USA Today publishes misleading editorial on Windows 8 security


A new editorial by USA Today claims Windows Store apps could potentially include viruses.

For the second consecutive month, a major news outlet has published a misleading article about the security of Microsoft's latest Windows releases, Windows 8 and Windows RT.

USA Today has published an editorial stating that Windows 8 is susceptible to potentially infected "widely available, consumer smartphone apps" that Windows system administrators need to worry about. The editorial follows an Inc.com article last month that incorrectly stated Surface with Windows RT was vulnerable to traditional Windows viruses.

The editorial, written by Mark Austin, co-founder of Windows privilege management company Avecto, states the app store in Windows 8 and Windows RT could lead to "a whole new set of vulnerabilities" that organizations using Windows haven't had to face before. Part of Austin's argument revolves around the fact that malware has been distributed to Android users through apps. Austin's editorial fails to mention that these apps are obtained through third-party locations – not the Google Play Store – and require users to change their settings to allow the installation of unsigned apps.

As with the Google Play Store, apps in the Windows Store are reviewed by Microsoft and scanned for malware prior to being certified; these apps also require a digital signature from Microsoft. As explained in a Building Windows 8 blog post by John Hazen, a Microsoft program manager for its developer experience team, the digital signature prevents fraudulent apps from running on Windows 8 devices.

"Windows uses digital signatures to ensure the integrity of your app all the way from the Store to installation and even when the app is loaded and running on your customer’s computer," Hazen wrote in the blog post. "If Windows detects that the app no longer matches its digital signature, it guides the customer to download a corrected version from the Store."

According to Austin, however, Microsoft could allow "malicious applications to slip through the cracks, ultimately infecting a company's entire network," although he gives nothing to support his assertion. Austin also argues that an app being approved by Microsoft for the app store "does not necessarily make it suitable for business use."

Another aspect of Austin's argument is the recent release of a tool that enabled users to pirate paid apps from the Windows Store. That tool also allowed users to sideload unsigned apps to Windows 8 devices, but the bypass is only temporary and must be performed each time the machine is booted.

Again, however, Austin fails to mention that users would have to use a tool to allow the installation of these unsigned apps that could theoretically be infected with malware – something that's unlikely for most users, especially business users.

Source: USA Today | Image via Microsoft


42 Comments


digitally signed doesn't mean it's safe,...

...er wait,
"signed = safe" was the nonsense that old IE spouted when it encountered a website that wants you to download their dubious toolbars/activeX/add-ons/browser-helper/plug-ins/codecs.

The only security hole that exists in Windows 8, if you can even call it that, exists if the company's IT department leaves their users as Admins and leaves the store enabled.

One of the first things I've done when setting up the few Windows 8 PCs that I have which ended up being used for business purposes is gone into the Group Policy editor and shut the store off.

No Minesweeper/Solitaire/Chess for you!!!

A major news organization publishes misleading, inaccurate information about Windows. What else is new. Welcome to the politics of technology.

First:

A VIRUS IS NOT THE SAME AS A TROJAN.

Second:
Practically, no system is trojan free and it is pretty hard to find a trojan code inside a program.

Third:
Certification is a joke, they just check some basic tasks such as "this app opens?", "it takes too much time to open?", and such.

Brony said,
Third:
Certification is a joke, they just check some basic tasks such as "this app opens?", "it takes too much time to open?", and such.

I'm pretty sure the automatic code validation is a little more complex than this.
You don't really have a clue, do you?
Plus, you have to pay a fee for participation in the store which comes with a terms of service.
I'm quite certain you'd have to commit fraud just for the opportunity to have your malicious code fail validation.
You must be thinking of other app markets and how they function.
Windows Store code is highly vetted for more than just operational characteristics.

"The editorial, written by Mark Austin, co-founder of Windows privilege management company Avecto,"

Yeah. He has NOTHING to gain from stating that Win 8 is insecure.

If Windows 8's reputation is being dragged through the mud then Neowin must rise to defend it. USA Today aren't even wrong, per se.

What's next? If someone posts a bad review of Microsoft/A Microsoft product this site will criticize them.

With each new version of Windows, we have some company that stands to make money by selling security solutions, and somebody from that company claims that the newer version is less secure than the previous version. It happened with Win7 (was it Symantec that made claims?), and Vista before that, and XP before that. There were claims that the new TCP/IP stack would not only open Windows to new viruses, but also bring down the entire internet. People would just blindly click allow on every UAC dialog, allowing every virus known (or unknown) to run rampant over the internet, destroying every Windows computer available.

