How more secure is Windows 7 / Vista, really when compared to XP?

[simplezz]

Every OS has vulnerabilities.

Vulnerable to Viruses and Malware I mean. Vulnerabilities are inconsequential in the short term if nobody's exploiting them. Just look at Stuxnet - even the US government is exploiting Windows vulnerabilities.

No exceptions. If you can install software, you can install malware, to think otherwise is delusional.

While technically true, there has never been any successful malware on GNU/Linux. Now you could argue that's because of security in obscurity, and that may be true to an extent, but there are also other factors:

1. How users get their software.

2. Permission system. Specifically, how programs get executable permissions. Windows Autorun is an example of a popular infection vector.

3. The variety of Linux distributions, their configurations, and the software which they contain are the bane of malware writers. They do best in homogeneous environments with predictable file locations and installed software, and slow update cycles.

Windows gets targeted on the desktop because there's where the largest user base is

That's not the whole story though.

1. For years Windows had very lax security, which encouraged a vast malware ecosystem. Critical mass was reached long ago. The hacking tools, code, and expertise has all developed around Windows. That's not something you can transfer overnight.

2. The Win32 API is very hacker/malware writer friendly.

3. There's no central repository to get your software from (yet), which inevitably leads to the practise and habit of downloading and running random programs from the internet. This behaviour increases the risks of infection with malware.

just as *Nix has the most hacks/exploits on the server end of things.

Incorrect. The server exploits, which by the way aren't malware, are usually focused on third party applications like wordpress and sql injections, or other front facing applications (which can also run on Windows), rarely is it ever the GNU/Linux OS itself. Again, malware isn't involved. Now Windows Servers, that's a whole different kettle of fish. They are subject to the same malware threats as their desktop brethren.

Most malware gets installed because of user error; barring an unpatched zero-day exploit (every OS has them), they won't magically appear out of thin air. I can just as easily write up a bit of nasty code for OSX or Linux.

I agree that the user is the weakest link the chain, but that doesn't stop viruses and malware spreading without user intervention. There are many examples in Windows' history. And yet, not a single Virus has successfully spread on GNU/Linux.

You could try and write some bad code for Linux, but how would you deliver it? How/where would it install itself? How would it run/spread? Then you start to realise, GNU/Linux is an extremely heterogeneous environment - again, the bane of virus/malware writers.

It's all well and good pointing out buffer overflow exploits, but if nobody's using them, they don't pose a real security risk in the short term. All of the exploits are targeting Windows, the reasoning of which is unimportant, there is only the reality of the situation.

[Dot Matrix]

Now Windows Servers, that's a whole different kettle of fish. They are subject to the same malware threats as their desktop brethren.

True, but Windows Server makes it hard, and I mean real hard to go out and infect. You don't just simply go out onto the web with it.

[simplezz]

but simpy put the more software a user uses, the bigger the attack vector gets.

That's true. Even more so if the software is out of date and isn't automatically updated by the operating system.

The OS could be bullet prrof, but as long as one application remains out of date, the user is vulnerable, no matter what OS they are using, be it Windows, Mac, or Linux.

Totally agree. That's where GNU/Linux repositories and Windows 8's app store really shine. If the OS can update itself and every application installed on the system, the likelihood of exploitation is greatly diminished.

I'm a big fan of built-in OS software repositories and management tools. That's one area Windows 8 will easily best Windows 7. Now if we could only get the desktop back :whistle:

[Vice]

Just to jump off your point there Dot Matrix. I have a whole array of Windows Servers running IIS and other services. And I just wanted to say how difficult it is to get a script running inside IIS to access the system. I mean there are so many layers of security there that it can be difficult just as a server owner to get things working and functioning due to well for starters all the NTFS ACL permissions.

I know specifically you meant people don't usually use Windows Server to surf the web which is how many people get infected but I just wanted to point out how secure the server is at actually serving content and how the operating system treats seemingly everything running under one of its server roles as potentially hostile. Exploiting IIS to get to the system is in my opinion difficult.

[simplezz]

Neowin article from last year: Avast: Windows XP makes up 74% of rootkit infections

http://www.neowin.ne...tkit-infections

Clearly the usage to rootkit ratio for Windows 7 is much improved from XP and Vista.

The problem is, rookits are getting harder and harder to detect and remove. We really don't know how many are unregistered on that graph.

