• TechnologyInnovator
• NextInnovator
• EnterpriseInnovator
• SecurityInnovator
• DefenseInnovator
• WirelessInnovator 
• HPinnovator
• EnergyInnovator
• TransportationInnovator
• SMBinnovator (beta)

• NextInnovator(at)Live.com

• Ghost City
• Frontline Sentinel
• Innovation Insights
• WebInno
• Over the River
• Enderle Group
• Security Insights Blog 
• McAfee Audio Parasitics
• Rethinking Security
• Ovum
• iSuppli
• Canalys
• eMarketer 
• CRM Help Desk SW 
• Rethink Research
• The Gadgeteer
• Master the Moment

 

This is our second look at security-related changes to Windows 8 and the new Metro interface. Our first post introduced the topic and examined some of what’s new and potentially risky in Internet Explorer 10. Today, we’ll discuss improvements and possible problem points in the Windows Store, background tasks, the Windows 8 interface, and more.

Let’s Go Shopping

The Windows Store is similar to applications stores or markets for other platforms. To install apps, a customer needs to have a Microsoft Account (or a current Windows Live account).

The Windows Store

The Windows Store currently does not prompt users to review the capabilities being requested by a new application. This information is visible in the details page for the application:

Application capabilities

If an application attempts to access something that it hasn’t requested at installation, then the application will be denied access to that resource. It is important that users review the capabilities requested by their applications and not install those that request permissions that make the users uncomfortable. Odd requests can be a warning flag, for example, if a photo-editing app requests access to text messaging (SMS) yet has not explained why this capability is required. Purpose-built security software always adds value and provides more layers of protection from such rogue applications.

Background Tasks

With Metro, all applications that are not in the foreground are suspended—so they don’t chew up resources that the foreground application could use. But Metro applications can also be active while in the background. Here are some triggers that will cause activity:

Although background triggers are not security risks per se, Metro will allow applications to run in the background. The trigger will launch a terminated application or unfreeze a suspended application and the run the task without bringing the application to the foreground. The user will not know the program is running.

Windows 8 vs. Windows 7 Interfaces

With Windows 8 (apart from the Metro interface) Microsoft has made significant improvements over the previous version. Fixes and upgrades include address space layout randomization, heap randomization, kernel fixes, and improvements to use-after-free issues in IE 10.

Let’s look at some noteworthy changes that will be visible to users. We’ll cover more improvements in future posts.

Windows SmartScreen

The SmartScreen feature, introduced in earlier versions of IE, has become Windows SmartScreen. This helps protect users from downloading or running suspicious or malicious applications. As you might expect, however, it allows you to run the executable anyway.

Windows SmartScreen

SmartScreen warns users who try to download a suspicious executable, but users may override the warning. This freedom poses a risk if such downloads are not secured by policy or antimalware solutions.

Users can choose to bypass warnings

Windows Defender

Windows Defender has been around for a while, but in Windows 8 it will come packaged with Windows and provide a first line of defense for users without an independent security suite installed. Windows Defender will detect viruses and other malware; that’s an improvement on previous versions, although in third-party tests Microsoft security solutions have performed at no better than an average level, according to the “Virus Bulletin” RAP averages quadrant. Windows Defender is a good first step toward effective security, but “defense in depth” is better. Consumers should install a desktop security suite to provide better protection than Windows can offer. In a corporate environment this defense becomes even more important, and security policies can be better enforced with an endpoint security suite.

Browsing Metro Style

A browser must provide everything from text, forms, and images to complex resource-intensive activities such as script execution and video. Browsers that have adopted the HTML5 standard are much more feature rich, and they are also a gateway to some rich applications that require system resources not available within Metro. But these user and application demands are difficult to meet in Windows 8 due to the significant restrictions placed on the Metro environment.

To provide developers and users with a choice to change the default browser in Windows 8, Microsoft has introduced a new class of applications: the “Metro style enabled desktop browser.” These applications can be registered as the default browser and can execute within the immersive Metro interface. This is an interesting twist because this non-Metro, non-Windows-Store application can influence Metro. It shouldn’t take long before we see custom tricks to get nonbrowser applications posing as browsers.

To Microsoft’s credit the Metro browser installation is not entirely unattended. To select a default browser, the user sees the following screen:

The default browser selection screen