There is money to be made, and why not spread some FUD to line your pockets with a few more dollars? And when the competition makes the same mistakes that Microsoft made years ago (Trojans in Android, or when Apple suffered from the same problems that Outlook had over a decade ago), well, we will just ignore those problems because there is no money to make there.

Even if Microsoft let a malicious App slip through the screening process, the security mechanisms of the WinRT framework would prevent the App causing damage or affecting the OS or other Apps.

Windows 8 Apps are in a sandbox in a sandbox that can't touch other toys in the sandbox. There is no OS system or App model in the world that even comes close to this level of security. iOS Apps are many times more likely to cause problems or be plagued with Malware, and Android Apps are generations behind this level of security.

The author is from a company peddling security software solutions, but doesn't even understand how the new Windows 8 App framework works in regard to security. Brilliant.

Everyone should email this person with just one phrase:
Application Isolation

*smacks head*

USA Today's a reputable news outlet. The only problem is most news outlets who cover technology cover a much broader view of technology than the tech outlets you read -- a lot of times they're simply not very well versed in more intricate information.

I'm more surprised that an executive at a Windows security company would write an article that omits several key details and misleads readers. It's possible it was ghostwritten for him, but I'm still surprised he'd sign off on it.

This is why I don't take everything I hear on news outlets seriously. Things like this make me think that these people don't take their job seriously.

You may not take it seriously, but most Americans will believe what they see on the news. They don't care what the source is, as long as it looks interesting, they'll read it.

link6155 said
You may not take it seriously, but most Americans will believe what they see on the news. They don't care what the source is, as long as it looks interesting, they'll read it.
Well I live in Canada and I know some people who are just like you described to me. They believe everything they hear without questioning anything..

“In theory, theory and practice are the same. In practice, they are not.”

Would be nice if assumptions were made against practical aspects rather than theoretical. In theory I could take over the world too if [insert way of doing it here] /s

Wow, just about the only accurate statement was:

Austin also argues that an app being approved by Microsoft for the app store "does not necessarily make it suitable for business use."

And that is beyond common sense. LOL.

Lots of fail here for sure.

M_Lyons10 said,
Wow, just about the only accurate statement was:

And that is beyond common sense. LOL.

Lots of fail here for sure.

The irony is that not only does Microsoft allow private App signing and distribution for 'business' customers, Microsoft also provides Apps signing and privately accessible distribution through Microsoft.

What a clown this guy must be.

What happened to articles written by those with journalistic integrity, whose articles relied on topics based in fact, rather than opinion?

It seems like news outlets are willing to give their soapbox to anyone with a keyboard these days.

ahinson said,
What happened to articles written by those with journalistic integrity, whose articles relied on topics based in fact, rather than opinion?

It seems like news outlets are willing to give their soapbox to anyone with a keyboard these days.

Definitely agree with that. It's not like what it used to be.

ahinson said,
What happened to articles written by those with journalistic integrity, whose articles relied on topics based in fact, rather than opinion?

It seems like news outlets are willing to give their soapbox to anyone with a keyboard these days.

There was a time when you picked up PC Mag or Byte or virtually most of the technical based magazine/journals, and the majority of the authors of articles were people with CS and Engineering education backgrounds.

Today, you are lucky to get a technical writer that can turn on their computer without help.

As for people that 'get' technology and can not only write accurately on a subject, but convey what the overall meaning of the technology is or how it will affect people is non-existent.

Take goofs like Leo L. or Chris P. - they are personalities that have almost no credible industry background or technical education. Yet people listen to their podcasts and read their blogs.

Even take a Paul Thurrott, he has virtually no technical education or background, and couldn't even write about NT's HAL and Windows 8 on ARM without mixing it up so bad that he concluded NT's HAL made Windows harder to port. By nature the HAL only exists to make Windows EASIER to port. Yet this baffled him to mind numbing confusion.

This also goes beyond public journalism:
Our company did research last year about tech writing and in house technical writers that provide information to their company. 98% of the people writing the information/articles had no computer education or real world experience beyond being a basic user. And these are the people sending out and writing technical information for banks and hospitals on their highly technical systems and equipment, and are filled with inaccurate information. (So if the next time you are in a hospital and the person using the ECG machine isn't doing it correctly, thank the person that has no understanding of the technology or even medicine that wrote the instructions the staff was trained from.)

To be fair, this wasn't a news article. It was an Editorial. And you will have to look long and hard to find an editorial in a newspaper that includes facts lol.

thenetavenger said,
Take goofs like Leo L. or Chris P. - they are personalities that have almost no credible industry background or technical education. Yet people listen to their podcasts and read their blogs.
I liked this comment, until you started bashing good people like Chris Pirillo.. He's actually really good at what he does and it's a shame that you're too blind to see that..

thenetavenger said,

There was a time when you picked up PC Mag or Byte or virtually most of the technical based magazine/journals, and the majority of the authors of articles were people with CS and Engineering education backgrounds.