[rfirth]

This all assumes that you are currently able to run some code from a sandboxed application that has some of its permissions revoked such as writing to the file system.

I know. What I'm saying is that's easier said than done, and it's a big assumption to make. It assumes that you have already defeated ASLR and DEP to even be able to run code. But obviously once you get code running, you have a lot more options for breaking out of the sandbox. But you're not going to do either one easily.

Not necessarily. It really depends how your code is being run first of all. Perhaps you have a payload in the PDF file itself, and the PDF viewer has opened that file and read it in to memory and there is a specially crafted part of the PDF file such as an image which you know that PDF viewer can't read under certain conditions perhaps its buffer for reading the colour profile of that image is written poorly and it is possible to get some code of only a finite length stored and executed by the PDF Viewer but its privileges on the system are low enough that you can't create or store any files on the system to keep your malicious software around after a reboot of the system.

Ok, so you overwrite some section of memory. You want your to run your payload so that you can run in the sandbox and hopefully can escape the sandbox. But how do you get the section of memory (the memory you corrupted) to execute? First, you don't even know where you've just placed the payload. But perhaps you know the register ESP points to it. So you need to jump to it. So, you need to overwrite the return instruction address with an instruction that points to your payload. But you can't hardcode an address, because ASLR will change the location of the JMP ESP address that you've found. Then, even if you could reliably tell the computer to jump to your code, the PDF reader program should have read that into memory marked as data. So it's not even executable.

Definitely would need to find a reliable way to escape this.

But let's say your assumption holds. You've got code running in a sandbox and you want to escape. Yes, the computer is in a lot of trouble at this point.

[Vice]

I know. What I'm saying is that's easier said than done, and it's a big assumption to make. It assumes that you have already defeated ASLR and DEP to even be able to run code. But obviously once you get code running, you have a lot more options for breaking out of the sandbox. But you're not going to do either one easily.

Ok, so you overwrite some section of memory. You want your to run your payload so that you can run code in the sandbox that hopefully can escape the sandbox. But how do you get the section of memory to execute? First, you don't even know where you've just placed the payload. Perhaps the register ESP points to it. So you need to jump to it. So, you need to overwrite the return instruction address with an instruction that points to your payload. But you can't hardcode an address, because ASLR will change the location of the JMP ESP address that you've found. Then, even if you could reliably tell the computer to jump to your code, the PDF reader program should have read that into memory marked as data. So it's not even executable.

But let's say your assumption holds. You've got code running in a sandbox and you want to escape. Yes, the computer is in a lot of trouble at this point.

If there is one thing we know about malicious software writers it is that they go for low hanging fruit. They won't go through a lot of the steps I've outlined here to take over a computer because there are easier ways. The fact remains that the easiest way to gain control over a Windows 7 system is to target a 32-bit binary that is not opting to be protected by DEP and ASLR. Of which there are many like you described in your previous post finding a dynamic link library that fits that bill is easy.

The only time we are ever going to get first hand experience of working ASLR and DEP combined exploits is in hacker competitions. But for this discussion I'm assuming a lot to point out that ASLR isn't impossible to overcome. And of course the point of Steve in his reply to this users query about security is that whilst ASLR and DEP and all these other technologies have been included they aren't utilised in a way that affects the overall security of the system because too many things that can be exploited for system wide access aren't using them.

[Max Norris]

Vulnerable to Viruses and Malware I mean. Vulnerabilities are inconsequential in the short term if nobody's exploiting them. Just look at Stuxnet - even the US government is exploiting Windows vulnerabilities.

Inconsequential? Nobody exploiting them? Seriously? Tell that to anyone who got screwed by one of the myriad of loopholes and misconfigurations in Apache, PHP, OpenSSL and any other number of *Nix software. You can't swing a dead virtual penguin without bumping a browser window with a story about some server getting hacked. Costs quite a bit of money, time and bad customer relations. And please don't try and pass off Linux as being 100% flaw free; Secunia and other security lists will tell you otherwise. They had their fair share too... some go for quite a good deal of time before being spotted too.

1. How users get their software.

You see quite a few articles and such that tell users to add various repositories to their sources.list, download and dpkg this .deb, extract and run the script in this tarball, etc etc.. the walled garden thing doesn't hold up, especially when somebody wants to stay current with a distro that's perpetually out of date. Just need to trick that user into running something they shouldn't and that Linux security has been rendered pointless.

