Windows 7 Vulnerability Claims

Now that Windows 7 is available, a recent blog post by Chester Wisniewski (who works at security vendor Sophos), entitled "Windows 7 vulnerable to 8 out of 10 viruses," has stirred some interest.

Here's a quick summary for those who missed Chester's post. During a test SophosLabs conducted, they subjected Windows 7 to "10 unique [malware] samples that arrived in the SophosLabs feed." They used a clean install of Windows 7 with default settings (including the UAC defaults), but did not install any anti-virus software. The end result was that 8 of the 10 malware samples ran successfully, and the post proclaims that "Windows 7 disappointed just like earlier versions of Windows." Chester's final conclusion? "You still need to run anti-virus on Windows 7." Well, we agree: users of any computer, on any platform, should run anti-virus software, including those running Windows 7.

Clearly, the findings of this unofficial test are by no means conclusive, and several members of the press have already picked them apart, so I don't need to. I'm a firm believer that if you run unknown code on your machine, bad things can happen. This test shows just that; however, most people don't knowingly obtain and run malware on their own system. Malware typically reaches a system through other avenues, such as the browser or the email program. So while I absolutely agree that anti-virus software is essential to protecting your PC, it is only one of several defenses.

Let me recap some of the Windows 7 security basics. Windows 7 is built on the security platform of Windows Vista, which took a defense-in-depth approach to help protect customers from malware. This includes features like User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP), to name just a few. The result is that Windows 7 retains and refines both the development processes (including going through the Security Development Lifecycle) and the technologies that made Windows Vista the most secure Windows operating system ever released.

Beyond the core security of Windows 7, we have also done a lot of work to make it harder for malware to reach a user's PC in the first place. One of my favorite new features is the SmartScreen Filter in Internet Explorer 8. The SmartScreen Filter builds on the phishing protection in Internet Explorer 7 and, among other new benefits, adds protection from malware: it warns you when you attempt to download software that is known to be unsafe. The SophosLabs methodology bypassed this layer entirely, since the samples were never downloaded through the browser.

So while I'm not a fan of companies sensationalizing findings about Windows 7 in order to sell more of their own software, I nevertheless agree with them that you still need to run anti-virus software on Windows 7. This is why we've made our Microsoft Security Essentials offering available to customers for free. It is equally important to keep all of your software up to date, for example through automatic updates from the Windows Update service. By configuring your computers to download and install updates automatically, you help ensure that you have the best available protection against malware and other vulnerabilities.
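One way to check that a machine is actually configured the way the paragraph above recommends, as an added example that is not part of the original post: this PowerShell script reads the Automatic Updates configuration through the Windows Update Agent COM object (`Microsoft.Update.AutoUpdate`) and, when run elevated, can switch it to the "download and install automatically" level. It assumes Windows Vista or later with the Windows Update Agent present and PowerShell 3.0 or later; the level names are the values of the WUA `AutomaticUpdatesNotificationLevel` enumeration.

```powershell
# Added example (not from the blog). Assumes Windows Vista or later with the Windows
# Update Agent COM API available and PowerShell 3.0+; run the fix-up part elevated.
# Reads how Automatic Updates is configured and, when asked, switches it to the
# "download and install automatically" level the post recommends.

# AutomaticUpdatesNotificationLevel values used by the WUA API.
$levelNames = @{
    0 = 'NotConfigured'
    1 = 'Disabled'
    2 = 'NotifyBeforeDownload'
    3 = 'NotifyBeforeInstallation'
    4 = 'ScheduledInstallation'   # download and install automatically
}

function Get-AutomaticUpdateState {
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $s  = $au.Settings
    [pscustomobject]@{
        ServiceEnabled    = $au.ServiceEnabled
        NotificationLevel = $levelNames[[int]$s.NotificationLevel]
        ReadOnly          = $s.ReadOnly            # $true when Group Policy owns the setting
        Recommended       = ($s.NotificationLevel -eq 4)
    }
}

function Enable-AutomaticUpdates {
    # Requires an elevated token; the COM call fails with access denied otherwise.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    if (-not $au.ServiceEnabled) { $au.EnableService() }
    $s = $au.Settings
    if ($s.ReadOnly) { throw 'Automatic Updates is managed by policy; change it there instead.' }
    $s.NotificationLevel = 4
    $s.Save()
    $au.DetectNow()   # start a detection cycle right away instead of waiting for the schedule
}

$state = Get-AutomaticUpdateState
$state
if (-not $state.Recommended) {
    Write-Warning 'Automatic Updates is not set to download and install automatically.'
    # Enable-AutomaticUpdates   # uncomment in an elevated session to fix it
}
```

On a domain-joined machine `ReadOnly` is usually `$true` because Group Policy controls the setting; the script reports that rather than silently failing to save.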


Comments

  1. Posted on: November 06, 2009 at 8:32PM  

    W7 or any edition is as secure as the user. From my experience, the majority of repairs I've done was because a user downloaded a cracked game (warez) or otherwise clicked yes and ok knowing they were putting themselves at risk (questionable file).

    But I do think that 7 is better than Vista and Vista better than XP.

  2. Posted on: November 10, 2009 at 1:15PM  

    I love how the author of the Sophos article points out the number of insecure Windows systems that are currently spreading the latest big ugly worms and viruses, but fails to acknowledge that most of those installs--if not the vast majority--are from pirated versions of Windows being used mainly in SE Asian countries where piracy is out of Microsoft's ability to control and shouldn't be held accountable for.

  3. Posted on: November 10, 2009 at 3:44PM  

    The article about vulnerabilities says that the viruses run even with UAC enabled. Whilst there's no doubt that anti-virus (AV) software should be installed, shouldn't UAC at least tell you that an unauthorised program is about to run?

    The problem with relying just on AV software is that you could have a virus on your PC before your AV vendor has worked out (and issued) its antidote. On the other hand, the OS always knows it's about to execute a program.

    If programs can bypass UAC that pretty much renders it useless. It's a bit like an umbrella with holes, which admittedly gives you some protection but no one would buy one.

    Is this an instance where MS has favoured convenience for the user over security? If so, I would rather have the option of always being told a program is being executed (at least once) and approving it. Let those who don't care accept a lower UAC setting.

    I'd appreciate some clarification.

    Praful

  4. Posted on: November 10, 2009 at 8:42PM  

    There's no indication that the malware bypasses UAC. UAC elevation is only triggered when performing privileged actions on the system. If the malware was engineered to run within the constraints of the standard user account, UAC would not be triggered, however the malware could still affect files the standard user account may access, such as those within the Documents folder of that account.

    As stated in this blog, Sophos bypassed many of the features that could protect the user in a realistic use case (SmartScreen, Protected Mode, etc.) when they actively installed the malware on the system rather than going through normal vectors.

    Sophos' implication that UAC should act as a barrier to malware is ridiculous -- that's not its goal. Any protection gained from UAC is a side-effect of enabling the user to be productive without giving applications full-time, full system access. There's still a lot that can be done in the user's context, you just can't affect the entire system (barring exploitable vulnerabilities).
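The point made in the comment above (a process that never triggers a UAC prompt can still do anything the user can do to the user's own data) can be seen directly with a short script. This is an added example, not code from the post or from the commenter. It assumes Windows Vista or later with UAC enabled and PowerShell 3.0 or later, and it is meant to be run from a non-elevated session; the probe file names are made up here.

```powershell
# Added example (not from the blog or its commenters). Assumes Windows Vista or later
# with UAC on and PowerShell 3.0+, run from a NON-elevated session. Shows that a
# process which never prompts for elevation can still read and write the user's own
# data, while machine-wide locations stay off limits until the elevated token is used.

function Test-IsElevated {
    # Does the current token carry the full Administrators group, i.e. the "elevated"
    # half of a UAC split token (or a non-admin account, which also returns $false)?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-WriteAccess {
    param([Parameter(Mandatory)][string]$Directory)
    # Create and delete a throwaway file; report success without leaving anything behind.
    $probe = Join-Path $Directory ("uac-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false   # UnauthorizedAccessException: the ACL requires an elevated token
    }
}

"Running elevated: $(Test-IsElevated)"

# Per-user location: writable from a standard-user / non-elevated context, so malware
# that confines itself to places like this never causes a UAC prompt.
$docs = [Environment]::GetFolderPath('MyDocuments')
"Can write to $docs : $(Test-WriteAccess $docs)"

# Machine-wide location: the ACL only grants write to Administrators, so a write here
# (or an installer whose manifest asks for it) is what actually triggers elevation.
$pf = $env:ProgramFiles
"Can write to $pf : $(Test-WriteAccess $pf)"
```

Run the same script from an elevated prompt and both probes succeed; run it as a true standard user and the first succeeds while the second fails, which is the whole of what UAC's default setting distinguishes.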

  5. Posted on: November 10, 2009 at 9:07PM  

    BTW, the Attachment Execution Service would prompt you when attempting to run an unsigned executable, particularly if originating from untrusted locations such as the Internet. This is another detail Sophos omits, and unless they manually unblocked the executable (thus removing the origin tag), they would've encountered this prompt on any computer upon which they installed the malware.

    Code Integrity would do the same for kernel mode components.

  6. Posted on: November 14, 2009 at 2:57PM  

    Thanks for the explanation, n4cer.

    Does the Attachment Execution Service (AES), therefore, prompt when any malware that gets onto your computer from the internet tries to execute? Is there a way to bypass having the origin tag put on a file from the internet?

    The malware you mentioned in your first reply (that infects your files in your Documents folder) would also trigger a prompt if it has been downloaded from the internet. Is that correct?

    Praful

  7. Posted on: November 22, 2009 at 2:40PM  

    If the user downloads the malware using an application that does not support AES (e.g., Firefox 2.x or below), the executable will not be tagged (at least, this was true on XP SP2). Depending on the executable's function, you may be prompted if it is not signed. For the standard user scenario where the executable does not require additional privileges, you would not likely be prompted (e.g., you run it and it can delete your documents without warning).

    The Windows Command Prompt (cmd.exe) also does not implement AES (so most existing cmd scripts, etc., continue to run as expected), so if you can get the user to execute the (tagged) malware using it, (again, depending on the executable's function) you will not be prompted. If it gets handed off to ShellExecute, for instance, you will be prompted.

    Along the social engineering path of getting the user to execute via cmd, you could also try to get them to remove/change the value of the Zone.Identifier tag by either telling them to click the Unblock button in the properties dialog for the executable, or running some command. These are largely user trust issues though, not inherent OS vulnerabilities, though much of today's malware relies on social engineering (e.g., Antivirus 20xx). This is where built-in solutions like SmartScreen, Defender and MSRT, and good AV products can help.
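The "origin tag" discussed in comments 5 and 7 is the `Zone.Identifier` alternate data stream that the Attachment Execution Service writes on NTFS when a browser that supports it saves a download. The following script, added here as an example and not code from the post or its commenters, constructs a file tagged the way a browser would tag an Internet download, parses the stream, and then removes it with `Unblock-File`, which is what the Unblock button in the Properties dialog does. It assumes an NTFS volume and PowerShell 3.0 or later (for the `-Stream` parameter and `Unblock-File`); the file name and URLs in the sample stream are made up.

```powershell
# Added example (not from the blog or its commenters). Assumes Windows with NTFS
# and PowerShell 3.0+; the sample file and its URLs are constructed here.
# Shows the origin tag the commenters discuss: the Zone.Identifier alternate data
# stream, what it contains, and how Unblock-File removes it so the AES prompt no
# longer appears.

# URLZONE values stored in the stream's ZoneId field.
$zoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }

function Get-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$Path)
    # Returns $null when the file carries no tag (saved by a tool that does not implement
    # AES, copied through FAT/exFAT where streams cannot exist, or already unblocked).
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $fields = @{}
    foreach ($line in Get-Content -LiteralPath $Path -Stream Zone.Identifier) {
        # INI-style "Key=Value" lines under a [ZoneTransfer] header.
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }
    $zoneId = [int]$fields['ZoneId']
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = $zoneId
        Zone        = $zoneNames[$zoneId]
        ReferrerUrl = $fields['ReferrerUrl']   # present on newer browsers; may be empty
        HostUrl     = $fields['HostUrl']
    }
}

# Constructed sample: simulate a browser download by writing the same stream it would.
$sample = Join-Path $env:TEMP 'setup-from-internet.exe'
Set-Content -LiteralPath $sample -Value 'not really an executable'
# ZoneId 3 = URLZONE_INTERNET; the URLs are hypothetical.
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'ReferrerUrl=http://example.invalid/downloads/',
    'HostUrl=http://example.invalid/downloads/setup.exe')

# Tagged: Zone=Internet, so launching it via ShellExecute (Explorer double-click) prompts.
Get-ZoneIdentifier $sample | Format-List

# The Unblock button in the file's Properties dialog does exactly this:
Unblock-File -LiteralPath $sample
if ($null -eq (Get-ZoneIdentifier $sample)) {
    'Tag removed: the file will now run without the AES prompt'
}
Remove-Item -LiteralPath $sample
```

As the commenter notes, the prompt is raised by the shell, not by the kernel: running the tagged file from cmd.exe, or through any path that does not consult the stream, produces no prompt even while the tag is present, and a download saved by a tool that does not implement AES never gets the tag in the first place. Checking for the stream with `Get-ZoneIdentifier` before running an unfamiliar file is therefore a useful habit, but its absence proves nothing about the file's origin.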

Trackbacks

  1. Posted by: Twitter Trackbacks for Windows 7 Vulnerability Claims - Windows Security Blog - The Windows Blog [windowsteamblog.com] on Topsy.com on November 06, 2009 at 7:20PM

  2. Posted by: uberVU - social comments on November 06, 2009 at 7:44PM

    This post was mentioned on Twitter by rv53705: The response to Sophos on the vulnerability and insecurity of #Windows7 http://bit.ly/44B4Vt

  3. Posted by: Study : Windows 7 is still susceptible to 80% virus - Page 2 - Windows Help Forum on November 07, 2009 at 2:01AM

  4. Posted by: Windows 7 Vulnerability Claims | Windows 2008 Security on November 07, 2009 at 8:01AM

  5. Posted by: Microsoft Responded To Sophos Windows 7 Vulnerability Claim | Windows 7 hacker on November 08, 2009 at 3:51AM

  6. Posted by: [Windows 7] Tips & tricks! on November 08, 2009 at 12:03PM

  7. Posted by: noneed.info » Blog Archive » Windows 7 Vulnerability Claims – Windows Security Blog – The … on November 09, 2009 at 1:53AM

  8. Posted by: Windows 7 Vulnerability Claims – Windows Security Blog – The … | Windows (7) Affinity on November 09, 2009 at 2:28AM

  9. Posted by: Windows 7 Vulnerability Claims - Windows Security Blog - The … on November 09, 2009 at 4:49AM

  10. Posted by: Windows 7 Vulnerability Claims – Windows Security Blog – The … : News IT on November 09, 2009 at 6:45AM

  11. Posted by: Donna's SecurityFlash on November 10, 2009 at 6:14AM

    Microsoft executive accuses security company Sophos of sensationalizing claims that Windows 7's User

  12. Posted by: You still need an antivirus software in Windows 7 (like a hole in the head?) · Digital explorations on November 10, 2009 at 2:30PM

  13. Posted by: Windows kernel requires urgent patch | bSecure on November 11, 2009 at 10:11AM

  14. Posted by: Windows kernel requires urgent patch | Netmedia.info on November 11, 2009 at 10:11AM

  15. Posted by: Windows 7 UAC default settings insecure - Page 2 - Raymond.CC Forum on November 12, 2009 at 10:03PM

  16. Posted by: Microsoft: Windows 7 Malware Threat 'Sensationalized' « The IT Juggler on November 15, 2009 at 1:04AM

  17. Posted by: Windows 7 vulnerable to 8 out of 10 viruses? « Nataniel. Notes about IT in Angola on November 15, 2009 at 4:03PM

  18. Posted by: McAfee Security Insights Blog » Blog Archive » Does Windows 7 Change The Security Equation? on November 16, 2009 at 7:57PM

  19. Posted by: Does Windows 7 Change The Security Equation? on December 12, 2009 at 6:03AM

  20. Posted by: Sophos going downhill – or Sohos Vs Microsoft Security Essentials-Bloggy Bloggy My Blog on February 08, 2010 at 1:08PM