Today, you are lucky to get a technical writer that can turn on their computer without help.

As for people that 'get' technology and can not only write accurately on a subject, but convey what the overall meaning of the technology is or how it will affect people is non-existent.

Take goofs like Leo L. or Chris P. - they are personalities that have almost no credible industry background or technical education. Yet people listen to their podcasts and read their blogs.

Even take a Paul Thurrott, he has virtually no technical education or background, and couldn't even write about NT's HAL and Windows 8 on ARM without mixing it up so bad that he concluded NT's HAL made Windows harder to port. By nature the HAL only exists to make Windows EASIER to port. Yet this baffled him to mind numbing confusion.

This also goes beyond public journalism:
Our company did research last year about tech writing and in house technical writers that provide information to their company. 98% of the people writing the information/articles had no computer education or real world experience beyond being a basic user. And these are the people sending out and writing technical information for banks and hospitals on their highly technical systems and equipment, and are filled with inaccurate information. (So if the next time you are in a hospital and the person using the ECG machine isn't doing it correctly, thank the person that has no understanding of the technology or even medicine that wrote the instructions the staff was trained from.)


Having technical backgrounds doesn't make people immune to ignorant opinions about technology.

dtourond said,
Chris Pirillo.. He's actually really good at what he does and it's a shame that you're too blind to see that..

Yeah, he's great at being a blowhard and a shill. I'm not too blind to see that.

deadonthefloor said
Yeah, he's great at being a blowhard and a shill. I'm not too blind to see that.
Hmm, I don't know about that..

deadonthefloor said,

Yeah, he's great at being a blowhard and a shill. I'm not too blind to see that.

I agree. He's definitely not someone I trust to give me a non-biased point of view.

ahinson said
I agree. He's definitely not someone I trust to give me a non-biased point of view.
Well I know he's a genuine person and gives honest tech. information like it is.

Another blinded person..

dtourond said,
Well I know he's a genuine person and gives honest tech. information like it is.

Another blinded person..

I guess you never watched TechTV. If you did, you would have a different opinion.

ahinson said,
I guess you never watched TechTV. If you did, you would have a different opinion.
I actually did watch TechTV. Not all the time but I've definitely seen it more than once. I like Chris, he can get on a personal level and share that with his viewers and not be just some boring tech geek like a lot of other people are these.

Not this crap again.

Even the U.S. department upgraded to Windows 8.

"a whole new set of vulnerabilities" I'd say it's always the same, each time you try to add a new feature (or set of features), that's the risk you take. But, considering that Windows 8 has bigger defenses against viruses than Windows 7 (Smart Screen for example), and the Metro apps sandboxed, I believe that there are more pros than cons that stand for security on 8 than on previous Windows OSes.

Jose_49 said
considering that Windows 8 has bigger defenses against viruses than Windows 7 (Smart Screen for example), and the Metro apps sandboxed, I believe that there are more pros than cons that stand for security on 8 than on previous Windows OSes.
Agreed.

Jose_49 said,
Even the U.S. department upgraded to Windows 8.

You mean, they have a license to use it. Like any renewed contract.

I don't disagree though, that apps on the store are screened and (most likely) won't have viruses...

Raa said,

You mean, they have a license to use it. Like any renewed contract.

I don't disagree though, that apps on the store are screened and (most likely) won't have viruses...

1) The contract was more than a renewal. You might want to fact check something that you think you are correcting in another post.

2) It would be extremely hard to get through Microsoft's screening, that is highly automated and rips the code apart to find any malicious tendencies. Microsoft isn't just testing the compiled binary, and is doing more than a few simple checks. (The technology they are using is several generations beyond Apple's store, and isn't even in the same class as Android's horrid system that has virtually no checking and doesn't even enforce certificates or checksums when installing trusted Apps.)

3) Even if a Windows Store App did have malicious code, there is also the whole security model of Windows Store Apps (WinRT Framework) that starts with App isolation, that is running in its own sandbox that is running inside WinRT with its managed sandbox that is sitting on .NET technologies that are also sandboxed. So for example, if you purposely install Malware, it poses no danger, as it can't touch anything.


To equate the Windows 8 Store Apps to Android is beyond insane. Heck use an existing reference, like WP7 and WP8 Apps and security and notice it has not had an issue yet. And Windows 8 Store Apps are effectively using the same model and security technologies and Microsoft is using the same screening processes.