McAfee Blogs: Windows 8 Metro Brings New Security Risks
Jun 29, 2012 – Prashant Gupta
With the upcoming Windows 8, Microsoft hopes to finally make Windows a serious contender in the tablet market and to offer a consistent user experience across all Windows devices. Our examination of prerelease software suggests that Microsoft has achieved much of that ambition. However, the company has also created challenges for users that in some ways may increase their security risks.
In a series of blogs, we will highlight for security professionals and IT administrators the security-related changes to Windows 8 and provide a comparison with industry standards. These blogs will offer our analysis of the prerelease version of Windows 8. With new features added and problems fixed with every build of Windows, this current information may not necessarily represent the final version of Windows 8.
This incarnation of Windows scales from 32- and 64-bit devices (such as desktops) down to ARM-based devices (in tablets, for example). Applications developed with Microsoft’s Metro design language, the Windows Store, and the Microsoft Account will comprise Microsoft’s unified ecosystem. This environment caters to the wide range of platforms that Windows supports without the need for platform-specific code and development experience, while also providing a seamless interface and user experience, in Microsoft’s view.
Enhancements in Windows 8 that are clearly visible to users include Windows Defender, SmartScreen, and a more secure environment for Metro applications. The improvements can be divided into four areas: improvements to Windows antimalware components, declarative resource access, application vetting via the Windows Store, and restrictive resource access for applications. All of these will make the Metro environment significantly safer. At the same time, however, security risks from rogue applications and vulnerabilities in applications that interact with the web and handle user data leave lots of room for exploitation, not to mention ever-present malware on the desktop.
Technically the attack surface in Windows 8 is bigger than in Windows 7 because of various new components and changed processes, especially the Metro interface. Offsetting this are the significant checks and measures put in place as described in this paper.
Windows 8 brings together years of mature and revamped Microsoft technology. The Microsoft Account is essentially the Windows Live ID, the Metro interface supports Windows Phone 7 and the Xbox, and with the Windows Store Microsoft hopes to create an Apple Store-like market to complete the Windows 8 ecosystem.
Metro offers a tile-style surface that supports both touch and traditional keyboard and mouse interfaces. The Windows desktop’s start screen of almost two decades has now been given a back seat in favor of the Metro start screen, which provides, among other things, “live tiles” that applications can update to show fresh status and an always-connected experience for users.
One significant change for the corporate environment is that there is no official way to disable the Metro interface from Windows 8. Another important change for users is that the new interface focuses on an immersive user experience. This means that operating system shell artifacts such as the taskbar or application menus are no longer visible. When a user opens an application, it uses the entire screen, allowing much more space and providing a fully involved experience.
Although it is possible to use the Metro interface with a keyboard and mouse or touchpad, the interface is clearly awkward. The latest releases of the Windows preview show various tweaks that make the usability of this interface more mouse/keyboard friendly, but the advantage of touch over traditional input interfaces in this interface is very apparent. This can possibly open a market for devices that will bridge this gap or create a completely new market for interface devices.
Internet Explorer 10
Another big change is that Internet Explorer (IE) 10 is now available in both Metro and desktop modes. This duality has advantages for backward compatibility.
In the Metro interface, IE runs in an immersion mode that provides full use of the screen space. The URL bar also becomes invisible. Here is what this looks like:
This is quite different from the regular desktop interface, which looks not much different from the traditional IE:
With this immersive interface, users need to expose the address bar before entering any credentials to avoid scams. The next two screens show a live phishing site in the Metro interface followed by the legitimate site:
Hard to tell them apart, isn’t it? Now compare both sites with the address bar visible, and you can spot the legitimate one. It has the green address bar and a lock icon indicating a secured SSL connection. We can also see that the fake site is not actually hosted on paypal.com or paypal.de but has paypal.de as a subdomain of a non-PayPal domain.
A browser’s address bar has been a fundamental part of the user experience over the years, and it is still available with Windows 8. But in Metro the address bar will not always be visible; that can lead to trouble. We think the address bar should be visible when you are entering credentials.
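The check a user makes by looking at the exposed address bar (which domain actually owns this host, and is the connection HTTPS?) can also be expressed in code, which is useful for proxy logs or link-scanning. The following is an added example, not code from the original post or from McAfee: it splits the host name into DNS labels, takes the registrable domain, and flags hosts that merely embed a trusted brand domain as a subdomain or label prefix, which is the trick used by the phishing page above. The trusted-domain allowlist and the sample URLs (`*.example` hosts) are constructed for illustration, and the "last two labels" rule is a simplification that is wrong for multi-label public suffixes such as co.uk; production code should consult the Public Suffix List.

```python
"""Flag lookalike hosts that embed a trusted brand domain as a subdomain.

Assumptions (not from the original post): the allowlist and sample URLs
below are constructed; registrable_domain() uses a naive "last two
labels" rule and should be replaced by a Public Suffix List lookup in
production.
"""
from urllib.parse import urlsplit

# Constructed allowlist of domains the brand legitimately serves from.
TRUSTED_DOMAINS = {"paypal.com", "paypal.de"}


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of host, lower-cased (naive eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Classify a URL as 'trusted', 'lookalike', or 'other'.

    'lookalike' means a trusted domain string appears inside the host
    name while the registrable domain is something else, e.g.
    www.paypal.de.login-verify.example, whose real owner is
    login-verify.example.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    https = parts.scheme == "https"
    if reg in TRUSTED_DOMAINS:
        verdict = "trusted"
    elif any(trusted in host for trusted in TRUSTED_DOMAINS):
        verdict = "lookalike"
    else:
        verdict = "other"
    return {
        "host": host,
        "registrable_domain": reg,
        "https": https,
        "verdict": verdict,
    }


# Constructed sample URLs: one legitimate, two lookalikes, one unrelated.
SAMPLE_URLS = [
    "https://www.paypal.de/signin",
    "http://www.paypal.de.login-verify.example/webscr",  # brand as subdomain
    "https://paypal.com-secure.example/account",         # brand as label prefix
    "https://example.org/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        r = classify_url(url)
        print(f"{r['verdict']:9s} https={str(r['https']):5s} "
              f"owner={r['registrable_domain']:22s} {url}")
```

Note that a "trusted" verdict only says the registrable domain is one the brand owns; the lock icon the post mentions is the separate check that the certificate presented for that host is valid, which this script does not perform.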
Within the Metro interface, IE 10 will have no custom plug-in support; the desktop version will still work with plug-ins. The lack of Metro support is intended to improve performance, reliability, and security; those who need specialized plug-ins can use the desktop version to maintain compatibility.
With IE 10 in Metro mode, Microsoft has, with support from Adobe, introduced a limited version of the Flash player, removing many Flash functions but adding support for touch gestures. These tactile features should make using Flash more friendly with Metro. There might be a catch though: Within Metro, Flash doesn’t appear to work for all websites. Flash support will be enabled for a certain list of sites chosen by Microsoft. Flash games on the gaming site miniclip.com, for example, work in Metro, but a Flash file uploaded to one of our test sites that works with IE 10 in desktop mode did not work with IE 10 Metro.
In future blogs we’ll examine the new interface, enhancements and risks in Windows 8, and securing applications. Stay tuned.
I’d like to thank my colleague Igor Muttik for his assistance with this analysis.