How more secure is Windows 7 / Vista, really when compared to XP?

[+Warwagon MVC]

I was listening to the latest security now and an interesting question came up

Question

You sound so optimistic about how the new architecture will protect the OS from all sorts of nasty things. I've only listened to a few new episodes, but I do know you're still doggedly hanging onto XP. I never would have guessed that five years from where I am right now, you would be so against the new platform. For the benefit of those who haven't yet listened to the other episodes, the remaining episodes, would you give the listeners a brief overview of what went wrong? Did Microsoft get lax and start letting every passerby drop code into the kernel? Did the creators of malware find a way to bust through the protection? Or was it really an improvement for security, but other irritating issues kept you from making the switch? Thanks for the show. You are a great service to the Intertubes, says Quib.

Answer

Steve: So, okay. Microsoft clearly improved security dramatically from XP to Vista, and fixed the things that they really didn't do that well, sort of maybe went overboard with Vista, in 7, making 7 more friendly. Yet we don't see attacks which are only effective against XP. All the attacks that we see are always effective against all of them. So when you think about it, there isn't a differentiation. I'm not seeing anything that gets 7 that doesn't also get XP. Why? Because it's still the same operating system. Microsoft comes up with new layers of eye candy and new UI features, but nothing fundamentally changes. I mean, yes, Address Space Layout Randomization gets better, and DEP is more strongly enforced, and a few things like that. But they can't really change much without breaking all of the legacy stuff. So they're limited in what they're able to do. And you could argue that they're sort of running out of things to do at this point. So first of all, looking back at all the patches we've discussed in the last year, nothing is XP only. I can't think of anything that only affected XP.

Steve: Nothing seems to be actually more secure. And I don't see anything that I want over on Windows, lord knows on Vista, but even on 7. I mean, it looks different, but it's just in my way more. So it isn't demonstrating better security. Now, that will change in two years or three years, whenever it is that patches stop being offered for SP3. So at that point I'll think, okay. Either the bad guys will have moved off to Windows 8, and no one will even be bothering to attack XP anymore because it'll be more like Windows 98 is, for which none of these things are effective because it'll just have enough different DNA that it can't be infected. Or maybe I'll switch. I'm not sure. But at the moment, XP is the same as 7 in every way I can tell. Everything I want to do is compatible with XP still. So there's no incompatibility problems. And there's no demonstrated actual effective increase in security. So why would I move?

Now a lot of you will probably not take anything he says seriously because he is still running XP, but I agree with him on his answer. It's not like malware infections stopped dead in their tracks. I also don't see less security patches for the Newer operating systems. In some cases the newer operating systems have more of them. I also see the same amount of infections with Vista and 7 as I do with XP. So while Microsoft added all of this "new security to the operating system, I really don't see it fixing the problem.

[Noir Angel]

He's wrong. The addition of ASLR to Windows has made vector based buffer overflow attacks virtually impossible to pull off, worms like Blaster and Sasser are a lot harder to pull off. Yes there are still security flaws in Windows that are found and fixed but the amount of holes that can be attacked with remote exploits has dropped dramatically. With regards to viruses and malware they are designed to exploit the weakest link in the computer, the user. If the user just clicks allow of course things like UAC are going to be useless.

[Dot Matrix]

Whoever this "Steve" guy is obviously doesn't know about the massive under the hood changes in security Vista and 7 brought about. Good lord.

[Max Norris]

So while Microsoft added all of this "new security to the operating system, I really don't see it fixing the problem.

Well I do agree they've added a bunch of new features to harden the OS in general, by default it's a good deal more secure than XP. But it's been said quite often here in various threads... "you can't fix stupid." If you can convince a person that it's ok to enter a password/click past UAC/skip whatever precaution the OS happens to have, all the security in the world isn't going to stop a malicious program from running. I don't care which OS you're on, if you blindly let an unknown run, you can get burnt. Even better when said user intentionally disables the security mechanisms all for the sake of shaving off a half second of inconvenience.

[Hum]

I'm no expert, but I have not had any infection problems with the Windows 7 computer, as I did once in a while with Windows XP.

[+Warwagon MVC]

Well I do agree they've added a bunch of new features to harden the OS in general, by default it's a good deal more secure than XP. But it's been said quite often here in various threads... "you can't fix stupid." If you can convince a person that it's ok to enter a password/click past UAC/skip whatever precaution the OS happens to have, all the security in the world isn't going to stop a malicious program from running. I don't care which OS you're on, if you blindly let an unknown run, you can get burnt. Even better when said user intentionally disables the security mechanisms all for the sake of shaving off a half second of inconvenience.

