<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://windowsteamblog.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Windows Security Blog : Internet Explorer 8</title><link>http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Internet+Explorer+8/default.aspx</link><description>Tags: Internet Explorer 8</description><dc:language>en</dc:language><generator>CommunityServer 2008 SP1 (Build: 30619.63)</generator><item><title>Windows 7 Vulnerability Claims</title><link>http://windowsteamblog.com/blogs/windowssecurity/archive/2009/11/06/windows-7-vulnerability-claims.aspx</link><pubDate>Sat, 07 Nov 2009 00:56:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:527942</guid><dc:creator>Paul Cooke</dc:creator><slash:comments>25</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://windowsteamblog.com/blogs/windowssecurity/rsscomments.aspx?PostID=527942</wfw:commentRss><comments>http://windowsteamblog.com/blogs/windowssecurity/archive/2009/11/06/windows-7-vulnerability-claims.aspx#comments</comments><description>&lt;p&gt;Now that Windows 7 is available, a recent blog by Chester Wisnieski (who works at security vendor Sophos), entitled &lt;a href="http://www.sophos.com/blogs/chetw/g/2009/11/03/windows-7-vulnerable-8-10-viruses"&gt;Windows 7 vulnerable to 8 out of 10 viruses&lt;/a&gt;, has stirred some interest.&lt;/p&gt;
&lt;p&gt;Here's a quick summary for those who missed Chester's blog. During a test SophosLabs conducted, they subjected Windows 7 to "10 unique [malware] samples that arrived in the SophosLabs feed." They utilized a clean install of Windows 7, using default settings (including the UAC defaults), but did not install any anti-virus software. The end result was that 8 of the 10 malware samples successfully ran, and the blog proclaims that "Windows 7 disappointed just like earlier versions of Windows." Chester's final conclusion? "You still need to run anti-virus on Windows 7." Well, we agree: users of any computer, on any platform, should run anti-virus software, including those running Windows 7.&lt;/p&gt;
&lt;p&gt;Clearly, the findings of this unofficial test are by no means conclusive, and several members of the press have picked apart the findings, so I don't need to do that. I'm a firm believer that if you run unknown code on your machine, bad things can happen. This test shows just that; however, most people don't knowingly have and run known malware on their system. Malware typically makes it onto a system through other avenues like the browser or email program. So while I absolutely agree that anti-virus software is essential to protecting your PC, there are other defenses as well. &lt;/p&gt;
&lt;p&gt;Let me recap some of the Windows 7 security basics. Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware. This includes features like User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP), to name just a few. As a result, Windows 7 retains and refines the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released.&lt;/p&gt;
&lt;p&gt;Beyond the core security of Windows 7, we have also done a lot of work with Windows 7 to make it harder for malware to reach a user's PC in the first place. One of my favorite new features is the SmartScreen Filter in Internet Explorer 8. The SmartScreen Filter was built upon the phishing protection in Internet Explorer 7 and (among other new benefits) adds protection from malware. The SmartScreen Filter will notify you when you attempt to download software that is unsafe - which the SophosLabs methodology totally bypassed in doing their test.&lt;/p&gt;
&lt;p&gt;So while I'm not a fan of companies sensationalizing findings about Windows 7 in order to sell more of their own software, I nevertheless agree with them that you still need to run anti-virus software on Windows 7.&amp;nbsp; This is why we've made our &lt;a href="http://www.microsoft.com/security_essentials/"&gt;Microsoft Security Essentials&lt;/a&gt; offering available for free to customers. But it's also equally important to keep all of your software up to date through automatic updates, such as through the Windows Update service. By configuring your computers to download and install updates automatically you will help ensure that you have the highest level of protection against malware and other vulnerabilities.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://windowsteamblog.com/aggbug.aspx?PostID=527942" width="1" height="1"&gt;</description><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Security/default.aspx">Security</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Windows+Security/default.aspx">Windows Security</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/IT+Pro/default.aspx">IT Pro</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Windows/default.aspx">Windows</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Windows+7/default.aspx">Windows 7</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Security+Development+Lifecycle/default.aspx">Security Development Lifecycle</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Internet+Explorer+8/default.aspx">Internet Explorer 8</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Windows+Update/default.aspx">Windows Update</category><category 
domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/UAC/default.aspx">UAC</category></item><item><title>Internet Explorer 8 Security</title><link>http://windowsteamblog.com/blogs/windowssecurity/archive/2009/04/24/internet-explorer-8-security.aspx</link><pubDate>Fri, 24 Apr 2009 20:20:41 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:512160</guid><dc:creator>Paul Cooke</dc:creator><slash:comments>7</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://windowsteamblog.com/blogs/windowssecurity/rsscomments.aspx?PostID=512160</wfw:commentRss><comments>http://windowsteamblog.com/blogs/windowssecurity/archive/2009/04/24/internet-explorer-8-security.aspx#comments</comments><description>&lt;p&gt;Here is another story from a Microsoft Program Manager discussing their favorite things in Windows 7. This time it is Eric Lawrence (Senior Program Manager on the Internet Explorer Team) talking about his favorite security features in Internet Explorer 8, the browser that ships in Windows 7.&lt;/p&gt; &lt;iframe height="326" src="http://www.microsoft.com/video/en/us/player/embed/17020a8a-b7e1-43fe-9ade-8179ed4fe3bf" frameborder="0" width="430" allowtransparency="allowtransparency" scrolling="no"&gt;&lt;/iframe&gt;  &lt;br /&gt;&lt;a href="http://www.microsoft.com/video/en/us/details/17020a8a-b7e1-43fe-9ade-8179ed4fe3bf?vp_evt=eref&amp;amp;vp_video=Eric+Lawrence+Discusses+His+Favorite+Internet+Explorer+Security+Features"&gt;Eric Lawrence Discusses His Favorite Internet Explorer Security Features&lt;/a&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://windowsteamblog.com/aggbug.aspx?PostID=512160" width="1" height="1"&gt;</description><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Security/default.aspx">Security</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Windows+7/default.aspx">Windows 7</category><category 
domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/RSA/default.aspx">RSA</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Internet+Explorer+8/default.aspx">Internet Explorer 8</category></item><item><title>End to End Trust and Windows 7</title><link>http://windowsteamblog.com/blogs/windowssecurity/archive/2009/04/21/end-to-end-trust-and-windows-7.aspx</link><pubDate>Tue, 21 Apr 2009 17:32:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:512016</guid><dc:creator>Paul Cooke</dc:creator><slash:comments>14</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://windowsteamblog.com/blogs/windowssecurity/rsscomments.aspx?PostID=512016</wfw:commentRss><comments>http://windowsteamblog.com/blogs/windowssecurity/archive/2009/04/21/end-to-end-trust-and-windows-7.aspx#comments</comments><description>&lt;p&gt;I attended Scott Charney&amp;rsquo;s keynote this morning at RSA &amp;ndash; &lt;i&gt;Moving Towards End to End Trust: A Collaborative Effort&lt;/i&gt;. I would assume that many of the readers of this blog are not familiar with the End to End Trust story. In a nutshell, End to End trust is Microsoft&amp;rsquo;s vision for creating a safer, more trusted Internet. It&amp;rsquo;s a great vision, but it&amp;rsquo;s also a big job that requires a commitment and focus on the fundamentals&amp;mdash;fundamentals that will help deliver the most secure and privacy-enhanced versions of software and services that we have ever delivered. We&amp;rsquo;re also not going it alone. End to End Trust requires broad collaboration within the industry and Microsoft will continue to share our best practices with the IT communities of our customers.&lt;/p&gt;
&lt;p&gt;Scott talked about how hard we are working across Microsoft to deliver technology innovations that move the needle towards a trusted stack, with security rooted in hardware and an identity metasystem (a big word that means a way of trusting people are who they say they are on the Internet). Even with progress, people still need strong defense in depth security technologies and Scott talked about how Microsoft&amp;rsquo;s Identity and Security Division is delivering integrated identity and security business solutions today to our customers. But maybe the most interesting thing he touched on was how technology innovations alone are not enough. Innovation also needs to align with political, economic and IT forces to enable the change that is truly needed. &lt;/p&gt;
&lt;p&gt;End to End trust is a vision of what&amp;rsquo;s possible if we collectively work together, and it can help address real world problems that people face every day such as ID theft, online fraud and child safety. If you want to learn more about End to End Trust, visit &lt;a href="http://www.microsoft.com/endtoendtrust"&gt;http://www.microsoft.com/endtoendtrust&lt;/a&gt; to find out the entire story. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="http://windowsteamblog.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/windowssecurity/Windows7_5F00_h_5F00_rgb_5F00_0EC4F31F.png"&gt;&lt;img height="38" width="240" src="http://windowsteamblog.