Thursday, 06 September 2012 12:59

Windows 8 and RT Security; The Good the Bad and What It All Means

Written by

Reading time is around minutes.

As we have been working with Windows 8 and Windows 2012 server we have become increasingly concerned about security. Although Microsoft has claimed that they have improved security through items like the locked UEFI boot process there are still glaring omissions in security that keep popping up very recently it was noted that despite the claims from Microsoft of a more secure login process the password hint is exposed in the SID database and easily recovered remotely. We also found that users’ contact lists are also left in the open (and in plain text) and available to anyone that can gain remote elevated privileges; which is what almost all Viruses and Malware try to do.

Many security companies are concerned about Windows 8 and Windows RT simply because Microsoft is limiting what can be done to the OS as a whole. Symantec has stated that while they will have a version of their security products for Windows 8 they are not likely to be able to cover apps that run in the “modern UI” as Microsoft has rules about the way apps interact with each other. Microsoft’s policies would seem to leave the new OS very open to attack. Kaspersky, McAfee and PandaLabs have also chimed in saying that they will be able to protect the traditional desktop in Windows 8, but will not be able to protect Windows RT (where modern is king) and potentially Windows 8’s Modern UI. So let’s take a look at as many sides of this issue as we can to see where things really fall.

The Good -
Microsoft has implemented a few measures to keep Windows 8 and Windows RT secure. Some of these have been very detailed like the sandbox for the Modern UI as well as the secure UEFI Boot process and even the ELAM (Early Load Anti Malware Driver). On top of that Microsoft has taken Apple’s route of locking down the App store for any apps developed for the modern UI. Microsoft claims that they will scan all new Apps for malware, incorrect or unneeded privileges as well as verify a few other things in the code. From there all Apps will run in a sandboxed environment which separates each app from the others except for approved interaction with core OS functions (an app could open email or IE 10 etc.). Microsoft is also including their own basic malware protection that combines the older Windows Defender and MS Security Essentials.  Microsoft is also changing how the OS accepts security certificates. We have found that even if you install a self-issued certificate from a Microsoft Domain Controller or other server running as a Root CA into Windows 8 most Modern Apps will still reject the certificate meaning that Modern UI apps will be more selective about being fooled by invalid certificates. Comparing these security features to Windows XP, Vista or Even Windows 7 puts Windows 8 clearly out in front.

Microsoft wants to create a secure and structured eco system that relies on checking what loads at boot, monitoring and protecting the startup process and then limiting what can be installed on their devices. It is a smart move and one that is a marked improvement over what they have tried to do in the past with their products. Although I am not a fan of the level of control that Microsoft is building in here I can still say that the theory and concepts behind their security systems and layers are well thought out.

The Bad -
As we have shown you there are some new and improve things about security that make Microsoft’s claims of a more secure OS accurate, however when you look at each of these there are also downsides to them. Microsoft’s secure UEFI Boot and ELAM services can prevent many traditional malware removal products from working properly. If you look at items like ComboFix and Spybot Search & Destroy both of these require the ability to load during the startup process to remove malware that has embedded itself in the boot process. The counter to this is that the Secure UEFI Boot and ELAM are supposed to prevent that from happening. How many of you actually believe that this will be the case forever? We know that the people that write malware are very creative and have even used Microsoft’s own tools against them. How long before someone manages to replicate the signing process for the secure UEFI Boot and to bypass ELAM? From what we are hearing this might already have happened although we have been unable to confirm it as of this writing. Microsoft is limiting what security companies can do, but there are no such restrictions on malware developers. They will go after the core pieces of Windows 8 Security in the same way they have done before, the difference is that now the tools you use to remove these will not work.

As for sandboxing, well Safari, Java, Firefox, Google’s chrome and other applications use sandboxing as well. All of them have been breached. There is not a single sandbox environment that has not been broken out of and with elevated privileges to boot. These items make Windows 8 just as vulnerable as Windows 7. For Windows RT you have a little better security as Microsoft is not allowing the side loading of applications. You are supposed to only get them from the official Microsoft Store. The problem is, how long before malware developers get around that? We are betting about 60-90 days and here is why. Two days ago I received a call from someone who said their computer had a virus and asked me if I would look at it for them. When I received the system I started a quick scan of the drive outside of the system so that I was able to see everything that was there. I found quite a bit, but one in particular stood out; Facebook Messenger. Although there have been a few attempts as a Facebook Messenger app for the PC most are frauds and there are none that are officially sanctioned by Facebook.

When I asked the user about it they stated that it showed up in an advertisement on their fun web products toolbar so they downloaded it. They were looking for a simple app that allowed them to keep track of Facebook without needing to “be online”. It is social engineering at its best. This is exactly how malware developers will get through the Windows RT defenses. Although Microsoft will not allow side loading of apps, there is always a way to do this and it will happen again with Windows RT it is just a matter of time. Again the problem here is that there is no way to side load applications that would be able to remove this malware and if the security companies are correct Microsoft will not allow you to install any third party apps to protect your new tablet due to their own limitations.

What this means for the end user -
Overall the new security model should offer fairly decent protection from many existing threats. There are some that will still get around these systems because they exploit weaknesses in the classic desktop or break out of the sandboxed Modern UI when running the x86 version of Windows 8. The good news is that we should not see too many of these for at least 2-3 months and then widespread exploits will probably not hit for another 3-4 moths (depending on the level or adoption by the market). The timeline is an estimate based on how long it has taken security researchers to break through other new protections in the past. The down side here is that some of the core code is already in the hands of malware developers in the form of different versions of Windows 8 that have been released for public preview. There are some differences between these and the final RTM including the way the OS images are signed and the certificate that is used for each installation. However, the public availability of the OS and the leak of the actual RTM image gives many malware developers a head start.  People that buy Windows 8 may actually be more vulnerable to socially engineered malware as they could assume they are protected from them by default which is the same thing that we see happening in the mobile market. People feel safe with their phones and could feel safe with Windows 8 making them less careful about clicking on unknown links.

All is not lost though, it is important to remember that Microsoft tried this before with Windows Vista and eventually allowed the security companies to piggy back on the boot process to allow their anti-malware applications to work properly. We imagine that this will be the direction that Microsoft moves, with Windows 8 and also possible Windows RT. The question is; will this happen because it is a logical move, or in response to a large spread worm or virus that infects either platform? One will be a good thing for Microsoft and the other will hurt them… We are hoping for the former, but betting on the latter.

Discuss this in our Forum

Read 9011 times Last modified on Thursday, 06 September 2012 13:04

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.