Leading up to Microsoft’s launch of the new Windows 8 operating system, there has been a lot of media chatter about what the new operating system means for security. Specifically, folks want to know whether users will be more secure on this new platform. Let’s examine more closely a few of the claims we’re hearing.
In response to an increasingly sophisticated threat landscape, Windows 8, like its predecessors (Windows 7, Vista, XP, and so on), raises the bar with new defenses against increasingly cunning and devious malware variants. But does this mean that systems running Windows 8 will be impervious to attack? No, I don’t think so. An analogy I like to use when thinking about malware is water. As water runs down the side of your house or from mountain to sea, it always follows the path of least resistance. If you block its current path, it quickly moves to the next easiest path. Block that and it again quickly finds another path, and so on. Malware is very similar. It naturally follows a path of least resistance. As one path becomes more resistant to attack, e.g. due to operating system improvements, the malware simply moves on to the next easiest path.
In this four-part blog series, I briefly review some of the myths we’ve heard about Windows 8 security improvements and point out where deficiencies lie. We believe security should still very much be a concern for anyone running the new Windows 8 OS.
Myth #1: Windows 8 cannot be successfully attacked.
I hear a lot of people these days saying that Windows 8 has raised the bar to make a machine running Windows 8 impervious to attack. The reality is that while it’s more difficult to attack, it is still vulnerable. A few points to support this opinion:
- Consider the new heap manager, an area that has often been attacked in the past. While it’s true it has been upgraded to block attacks that were previously successful against Windows 7 and earlier versions of the OS, the heap is still just one area among many where vulnerabilities might lie. The improved heap manager has no effect on vulnerabilities that do not rely on memory corruption, e.g. attacks like the popular CVE-2012-1723 (Oracle Java Applet Field Bytecode Verifier Cache Remote Code Execution) and CVE-2010-0840 (Trusted Methods Chaining Remote Code Execution), both of which were actually bugs in Oracle’s Java distribution and have been used by malware authors via exploit kits to infect unsuspecting users.
- A bigger nut to crack, though, is that of social-engineering attacks that don’t rely on vulnerabilities, known or unknown. Even Microsoft acknowledges that “Social-engineering attacks, like tricking a user into running a malicious program, are far more common than attacks on security vulnerabilities.” However, it doesn’t appear that Windows 8 adds any real new value toward protecting against social-engineering attacks beyond what’s already available in earlier versions of Windows. Not to mention the fact that the protection that is provided is only available if the user is running Internet Explorer and not the other increasingly popular browsers like Chrome and Firefox.
So as I see it, Windows 8 is still very much susceptible to malware. Stay tuned for more thoughts on Windows 8 security leading up to the general availability announcement next week.
Gerry Egan is Senior Director of Product Management, Norton by Symantec