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/windowssecurity/Windows7_5F00_h_5F00_rgb_5F00_thumb_5F00_5BF4ECAA.png" alt="Windows7_h_rgb" border="0" title="Windows7_h_rgb" style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" /&gt;&lt;/a&gt; &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Now, let&amp;rsquo;s talk about Windows 7 and the progress we&amp;rsquo;re making to deliver End to End Trust in the Windows platform. In my &lt;a href="http://windowsteamblog.com/blogs/windowssecurity/archive/2009/04/20/windows-7-security-helping-enable-the-mobile-workforce.aspx"&gt;blog post yesterday&lt;/a&gt; on how Windows 7 helps enable the mobile workforce, I wrote about technologies like DirectAccess, BitLocker To Go, and AppLocker. Each of these technologies plays a part in helping us enable End to End Trust, whether it is strong machine and user authentication with DirectAccess or limiting running software on a system to known, trusted applications with AppLocker. But there are other technologies that help us as well:&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Biometric Framework&lt;/b&gt; &lt;br /&gt;Fingerprint scanners are becoming more and more common in standard laptop configurations&amp;mdash;my laptop came standard with one. Windows 7 helps ensure that fingerprint readers work well and that they are easy to set up and use. This is accomplished by taking the common code that everyone needs to write and standardizing it in the platform so that biometric hardware vendors can concentrate on the code they need to write to make their device work and not have to worry about how it ties into Windows. This new framework makes logging on to Windows using a fingerprint more reliable across different hardware providers and makes fingerprint reader configurations easy to modify. This puts the user in control of how they log on to Windows 7 and manage the fingerprint data stored on their PC.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Improved Smart Card Support&lt;/b&gt; &lt;br /&gt;Password-based authentication has well-understood security limitations; however, deploying strong authentication technologies like smart cards remains a challenge for many. Windows 7 enhances the smart card infrastructure advances made in Windows Vista through support of Plug and Play. This eases deployment of smart card infrastructures because drivers for both smart cards and smart card readers are automatically installed, without the need for administrative permissions or user interaction. I think this new behavior is going to ease the deployment of strong, two-factor authentication for many organizations.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;BitLocker &lt;br /&gt;&lt;/b&gt;I&amp;rsquo;m a big fan of BitLocker; it helps prevent a thief who boots another operating system or runs a software hacking tool from breaking into my laptop if they happen to get a hold of it. This holds true for both the operating system volume (C: drive) and my data volume (D: drive). Most customers I talk to love the encryption protection that BitLocker provides, but many are not aware that BitLocker also does integrity checking of early boot components to help ensure that the system has not been tampered with and that the encrypted drive has not been swapped out to another computer. This integrity checking ties back into the &amp;ldquo;security rooted in hardware&amp;rdquo; that is a part of End to End Trust. This integrity checking utilizes a Trusted Platform Module (a smart-card-like chip on the system motherboard) to help protect the encryption keys utilized by BitLocker. This is true for BitLocker in Windows 7 as well as Windows Vista.&lt;/p&gt;
&lt;p&gt;We&amp;rsquo;ve also listened to feedback and made enhancements to Windows 7 BitLocker to provide a better experience for IT Pros and for end users. One of the simple enhancements we made is to right-click enable the BitLocker protection of a disk volume. Now I can go to Windows Explorer and right click any disk volume, including my removable BitLocker To Go volumes, and encrypt them right there without having to go to the Control Panel. &lt;/p&gt;
&lt;p&gt;Another big change was the addition of Data Recovery Agent (DRA) support for all protected volumes. The DRA is a certificate-based data recovery agent that can be utilized to recover the contents of any BitLocker protected volume. Since the group policy settings are separate for Operating System Drives, Fixed Data Drives, and Removable Data Drives, customers have flexibility in how they want to configure their recovery options for the different threats that each separate drive type may experience. &lt;/p&gt;
&lt;p&gt;With BitLocker and BitLocker To Go, enterprises can rest assured that their information and data is secure, no matter where their employees are working. I know I feel better knowing my laptop and all of my USB sticks are protected!&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Internet Explorer 8&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;I know folks are more concerned than ever about protecting themselves while online, particularly from identity theft, malware, and other potentially dangerous online threats. I feel like we have done a lot in the platform and the security technologies we have been talking about this week (Firewall, DirectAccess, BitLocker To Go and AppLocker) are a part of the protection equation. But Internet Explorer 8 is also another huge piece of the equation as users spend more time online, in their browsers. IE 8 is the most secure web browser on the market and provides another, vital layer of defense against online threats.&lt;/p&gt;
