Trend Micro: Windows 8 is very secure but still has attack points

Windows 8 is looking like it will be a more secure operating system to install than Windows 7, but that doesn't mean it's 100 percent secure. A security researcher claims that he has found at least three attack points in Windows 8 that could leave the OS open to exploits.

Computerworld India reports that, during a presentation at the recent Black Hat security conference, Sung-ting Tsai of Trend Micro said the three attack points are the kernel-level Advanced Local Procedure Call (ALPC) mechanism, the Component Object Model (COM) application programming interface and the Windows Runtime API. So far, Tsai says he has been unable to create anything that exploits these attack points.

However, that doesn't mean that exploits could not be found by someone dedicated to discovering one. The article states that Tsai developed an attack method against the Windows Runtime API. Tsai says he launched an attack "... via fuzzing -- sending it random commands to see if they cause the API to malfunction and create a vulnerability."

Tsai claims that anyone using this method would need some time and some luck to find a true exploit, and says he has had some luck in this area.

Tsai previously found a memory corruption issue in the Consumer Preview version of Windows 8. He reported the problem to Microsoft, which later patched it with the launch of the Release Preview build.

So even though three weaknesses have been found, it does not mean that they can be exploited, yet. Since Tsai already reported previous weaknesses to Microsoft, hopefully these three issues will be passed along as well to help make Windows 8 the most secure version of Windows ever.

Source: Computerworld India


40 Comments


Weren't Trend Micro the ones that pulled the "we're not going to tell Microsoft" stunt at the last pwn2own?

Applications downloaded from the Windows Store will be secure, but I've not seen anything that suggests that in the desktop arena 8 will be any more hardened to viruses than 7, although admittedly UEFI Secure Boot will be great against rootkits.

.Neo said,
Every OS will have its attack points.

Like .Neo said, every OS has attack points if it is a general purpose OS and exposed to the world via network or media access.

Isolating a system from the network and media and making the OS unable to process any 3rd party software or respond to anything but a set, limited hardware configuration is what is required to get no attack points.

This makes a very limited OS, and even appliance/embedded OSes built today that would have adhered to a no attack point model even 10 years ago, today have attack points, because they are Internet aware and/or accessible.

The only way to not have attack points is to not have any accessible layers, which is not possible on a general purpose OS, at least not with legacy software support constructs.


This article is stating the sky is blue. What is strange is that this is an attempt to somehow call Windows 8 into question, when even the article admits it is more secure in design than Windows 7, and currently Windows 7 has the best security track record in OSes.

Additionally, Windows 8 reduces attack point access when running WinRT Applications, adding additional layers of security with sandboxing and App isolation.

To put this in perspective, in theory Chrome has more attack points than a WinRT Application. (Which increases almost exponentially when WebGL or Chrome native code is enabled.)


The trick with attack points is getting through and being able to use them.


Since Vista, Windows has bested Linux and OS X for security and reliability, upholding not only a lead but a 20 to 1 potential exploit difference with OS X, and a 5 to 1 actual exploit difference with Linux and OS X. (When limited to just Windows 7 data, this shifts upwards closer to 30 to 1 and 7 to 1.)
*The data is out there in the number of exploits fixed regarding security vulnerabilities in a timeline for OS updates. There is also security information out there for exploits successfully used.

To put this security claim in perspective...
Even with 750 million people running Windows 7, malware or bots have not hit it in the same numbers that both OS X and Linux have seen in just the last year, let alone going back to 2009 and its release.

Linux servers and network devices based on Linux (switches/routers) have been hit, with a large number of unscreened devices and servers still remaining botted. Hidden low level devices are a major issue right now, and ironically, these are one of the best ways to load malware on Android, as they packet watch for a secure Google App update and attach malicious code. We had a botted router on a Verizon network infect test devices using this method, and an unscreened Linux router.
(This is also what the hacker groups use, Linux servers, for large scale attacks. And there are attack points in Linux that go back to code first written in the late 80s that is still around.)

Recently OS X had around 1 million systems botted. And for Macs, this is a large percentage of active users, and again some of the patches we have seen in OS X in the past couple of years are still from code remnants going back to NeXT/XNU and MACH from the 1980s.


Which brings me to a simple fact: legacy architectures/models like Linux and OS X have far more attack points than Windows NT.

