Microsoft's Windows 8 is seen by many as representing an evolutionary jump for the operating system (OS), but what about security? Has there been an evolutionary leap there?
In the run-up to the launch, much has been said about the new user interface because, on the surface, Windows 8 looks very different to anything Microsoft has done before.
But is that true when it comes to security? If Microsoft is to win back the enterprise as it goes in pursuit of tablets and other mobile devices, Windows 8 security is likely to be an important factor.
Windows 8 features embedded hardware security
Perhaps one of the most important developments in Windows 8 is Microsoft’s decision to focus on active embedded hardware security.
This move comes in response to a rapidly changing cyber landscape, marked by the threat of sophisticated boot sector viruses, compliance with data protection laws, an increasingly mobile workforce and porous network perimeters, according to Brian Berger, executive vice-president of marketing and sales at Wave Systems.
“In doing so it means that hardware-based security becomes even more pervasive in broader platform types, and a very real, and cost-effective, option for securing business continuity and data. It also represents a powerful endorsement of open industry standards for hardware embedded security,” said Berger.
With advances in malware detection, modern authentication for network access and encryption, Windows 8 will provide support for remote attestation by trusted third parties.
“This supports the market need for platform level authentication and native support for SEDs as part of the operating system. Windows 8 platforms will include a TPM and optional SED support built into the OS,” said Berger.
He also believes that SEDs will enable a superior user experience and greater security that has eluded many companies and organisations to date.
According to the Trusted Computing Group (TCG) – which published the TPM specification – the technology offers a cheaper and better alternative to software-based information security systems.
The TCG, of which Microsoft is a founder member, claims the technology has reached tipping point, with TPMs now in more than 600 million computing devices.
While there has been third-party support for SEDs on Windows XP, Vista and Windows 7, Windows 8 will provide native support for SEDs as part of the operating system.
Microsoft should push for an operating system that has no backward-compatibility so that it can move onto a new, more secure architecture
James Lyne, Sophos
This means Windows 8 will have built-in encryption key management capability for SEDs, which reduces the affect of encryption on system performance by offloading encryption processing to hardware instead of using software-based encryption.
The active use of TPMs allows boot level security features to be implemented. TPMs used in conjunction with the Windows 8 supported hardened UEFI BIOS standard can also enable the enterprise to check the platform's integrity that can be affected by malware in the pre-boot state, ensuring the device has not been altered by malicious code.
“It does this through hardware-protected measurements bound to the platform. Software security fails to do this,” said Berger.
Windows 8, he said, will modernise access control and data management, while simultaneously improving data security within the enterprise.
Seeing a commercial opportunity, Wave Systems is geared to provide software support for TPMs and SEDs to make it easier for enterprises to implement these strategic security features on both Windows 7 and Windows 8.
“The launch of the new OS also brings fresh capability for the management of virtual smartcards and DirectAccess,” said Berger.
This allows enterprise users to establish their identity using the machine as a token-for-network logon, he said, eliminating the need for multiple passwords which fail to live up to the current threats we face. It also simplifies the user experience and provides higher assurance, reducing helpdesk costs.
The move to UEFI and TPM to enable trusted boot and to secure the boot chain is a significant step forward, according to James Lyne, director of technology strategy at Sophos.
“Master boot record (MBR) loaders are undetectable by most anti-malware systems, and this has been very painful, so it is good to have a way of tackling this problem in the OS,” he said.
However, according to Lyne, in releasing Windows 8, Microsoft has squandered the opportunity to address a well-known vulnerability in the way its operating system handles IPv6 traffic.
Using a simple tool such as flood_router6 from the thc-ipv6 package, a remote attacker can cause a denial of service or system hang by sending multiple router advertisement (RA) messages with different source addresses.
Updating the routing tables and configuring IPv6 addresses requires 100% of processing resources. If a network is flooded with random router announcements, Windows and other operating systems struggle to update their routing tables, causing systems to hang.
Microsoft has missed the opportunity to fix this problem in Windows 8, said Lyne, as well as the opportunity to improve the certificate store and the management of trust to reduce the vulnerability to rogue or compromised certificate authorities by using the TPM more and the ability to intercept and lock down fake certificates used by malware.
Windows 8 security report card: Has shown improvement, but could do better. Some areas still need work
Differences in the different versions of Windows 8 could create also security gaps, said Lyne.
There are three versions: Windows 8, which is the “home” edition; Windows 8 Pro, which includes features for enterprises, such as support for Hyper-V, BitLocker, a virtual private network (VPN) client and group policy support; and Windows RT, which is built for ARM-powered devices such as low-powered tablets and lifestyle PC devices.
“My worry is that enterprises and other users will treat them all the same when it comes to security, but the risks are different,” said Lyne.
Windows RT provides a much higher security standard, for example, as only approved apps will run. “Microsoft has adopted a similar approach to Apple in creating a walled garden; it will be strict, but not quite as strict as Apple about what apps are allowed,” said Lyne.
He believes, however, that for Microsoft to improve security significantly, Windows needs to make a break from the shackles of backward-compatibility. “Microsoft should push for an operating system that has no backward-compatibility so that it can move onto a new, more secure architecture,” said Lyne.
“The rate at which enterprise users have moved to the iPad and similar devices, demonstrates that enterprises are more open to change, are more willing to change doctrine in return for tangible benefits than Microsoft thinks,” he said.
Lyne believes Microsoft should have taken the opportunity to push the walled garden approach of Windows RT into the other versions of the operating system.
“While Windows 8 moves in the right direction in terms of security, it is not that much different from Windows 7,” he said.
For the enterprise, as the operating systems get better at security, there is a growing need to be vigilant about social engineering as a way of getting past defences, said Lyne.
“As far as Windows 8 is concerned, assume that all the malware that worked on Windows 7 will work and that you still need to protect against it, and don’t assume all versions of Windows 8 are equal in terms of security and have the same risks,” he said.
Windows 8 security report card: Has shown improvement, but could do better. There are still some areas that need work.