Windows 8's New Security Features Explained
When Microsoft's new operating system, Windows 8, hits the market on Oct. 26, it will be chock-full of new and enhanced features aimed at giving users more security than ever before.
"There are quite a few security improvements," said Roel Schouwenberg, a senior researcher in the Boston-area office of Russian anti-virus firm Kaspersky Lab. "It all starts at the boot level, with Windows 8 offering the ability to do a secure boot."
In earlier versions of Windows, the computer first booted by starting the motherboard-based Basic Input-Output System (BIOS), which located the master boot records on available disks, then launched the operating system. But malware writers learned to infect the BIOS and the master boot record, neither of which can be touched by regular anti-virus software.
Windows 8 uses an entirely different startup procedure, the Unified Extensible Firmware Interface (UEFI). Microsoft's Secure Boot feature is built on top of UEFI and allows only "signed" software to launch, preventing unauthorized firmware, operating systems or UEFI drivers from running at boot time.
Microsoft says Secure Boot, combined with third-party anti-virus software, can better protect against malware and corrupted software on Windows 8.
"What Secure Boot means is that something is put in place to fight so-called rootkits — very complex malware that is able to get in under the operating system and is very hard to detect and remove," Schouwenberg said. "[Secure Boot] comes in and fights these sophisticated pieces of malware."
Rob Enderle, principal analyst for the San Jose, Calif.-based market-research firm Enderle Group, echoed Schouwenberg's observations.
"In theory, it will be difficult and much harder for an attacker to get underneath the boot process and install a rootkit," Enderle said. "It will require someone who works on the computer to penetrate it."
Built-in anti-virus software
In Windows 8, Microsoft has also enhanced its built-in Windows Defender software by adding anti-malware features.
"Windows 8 will have an improved version of Windows Defender," Schouwenberg said. "Windows Defender, up until Windows 7, was strictly an anti-spyware tool. Defender in Windows 8 includes [the previously optional anti-virus tool] Microsoft Security Essentials. So it goes from being an anti-spyware solution to something that can deal with more common malware."
Windows Defender in Windows 8 is full-fledged anti-virus software, offering daily virus-definition updates and real-time scans.
"This is one of the biggest problems of the past versions of Windows," Enderle said. "The majority of people didn't run anti-virus products, or they didn't keep the anti-virus products updated, because they didn't want to pay the subscription fee.
"Once [such users] become infected, they tend to spread the problem around," he said. "Windows 8 will have a strong baseline capability of eliminating malicious software, and instead of being a carrier of a virus, it is a much better way to stop viruses."
Microsoft has also improved the security of Internet Explorer for Windows 8, Schouwenberg said.
"With Windows 7, we started to see a lot more exploits against the vulnerability of Internet Explorer," Schouwenberg said. "That allowed the attacker to gain higher privileges on the system."
With the introduction of Windows Vista, Microsoft divided user accounts into two groups: administrators, who could install, delete and alter software, and limited users, who could modify only their own documents, not applications.
"Up until Windows XP, everybody was running as an administrator, so if malware would somehow launch on a machine, it would be able to do anything on the computer that it wants," Schouwenberg said.
But with that route closed off in Vista, malware writers had to discover other ways to infect the machine. They found vulnerabilities in Internet Explorer that allowed them to "escalate" limited-user privileges to administrator levels.
Vista never took off, but Windows 7 did, and as Windows 7 got more popular, Schouwenberg said, such attacks upon Internet Explorer increased.
So Microsoft put features in place for Windows 8 that make it much harder to exploit any type of vulnerability that would enhance or increase a limited user's privileges.
"It will be interesting to see how the cybercriminals respond to that," Schouwenberg said. "Generally speaking, Windows 8 has some improvements that deal with exploit mitigation. So even if there is a vulnerability in the code, Microsoft has improved the way it randomizes the location of data in memory to make exploits more difficult."
Malware writers have also been heavily targeting flaws in Adobe Flash Player and Java plug-ins for Internet Explorer and other browsers.
"In the last one to two years, we've seen a decline in the exploitation techniques that can be used to successfully exploit Windows 7. That was a bit of a challenge when Windows 7 was released," Schouwenberg said. "But that's why the attackers have been going after the Adobe products first and now are targeting Java so ferociously, because that code, especially the Java code, is easier to exploit than the Internet Explorer code."
Schouwenberg said some of the steps that Microsoft took with Windows 7 and Vista are really working. The attackers simply decided that rather than putting in all the extra effort to get through those defenses and attack IE directly, it's much easier to attack the plug-ins that everybody is already using.
In Windows 8, Microsoft is also introducing an updated, more secure application-sandbox environment dubbed AppContainer, which houses the new Windows 8 apps. This feature determines, on a detailed level, which actions certain apps can take. AppContainer is intended to stop the apps from disrupting the operating system.
"[Microsoft] has been running in a bit of a sandbox since Vista," Schouwenberg said. "In my point of view, the SmartScreen feature will be more interesting."
SmartScreen Filter is Microsoft's filtering technology, which prevents Internet users from downloading or installing malicious software.
"Up until Windows 7, the SmartScreen was mostly focused on downloads," Schouwenberg said. "In Windows 7, the SmartScreen is linked to Internet Explorer. In Windows 8, the SmartScreen works for any program you want to run on your machine."
According to Enderle, Microsoft has taken the IE 8 capability of notifying users of malicious websites and put it directly on the user interface.
"If you get to the Web some other way, there is a reasonable chance the operating system will be able to identify that you've hit a malicious site," Enderle said. "On top of that, they've improved the notification, changed the taxonomy of the notification. The user only gets an alert if you're going to do yourself harm."
It will be interesting to see how these developments affect the cybercrime ecosystem, Schouwenberg said.
"In theory, all these technologies definitely make it harder for a machine to get infected," he said. "But it will depend on Windows 8's popularity. If Windows 8 really takes off, then the bad guys will definitely look closely at these systems. If we see a repeat of Vista, and everybody sticks with XP or Windows 7, then there won't be a real incentive for the bad guys to take a look.
"Obviously, nothing is perfect," Schouwenberg added. "Over time, these mitigation strategies will be defeated. The question is: How much time are the bad guys going to need?"
This story was provided by SecurityNewsDaily, a sister site to TechNewsDaily.