2. Permission system. Specifically, how programs get executable permissions. Windows Autorun is an example of a popular infection vector.

True with the legacy OS's. Current versions ask first before doing anything. If they still run it, well that's on them.

3. The variety of Linux distributions, their configurations, and the software which they contain are the bane of malware writers. They do best in homogeneous environments with predictable file locations and installed software, and slow update cycles.

Not sure how this is a benefit... /usr/lib versus Windows/System32? Both are a bit predictable..

1. For years Windows had very lax security, which encouraged a vast malware ecosystem. Critical mass was reached long ago. The hacking tools, code, and expertise has all developed around Windows. That's not something you can transfer overnight.

No arguments there. XP made quite a few mistakes when it came to security. Whoever thought giving users admin access by default was a good idea should be shot.

2. The Win32 API is very hacker/malware writer friendly.

Erm any API can be hacker/malware friendly. Shoot probably easier in Linux thanks to the myriad of tools at your disposal that's typically already installed.

3. There's no central repository to get your software from (yet), which inevitably leads to the practise and habit of downloading and running random programs from the internet. This behaviour increases the risks of infection with malware.

Agreed to a point, as it's not 100% solid in Linux either, see above about working with external repositories.

There are many examples in Windows' history. And yet, not a single Virus has successfully spread on GNU/Linux.

And again, it's because the malware writers just don't care. 99% of the time, malware is oriented around money. Stealing passwords, sending you advertisements, encryption/ransomware, ripping off your virtual crap in World of Warcraft, things like that. Who's going to spend the time and trouble to write up a bit of malware and think to themselves, "Gee this is great, now how can I release it to the smallest amount of users possible?" Or to be a bit melodramatic, Linux presents quite the perfect delivery mechanism.. the central repository. All it takes is just takes one good hack or a cheesed off coder. Worked great by accident, would be quite devastating if intentional. Bumblebee proved how well that could work. The software worked great until you uninstalled it. Then it literally nuked your entire /usr directory, rendering the system unusable. Oopsie.

You could try and write some bad code for Linux, but how would you deliver it? How/where would it install itself? How would it run/spread? Then you start to realise, GNU/Linux is an extremely heterogeneous environment - again, the bane of virus/malware writers.

Again, user stupidity. Attachments, tricks, misdirection.. how a majority of this stuff starts.

It's all well and good pointing out buffer overflow exploits, but if nobody's using them, they don't pose a real security risk in the short term. All of the exploits are targeting Windows, the reasoning of which is unimportant, there is only the reality of the situation.

Again, that's where the money is, on the desktop side of things. OSX used to be able to claim similar, but as their market share is growing, so is their number of malware cases. Or, look at Android, it's quite popular, and "malware cesspool" has been thrown around quite a bit. The reasoning is only unimportant if you're wanting to dodge the issue, namely they're going where the money is, and the Linux desktop isn't it, not that it's magically immune from malware.

[rfirth]

I'd say that Windows 8, 7, Vista are all much more secure than Windows XP, but not proportionally more safe. And as Windows XP loses market share, later versions of Windows will become less safe because malware writers will be forced to target them.

And as computer security improves, malware writers rely more and more on social engineering. It's much easier and you can't engineer a solution to it.

"my stupid anti-virus won't let me run this program... what's wrong with my windows! stoopid MSft!"

"my computer seemed slow, so I installed this program that said it would make it faster..." <=== Too many people tell me this

[sc302 Veteran]

You can't fix the problem. Well you could if you were a perfect being. A flawed being cannot make anything perfect or impenetrable, it is only as good as the person that can crack it can fix against his own cracking capabilities. Not everyone thinks the same, therefore, holes unknown to the designer will exist. Even if you get 1000 people to provide security fixes, 1,000,000 more will find ways around it. Windows 7 and vista are much more secure than xp, it took malware designers a whole month to figure out how to break its security. Windows 8 isn't rtm yet and I am sure that there are programmers ready to deploy the next malware to infect that os. Security, in any os, is a facade. Idiot users can claim that a particular os is much more secure than another, however, understanding the payload from that os vs a very popular os is very small and not profitable to malware programmers. Any malware is money driven, in most cases, so attack the majority. Programming anything is os specific, as a tech or programmer you should know that...learn the language that will give you the most benefit.

