement, in the short term it greatly reduces the attack surface currently exploited by bootkit forms of rootkit malware on systems using BIOS-based firmware.

It is disappointing that Microsoft’s efforts to repair the hole in the chain of trust of the PC boot process, which has been in existence for two decades, is being met with skepticism and outright hostility at a time when sophisticated attacks are on the increase. We hope that Microsoft and the critics of its stance on UEFI can work out their disagreements so that the security of all operating systems, not just Microsoft Windows, can be enhanced.

Microsoft's stance on Secure Boot has been much debated, but one security feature in Windows 8 that has so far drawn little comment is the Early Launch Anti Malware (ELAM) system. This sits in a software layer just above the secured boot process, and ensures a configured anti-malware product is the first third-party code to run while the operating system is still loading - heading off viruses and other nasties before they can compromise a system.

Goretsky describes it as a potential useful tool against sneaky forms of malware, such as bootkits, that try to hide on infected machines:

While the effectiveness of ELAM is as yet unproven, the concept behind it is fundamentally sound and it should prove to be a major deterrence to boot-time malware. The technology, however, may need to be periodically updated to overcome existing limitations and provide additional functionality. Advanced functionality for memory and disk manipulation would be useful for enhancing the detection and removal capabilities of anti-malware programs.

So the OS is defended - but what happens when hackers target ordinary folk?

Despite building these defences around the operating system, Microsoft has some security headaches it can't easily shake off: the ESET whitepaper concludes that social engineering - basically, tricking users into doing dumb things including unwittingly handing control over to hackers - will continue to be a problem. Attacks could also target on-board sensors to tamper with readings.

"While location telemetry might be the likeliest data to be abused, it is not the only one," Goretsky noted. "Data from barometers and thermometers might be spoofed to force a computer to turn itself off, or an unscrupulous manufacturer might falsify data in order to deny warranty service. The same scenarios are also possible with accelerometer, gyroscope and magnetometer sensors and their data."

In addition, Microsoft's insistence on developers digitally signing code could make programmers and their build systems a target for attack; hackers would love to get their hands on the private keys so malicious software can masquerade as legitimate third-party products and trick victims into installing them - and there have been a few cases of miscreants getting hold of sensitive security certificates.

Goretsky argues attacks of this kind are only likely to increase, and said the best way to tackle the threat is to improve organisations' IT security policies rather than specifically change the operating system.

Microsoft has made hundreds of security improvements with Windows 8, according to Goretsky, who adds "upgrading to Windows 8 is a no-brainer from a security perspective: doing so greatly increases your security".

However the veteran researcher notes that security will have little bearing on the success of Windows 8 in the marketplace, which is far more tied to its ability to establish a credible alternative to Apple's iPad. We're now in an era where conventional desktop and laptop sales are stagnant while smartphone and tablet shipments are going like gangbusters.

It's the hardware, stupid

Brian Berger, executive vice president at Wave Systems and a board member of the Trusted Computing Group, is even more upbeat about Windows 8's security improvements, particularly the greater reliance on "hardware-embedded security".

"Microsoft’s decision to focus on active embedded hardware security in the Windows 8 OS comes in response to a rapidly changing cyber landscape, marked by the threat of sophisticated boot sector viruses, compliance with data protection laws, an increasingly mobile workforce and porous network perimeters," Berger said. "It brings the Trusted Platform Module (TPM) and optional use of Self-Encrypting Drives into the mainstream for enterprises. In doing so it means that hardware-based security becomes even more pervasive in broader platform types and a very real (and cost-effective) option for securing business continuity and data."

Windows 8 will modernise access control and data management, he added.

"The launch of the new OS also brings fresh capability for the management of virtual smart cards and DirectAccess, allowing enterprise users to establish their identity using the machine as a token-for-network logon, negating the need for tens of passwords which fail to live up to the current threats we face. It also simplifies the user experience and provides higher assurance, reducing help desk costs," Berger concluded.

The positive outpourings for Windows 8's security follows a thumbs-up during an earlier analysis of the operating system by Chris Valasek, a senior security research scientist at software testing firm Coverity. Valasek praised the exploit-mitigation technologies built into Windows 8 - specifically in the heap memory manager and kernel pool llocator - arguing that these features will serve to make life far more difficult for malware slingers.

Rik Ferguson of security software maker Trend Micro is also broadly upbeat about the security improvements in Windows 8, and highlighted the fact that web filtering features commonly found in browsers have been extended across the OS.

"The SmartScreen technology that you are used to seeing in Internet Explorer has now been extended across the entire operating system so now even if you are using something other than a browser to access internet resources and downloads, you will still be offered some level of filtering for potentially malicious downloads. Let’s hope this one isn’t as 'noisy' as User Access Control (UAC) has been," Ferguson wrote in a blog post on Windows 8 security.

The only note of criticism was a weakness in the way Windows 8 stores passwords for people who use pictures or PINs to login.

"Microsoft has added some functionality obviously designed for those touchscreen devices they are anticipating," Ferguson said. "Picture or PIN based logins credentials can be used once a user password has been set as a shortcut to logging in. While this feature may be convenient, research during beta testing demonstrated that an attacker with local administrator privileges could access and decrypt the passwords of accounts using this feature."

Ferguson also damns the built-in Windows Defender malware protection with faint praise: "Microsoft Windows 8 is more secure out-of-the-box than it has ever been, but remember the integrated anti-malware provides only baseline security, not the fully featured security of a dedicated specialist." ®