Which is why placing Windows NT (any version) as the security point of discussion due to its architectural attack points is freaking insane in comparison to other OSes.

thenetavenger said,

...

man, I know you didn't sit there and write all this...... 0.o
good read though

ctrl_alt_delete said,

man, I know you didn't sit there and write all this...... 0.o
good read though

It's like a Tim Buckley comic with all of those words. Also you didn't have to quote his wall of text

Edit: just realized your name was ctrl-alt-del lol

This may or may not be accurate, but I wouldn't entirely trust Trend Micro's feelings on it. Their corporate antivirus software has been hopeless at times.

hitman05 said,
This may or may not be accurate, but I wouldn't entirely trust Trend Micro's feelings on it. Their corporate antivirus software has been hopeless at times.

Certainly not my first choice for security, but my undergrad seems to love it be it worthless or not.

este said,

what?

What do you mean "What?" Do I honestly need to spell it out for you? There will always be an idiot that gets an email, clicks the link, and gets hit. Windows 8 is no exception to this, nor is OS X and Linux.

Also, idiots who have nothing better to do than to create viruses. They might be a smarter idiot, but still an idiot nonetheless. Two idiots combined = profit for AV companies and Best Buy Geek Squad and Apple.

Kimleng said,
Also, idiots who have nothing better to do than to create viruses. They might be a smarter idiot, but still an idiot nonetheless. Two idiots combined = profit for AV companies and Best Buy Geek Squad and Apple.

And there's nothing idiotic about job security

Kimleng said,
Also, idiots who have nothing better to do than to create viruses. They might be a smarter idiot, but still an idiot nonetheless. Two idiots combined = profit for AV companies and Best Buy Geek Squad and Apple.

I beg to differ. People who create viruses are not idiots, they may be ill-intended but not idiots.

Terracotta said,

What do you mean "What?" Do I honestly need to spell it out for you? There will always be an idiot that gets an email, clicks the link, and gets hit. Windows 8 is no exception to this, nor is OS X and Linux.


Hmm.... because even if there were not 'idiots' in the world, viruses would still exist?
'Idiots' are not the ones who create the viruses you know.

Terracotta said,

What do you mean "What?" Do I honestly need to spell it out for you? There will always be an idiot that gets an email, clicks the link, and gets hit. Windows 8 is no exception to this, nor is OS X and Linux.

Not everyone that gets viruses is an idiot. Read about the Stuxnet and Flame malware. The first was introduced through espionage (probably an agent entering the home of one of the workers of the nuclear facilities and inserting the virus on his/her laptop/pendrive), the second by exploiting MS Windows Update security certificates (no Windows user would be able to avoid it).

How would you prevent getting either one?

Terracotta said,
As long as there are idiots, there will be viruses...

Wow, this turned into a Logic Class 101 argument.

Right now, constraints against social engineering have the greatest potential for reducing security risk.

Just bringing home users to parity with what enterprise users/employees have already had drilled into their heads can still be valuable in reducing end user exposure/risk.

There are also automated screening technologies like the ones IE introduced, that truly do bring down the number of 'idiot clicks' by flat out blocking access to the site, not running the code, and other mechanisms it has to shut down exposure based on severity.


However as long as there are people that want to clever 'idiots' and create malware or have a financial gain from them, it will continue, as there is always a Lex Luthor or Brainiac that is smarter than the person writing the code.

We have team members that thankfully are on the Watchtower side of this battle, but potentially could be the Arch Villains of exploits and malware.

And this is where high level language code makes their job so easy it is scary.

They potentially can dig through machine code to find an exploit, but this is a long process, and impossible when it is obfuscated/encrypted at a high enough level.

However, OSS is a dream to them. Having a high level language to dig through with no encryption or obfuscation, and they can pull rabbits out of the Matrix and make Neo cry.

We have had situations with brilliantly locked servers, and they go grab a bit of code from a few areas they know are weak, especially older *nix code in use, and in a few minutes they find a bit of code where they are smarter than the person that wrote it.

All they need is to find a tiny flaw or a new exploit for which protection was never added to the code, and pop, in less than 30 mins, they have the server compromised, and back in control of the proper owner. (All faster than other recovery mechanisms, especially when the IT person that locked the box was bright.)

In a Windows Server environment, this is not a viable option, and normal recovery is the recourse.


Idiots on both sides are dangerous; however, the unintentional idiots have room to be helped.

Kimleng said,
Also, idiots who have nothing better to do than to create viruses. They might be a smarter idiot, but still an idiot nonetheless. Two idiots combined = profit for AV companies and Best Buy Geek Squad and Apple.

Lol no, the people who make viruses are somewhat intelligent; the people who get them are generally idiots...

Everything is designed by humans. What do you think? lolz ... There will always be someone smarter to break someone's code. All they can do is make it harder, so that fewer people know how to break it.