If I wanted to get my name out there in security I might be tempted to write software against windows in hopes of getting into a security firm like Symantec or eset. Maybe I want to write something that will constantly go to a website that would give me $.10 for every visit. Maybe I would want to write something that would get me valid email addresses to sell. Maybe I would want to write something that would do a lot of SETI calculations from what ever pc is connected to. Maybe I want to steal keystrokes so that I can get into your bank accounts. Maybe I want to infect you with a fake av to sell you a service so i can get you cc info....maybe I want to do all of that..who would be my most likely target audience based on payload...which would bring me the most hits? Unix, no....Ubuntu, no....red hat, no......sco unix, no.....apple, might be worth looking at but, no......windows, this would be best for now so, yes, infecting this base will bring me the most in the shortest amount of time before getting caught.

[J_R_G]

I'm not understanding the argument against ASLR. Of course if not all .DLLs are compiled with it, then it doesn't work, but at least that is fixable, XP which has no ASLR is not fixable at all. Secondly, Windows 8 fixes some significant things related to this, IE (and other programs that opt in) enables 'mandatory ASLR' so that all .DLLs that IE uses are forced to use ASLR, and it also can run in the enhanced protected mode sandbox as someone mentioned earlier which is much more hardened than the sandbox in Vista and 7. Windows 8 also has High Entropy ASLR, basically giving ASLR much more randomness on x64 binaries (where as Vista and 7 give the same amount of randomness to x64 and 32-bit programs), exactly how much is not known yet but there is nothing stopping microsoft from using the full 16 Exabytes of address space available to x64 programs. Trying to out guess that would be impractical for hundreds of years at current CPU speeds, assuming you don't tip off the user right away by crashing their program.

According to MS' Security Intelligence Report, XP has over 10x the infection rate of Windows 7 x64 as tallied by MSRT. And IMO it is fud to say Windows Vista and 7 have many 'unknown' rootkits, while they may have some, XP almost certainly has many more and additionally a hidden rootkit is pretty useless, it usually has to do something for the author to make it worth it which will make it noticeable, such as draining bank accounts or displaying pop-ups or DDoS'ing web sites. Some users don't notice some of this, but it's extremely unlikely there is a significant amount of these things going completely undetected, there are too many people that will recognize any of these behaviors.

Vista and 7 are much more secure, the stats prove it, but of course if you work in a shop you are still going to see a ton of infected machines from the newer versions of Windows because of incompetent users ignoring warnings and elevating programs they obviously should not.

[rfirth]

I'm not understanding the argument against ASLR. Of course if not all .DLLs are compiled with it, then it doesn't work, but at least that is fixable, XP which has no ASLR is not fixable at all. Secondly, Windows 8 fixes some significant things related to this, IE (and other programs that opt in) enables 'mandatory ASLR' so that all .DLLs that IE uses are forced to use ASLR, and it also can run in the enhanced protected mode sandbox as someone mentioned earlier which is much more hardened than the sandbox in Vista and 7. Windows 8 also has High Entropy ASLR, basically giving ASLR much more randomness on x64 binaries (where as Vista and 7 give the same amount of randomness to x64 and 32-bit programs), exactly how much is not known yet but there is nothing stopping microsoft from using the full 16 Exabytes of address space available to x64 programs. Trying to out guess that would be impractical for hundreds of years at current CPU speeds, assuming you don't tip off the user right away by crashing their program.

This.

And web browser attacks that employ heap spraying... you'll crash the computer by making it run out of memory long before you get the smallest fraction of memory space filled, if the user is using Internet Explorer 10 with Enhanced Protected Mode.

And then, even if you do manage to get around that, you then have to deal with the Enhanced Protected Mode sandbox.

[redvamp128]

I think a lot of the security discrepencies we see between the two operating systems can be explained away by a few things.

1. Windows 7 now comes with a free Antivirus from Microsoft in Windows Update that a staggeringly high number of consumers are taking advantage of.

I would have to agree with that point...

One should also mention that by default- certain features are turned on.

Windows Firewall (unless one is provided for by the OEM) {yes I know it was turned on in XP SP3 but Vista and up did not need a service pack to turn it on}

I do love the way they compare it to Windows 98 -- on a side note-- It took me about 3 years to get my folks to migrate to Windows 98 from Windows 3.1 mainly because all their programs were for it and they were used to it.

