11:26 am (UTC-7) | by Jamz Yaneza (Threat Research Manager)
With its launch of Windows 8, Microsoft promises a rejuvenated OS and brand that translate into an improved user experience. But when it comes to security, did Microsoft take it up a notch?
Beyond Windows 8's interface and overall experience, users are also concerned with its resilience against threats. Below are some of my observations on the security changes Microsoft implemented in Windows 8.
Windows Defender. Microsoft now ships a full anti-malware product pre-installed: it is essentially Microsoft Security Essentials (the free successor to Windows Live OneCare) folded into the OS. Windows 7 came with an anti-spyware-only version of Windows Defender, though users could download Security Essentials for free. In Windows 8, Windows Defender combines both anti-spyware and antivirus capabilities. On retail versions, users still have the choice of installing the security product they prefer, including from the Windows Store. If no other security product is installed within roughly two weeks, Windows 8 activates Windows Defender.
This is a sensible decision by Microsoft: leaving the choice of product to the user sidesteps the legal (antitrust) complaints an always-on bundled antivirus would invite, while users who forget to install their favorite security product still get a baseline level of protection from Windows Defender.
UEFI. The Unified Extensible Firmware Interface is the long-delayed replacement for the legacy BIOS (and, together with GPT partitioning, for the MBR). It allows vendor customization, device enumeration and driver loading before the OS starts, and can shorten boot time by skipping much of the legacy BIOS initialization.
Intel-based Apple Macs and servers have used EFI firmware by default since the switch to Intel processors. It is programmable, so in combination with other technologies it can present a unified boot-up process, corporate boot logos and the like.
UEFI appears to be a good choice, but it has a caveat. The UEFI specification itself (maintained by the UEFI Forum) does not say whose keys a machine should trust; Microsoft's Windows 8 hardware certification requirements do, and they require OEMs to ship Secure Boot enabled with Microsoft's keys enrolled. Out of the box, such systems will refuse to boot an unsigned alternative operating system, or at least make installing one considerably harder. The workarounds are either to disable Secure Boot or enroll your own keys in the firmware setup (which the certification requirements mandate for x86 machines but not for ARM), or to piggyback on Microsoft's keys by having a boot loader signed through Microsoft's UEFI signing service, which side-steps the problem at the cost of ceding control of that part of the boot chain to Microsoft.
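To see for yourself whose keys a machine trusts, you can decode the Secure Boot db variable. The parser below is an added example written for this post, not code from Microsoft or the UEFI Forum: it walks the EFI_SIGNATURE_LIST structures the UEFI specification defines for db, dbx and KEK and reports each entry's type and owner. The signature-type GUIDs are the spec's; the owner GUID labelled as Microsoft's is the one Microsoft stamps on the entries it ships, while the OEM owner GUID, the placeholder certificate bytes and the hashed file names are constructed for the example so it runs offline. On a real machine the bytes would come from `(Get-SecureBootUEFI -Name db).Bytes` in PowerShell, or from the db file under `/sys/firmware/efi/efivars/` on Linux (after skipping the four-byte attribute prefix).

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# SignatureOwner GUID Microsoft uses on the db/KEK entries it ships.
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# Hypothetical OEM owner GUID, constructed for this example.
OEM_OWNER_GUID = uuid.UUID("0e5c0f3a-6d1b-4f7a-9c2d-1a2b3c4d5e6f")

HEADER_SIZE = 28  # EFI_GUID (16 bytes) + three UINT32 fields


def parse_signature_lists(blob):
    """Walk the concatenated EFI_SIGNATURE_LISTs in a db/dbx/KEK variable.

    Returns a list of (type_name, owner_guid, signature_data) tuples.
    Raises ValueError on malformed input rather than silently skipping it,
    since a truncated or self-inconsistent db is itself worth noticing.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_SIZE:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        # EFI_GUID fields are little-endian on the wire; bytes_le handles that.
        type_guid = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_SIZE or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size < 16:
            raise ValueError("SignatureSize %d too small to hold an owner GUID" % sig_size)
        body_start = off + HEADER_SIZE + hdr_size
        body_end = off + list_size
        if body_start > body_end or (body_end - body_start) % sig_size:
            raise ValueError("signature area at offset %d is not a whole number of entries" % off)
        for s in range(body_start, body_end, sig_size):
            # EFI_SIGNATURE_DATA: SignatureOwner GUID followed by the data.
            owner = uuid.UUID(bytes_le=bytes(blob[s:s + 16]))
            data = bytes(blob[s + 16:s + sig_size])
            entries.append((TYPE_NAMES.get(type_guid, str(type_guid)), owner, data))
        off = body_end
    return entries


def build_signature_list(type_guid, sigs):
    """Pack (owner_guid, data) pairs into one EFI_SIGNATURE_LIST (no signature header)."""
    sig_size = 16 + len(sigs[0][1])
    if any(len(data) != sig_size - 16 for _, data in sigs):
        raise ValueError("all entries in one list must have the same SignatureSize")
    body = b"".join(owner.bytes_le + data for owner, data in sigs)
    return type_guid.bytes_le + struct.pack("<III", HEADER_SIZE + len(body), 0, sig_size) + body


def non_microsoft_entries(entries):
    """Entries whose owner is not Microsoft: the OEM or user keys, if any."""
    return [e for e in entries if e[1] != MICROSOFT_OWNER_GUID]


# Constructed sample db: one X.509 entry (placeholder bytes, not a real
# certificate) owned by Microsoft, plus two SHA-256 hash entries, one of
# them owned by the hypothetical OEM.
FAKE_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, [(MICROSOFT_OWNER_GUID, FAKE_CERT)])
    + build_signature_list(EFI_CERT_SHA256_GUID, [
        (MICROSOFT_OWNER_GUID, hashlib.sha256(b"bootmgfw.efi (sample)").digest()),
        (OEM_OWNER_GUID, hashlib.sha256(b"oem-diagnostics.efi (sample)").digest()),
    ])
)

if __name__ == "__main__":
    for type_name, owner, data in parse_signature_lists(SAMPLE_DB):
        who = "Microsoft" if owner == MICROSOFT_OWNER_GUID else str(owner)
        print("%-6s owner=%s %d bytes" % (type_name, who, len(data)))
```

On a stock Windows 8 OEM machine, expect every db entry to carry Microsoft's owner GUID: a Microsoft Windows Production CA certificate that signs Windows itself and a Microsoft UEFI CA certificate that signs third-party boot loaders and option ROMs. Anything else listed is a key the OEM or you enrolled, which is exactly the control the caveat above is about.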
ELAM + Secure Boot. Together with UEFI, these are Microsoft's new answer to rootkit installation. Secure Boot has the firmware verify the signature of each boot loader and UEFI driver against its key databases (db for allowed signatures, dbx for revoked ones) before executing it. Early Launch Anti-Malware (ELAM) then lets a Microsoft-signed anti-malware driver load ahead of all other boot-start drivers and classify each of them (known good, known bad or unknown) before the kernel decides whether to load it. The aim is to keep bootkits (boot-level rootkits) from taking hold before the OS is up.
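The ELAM half of that is not a simple allow list: the anti-malware vendor's driver returns a classification per boot-start driver, and the kernel then applies the DriverLoadPolicy value from HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch (also exposed as the "Boot-Start Driver Initialization Policy" group policy) to decide what actually loads. The model below is an added example written for this post, not Microsoft's kernel or any vendor's ELAM driver: the classification names mirror the BDCB classification values, the policy numbers are the documented ones, and the driver "images", hash lists and verdicts are constructed so the script runs stand-alone.

```python
import hashlib

# ELAM classifications, modelled on the BDCB_CLASSIFICATION values an ELAM
# driver returns to the kernel for each boot-start driver image.
KNOWN_GOOD = "KnownGood"
UNKNOWN = "Unknown"
KNOWN_BAD = "KnownBad"
KNOWN_BAD_BUT_CRITICAL = "KnownBadButBootCritical"

# DriverLoadPolicy values (HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch).
POLICY_GOOD_ONLY = 0
POLICY_GOOD_AND_UNKNOWN = 1
POLICY_GOOD_UNKNOWN_AND_BAD_CRITICAL = 3   # Windows 8 default
POLICY_ALL = 7

ALLOWED_BY_POLICY = {
    POLICY_GOOD_ONLY: {KNOWN_GOOD},
    POLICY_GOOD_AND_UNKNOWN: {KNOWN_GOOD, UNKNOWN},
    POLICY_GOOD_UNKNOWN_AND_BAD_CRITICAL: {KNOWN_GOOD, UNKNOWN, KNOWN_BAD_BUT_CRITICAL},
    POLICY_ALL: {KNOWN_GOOD, UNKNOWN, KNOWN_BAD, KNOWN_BAD_BUT_CRITICAL},
}


def classify(image, boot_critical, good_hashes, bad_hashes):
    """What the anti-malware vendor's ELAM driver decides about one image.

    A real ELAM driver also sees the image's signer and the registry key
    being loaded; here (a simplification for the example) the verdict comes
    from hash lists only.
    """
    digest = hashlib.sha256(image).hexdigest()
    if digest in bad_hashes:
        return KNOWN_BAD_BUT_CRITICAL if boot_critical else KNOWN_BAD
    if digest in good_hashes:
        return KNOWN_GOOD
    return UNKNOWN


def boot_decisions(drivers, good_hashes, bad_hashes,
                   policy=POLICY_GOOD_UNKNOWN_AND_BAD_CRITICAL):
    """Kernel side: apply DriverLoadPolicy to each classification.

    Returns [(name, classification, loaded)] in boot order.
    """
    if policy not in ALLOWED_BY_POLICY:
        raise ValueError("unknown DriverLoadPolicy %r" % policy)
    allowed = ALLOWED_BY_POLICY[policy]
    out = []
    for name, image, boot_critical in drivers:
        verdict = classify(image, boot_critical, good_hashes, bad_hashes)
        out.append((name, verdict, verdict in allowed))
    return out


def loaded_names(decisions):
    """Names of the drivers the kernel would let load, in boot order."""
    return [name for name, _, loaded in decisions if loaded]


# Constructed sample: driver "images" are just bytes and the hash lists are
# derived from them, so the example is self-contained.
SAMPLE_DRIVERS = [
    ("disk.sys",         b"sample disk.sys image",           True),
    ("vendorfilter.sys", b"sample third-party filter image", False),
    ("storport.sys",     b"sample tampered storport image",  True),
    ("rootkit.sys",      b"sample bootkit payload",          False),
]
GOOD_HASHES = {hashlib.sha256(SAMPLE_DRIVERS[0][1]).hexdigest()}
BAD_HASHES = {hashlib.sha256(SAMPLE_DRIVERS[2][1]).hexdigest(),
              hashlib.sha256(SAMPLE_DRIVERS[3][1]).hexdigest()}

if __name__ == "__main__":
    for policy in (POLICY_GOOD_ONLY, POLICY_GOOD_AND_UNKNOWN,
                   POLICY_GOOD_UNKNOWN_AND_BAD_CRITICAL, POLICY_ALL):
        d = boot_decisions(SAMPLE_DRIVERS, GOOD_HASHES, BAD_HASHES, policy)
        print("policy %d loads: %s" % (policy, ", ".join(loaded_names(d))))
```

Two things worth noticing when you run it. The default policy (3) still loads unknown drivers and known-bad drivers that are marked boot-critical, so ELAM blocks only what the vendor has already classified as bad and non-essential; and tightening the policy to "good only" trades that gap for the risk that a merely unknown filter driver keeps the machine from booting.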
Bootkits, as most of us know only too well, are a difficult problem that may prompt most users to wave the white flag. They take control below the OS and can present whatever system state they wish. With such a hold on an infected machine, the OS and the applications launched on it (security software included) cannot reliably determine whether the system is infected, which in turn stalls any fix or solution.
Microsoft may have taken its cue from its competitor Apple, since bootkits on Macs with EFI firmware are unheard of (though Apple's firmware of this era does not verify boot loader signatures, so that is an absence of reports rather than an equivalent mechanism). By pushing the UEFI envelope in Windows 8, Microsoft intends to steer away from the bootkit problem, hopefully for good. This security comes at the cost of a learning curve and the alternative-OS controversy mentioned above, and it will be up to end users and companies to weigh whether the extra layer of peace of mind is worth the inconvenience.
Bottom line: will these measures fully secure Windows 8? I have my doubts. UEFI and ELAM harden the boot chain, and Windows Defender is only a pre-built baseline; with the variety of software users run, they must still do their share to protect themselves from threats.
For cybercriminals, applications and their vulnerabilities are the low-hanging fruit, and these attackers are bent on circumventing stricter, improved defenses. Security is an ongoing arms race: as long as there is money and information to be gained and sold, new issues will surface. Still, an extra knife in the battle isn't such a bad idea.