Windows 8 Security: Mostly Good, Some Bad

Even though Microsoft's Windows 8 is not specifically a security release, the new Secure Boot and better memory management hardens the desktop against attackers.

As Microsoft's Windows 8 operating system launches Oct. 26, the company will not be making a great leap forward in securing the desktop against attackers, but a number of baby steps will help make users more secure, say security experts.

Unlike the major security improvements in Windows Vista and Windows 7, in the latest release, Microsoft has focused on creating a graphical user interface that works on the desktop, as well as tablets and smartphones. While the jury is still out on whether the company has succeeded, security professionals say that the company has advanced the operating system's security in many ways.

"They focused much more on baking security into their development process in this product," said Chris Valasek, senior research security scientist at code-security firm Coverity. "And they built other features in that might foil attacks in the near future."

In a review of Windows 8 memory management improvements, Valasek found that the operating system better implements key security technologies, such as address space layout randomization (ASLR). Because of the changes, many of the popular memory attacks that work against Windows 7 will not work against Windows 8 without re-architecting the attack code.

Perhaps the greatest step forward for Windows 8 is the inclusion of Secure Boot, a controversial feature that locks the operating system to the device, making it difficult, if not impossible, to run unapproved software before the operating system boots up. Secure Boot builds on the Unified Extensible Firmware Interface (UEFI), the next-generation firmware that will boot up a computer and hand off control to the operating system.

"With UEFI, a computer will only run operating system kernels that have been digitally signed by an approved software vendor," Wolfgang Kandek, chief technology officer of cloud-security firm Qualys, said in a blog post. "Thus, the user is guaranteed that the operating system has not been tampered with by attackers."

Microsoft is also adding its own app store, an approach made popular by Apple with its iOS applications and which the company started using with Mac OS X as well. Applications available through the Windows App Store will require Microsoft's seal of approval and will be checked for malicious behavior.

"As users begin to favor the App Store as their main source for applications, overall security will be enhanced because it will be near-impossible for an attacker to place a Trojan horse in the store," said Kandek.

Having an app store which enforces some security testing and from which malicious software can be removed, makes the overall ecosystem for a platform more secure. Apple's iOS and Google's Android have benefited from the app store model, which acts an added layer of security.

Finally, Microsoft Internet Explorer 10, released along with Windows 8, will increase the security of any plug-ins, making them more difficult to compromise. However, IE 10 appears to have removed some of the security indicators that give users hints of the threat posed by a Website or link, said Chet Wisniewski, senior security advisor with Sophos, an antivirus firm.

"It becomes much harder to tell that there is a secure connection there," said Wisniewski.

The problem is rampant on mobile devices, because of the lack of screen space to show all the security information—such as padlock icons, certificate information and extended validation certificates—but desktop software has typically given users good visual clues as to the security of a site.

"I'm a little disappointed that Microsoft adopted the mobile browser model," said Wisneiwski.

Overall, however, Microsoft has once again advanced the security of its operating system, Qualys's Kandek wrote.

"Personally, I am in line for upgrading my home Windows machine to Windows 8," Kandek added.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...