Thursday, May 2, 2013

Microsoft Windows 8 Legacy: An Unacceptable Level of Risk

by Dietrich Schmitz

Microsoft Windows still dominates the U.S. business landscape.  No question there.

But on the consumer side of things, it's a different story.

Today, I discuss why it is vital for readers to understand the seriousness of the risk they assume by using Microsoft Windows.  In particular, I am referring to the 'Legacy' (x86) Windows 8 version and its predecessors. (Image credit: valuendo dot com)

If you are using Windows, please pay close attention as I show how you default to exposing yourself to a high level of risk, without even knowing it.

Legacy Windows NT Kernel


All of the bally-ho aside regarding the newest Windows 8 Modern UI, under the hood, Windows 8 still retains a WinNT kernel designed and written for Windows 2000.  That's right. Substantially, it inherits all rearward features necessarily to maintain compatibility with Enterprise and small business application needs.  And along with that inheritance comes a raft of security issues which continue to plague the operating system going forward.

Security Measures

Microsoft has seen fit to bolster their own application suite Office with their version of a protected mode sandbox.  I say 'their version' because it is mostly circumventable.  They also have 'feathered their own nest' by bolstering Internet Explorer, the default browser on Windows, with its own protected mode sandbox.  This is relying upon the same underlying technology to defeat security exploits.

The point to note here is that Microsoft has seen fit to provide security for their own suite of applications, but essentially leave third-party developers 'high and dry' to figure out how to secure their software solutions.

This is a big issue to my mind.  It should be the responsibility of the underlying operating system to provide default security measures, e.g., sandboxing to all third-party software.

Unlike Windows, Linux provides these security measures so that software vendors can focus on developing quality software.  Yet, to write for Windows, they necessarily need to become security experts.  That is just wrong.

It essentially places Microsoft's 'competition' at a distinct disadvantage as they need to allocate extra resources and 'know-how' to implement security sandboxing.  Google's Chrome for Windows does offer its own sandbox.

Despite of their best efforts, Google Engineers have documented and identified limitations on what their sandbox can do to protect you on Windows.  It is an admission to the underlying deficits in Windows' security design.  Regardless of what they do, their sandbox will still permit security exploits to escalate and gain Administrative rights to a Windows system.

When a security exploit succeeds in gaining Admin rights, it effectively can do anything it wants to a system.  The system is essentially 'owned' by the exploit and can embed itself in such a way as to 'hide' and fly 'below the radar' of Anti-Virus software going fully undetected as it executes its nefarious activities on your system.

Here is a formal statement from Google's own Engineers on the topic of security and their sandbox limitations on Windows:


Other caveats 
The operating system might have bugs. Of interest are bugs in the Windows API that allow the bypass of the regular security checks. If such a bug exists, malware will be able to bypass the sandbox restrictions and broker policy and possibly compromise the computer. Under Windows, there is no practical way to prevent code in the sandbox from calling a system service
In addition, third party software, particularly anti-malware solutions, can create new attack vectors. The most troublesome are applications that inject dlls in order to enable some (usually unwanted) capability. These dlls will also get injected in the sandbox process. In the best case they will malfunction, and in the worst case can create backdoors to other processes or to the file system itself, enabling specially crafted malware to escape the sandbox. 

I've highlighted in red the text which you should be concerned about--very concerned.

Security Ramifications


What does this mean?

Well, from the standpoint of what an operating system should do, once the exploit 'succeeds' in escalating to Administrative privileges, there are no other 'cross-checks' which will occur on Windows to policy check the SYSTEM calls made by the exploit.  It now has unfettered access and can do what it will with your system.

Unlike Windows, with Linux you have, for example, in the case of Fedora Linux, SELinux which if enabled will apply a policy to the Application in question to effectively 'police' all of its activities, including on the kernel (SYSTEM) level.  This is the needed cross-check which Windows x86 Legacy sorely lacks and is the ongoing source of attacks that will continue to provide a 'shooting fish in a barrel' environment.

In lieu of a solution, world-wide criminal activity that exploits Windows Legacy continues to grow unabated.

It is a most serious situation for both businesses and consumers.  Often the user visiting a compromised website won't even know their system has been compromised by a Drive By as it silently burrows into their system.

Lack of a Repository System

Windows Legacy applications are not protected by a repository system.  The purpose of the Linux repository is to house all vetted software applications and binary drivers and provide a GnuPG keyring secured 'fingerprint' of their authenticity and to assure that they have not been tampered with.

One of the many long-standing issues with Microsoft Windows has been the lack of a repository-based system, which opens up the possibility for users to venture 'into the wild' of the Internet to find various software.  When a user accepts and downloads one of these applications from the Internet, they are making an implicit decision to 'trust' that application.

When a user downloads, for example, a game, which in this example happens to be laden with an exploit which will spawn when the application starts, unbeknownst to the user, it is referred to as a Trojan Horse application.  It runs under various pretexts, including offering a game, a utility of some kind, even rogue security software pretending to protect your system.  They all include  a 'payload' which deploys on your system.

The point of a repository and one of the key benefits of open source is that 'many eyes' vet and review software for approval to be included in the repository, deemed safe to use and devoid of any malware or virus code.  This has been one of the corner stones of using Linux open source software.

Pwn2Own/Pwnium 2013

This year's CanSecWest Pwn2Own challenge drew more 'shooting fish in a barrel' so-called security experts to yet another annual challenge to attempt to compromise a Windows Legacy based system running with various browsers.  The results are here. Suffice it to say, it wasn't difficult for the challengers to exploit Windows, even Chrome with its sandboxing technology was fully compromised.

In a separate hall of the same CanSecWest convention was held Pwnium 2013, sponsored by Google and with a configured stock Chromebook.  The goal was to have security experts attempt to exploit the Chromebook system running ChromeOS, a Linux kernel based operating system written by Google for the Chromebook.

In stark contrast to Pwn2Own, there was no successful attempt to fully compromise the operating system.

This is quite emblematic of just how safe Linux truly is while Microsoft Windows security continues to leak like a colander.

Today, if you are using a Linux Distro with a kernel equal to or newer than version 3.5, you can run Google's Chrome browser and be assured that it will run in its own sandbox provided by the underlying operating system, Linux.  Chrome in this context uses not SELinux, but seccomp-bpf to provide the sandbox to your browser session.

Rest assured your Internet activities will be safe with seccomp-bpf and if you want to confirm that it is running, type into your Chrome browser bar this url:

chrome://sandbox


You should see this information:



Free Software Foundation Campaign

The Free Software Foundation has taken recently to running a rather aggressive campaign.
Go to the website and judge for yourself.  I hope the information helps you to make an informed decision that includes switching away from Windows to Linux.

FSF's Upgrade from Windows 8 Campaign


Conclusion

I hope at this point that you have gotten a better sense for the level of concern I have for using Windows 8 Legacy.  The risk is simply unacceptable on so many levels.

Please give Linux a try today and discover a whole new world of truly secure, sharing and openness.

This is what humans do best.  So, do the right thing.

-- Dietrich

Enhanced by Zemanta

0 comments:

Post a Comment