In the reverse if a smart person who wasn't an idiot was using XP they wouldn't be that bad off.

[+Warwagon MVC]

I'm no expert, but I have not had any infection problems with the Windows 7 computer, as I did once in a while with Windows XP.

I've never had an infection with vista or windows 7 BUT I also NEVER had a virus on XP either from the Time it RTM'ed till the time I upgraded to vista.

[Dot Matrix]

In the reverse if a smart person who wasn't an idiot was using XP they wouldn't be that bad off.

I disagree. Even a smart person using XP is missing a lot of the preventative features of Windows Vista/7. It certainly isn't too hard to initiate a drive by on XP that would bypass the AV entirely, once the AV is bypassed, there is little to noghting standing in the malwares way!

[Noir Angel]

In the reverse if a smart person who wasn't an idiot was using XP they wouldn't be that bad off.

It's all relative. All users, both smart and dumb would still be more secure using 7 than they would on XP. Granted by how much is a question that depends on who you ask but on the Internet it's my opinion that even being fractionally more secure is still advantageous to the end user. It's also worth nothing that the requirement for digital driver signing and the prevention of kernel patching on 64 bit versions of Vista and 7 adds even more security and stability.

[Max Norris]

In the reverse if a smart person who wasn't an idiot was using XP they wouldn't be that bad off.

I won't argue with that, as long as the user in question follows safe computing and has a safety net for if they make a mistake. When I used to use XP I've only been infected once, and it was a case of self-inflicted dumbassery on my part.. deserved what I got, and easy recovery via a mirror. Trick is educating the 'average user', and since people in general are dumb (in general.. that's not directed at anyone), Windows 7 would be the safer bet.

[Brandon Live Veteran]

In the reverse if a smart person who wasn't an idiot was using XP they wouldn't be that bad off.

XP doesn't support sandboxing (particularly useful for browsers). It doesn't matter if you're "smart," it's still less secure. Then there are the big features like ASLR, NX, PatchGuard, etc. But more than that (and despite what "Steve" says) new versions of Windows aren't "new layers."

The sandboxing in 8 (particularly for Metro apps and "Enhanced Protected Mode" in IE) goes far further than anything we've had before.

[+Warwagon MVC]

What about this from back in 2010 as an example

"A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to "system," and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed."

http://nakedsecurity...s-uac/#comments

[simplezz]

Windows Malware, Viruses, keyloggers, and Rootkits have evolved quite a bit over the years. The trend seems to be - they get better and better at hiding themselves (Rootkits in particular). I've found many instances of Windows Rootkits on Vista and 7 and the owners didn't even notice anything. So when someone comes out and says boastfully "My system has never had a virus" or "I don't even need to run an anti-virus with Windows 7", pay no attention, it's all bravado. every single Windows 7 and Vista PC is vulnerable, no matter what Microsoft or some obscure paid report says.

While it's true that the user is the weakest link in the chain (usually), the Windows and Microsoft platforms have allowed a vast malware ecosystem to develop around them. Unfortunately as long as Windows supports the Win32 API, there will be millions of active infections worldwide. Windows RT's attempt to remedy that situation on tablets is a step forward, but I can't see it improving the desktop version any time soon.

[AltecXP]

Whoever this "Steve" guy is obviously doesn't know about the massive under the hood changes in security Vista and 7 brought about. Good lord.

http://en.wikipedia.org/wiki/Steve_Gibson_(computer_programmer)

[Noir Angel]

What about this from back in 2010 as an example

"A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to "system," and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed."

http://nakedsecurity...s-uac/#comments

Nobody claimed UAC was perfect, but it's still better to have it than not. Besides, that exploit is just another form of drive by malware it still cannot be installed via remote execution it would still require some form of user interaction to find it's way onto a user's machine.

[Max Norris]

pay no attention, it's all bravado. every single Windows 7 and Vista PC is vulnerable, no matter what Microsoft or some obscure paid report says.

Every OS has vulnerabilities. No exceptions. If you can install software, you can install malware, to think otherwise is delusional. Windows gets targeted on the desktop because there's where the largest user base is, just as *Nix has the most hacks/exploits on the server end of things. Most malware gets installed because of user error; barring an unpatched zero-day exploit (every OS has them), they won't magically appear out of thin air. I can just as easily write up a bit of nasty code for OSX or Linux.

[rfirth]

Neowin article from last year: Avast: Windows XP makes up 74% of rootkit infections

http://www.neowin.ne...tkit-infections

Clearly the usage to rootkit ratio for Windows 7 is much improved from XP and Vista.