The problem is, rookits are getting harder and harder to detect and remove. We really don't know how many are unregistered on that graph.

I can see your point on that one -

You never know a root kit exists until someone "Discovers it" or the maker lets it be known...

[J_R_G]

I can see your point on that one -

You never know a root kit exists until someone "Discovers it" or the maker lets it be known...

While that statement may seem to have some truth in it, it's really not accurate. Many security researchers, AV companies, and MS themselves, run honey-pot systems that they connect to the net and try to have infected by new unknown malware, then they do thorough (probably off-line) analysis of the systems. I'm still in the 'mass of unknown rootkits' is a myth camp. There may be examples of in-the-wild but undetected for years malware like Flame, but I think they are the exception not the rule.

[Detection]

How can you air a program called "Security Now" where the main guy still runs XP and FF3.6

I listen to that show quite a lot and learned a few useful things from it, such as how to hack WPS routers :laugh:

Its more like an RSS News Feed than much else

[Skyfrog]

How can you air a program called "Security Now" where the main guy still runs XP and FF3.6

I listen to that show quite a lot and learned a few useful things from it, such as how to hack WPS routers :laugh:

Its more like an RSS News Feed than much else

I'm going to start a show called "Today in Programming" but I'm only going to talk about Fortran and QBasic.

Yeah this guy is talking nonsense though. Doesn't sound like much of a show.

[+Warwagon MVC]

I'm going to start a show called "Today in Programming" but I'm only going to talk about Fortran and QBasic.

Yeah this guy is talking nonsense though. Doesn't sound like much of a show.

Get a clue you guys. It's one of the best security podcasts on the internet. Who cares if he is running XP and Firefox 3.6 (By the way he did upgrade firefox). They are all still receiving security updates. It's just his choice. Just because he chooses to do so doesn't make him any less of a security expert.

[Skyfrog]

Get a clue you guys. It's one of the best security podcasts on the internet. Who cares if he is running XP and Firefox 3.6 (By the way he did upgrade firefox). They are all still receiving security updates. It's just his choice. Just because he chooses to do so doesn't make any less of a security expert.

There have been a number of security issues lately that only affected XP, not Vista or 7. Yes XP is still getting updates but that doesn't it make it more secure than Vista/7, it just isn't. To say otherwise is absurd, especially for someone calling themselves a security expert.

[+Warwagon MVC]

There have been a number of security issues lately that only affected XP, not Vista or 7. Yes XP is still getting updates but that doesn't it make it more secure than Vista/7, it just isn't. To say otherwise is absurd, especially for someone calling themselves a security expert.

he never said it was more secure than Vista or 7

[Skyfrog]

he never said it was more secure than Vista or 7

It's not just as secure either.

[Dot Matrix]

Get a clue you guys. It's one of the best security podcasts on the internet. Who cares if he is running XP and Firefox 3.6 (By the way he did upgrade firefox). They are all still receiving security updates. It's just his choice. Just because he chooses to do so doesn't make him any less of a security expert.

No. Firefox 3.6 went extinct back in April.

[+Warwagon MVC]

No. Firefox 3.6 went extinct back in April.

Which is why he has moved to a newer version.

[Fraud OS 11]

Wrong place to ask the question. The fanboys will tell you unbelievable stories. :p

[Dot Matrix]

Wrong place to ask the question. The fanboys will tell you unbelievable stories. :p

We all know you love XP, but it's time to take off those XP-colored glasses, even the most hardened Windows users will tell you that XP was a security nightmare, and in some ways, still is.

[gawicks]

But they can't really change much without breaking all of the legacy stuff. So they're limited in what they're able to do. And you could argue that they're sort of running out of things to do at this point. So first of all, looking back at all the patches we've discussed in the last year, nothing is XP only. I can't think of anything that only affected XP.

I disagree most of the security features added to Vista such as DEP / UAC broke a lot of software ; mostly the badly written software which made assumptions about things like Admin access and executing out of the data region . and Microsoft had to do a lot of plumbing to get these older software to work . Compatibility headaches were a major issue in Vista surely this guy is ignoring the fact that Microsoft was indeed willing to break compatibility over security .