Windows users are very smart, even though there are still stupid home XP users (corporate has reason to use XP), and these antivirus companies know that, so they try to scare people so they buy their product, which will keep them alive. But seriously, Microsoft Security Essentials is good enough for normal users; for more advanced users the addition of COMODO firewall is an unbeatable combination, and with Windows 8 we don't need an antivirus because Security Essentials is now a part of Windows 8.

As long as there are an abundance of under-educated users using PC products, security risks will always be present. However, Windows 8, as much as I disapprove of the UI, goes to great lengths to overhaul their security framework to an acceptable, modern-day default. I don't think additional security products are unwarranted; it just depends on your level of computer usage and level of comfort with computers.

Well, no operating system will ever be 100% secure; in a world that changes so quickly, I am sure Windows 8 will have its share of security updates. So, Windows 8 will not escape Patch Tuesday. I just hope there are no unusual 20 year old NT kernel vulnerabilities, especially in the 32 bit version.

Mr. Dee said,
Well, no operating system will ever be 100% secure; in a world that changes so quickly, I am sure Windows 8 will have its share of security updates. So, Windows 8 will not escape Patch Tuesday. I just hope there are no unusual 20 year old NT kernel vulnerabilities, especially in the 32 bit version.

Windows 8 ISO size was reduced by at least 1 gig even though they added Metro, which means a lot of code cleaning, and nowadays almost everyone uses the 64 bit version.

sat2012 said,
Windows 8 ISO size was reduced by at least 1 gig even though they added Metro, which means a lot of code cleaning, and nowadays almost everyone uses the 64 bit version.

'Almost' everyone uses 64 bit Windows. I manage a network with 101 clients, 1 server, all are 32 bit. We recently got 10 Dell Netbooks with Windows 7 Professional and guess what, it's the 32 bit version. Microsoft is also distributing a 32 bit version of Windows 8, if you didn't know.

sat2012 said,
Windows 8 ISO size was reduced by at least 1 gig even though they added Metro, which means a lot of code cleaning, and nowadays almost everyone uses the 64 bit version.

Where is this 1GB ISO, if you don't mind me asking. Not trying to be funny, but the RP ones I have are 2.5 and 3.3GB. I still expect that most vulnerabilities found will affect 8, 7, Vista, etc.... Not including WinRT in this though...

Riggers said,

Where is this 1GB ISO, if you don't mind me asking. Not trying to be funny, but the RP ones I have are 2.5 and 3.3GB. I still expect that most vulnerabilities found will affect 8, 7, Vista, etc.... Not including WinRT in this though...

WinRT is not an operating system. If you are referring to the ARM version of Windows, that's Windows RT. I know, it's stupid.

It is really going to be great if the new Windows Store is very successful, because the people that are most vulnerable to these attacks will be protected so much more, since they can download apps instead of searching the internet for random programs and getting a virus.

My opinion is that most people who get viruses are people who don't know very much about computers but know they can pirate software/movies/music off of the Internet. They search the internet for something for free, but don't have the common sense to determine that the web site they are on is really really shady.

I don't think that the Windows 8 store is going to change that. I hope I'm wrong, but I don't think that I am...

Shadrack said,
My opinion is that most people who get viruses are people who don't know very much about computers but know they can pirate software/movies/music off of the Internet. They search the internet for something for free, but don't have the common sense to determine that the web site they are on is really really shady.

I don't think that the Windows 8 store is going to change that. I hope I'm wrong, but I don't think that I am...


Basically, we need to educate people on how to safely pirate.

Shadrack said,
...

There is no pirating software on Windows RT based tablets. You will only be able to run code that is signed by the Windows Store. This means any code you run must be vetted by MS approval process first.

It's my assumption that both Surface (RT) and Surface Pro will be limited to store signed binaries only.....

So, for some it will change.
I don't know if there are still ways to corrupt a content file to have it execute malicious code.

Shadrack said,
My opinion is that most people who get viruses are people who don't know very much about computers but know they can pirate software/movies/music off of the Internet. They search the internet for something for free, but don't have the common sense to determine that the web site they are on is really really shady.

I don't think that the Windows 8 store is going to change that. I hope I'm wrong, but I don't think that I am...

Apart from malicious websites, people also don't think about the real size of the app they are downloading illegally. MS office is not 256kb.

Lachlan said,
It is really going to be great if the new Windows Store is very successful, because the people that are most vulnerable to these attacks will be protected so much more, since they can download apps instead of searching the internet for random programs and getting a virus.

hahaha it will be good, there will be less moaning about how "Windows always gives me viruses"