[Noir Angel]

Every OS has vulnerabilities. No exceptions. If you can install software, you can install malware, to think otherwise is delusional. Windows gets targeted on the desktop because there's where the largest user base is, just as *Nix has the most hacks/exploits on the server end of things. Most malware gets installed because of user error; barring an unpatched zero-day exploit (every OS has them), they won't magically appear out of thin air. I can just as easily write up a bit of nasty code for OSX or Linux.

Precisely. Microsoft can harden their OS against threats but as long as an OS can execute non native code (and by that I mean anything that isn't a system application / service) there will be ways of getting it to run malware. Microsoft haven't just "let malware develop" they just can't do anything more about it. The best you can hope for is to make remote exploits difficult to pull off and I believe Microsoft's record on that front has improved substantially between XP and 7

It's also worth noting, in a rather amusing case of irony that the main reason we have to thank for the ability to subvert patchguard is the changes Microsoft were forced to make to appease McAffee and Symantec's bitching about the loss of privileged kernel mode.

[Vice]

One of the biggest changes to Windows Vista and Windows 7 that this Steve correctly sighted was address space layout randomisation. The problem is while this makes it more difficult for malicious software to locate a memory space to inject code in to it isn't impossible and in some cases very easy. This is due to in part windows not using ASLR on every system process, only new processes compiled for the latest versions of windows and secondly because the operating system both gives up the true address spaces of running executables and because its implementation is generally weak.

I'll give you one example, lets say you want to find out where a PDF viewer is storing the PDF's it has open so that you can inject some code to make that piece of address space executable. Basically you want to bypass the processors protections that allow software to declare parts of its memory use as data only which means the CPU to try and increase security won't allow anything in that address space to execute. But you can't find it because of ASLR right? - Well you can just start reading the memory address space at random 16 bit lengths until you find a string that matches your planned injection point. It may take a while like a few minutes but many people have only 4GB or less memory and you can already gauge the size of the in-use address range before you begin checking.

The point is ASLR isn't that amazing. The operating system can't hide everything from software running on the system because it would break compatibility with a whole range of applications. The legacy parts of windows hold back its security just like Steve says.

And also I want to point out that he is right about what he says with regards to security in general. Windows Vista and Windows 7 haven't really affected security that much when it comes to difficulty. Infecting the browser by having the browser itself execute your code through a javascript interpretation error is still the easiest way to get on a system. Sandboxing and breaking up the browser in to many smaller executables with significantly reduced permissions is the only way to fight that hazard and when we do the attacks will just go full steam in to social engineering which today is mostly dominated by weaker programmers who can't find and write exploits for vulnerabilities in browsers.

Security is a huge problem and will remain so for a very long time. You can't have both a completely open platform that lets users install any application and also have bullet proof security.

[Growled Member]

What about this from back in 2010 as an example

"A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to "system," and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed."

http://nakedsecurity...s-uac/#comments

You see a lot of this. Windows isn't really any more secure now than it was a few years, really.

[Noir Angel]

I simply don't agree with that. Vice is right, no security is perfect but it's still been improved.

[Raa]

I see less infections on Windows 7 systems than XP systems. 64 bit definately helps.

I wouldn't say it's "a lot more secure!!oneoneone", but it definately is "better".

[rfirth]

I'll give you one example, lets say you want to find out where a PDF viewer is storing the PDF's it has open so that you can inject some code to make that piece of address space executable.

Ok... Although injecting code isn't going to make it executable. You're going to have to defeat DEP first. Anyway...

Basically you want to bypass the processors protections that allow software to declare parts of its memory use as data only which means the CPU to try and increase security won't allow anything in that address space to execute. But you can't find it because of ASLR right?

No, you can't because of DEP. First, you don't know where the data is stored (ASLR), and then even if you could inject code, it's marked as data and therefore isn't executable... So all you've done is create a useless memory corruption. This will crash the program, but not lead to arbitrary code execution.

Well you can just start reading the memory address space at random 16 bit lengths until you find a string that matches your planned injection point.

How are you going to read memory addresses at random? You need code to do that. You assume that you have already injected code and are running that code. You can have code that does this, but how are you going to run it?

If you have code running, you're already done. But this assumes you've already defeated ASLR and DEP. Kind of a chicken and the egg situation.

It may take a while like a few minutes but many people have only 4GB or less memory and you can already gauge the size of the in-use address range before you begin checking.

There is a difference between the virtual and physical address space. Just because a system has less than 4GB of memory - maybe only 16MB! - you still have to look through the virtual address space. Stuff can be placed arbitrarily anywhere in virtual address space. And if it's a 64 bit operating system, the virtual address space you would have to search is absolutely huge. It's completely impractical.

Besides, why would you want to write code to search for an injection point? If you're already running arbitrary code, you've already succeeded.

