Corporate IT departments should be pleased with new security measures in Windows 7, but consumers are still at risk of getting hit by malware despite changes in the User Account Control (UAC) feature designed to help people be smarter when using applications, security experts say.
Probably the most talked about security change in Windows 7, scheduled for public release on Thursday, are modifications to the UAC, which was introduced in Vista. The UAC was designed to prevent unauthorized execution of code by displaying a pop-up warning every time a change was being made to the system, whether by the operating system or a third-party application.
Vista users complained that they were bombarded with the warnings and security experts speculated that as a result, many people were just ignoring them or turning them off.
With Windows 7, users can choose how often they want to be notified and the default is set to notify only when a third-party application is making a change, as well as when a change is being made to the UAC itself.
However, an attacker could use code injection and exploit several components in Windows 7 that auto-elevate to bypass UAC and get full access to the machine, experts have warned.
A Sophos white paper from September says: "Another issue with these default (UAC) settings is that malware could bypass the system by injecting itself into a trusted application and running from there. Indeed, some malware has been observed spoofing UAC-style prompts to obtain user permission to operate unimpeded."
Chester Wisniewski, a senior security adviser at Sophos, reiterated points made in the white paper and said Microsoft should also drop its practice of hiding file extensions by default, which makes it easy for users to be duped by malware.
"The changes to Windows 7 UAC have made it easy for malware writers to turn UAC off entirely without the user's knowledge. Microsoft recommends keeping UAC turned on and yet allows malware to turn it off without the user's knowledge," writes Ray Dickenson, chief technology officer at Authentium, in a recent blog post.
"If malware is on the computer, hasn't the game already been lost? Why worry about UAC if a password-stealing Trojan is on your computer?" Dickenson writes. "The answer lies in the difficulties inherent in identifying a program as goodware or malware."
Jon DeVaan, senior vice president of the Windows Core Operating System Division, attempted to address the concerns in a blog post from February: "We know that the recent feedback does not represent a security vulnerability because malicious software would already need to be running on the system. We know that Windows 7 and IE8 together provide improved protection for users to prevent malware from making it onto their machines... and we know that UAC is not 100 percent effective at stopping malware once it is running."
In a study of two groups of "regular people" testers, one group using the default setting and the other using the "Always Notify" setting, there was "no meaningful difference in malware infestation rates between the two groups," DeVaan wrote.
However, that was a limited test and it doesn't rule out the possibility that malware will find its way onto systems and try to elevate privileges.
David Sancho, a senior antivirus researcher at Trend Micro, noted that while the UAC changes in Windows 7 will improve the user experience by cutting back on the number of alerts, the operating system will be responsible for making more decisions about system changes, which won't always be good for the user.
Going forward, the real test of security in the near future is the browser because so many attacks and malware infections are now coming from the Web, he added.
"Internet Explorer 8 is lagging behind the rest of the browser vendors," Sancho said. "I see that as a pain point in the future...that can hold up the security of the overall system."
Asked to comment on the concerns, a Microsoft spokesman said in an e-mail: "Windows 7 is not designed to be a security boundary that prevents malware already on the system from making changes to a user's system. What it is designed to do is make users running with administrative rights, and software developers, more aware when software is attempting to perform an operation that requires full administrative rights...UAC is a security feature only in so far as it helps an increasing number of home and corporate users run in standard user accounts."
For enterprises, Windows 7 offers several interesting security boosts, experts said.
First off, the new operating system addresses an issue that has created headaches for administrators at corporations affected by Conficker and even the U.S. Department of Defense--viruses that spread via USB drive. With Windows 7, most USB drives will not be able to automatically launch a program using a Windows feature known as AutoRun, also known as AutoPlay.
However, some specialized USB flash drives present themselves as CD or DVD drives to the operating system and will still be able to use AutoRun. Because of that, Patrik Runald, senior manager of security research at Websense, said Microsoft should disable the feature entirely. "I don't think they went far enough," he wrote in an e-mail.
And Windows 7 offers BitLocker to Go encryption support for USB drives for the Ultimate and Enterprise editions. It protects the data in case the USB drive is lost or stolen.
The operating system also features an enhanced security controls interface called Windows Action Center that provides more "actionable advice around how to work with firewalls" and other security issues, Wisniewski said.
To see screen shots from Windows Action Center visit this CNET Reviews slide show.
Meanwhile, several security vendors said that working with Microsoft on product support went well for Windows 7.
For example, developers at Kaspersky Lab found it easier to provide support for Windows 7 than for previous versions of Windows because of the early availability of the beta version and the fact that there were relatively minor changes made in the operating system functionality during the beta testing process. "Microsoft did everything to help developers optimize their products for Windows 7," Kaspersky said in a statement.
Correction at 9:02 a.m. PDT: Patrik Runald's name was initially spelled incorrectly in this post.
Windows 7 makes remote connectivity to corporate networks seamless, protects data on thumb drives, and offers fewer user account control prompts to bug users compared to Vista, Microsoft said on Monday.
The software giant began an education blitz about the security features of the newest version of its operating system at the start of the RSA 2009 security conference.
Windows 7, which was released in public beta in January, will have 29 percent fewer user account control (UAC) prompts than Windows Vista has, and fewer prompts in general, according to Paul Cooke, director of Windows Client Enterprise Security.
"We've put users in control and allowed them the ability to tune the level of prompting" using a slider bar, he said in an interview.
Other new security features in Windows 7 are DirectAccess and BitLocker To Go.
DirectAccess offers remote workers the same level of seamless and secure connectivity as they have in the office. The system automatically creates a secure tunnel to the corporate network and workers don't have to manually substantiate a connection, Cooke said.
DirectAccess also allows IT administrators to patch systems whenever a remote worker is on the network, he said.
BitLocker To Go extends the data encryption features introduced in Vista to removable storage devices like USB thumb drives and flash drives. A password or a smart card with a digital certificate stored on it can be used to unlock the data. The devices can be used on any other Windows 7-based machine with the correct password. On XP and Vista machines the data on the drives can be read but not modified, Cooke said.
Smart-card provider Gemalto is offering multifactor authentication for Windows 7 for even more secure access to machines accessing the network, said Ray Wizbowski, director of marketing and communications at Gemalto. Now, a user can insert a card into a smart-card reader built into a laptop and either enter a personal identification number or use a fingerprint to access the data, he said.
Windows 7 also includes AppLocker technology that allows administrators to control the software that runs in the corporate network to ensure that only authorized scripts, installers, and dynamic load libraries are accessed. It also can be used to keep unlicensed software off machines, according to Cooke.
More information about Windows 7 security features are in posts on the Windows Security Blog and the Windows Blog.
- prev
- 1
- next
