Windows 7 Raises Security Bar, Experts Say
So far, Windows 7 has left the gate with a strong start. Microsoft CEO Steve Ballmer told analysts, partners and media attending the Windows 7 release party in New York that, so far, 45,000 retailers are currently selling the new operating system, and he said he expected 300 million Windows-based PCs to be sold this year.
Despite the promising launch, Microsoft still faces a slew of hurdles with Windows 7, not the least of which were the poor performance and dwindling adoption rates of its predecessor, Vista, released in 2007, which critics disparaged as clunky, slow and overburdened with unnecessary features.
However, the Windows 7 release has given security experts some reason to hope. While Windows 7 is still subject to vulnerabilities and exploits, its simplicity and ease of use might mean that users will be generally more secure on their PCs, allowing security vendors to further shift their security strategies from OS exploits to social engineering and Web-based attacks.
"All of the extra stuff that people didn't like about Vista is culled out of [Windows 7]," said Sean Sullivan, security adviser for North American Labs at F-Secure. "We see it as a very good improvement."
Picking Up Where Vista Left Off
Above all else, Microsoft's new OS differentiates itself by touting ease of use and increased compatibility that was sorely lacking in its predecessor. Like Vista, Windows 7 touts beefed-up security features, but most agree that reasons for its eventual adoption will boil down to usability and simplicity, as opposed to security.
"It's less resource-intensive, [it's] quick starting, things take less time, it's light and clean -- that ultimately is where the buzz of a good release is coming from," said Eric Voskuil, CTO of Beyond Trust. "People don't dig too deep into the security issues."
But ease of use coupled with increased security could make Windows 7 an easier transition for many users than the migration from XP to Vista, said Voskuil, adding that he favors the Windows 7 over Snow Leopard, Apple's most recent Mac OS X upgrade.
Sullivan said that while Vista might have raised the bar by enhancing security features and hardening the operating system against a maelstrom of new threats, its numerous, unnecessary admin-level features left it bloated and riddled with compatibility issues. Plus, Vista's backward compatibility with XP also enabled users to run XP apps on the new operating system. As a result, developers had little incentive to write for XP and subsequently many users never made the transition, he said. "There was no need to upgrade to Vista because they never cut that cord. Why develop for Vista when you can develop for XP on Vista?"
Sullivan added that the Windows 7 upgrade should ultimately compel Microsoft to cut ties with legacy support to protect the new OS against old attacks exploiting old security vulnerabilities.
"Microsoft has provided backward compatibility for legacy programs, but with backward compatibility comes backward vulnerabilities," he said. "Microsoft probably wants to phase out and reduce legacy support as much as possible."
Meanwhile, Windows 7 does retain much of the same security enhancements as Vista due to the fact that both operating systems share much of the same code.
But where Vista went wrong was with what experts call "visible security" -- providing admin-level security to ordinary end users, which resulted in security prompts that came too frequently, in duplicate and at odd intervals. Those prompts ultimately compelled users to turn off security mechanisms altogether.
"There were not clear boundaries between admin and non-admin stuff," Voskuil said. "Windows 7 had an objective to reduce the number of prompts, but maintain the security model at the same time."
Windows 7 addressed that concern by adding a control model in which users can select the level of prompting -- the highest level would result in high level of security prompts as in Vista, while lower levels mitigate OS interference but reduce overall security.
"It's a reduction in the security model. You have the lowest level and for all intents and purposes, you have a secure model," he said. "Now they have two options in between."
Security Is Still An Issue
Even before its launch, Microsoft already released a total of three patches, plugging an array of Windows 7 security holes. Among the security glitches, Microsoft repaired two zero-day vulnerabilities affecting both Vista and the upcoming Windows 7 platform in the Server Message Block service, which occurred in the way that version 2 of the protocol parses SMB requests.
And other vulnerabilities exist. Voskuil said that the security slider on the lower levels creates a hole in which attackers can inject a rootkit or other types of malicious code on a user's machine.
"This is a critical vulnerability," he said. "The only way to patch it is to move that slider up to the [highest security] bar. It's an interesting position to be in."
But experts say that they don't expect to see lots more exploits coming down the pike in the near future. And despite Windows 7 enhanced security, experts predict that security sales won't necessarily decline as the new OS becomes more widely adopted.
So far, major security vendors, such as McAfee and Kaspersky Lab, have already released security products that are fully compatible with Windows 7, while experts maintain that users still are required to install a third-party security product to protect their system against threats.
Sullivan said that attackers could turn to phishing and Web attacks, as Microsoft continually hardens its operating system -- a trend which security experts contend has been reaching a crescendo. And as OS vulnerability exploits continue their downward trend, security vendors will likely focus their efforts on preventing attacks such as drive-by downloads, phishing attacks and other social engineering, as well as securing data from both external and internal threats.
But it's just a matter of time before attackers rise to the occasion and find weaknesses in Windows 7 too.
"[Windows 7] will force the guys that we're fighting against to work harder. They're still going to find vulnerabilities and still do social engineering, but it will limit their toolbox," Sullivan said."From that point of view, it will make our lives easier."