Now, if you're doing this on your system and expecting that the offset you find by doing the search (perhaps with a debugger) will work on another system, you're wrong. Just restart the computer and the offsets change. But you can do this on Windows XP and exploit buffer overflows very very easily.

A good way to exploit ASLR is to find a DLL that wasn't compiled to support ASLR (I know, you said this). That works. Find the location of JMP $ESP or something. There are ways, it just doesn't seem like your example is a good one.

[Vice]

I think a lot of the security discrepencies we see between the two operating systems can be explained away by a few things.

1. Windows 7 now comes with a free Antivirus from Microsoft in Windows Update that a staggeringly high number of consumers are taking advantage of.

2. People who are buying new computers are automatically receiving some Antivirus. Be it Norton, Nod32 or Kaspersky as an OEM software bundle.

3. People who upgrade their own PC to Windows 7 by purchasing a copy are also very likely to buy an Antivirus

All these things combined result in a much higher use of Antivirus software on Windows 7 by consumers which will result in lower infections in general. Then there is another point, a lot of the Viruses, Worms and Trojans still floating around and infecting people were authored many many years ago and may rely on very specific parts of the Windows XP operating system just due to their age and how the programmer wished to mask its presence by perhaps bundling a dynamic link library in to the software that the OS would load at boot.

With Windows 7 there is a major change in that regard and all those hundreds of thousands of pieces of malicious software that was authored years ago for XP can't work on Windows 7 because they aren't generalised enough.

These are just my thoughts on it anyway.

Ok... Although injecting code isn't going to make it executable. You're going to have to defeat DEP first. Anyway...

This is the whole point of finding where the program is storing it so that you can then change that address space to become executable by using another vulnerability in DEP. That is if DEP is even activated for applications.

No, you can't because of DEP. First, you don't know where the data is stored (ASLR), and then even if you could inject code, it's marked as data and therefore isn't executable...

Well that isn't accurate as by simply printing the address spaces and then doing a simple search on the data you can determine where the space you want is and then inject there. ASLR is not bullet proof and doesn't hide things well enough and it doesn't stop programs from probing address space to find out where things are.

How are you going to read memory addresses at random? You need code to do that. You assume that you have already injected code and are running that code. You can have code that does this, but how are you going to run it?

This all assumes that you are currently able to run some code from a sandboxed application that has some of its permissions revoked such as writing to the file system.

There is a difference between the virtual and physical address space. Just because a system has less than 4GB of memory - maybe only 16MB! - you still have to look through the virtual address space. Stuff can be placed arbitrarily anywhere. And if it's a 64 bit operating system, the virtual address space you would have to search is absolutely huge.

Not exactly, there are ways to determine these things

Besides, why would you want to write code to search for an injection point? If you're already running arbitrary code, you've already succeeded.

Not necessarily. It really depends how your code is being run first of all. Perhaps you have a payload in the PDF file itself, and the PDF viewer has opened that file and read it in to memory and there is a specially crafted part of the PDF file such as an image which you know that PDF viewer can't read under certain conditions perhaps its buffer for reading the colour profile of that image is written poorly and it is possible to get some code of only a finite length stored and executed by the PDF Viewer but its privileges on the system are low enough that you can't create or store any files on the system to keep your malicious software around after a reboot of the system.

There are a lot of reasons as to why you would want to exploit a vulnerability like this. Another example would be if you have a PDF file that opens on a website and Chrome for example has a built in PDF viewer. Chrome sandboxes its PDF Viewer so it can't do anything even if you were able to gain control over it, but maybe you found an exploit in this that lets you get out of that sandbox and in to the overall chrome process or up on to the operating system.

It isn't uncommon to need several different exploits just to get from the browser to the OS without the user ever accepting anything.

Now, if you're doing this on your system and expecting that the offset you find by doing the search (perhaps with a debugger) will work on another system, you're wrong. Just restart the computer and the offsets change. But you can do this on Windows XP and exploit buffer overflows very very easily.

A good way to exploit ASLR is to find a DLL that wasn't compiled to support ASLR. That works. Find the location of JMP $ESP or something. There are ways, it just doesn't seem like your example is a good one.

My example if fine if you understand it. And I already mentioned how a lot of stuff in the system isn't even affected by ASLR in my first post. My example was one for if ASLR was activated on the executable you want to mess with.

[Dot Matrix]

Windows Vista fixed alot of XP's security holes, and Windows 7 did Vista's, but simpy put the more software a user uses, the bigger the attack vector gets. The OS could be bullet prrof, but as long as one application remains out of date, the user is vulnerable, no matter what OS they are using, be it Windows, Mac, or Linux.