&lt;p&gt;We built upon the phishing protection in Internet Explorer 7 with the SmartScreen Filter, which now adds protection from malware &amp;ndash; a threat that is growing significantly faster than phishing.&lt;/p&gt;
&lt;p&gt;We also built in support for protecting users against type-1 (or &amp;ldquo;reflection&amp;rdquo;) Cross-Site Scripting (XSS) attacks. XSS threats try to exploit vulnerabilities in the websites we visit and are quickly becoming one of the most prevalent ways web sites can be compromised. The bad news for you and me is that an XSS attack can help a bad guy steal our usernames and passwords for our online bank accounts or other confidential information. The XSS filter in IE 8 uses heuristics to detect such attacks and, when they are detected, prevent their execution. This should help keep you and me safe from the most common form of XSS attacks in use today.&lt;/p&gt;
&lt;p&gt;Another innovation concerns ClickJacking. While a lot of people have heard of phishing attacks, a new kind of phishing attack called ClickJacking is on the rise. ClickJacking occurs when an attacker&amp;rsquo;s web page deceives a person into clicking on content from another website without realizing it &amp;ndash; so they&amp;rsquo;re clicking on something that, for instance, buys something from the site, changes settings on their browser, or provides advertisements that these cybercriminals get paid for. ClickJacking Protection in IE is a feature that allows Web site content owners to put a tag in a page header that will help prevent ClickJacking. &lt;/p&gt;
&lt;p&gt;I think the IE team has done a great job with the security in IE 8 and love that it puts people in control of their safety and privacy and helps protect them from new online threats. For those of you who are interested, there is a lot more security goodness in IE 8 on the &lt;a href="http://blogs.msdn.com/ie/"&gt;IE blog&lt;/a&gt; and via these links:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx"&gt;IE8 Security Part I: DEP/NX Memory Protection&lt;/a&gt; &lt;/li&gt;
&lt;li&gt;&lt;a href="http://blogs.msdn.com/ie/archive/2008/05/07/ie8-security-part-ii-activex-improvements.aspx"&gt;IE8 Security Part II: ActiveX Improvements&lt;/a&gt; &lt;/li&gt;
&lt;li&gt;&lt;a href="http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iii-smartscreen-filter.aspx"&gt;IE8 Security Part III: SmartScreen&amp;reg; Filter&lt;/a&gt; &lt;/li&gt;
&lt;li&gt;&lt;a href="http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx"&gt;IE8 Security Part IV: The XSS Filter&lt;/a&gt; &lt;/li&gt;
&lt;li&gt;&lt;a href="http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx"&gt;IE8 Security Part V: Comprehensive Protection&lt;/a&gt; &lt;/li&gt;
&lt;li&gt;&lt;a href="http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx"&gt;IE8 Security Part VI: Beta 2 Update&lt;/a&gt; &lt;/li&gt;
&lt;li&gt;&lt;a href="http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx"&gt;IE8 Security Part VII: ClickJacking Defenses&lt;/a&gt; &lt;/li&gt;
&lt;li&gt;&lt;a href="http://blogs.msdn.com/ie/archive/2009/02/09/ie8-security-part-viii-smartscreen-filter-release-candidate-update.aspx"&gt;IE8 Security Part VIII: SmartScreen Filter Release Candidate Update&lt;/a&gt; &lt;/li&gt;
&lt;li&gt;&lt;a href="http://blogs.msdn.com/ie/archive/2009/03/25/ie8-security-part-ix-anti-malware-protection-with-ie8-s-smartscreen-filter.aspx"&gt;IE8 Security Part IX - Anti-Malware protection with IE8&amp;rsquo;s SmartScreen Filter&lt;/a&gt; &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Got To Run&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;I feel great about Windows 7 and the security enhancements we have been able to make. Hopefully as you learn more about the security work that we have put into it, you will reach the same conclusion that I have: Windows 7 is the most robust platform we have ever delivered, it helps support End to End trust, helps keep you and me safe, and was designed to prevent malware from getting onto our PCs to begin with.&lt;/p&gt;
&lt;p&gt;There is a lot going on here at RSA and I want to go spend some more time seeing what&amp;rsquo;s new and exciting. I&amp;rsquo;ll be back with some of my impressions of RSA in a bit.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://windowsteamblog.com/aggbug.aspx?PostID=512016" width="1" height="1"&gt;</description><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Security/default.aspx">Security</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/RSA/default.aspx">RSA</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Clickjacking/default.aspx">Clickjacking</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Windows+Biometric+Framework/default.aspx">Windows Biometric Framework</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/SmartScreen/default.aspx">SmartScreen</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Smart+Card/default.aspx">Smart Card</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/End+to+End+Trust/default.aspx">End to End Trust</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Internet+Explorer+8/default.aspx">Internet Explorer 8</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/BitLocker/default.aspx">BitLocker</category><category domain="http://windowsteamblog.com/blogs/windowssecurity/archive/tags/Biometrics/default.aspx">Biometrics</category></item></channel></rss>