Prashant Gupta is a Security Architect for McAfee Labs. His work in malware analysis and anti-virus for managed ...
This is our second look at security-related changes to Windows 8 and the new Metro interface. Our first post introduced the topic and examined some of what’s new and potentially risky in Internet Explorer 10. Today, we’ll discuss improvements and possible problem points in the Windows Store, background tasks, the Windows 8 interface, and more.
The Windows Store is similar to application stores or markets for other platforms. To install apps, a customer needs to have a Microsoft Account (or a current Windows Live account).
The Windows Store currently does not prompt users to review the capabilities being requested by a new application. This information is visible in the details page for the application:
If an application attempts to access something that it hasn’t requested at installation, then the application will be denied access to that resource. It is important that users review the capabilities requested by their applications and not install those that request permissions that make the users uncomfortable. Odd requests can be a warning flag: for example, a photo-editing app that requests access to text messaging (SMS) yet has not explained why this capability is required. Purpose-built security software always adds value and provides more layers of protection from such rogue applications.
With Metro, all applications that are not in the foreground are suspended—so they don’t chew up resources that the foreground application could use. But Metro applications can also be active while in the background. Here are some triggers that will cause activity:
| Trigger event | When task is triggered |
|---|---|
| ControlChannelTrigger | On incoming messages on the control channel |
| InternetAvailable | The Internet becomes available |
| InternetNotAvailable | The Internet becomes unavailable |
| LockScreenApplicationAdded | An app tile is added to the lock screen |
| LockScreenApplicationRemoved | An app tile is removed from the lock screen |
| MaintenanceTrigger | Time for maintenance background tasks |
| NetworkNotificationChannelReset | A network channel is reset |
| NetworkStateChange | A network change such as a change in cost or connectivity occurs |
| OnlineIdConnectedStateChange | Online ID associated with the account changes |
| PushNotificationTrigger | A raw notification arrives on the Windows Push Notification Service channel |
| ServicingComplete | The system has finished updating an application |
| SessionConnected | The session is connected |
| SessionDisconnected | The session is disconnected |
| SessionStart | The user session starts |
| SmsReceived | A new SMS message is received by an installed mobile broadband device |
| TimeTrigger | A time event occurs |
| TimeZoneChange | The time zone changes on the device (for example, when the system adjusts the clock for daylight saving time) |
| UserAway | The user leaves |
| UserPresent | The user returns |
Although background triggers are not security risks per se, Metro will allow applications to run in the background. The trigger will launch a terminated application or unfreeze a suspended application and then run the task without bringing the application to the foreground. The user will not know the program is running.
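As an added illustration (not code from the original post), the capability review described above can be run against an app package's AppxManifest.xml, which also declares the app's background tasks. The manifest below is constructed, and the app name, the `audit_manifest` helper and the expected-capability set are assumptions chosen for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest for a hypothetical photo-editing app (not from the post).
SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">
  <Identity Name="Contoso.PhotoFix" Publisher="CN=Contoso" Version="1.0.0.0" />
  <Applications>
    <Application Id="App" Executable="PhotoFix.exe" EntryPoint="PhotoFix.App">
      <Extensions>
        <Extension Category="windows.backgroundTasks" EntryPoint="Tasks.Sync">
          <BackgroundTasks>
            <Task Type="systemEvent" />
            <Task Type="timer" />
          </BackgroundTasks>
        </Extension>
      </Extensions>
    </Application>
  </Applications>
  <Capabilities>
    <Capability Name="picturesLibrary" />
    <Capability Name="internetClient" />
    <DeviceCapability Name="sms" />
  </Capabilities>
</Package>"""

# Reviewer-chosen policy (assumption): what a photo editor plausibly needs.
EXPECTED_FOR_PHOTO_EDITOR = {"picturesLibrary", "internetClient", "webcam"}

def local(tag):
    # Strip the XML namespace so the check does not depend on the schema version.
    return tag.rsplit("}", 1)[-1]

def audit_manifest(xml_text, expected_caps):
    root = ET.fromstring(xml_text)
    caps, tasks = [], []
    for el in root.iter():
        name = local(el.tag)
        if name in ("Capability", "DeviceCapability") and el.get("Name"):
            caps.append(el.get("Name"))
        elif name == "Extension" and el.get("Category") == "windows.backgroundTasks":
            entry = el.get("EntryPoint", "")  # class that runs without a foreground UI
            tasks += [(entry, t.get("Type")) for t in el.iter() if local(t.tag) == "Task"]
    return {
        "capabilities": sorted(caps),
        "unexpected": sorted(set(caps) - expected_caps),  # declared but outside policy
        "background_tasks": tasks,
    }

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, EXPECTED_FOR_PHOTO_EDITOR))
```

The standard-library parser is not hardened against hostile XML; for manifests taken from untrusted packages, use a hardened parser such as defusedxml.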
With Windows 8 (apart from the Metro interface) Microsoft has made significant improvements over the previous version. Fixes and upgrades include address space layout randomization, heap randomization, kernel fixes, and improvements to use-after-free issues in IE 10.
Let’s look at some noteworthy changes that will be visible to users. We’ll cover more improvements in future posts.
The SmartScreen feature, introduced in earlier versions of IE, has become Windows SmartScreen. This helps protect users from downloading or running suspicious or malicious applications. As you might expect, however, it allows you to run the executable anyway.
SmartScreen warns users who try to download a suspicious executable, but users may override the warning. This freedom poses a risk if such downloads are not secured by policy or antimalware solutions.
Windows Defender has been around for a while, but in Windows 8 it will come packaged with Windows and provide a first line of defense for users without an independent security suite installed. Windows Defender will detect viruses and other malware; that’s an improvement on previous versions, although in third-party tests Microsoft security solutions have performed at no better than an average level, according to the “Virus Bulletin” RAP averages quadrant. Windows Defender is a good first step toward effective security, but “defense in depth” is better. Consumers should install a desktop security suite to provide better protection than Windows can offer. In a corporate environment this defense becomes even more important, and security policies can be better enforced with an endpoint security suite.
A browser must provide everything from text, forms, and images to complex resource-intensive activities such as script execution and video. Browsers that have adopted the HTML5 standard are much more feature rich, and they are also a gateway to some rich applications that require system resources not available within Metro. But these user and application demands are difficult to meet in Windows 8 due to the significant restrictions placed on the Metro environment.
To provide developers and users with a choice to change the default browser in Windows 8, Microsoft has introduced a new class of applications: the “Metro style enabled desktop browser.” These applications can be registered as the default browser and can execute within the immersive Metro interface. This is an interesting twist because this non-Metro, non-Windows-Store application can influence Metro. It shouldn’t take long before we see custom tricks to get nonbrowser applications posing as browsers.
To Microsoft’s credit the Metro browser installation is not entirely unattended. To select a default browser, the user sees the following screen:
By default, changes that modify the system state generally put the user, rather than the application, in control of the change. This control is great, but it puts great responsibility on users to see, understand, and make the right decisions. These decisions can be improved significantly by relying on advice from antimalware vendors, which have greater visibility and can offer proactive measures to boost security for Windows 8.
Windows has great influence and market share, but that also places great responsibility on Microsoft. Windows 8 will provide users with a number of new interface paradigms. New and skilled users alike will need to learn to survive in this new environment. They must:
“Old” Windows (with its desktop applications) still lies under the hood of Metro and is still vulnerable to conventional threats to IE or Office as well as to new Metro applications. Microsoft’s new security features will apparently require attackers to use a higher degree of sophistication to exploit systems. Yet past improvements have not deterred malware authors, and there is no reason to believe that new ones will either. Good user education remains of paramount importance.
Users must ensure that any operating system is patched, and that their machines have an antimalware solution that is kept up to date.
Future posts will include more analysis of Windows 8 and the state of its security. We will also further explore implications for users and discuss best security practices for the operating systems and applications.