Windows 8 Security: What You Need to Know

All applications submitted to Windows 8’s Windows Store must be digitally “signed,” encouraging malware authors to try and steal digital certificates.

Windows 8 features tightened cyber-security, suggests Aryeh Goretsky, distinguished researcher at anti-malware vendor ESET and a member of its Zeroday Emergency Response Team. In addition to enhanced versions of existing security measures, the next-generation operating system includes several new capabilities that thwart specific, hard-to-combat threats.

Despite those new capabilities, bad actors could still inject malware by exploiting users unfamiliar with new features of Windows 8, so read on to find out what you can do to keep data safe.

“Windows 8 is, in our opinion, the most secure version of Microsoft Windows to date,” Goretsky said. “That does not, however, mean that it is invulnerable to all threats. If there is one thing we have seen time and time again, it is that those who create malware adapt it to take advantage of technologies as they come into the mainstream.”

For users without subscriptions to their own favorite anti-malware scanning suite, Windows Defender is bundled with all flavors of Windows 8. However, the savvy Windows user will notice that Defender is not just anti-spyware—according to Goretsky, it’s essentially a rebadged version of Microsoft’s Security Essentials anti-malware scanner. Unlike previous versions, which were difficult to remove, this improved version of Windows Defender can be easily uninstalled by users who want to add more robust anti-malware solutions that provide higher granularity of threat detection, task scheduling, centralized management and reporting.

Rootkits, which use stealth mechanisms to get past anti-malware scanners by disabling or bypassing the operating system, often threatened users of previous Windows versions. To beat rootkits, Windows 8 has incorporated several very effective changes into the boot process itself, according to Goretsky. For instance, to combat bootkits—one flavor of rootkits that subvert the boot process itself by installing their own code in place of the normal boot code—Windows 8 includes an improved kernel and device driver manager as part of its Trustworthy Computing (TwC) initiative for Windows.

In addition, vendors that include Windows 8 with their hardware are now being required to switch from the outdated Basic Input/Output System (BIOS) firmware to the newer Unified Extensible Firmware Interface (UEFI), which is managed by the UEFI Forum, a consortium of several hundred companies including Apple, Canonical (Ubuntu), Dell, Hewlett-Packard, IBM, Intel, Lenovo, Microsoft, Oracle and Red Hat.

One essential part of UEFI is Secure Boot, which prevents rootkits from loading by requiring that boot loader code—the first code loaded from disk into memory—be digitally signed with a certificate derived from a key stored in the UEFI firmware on the computer’s motherboard. Digital certificates verify that the boot code is unmodified by rootkits, thus guaranteeing its authenticity.

“Microsoft’s Secure Boot requirement greatly reduces the attack surface currently exploited by bootkit forms of rootkit malware on systems using BIOS-based firmware,” Goretsky said.

But Secure Boot isn’t foolproof, as demonstrated by the Stuxnet worm, which made use of digital certificates stolen from Chinese hardware manufacturers JMicron Technology Corp. and Realtek Semiconductor Corp. Fortunately, Stuxnet was relatively benign unless run on specific network configurations that included Siemens industrial controllers. Nevertheless, it did prove that digital certificates can be stolen and used for nefarious purposes, and since all applications submitted to the Windows Store must be digitally signed, malware authors will likely be encouraged to steal digital certificates in the future.

Goretsky also points out that software developers themselves are more likely to become targeted by malware authors, given how the bulletproof aspects of Windows 8 could be subverted by injecting malicious code into digitally signed software before it is distributed (as was demonstrated by the Induc virus, which spread between computers for years before it was detected).

Secure Boot supported by UEFI firmware can even be used to insure other operating systems are rootkit-free, something that Goretsky claims has been misunderstood by Windows 8 notices. For instance, Red Hat and Canonical both support UEFI Secure Boot for their flavors of Linux.

One new security function of note is Windows 8’s Early Launch Anti Malware (ELAM) technology, which insures that third-party anti-malware code loads as the first non-Microsoft device driver during the boot process.

“ELAM is important because, like UEFI’s Secure Boot, it vastly improves the security of the computer at an early stage, in this case, as the operating system has begun to load,” Goretsky said.

ELAM anti-malware device drivers are limited to 128 Mbytes and cannot remove malware they detect. By installing before other non-Microsoft device drivers, ELAM detects and prevents malicious code from taking control of Windows 8 during the boot process, and—by passing control to full-featured third-party anti-malware suites immediately after the boot process—allows full-system scans and remediation before malware can cause significant harm.

Because of these security hardened features of Windows 8, some threats to new Windows 8 users may come from unfamiliarity with the new user interface, previously known as “Metro.” For instance, malware could present itself as a warning message in the new interface, tricking unsophisticated users into running programs that pretend to be patches to fix problems that don’t exist, but instead install malware. Windows 8 does include new warning messages that alert users to such tricks, but even seasoned users may ignore them due to “alert fatigue” from all the daily pop-ups.

New avenues for spoofing are also available to malware authors, since Windows 8 supports a whole host of new sensors including GPS locators, barometers, thermometers, accelerometers, gyroscopes and digital compasses. For instance, by spoofing a thermometer sensor reading, a Windows 8 computer could be forced to automatically shut down because it believes the computer is overheating.


Image: Microsoft