Windows 7 Vulnerability Claims

Windows 7 Vulnerability Claims

  • Comments 11
  • Likes

Now that Windows 7 is available, a recent blog by Chester Wisnieski (who works at security vendor Sophos), entitled Windows 7 vulnerable to 8 out of 10 viruses, which has stirred some interest.

Here's a quick summary for those who missed Chester's blog. During a test SophosLabs conducted, they subjected Windows 7 to "10 unique [malware] samples that arrived in the SophosLabs feed." They utilized a clean install of Windows 7, using default settings (including the UAC defaults), but did not install any anti-virus software. The end result was 8 of the 10 malware samples successfully ran and the blog proclaims that "Windows 7 disappointed just like earlier versions of Windows." Chester's final conclusion? "You still need to run anti-virus on Windows 7." Well, we agree: users of any computer, on any platform, should run anti-virus software, including those running Windows 7.

Clearly, the findings of this unofficial test are by no means conclusive, and several members of the press have picked apart the findings, so I don't need to do that. I'm a firm believer that if you run unknown code on your machine, bad things can happen. This test shows just that; however, most people don't knowingly have and run known malware on their system. Malware typically makes it onto a system through other avenues like the browser or email program. So while I absolutely agree that anti-virus software is essential to protecting your PC, there are other defenses as well.

Let me recap some of the Windows 7 security basics. Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware. This includes features like User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP) to name just a few. The result, Windows 7 retains and refines the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released.

Beyond the core security of Windows 7, we have also done a lot of work with Windows 7 to make it harder for malware to reach a user's PCs in the first place. One of my favorite new features is the SmartScreen Filter in Internet Explorer 8. The SmartScreen Filter was built upon the phishing protection in Internet Explorer 7 and (among other new benefits) adds protection from malware. The SmartScreen Filter will notify you when you attempt to download software that is unsafe - which the SophosLabs methodology totally bypassed in doing their test.

So while I'm not a fan of companies sensationalizing findings about Windows 7 in order to sell more of their own software, I nevertheless agree with them that you still need to run anti-virus software on Windows 7.  This is why we've made our Microsoft Security Essentials offering available for free to customers. But it's also equally important to keep all of your software up to date through automatic updates, such as through the Windows Update service. By configuring your computers to download and install updates automatically you will help ensure that you have the highest level of protection against malware and other vulnerabilities.

11 Comments
You must be logged in to comment. Sign in or Join Now
  • The problem with relying just on AV software is that you could have a virus on your PC before your AV vendor has worked out (and issued) its antidote. On the other hand the OS always knows its about to execute a program. http://www.warehousedeals.org/

  • Microsoft Windows 7 lets us handle the issues of the computer with Action Center. It is a known strategy to use a Windows based product for the demonstration of marketing the AV product. Since nearly maximum pc's in the world still in Windows platform. Simple use Microsoft Security Essentials for the purpose.

  • tabela
    2 Posts

    that's useful vulnerabilities article, thanks

  • Thanks for these articles, I enjoyed them!

  • n4cer
    13 Posts

    If the user downloads the malware using an application that does not support AES (e.g., Firefox 2.x or below), the executable will not be tagged (at least, this was true on XP SP2). Depending on the executable's function, you may be prompted if it is not signed. For the standard user scenario where the executable does not require additional privileges, you would not likely be prompted (e.g., you run it and it can delete your documents without warning).

    The Windows Command Prompt (cmd.exe) also does not implement AES (so most existing cmd scripts, etc., continue to run as expected), so if you can get the user to execute the (tagged) malware using it, (again, depending on the executable's function) you will not be prompted. If it gets handed off the ShellExecute, for instance, you will be prompted.

    Along the social engineering path of getting the user to execute via cmd, you could also try to get them to remove/change the value of the ZoneIdentifier tag by either telling them to click the Unblock button in the properties dialog for the executable, or running some command. These are largely user trust issues though, not inherent OS vulnerabilities. Though much of today's malware relies on social engineering (e.g., Antivirus 20xx). This is where built-in solutions like SmartScreen, Defender and MSRT, and good AV products can help.

  • Thanks for the explanation, n4cer.

    Does the Attachment Execution Service (AES), therefore, prompt when any malware that gets onto your computer from the internet tries to execute? Is there a way to bypass having the origin tag put on a file from the internet?

    The malware you mentioned in your first reply (that infects your files in your Documents folder ) would also trigger a propmpt if it has been downloaded from the internet. Is that correct?

    Praful

  • n4cer
    13 Posts

    BTW, the Attachment Execution Service would prompt you when attempting to run an unsigned executable, particularly if originating from untrusted locations such as the Internet. This is another detail Sophos omits, and unless they manually unblocked the executable (thus removing the origin tag), they would've encountered this prompt on any computer upon which they installed the malware.

    Code Integrity would do the same for kernel mode components.

  • n4cer
    13 Posts

    There's no indication that the malware bypasses UAC. UAC elevation is only triggered when performing privileged actions on the system. If the malware was engineered to run within the constraints of the standard user account, UAC would not be triggered, however the malware could still affect files the standard user account may access, such as those within the Documents folder of that account.

    As stated in this blog, Sophos bypassed many of the features that could protect the user in a realistic use case (SmartScreen, Protected Mode, etc.) when they actively installed the malware on the system rather than going through normal vectors.

    Sophos' implication that UAC should act as a barrier to malware is rediculous -- that's not its goal. Any protection gained from UAC is a side-effect of enabling the user to be productive without giving applications full-time, full system access. There's still a lot that can be done in the user's context, you just can't affect the entire system (barring exploitable vulnerabilities).

  • The article about vulnerabilities says that the viruses run even with UAC enabled. Whilst there's no doubt that anti-virus (AV) software should be installed, shouldn't UAC at least tell you that an unauthorised program is about to run?

    The problem with relying just on AV software is that you could have a virus on your PC before your AV vendor has worked out (and issued) its antidote. On the other hand the OS always knows its about to execute a program.

    If programs can bypass UAC that pretty much renders it useless. It's a bit like an umbrella with holes, which admittedly gives you some protection but no one would buy one.

    Is this an instance where MS has favoured convenience for the user over security? If so, I would rather have the option of always being told a program is being executed (at least once) and approving it. Let those who don't care except a lower UAC setting.

    I'd appreciate some clarification.

    Praful

  • I love how the author of the Sophos article points out the number of insecure Windows systems that are currently spreading the latest big ugly worms and viruses, but fails to acknowledge that most of those installs--if not the vast majority--are from pirated versions of windows being uses mainly in SE Asian countries where piracy is out of Microsoft's ability to control and shouldn't be held accountable for.

  • W7 or any edition is as secure as the user. From my experince, the majority of repairs I've done was becuae a user downloaded a cracked game (warez) or otherwise clicked yes and ok knowing they were putting themself at risk (questionable file).

    But I do think that 7 is better then Vista and Vista better than XP.