Just when you thought Windows was no longer a target for hackers and malware developers, Chris Valasek’s pronouncement that Windows 8 is more secure just might bring back the Mongol hordes to the Windows gates. Valasek is a Senior Security Researcher at Coverity (a San Francisco-based software security company), and he loves reverse-engineering systems to find weak spots and vulnerabilities. With Windows 8, Valasek says he’d be wasting his time and would rather hack Windows 7.
If I was writing an exploit I would not want to do it for Windows 8. There are a lot of hurdles to overcome when writing an exploit that would target this operating system.
There’s the rub though, because when you give hackers a challenge, they love proving you wrong. Although Valasek himself is an ace hacker, there will be others lurking in the background that will try to feed him his foot. In an interview with The Register, Valasek said the Windows Memory Managers, the Windows 8 app container, IE 10 and the secure boot feature will work together to make Windows 8 a lot tougher to infiltrate with malware.
Windows Memory Managers
Windows 8 promises more “exploit-mitigation technologies” in its memory managers. The Windows Heap Manager and Kernel Pool Allocator will make it much harder for attackers to turn buffer overflow weaknesses into a foothold for malware.
Software bugs will always be a factor in operating systems, but the hardened heap and kernel pool allocators will greatly reduce how many of those bugs can be turned into working exploits. Valasek says the point is reducing risk by limiting the opportunities for attack.
There are always going to be vulnerabilities but you can make it difficult to leverage vulnerabilities to write exploits. It’d be naive to think there’ll be no new (vulnerabilities).
Windows 8 App Container
Windows 8 applications will run inside the App Container, and the new apps will only work as advertised, no more, no less. No more piggy-backing opportunities for malware, and if by chance it does hitch a ride, it will be limited to the actions the app itself is allowed to perform.
Valasek explains how the App Container works.
These new Windows 8 Apps will be contained by a much more restrictive security sandbox, which is a mechanism to prevent programs from performing certain actions. This new App Container provides the operating system with a way to make more fine-grained decisions on what actions certain applications can perform, instead of relying on the more broad ‘Integrity Levels’ that debuted in Windows Vista/7.
Internet Explorer 10
Microsoft’s default browser, Internet Explorer, gets a new upgrade in version 10. IE 10 reportedly comes with a mode that allows you to disable support for Flash, Java and other third-party plugins. While this mode may affect users’ browsing experience, it is a valuable option to have when some of the most successful malware exploits Java vulnerabilities (like last April’s Flashback / FlashFake Trojan, which affected almost 700,000 Macs).
When users opt to let third-party plugins run, those plugins will be randomly relocated in memory by IE 10 using ForceASLR (forced address space layout randomization). The browser instructs the OS to randomize every module it loads, whether or not the module was built to opt in to ASLR. This makes it more difficult to develop reliable exploits for buffer overflow bugs.
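To see why ForceASLR matters, it helps to know that a Windows module normally opts in to ASLR through the DYNAMICBASE flag in its PE optional header; a plugin built without that flag would otherwise load at a predictable address. The following added example (not code from the article or from Microsoft) parses that flag out of a PE header, builds a constructed minimal header in memory so it runs offline, and models whether a module would be randomized with and without the browser forcing ASLR. The `force_aslr` parameter and the `build_minimal_pe` helper are assumptions made for this illustration; the header offsets and flag values are the documented PE format constants.

```python
import struct

# DllCharacteristics bits from the PE specification (IMAGE_DLLCHARACTERISTICS_*).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE: module opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT: module opts in to DEP

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_SIZE = 20
DLLCHARACTERISTICS_OFFSET = 70  # same offset in both PE32 and PE32+ optional headers


def parse_dll_characteristics(data):
    """Return the DllCharacteristics field of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + COFF_HEADER_SIZE       # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (flags,) = struct.unpack_from("<H", data, opt_off + DLLCHARACTERISTICS_OFFSET)
    return flags


def mitigation_report(data):
    """Summarize the ASLR and DEP opt-in flags of a module (defensive audit view)."""
    flags = parse_dll_characteristics(data)
    return {
        "dynamic_base": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def would_be_randomized(data, force_aslr):
    """Model of the load-time decision: a module is randomized if it opted in,
    or if the hosting process forces ASLR on everything it loads (hypothetical
    switch standing in for IE 10's ForceASLR behaviour)."""
    return force_aslr or mitigation_report(data)["dynamic_base"]


def build_minimal_pe(dll_characteristics, pe32plus=True):
    """Constructed sample: a minimal PE header with only the fields this check
    reads filled in. It is not a loadable module, just test input."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff_header = struct.pack(
        "<HHIIIHH",
        0x8664 if pe32plus else 0x14C,  # Machine
        0, 0, 0, 0,                     # sections, timestamp, symbol table, symbol count
        opt_size,                       # SizeOfOptionalHeader
        0x2022,                         # Characteristics: executable, DLL, large-address-aware
    )
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


if __name__ == "__main__":
    legacy_plugin = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT)  # DEP only, no ASLR opt-in
    modern_plugin = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                                     | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    for name, image in (("legacy plugin", legacy_plugin), ("modern plugin", modern_plugin)):
        print(name, mitigation_report(image),
              "randomized without ForceASLR:", would_be_randomized(image, force_aslr=False),
              "with ForceASLR:", would_be_randomized(image, force_aslr=True))
```

Running the script against real DLLs only takes reading the file bytes into `parse_dll_characteristics`; a plugin that reports `dynamic_base: False` is exactly the case the forced randomization in IE 10 is meant to cover.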
Secure Boot
A gnarly issue at best, Secure Boot prevents unauthorized operating systems, drivers or firmware from running when you start your Win 8 PC. The check is built into the Unified Extensible Firmware Interface (UEFI), and only boot components carrying a trusted digital signature will be allowed to start on a Win 8 machine. Open-source folks are up in arms about this security feature because it means their “alternate operating systems” won’t be allowed to load on Win 8 devices.
Fedora (by Red Hat) wants its Linux OS to boot on Win 8 hardware, so it bought the right to use Microsoft’s signing service (for $99, through Verisign). Red Hat developer Matthew Garrett explained in his blog why this had to be done.
It’s not really an option to force all our users to play with hard to find firmware settings before they can run Fedora. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions. If there are better options then we haven’t found them. (This option) wasn’t hugely attractive, but is probably the least worst.
Ubuntu (by Canonical) is going a different route, opting to work with device manufacturers to use its own set of UEFI requirements. Garrett also explained what the Ubuntu key is about.
It’s basically the same set of requirements as Microsoft have, except with an Ubuntu key instead of a Microsoft one. The significant difference between the Ubuntu approach and the Microsoft approach is that there’s no indication that Canonical will be offering any kind of signing service. A system carrying only the Ubuntu signing key will conform to these requirements and may be certified by Canonical, but will not boot any OS other than Ubuntu unless the user disables Secure Boot or imports their own key database. A certified Ubuntu system may be more locked down than a certified Windows 8 system.
Canonical founder Mark Shuttleworth explained why Ubuntu took this route.
We’ve been working to provide an alternative to the Microsoft key, so that the entire free software ecosystem is not dependent on Microsoft’s goodwill for access to modern PC hardware. We’re pressing OEM partners for options that will be more broadly acceptable than Red Hat’s approach.
Whatever happens, users will still be able to turn off Secure Boot (well, except for ARM-powered PCs) if they don’t want it. We should all be thankful the entire OS is geared for your security, and not just full of Metro glitz and glamour.
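The Secure Boot behaviour described above, and the two escape hatches Garrett mentions (disabling Secure Boot or importing your own key database), can be modelled in a few lines. The example below is added here and is not code from the article, from Microsoft or from any distribution; it is a simplified model in which the firmware's allow list (`db`) and revocation list (`dbx`) hold SHA-256 image hashes, which UEFI does permit, while real firmware also accepts signer certificates. The `SecureBootPolicy` class, its method names and the constructed image bytes are assumptions made for illustration.

```python
import hashlib


class SecureBootPolicy:
    """Simplified model of UEFI Secure Boot image authorization.
    Assumption: db/dbx contain SHA-256 image hashes only (real firmware
    also matches X.509 signer certificates). Revocations in dbx win over db."""

    def __init__(self, enabled=True):
        self.enabled = enabled
        self.db = set()   # authorized image hashes (vendor keys, or ones the user imported)
        self.dbx = set()  # forbidden image hashes (revoked even if also present in db)

    @staticmethod
    def image_hash(image):
        return hashlib.sha256(image).hexdigest()

    def enroll(self, image):
        """Add an image to db, as an OEM pre-load or a user importing their own key database."""
        self.db.add(self.image_hash(image))

    def revoke(self, image):
        """Add an image to dbx so it can never boot again, even if it is in db."""
        self.dbx.add(self.image_hash(image))

    def authorize(self, image):
        """Return (allowed, reason) for an image the firmware is about to execute."""
        if not self.enabled:
            return True, "Secure Boot disabled: firmware runs any loader"
        digest = self.image_hash(image)
        if digest in self.dbx:
            return False, "image hash is in dbx (revoked)"
        if digest in self.db:
            return True, "image hash is in db (authorized)"
        return False, "image is not in db: refusing to boot"


def walkthrough():
    """Replay the scenarios from the article with constructed sample images."""
    vendor_loader = b"constructed sample: loader signed through Microsoft's signing service"
    other_os = b"constructed sample: loader from an unsigned alternate operating system"

    firmware = SecureBootPolicy(enabled=True)
    firmware.enroll(vendor_loader)              # what a certified Win 8 machine ships with

    results = {
        "vendor_loader": firmware.authorize(vendor_loader)[0],   # boots
        "other_os_locked": firmware.authorize(other_os)[0],      # refused
    }

    firmware.enroll(other_os)                   # user imports their own key database
    results["other_os_after_import"] = firmware.authorize(other_os)[0]

    firmware.revoke(other_os)                   # a later revocation overrides the import
    results["other_os_after_revoke"] = firmware.authorize(other_os)[0]

    firmware.enabled = False                    # user turns Secure Boot off in firmware settings
    results["other_os_secure_boot_off"] = firmware.authorize(other_os)[0]
    return results


if __name__ == "__main__":
    for scenario, booted in walkthrough().items():
        print("%-28s boots: %s" % (scenario, booted))
```

The order of the checks is the point: a revocation in dbx is consulted before the allow list, which is why a loader that was once authorized can be blocked later, and the only ways around the policy are the two the article names, adding your own entries to the key database or switching Secure Boot off entirely.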
Microsoft is offering a preview of Windows 8, check it out to see what all the buzz is about.