Though its usability has received mixed reviews in the early going, security experts at several security firms are heralding Windows 8, Microsoft's new endpoint platform, as the safest operating system to date.
The software giant debuted its new OS Oct. 26, designing Windows 8 as a one-size-fits-all client computing platform not only for desktop and notebook PCs, but also for the smartphone, tablet and hybrid mobile device markets, where it serves as a competitive salvo against Apple Inc.'s iOS and Google Inc.'s Android platform.
The OS represents a dramatic departure for Windows, abandoning its traditional start menu in favor of a graphic-centric user interface based on tiles. Windows 8 is intended to be more intuitive and work especially well on Microsoft's new line of Surface tablets, but early adopters and test users have been only lukewarm on it, noting that it has a steep learning curve. Still, that isn't stopping security vendors from praising its security.
"Windows 8 is the most secure operating system on the market today," said Gunter Ollmann, vice president of research at Atlanta-based Damballa Inc.
Security analysts note operating systems tend to improve with each new iteration, and Windows 8 continues that forward momentum from a security perspective. Ollmann said that while the cost of deployment and compatibility with other important software will be different for each organization, enterprise IT teams considering an update from earlier Windows versions would benefit from the security enhancements in Windows 8.
All versions of Windows 8 will include Secure Boot, a feature of the Unified Extensible Firmware Interface (UEFI), which replaces the standard BIOS as the firmware interface for PCs. Secure Boot will make Windows 8 resistant to low-level malware like rootkits. Paul Henry, security and forensic analyst at Lumension Security Inc., in Scottsdale, Ariz., said Secure Boot is a good antimalware measure.
Ollmann praised the updated version of Internet Explorer that comes with Windows 8, saying, "IE10 is much more advanced from a security context."
Internet Explorer 10 (IE10) now has an enhanced protection mode that ensures the browser has read/write access only when essential. When this mode is turned on, each browser tab will run in Microsoft's App Container sandbox, limiting its privileges. IE's InPrivate browsing has been expanded to prevent storing a user's browser history per-tab rather than per-session. Its ForceASLR feature helps prevent code that has been injected into a running application from executing, by randomizing the location of all modules loaded into memory by the browser. IE10 will also limit the use of plug-ins like Java and Adobe Flash Player.
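For administrators who want to know which browser add-on modules depend on ForceASLR rather than opting in to randomization themselves, the following added example (not from the article or from Microsoft) reads the relevant PE header flags. The flag values come from the PE/COFF specification; the function names, category labels and sample bytes are constructed for illustration.

```python
import struct

# Header bits defined in the PE/COFF specification
DYNAMIC_BASE = 0x0040     # DllCharacteristics: image opted in to ASLR
HIGH_ENTROPY_VA = 0x0020  # DllCharacteristics: accepts 64-bit high-entropy ASLR
RELOCS_STRIPPED = 0x0001  # File Characteristics: no base relocations present

def aslr_status(image: bytes) -> dict:
    """Return the ASLR-related header flags of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if pe_off + 96 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (file_flags,) = struct.unpack_from("<H", image, pe_off + 22)
    opt = pe_off + 24                                        # optional header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (dll_flags,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "dynamic_base": bool(dll_flags & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_flags & HIGH_ENTROPY_VA),
        "relocatable": not (file_flags & RELOCS_STRIPPED),
    }

def classify(image: bytes) -> str:
    """Label a module by how (or whether) its load address can be randomized."""
    s = aslr_status(image)
    if s["dynamic_base"]:
        return "opted-in"               # randomized in any process
    if s["relocatable"]:
        return "relies-on-forced-aslr"  # randomized only if the host forces it
    return "fixed-address"              # no relocations, so it cannot be rebased

def sample_image(file_flags: int, dll_flags: int, magic: int = 0x20B) -> bytes:
    """Constructed header-only PE stub for the demo; not a loadable binary."""
    img = bytearray(0x40 + 96)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 22, file_flags)
    struct.pack_into("<H", img, 0x40 + 24, magic)
    struct.pack_into("<H", img, 0x40 + 24 + 70, dll_flags)
    return bytes(img)

if __name__ == "__main__":
    for name, img in [("modern.dll", sample_image(0x2002, 0x0060)),
                      ("legacy.dll", sample_image(0x2002, 0x0000)),
                      ("stripped.dll", sample_image(0x2003, 0x0000, 0x10B))]:
        print(f"{name:14} {classify(img)}")
```

To audit real files, pass the contents of each module on disk to `classify()`; modules reported as `fixed-address` are the ones worth replacing or rebuilding.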
Wolfgang Kandek, CTO at Redwood City, Calif.-based Qualys Inc., agreed that IT teams must assess the effect a change would have on productivity before switching. He also recommended an upgrade for companies still using Windows XP.
"XP is losing support in July and will become an increasing liability in terms of security soon after. The options are to migrate to Windows 7, which is by now a very well-known quantity with plenty of support, or to opt for the newer Windows 8 that has a bit more uncertainty but promises a longer lifecycle," Kandek said in an email interview with SearchSecurity.com.
Windows 8 is not invulnerable to attack. Chaouki Bekrar, CEO and head of research at Vupen Security, announced Oct. 30 that researchers at his company had developed a zero-day exploit for Windows 8 and Internet Explorer 10, after saying earlier in October they would release the Windows 8 zero-day exploit on the same day the new OS debuted. Vupen, a French company, will sell the exploit kit to its customers, mostly government agencies and corporations in finance, technology and manufacturing.
Vupen has not reached out to Microsoft with details about the vulnerability, and some in the security industry believe that Vupen's dealings are unethical. Henry said that in the security community, researchers who find vulnerabilities typically give the details to the affected software company first.
"Most security researchers do it for the greater good," Henry said. "Vupen does it for profit."
Ollmann, however, believes there are different business models in the security world, and points out that Vupen is not the only company that profits from the sale of exploit kits.
According to Ollmann, Vupen had to chain multiple vulnerabilities together to create the exploit. In the long run, that's a good sign for Microsoft because it suggests it will be difficult for the average hacker to replicate the exploit.
The security vendors agreed that it is no surprise an exploit was ready so quickly, since Microsoft made the earliest version of Windows 8 available more than a year ago. In addition, coding remains a flawed art. When a programmer writes X number of lines of code, Henry said, there will be X number of mistakes.
"No one writes bulletproof code," Henry said.