Windows 8 To Offer Better Protection Against Malware
Windows 8 has been designed to better protect users against malicious software. Microsoft has made enhancements to mitigation features, improvements to Windows Defender for real-time protection and has applied URL and application reputation features to the upcoming operating system.
With Windows XP SP2, Microsoft began creating defenses called mitigations that make it difficult to develop reliable exploits for security vulnerabilities. Each subsequent version of Windows has continued to expand and improve on these mitigations, because a single mitigation feature can break an entire class of exploits. Windows 8 includes mitigation enhancements that further reduce the likelihood of common attacks. Some of these improvements include:
- Address Space Layout Randomization (ASLR). ASLR was first introduced in Windows Vista and works by randomly shuffling the location of most code and data in memory to block assumptions that the code and data are at the same address on all PCs. In Windows 8, Microsoft extended ASLR's protection to more parts of Windows and introduced enhancements such as increased randomization that will break many known techniques for circumventing ASLR.
- Windows kernel. In Windows 8, Microsoft brings many of the mitigations to the Windows kernel that previously only applied to user-mode applications. These will help improve protection against some of the most common types of threats. For example, Microsoft now prevents user-mode processes from allocating the low 64K of process memory, which prevents a whole class of kernel-mode NULL dereference vulnerabilities from being exploited. The company also added integrity checks to the kernel pool memory allocator to mitigate kernel pool corruption attacks.
- Windows heap. Applications get dynamically allocated memory from the Windows user-mode heap. Major redesign of the Windows 8 heap adds protection in the form of new integrity checks to help defend against many exploit techniques. In addition, the Windows heap now randomizes the order of allocations so that exploits cannot depend on the predictable placement of objects - the same principle that makes ASLR successful. Microsoft also added guard pages to certain types of heap allocations, which helps prevent exploits that rely on overrunning the heap.
- Internet Explorer. "Use-after-free" vulnerabilities represented nearly 75% of the vulnerabilities reported in Internet Explorer over the last two years. For Windows 8, Microsoft implemented guards in Internet Explorer to prevent an attacker from crafting an invalid virtual function table, making these attacks more difficult. Internet Explorer will also take full advantage of the ASLR improvements provided by Windows 8.
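Mitigations such as ASLR only protect images that opt into them via the PE header's DllCharacteristics field, so a useful defender check is to confirm that the binaries you deploy do. The following is an added example, not code from the article or from Microsoft; the flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants, and fake_pe builds a constructed header-only buffer so the parser can be exercised offline.

```python
# Added example: report which exploit-mitigation flags a PE image opts into.
import struct

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR (Windows 8+)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    = 0x0040  # image may be relocated at load (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT       = 0x0100  # DEP/NX compatible
IMAGE_DLLCHARACTERISTICS_NO_SEH          = 0x0400  # image uses no structured exception handlers

def pe_mitigations(data: bytes) -> dict:
    """Parse the DOS, PE and optional headers in `data` and return the mitigation opt-ins."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # optional header follows the 4-byte signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        # High-entropy VA is only meaningful for 64-bit (PE32+) images.
        "high_entropy_va": bool(dllchars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }

def fake_pe(dllchars: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only image for offline testing; it is not a loadable executable."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 4 + 20
    struct.pack_into("<H", hdr, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", hdr, opt + 70, dllchars)
    return bytes(hdr)

def pe_file_mitigations(path: str) -> dict:
    """Convenience wrapper for a file on disk (hypothetical usage, not an API of Windows)."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read())

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, pe_file_mitigations(p))
```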
If you don't have another solution installed, Windows 8 will provide protection with a significantly improved version of Windows Defender.
Improved protection for all types of malware. The improvements to Windows Defender will help protect users from all types of malware, including viruses, worms, bots and rootkits by using the complete set of malware signatures from the Microsoft Malware Protection Center, which Windows Update will deliver regularly along with the latest Microsoft antimalware engine. This expanded set of signatures is an improvement over previous versions, which only included signatures for spyware, adware, and potentially unwanted software.
In addition, Windows Defender will now provide you with real-time detection and protection from malware threats using a file system filter, and will interface with Windows secured boot, another new Windows 8 protection feature.
When you use a PC that supports UEFI-based Secure Boot (defined in the UEFI 2.3.1 specification), Windows secured boot will help ensure that all firmware and firmware updates are secure, and that the entire Windows boot path up to the antimalware driver has not been tampered with. It does this by loading only properly signed and validated code in the boot path. This helps ensure that malicious code can't load during boot or resume, and helps to protect you against boot sector and boot loader viruses, as well as bootkit and rootkit malware that try to load as drivers.
Microsoft has designed Windows Defender to be unobtrusive for most daily usage, and will notify you only when you need to perform an action, or critical information demands your attention. Windows Defender will also use the new Windows 8 maintenance scheduler to limit interruptions.
Traditional antimalware technologies are well known for impacting system performance. It's not uncommon that running antimalware software doubles the amount of time required for core scenarios like file copy and boot. Windows Defender dramatically improves performance on all key scenarios compared to common antimalware solutions on Windows 7, while maintaining strong protection. For example, Windows Defender with its full protection functionality enabled adds only 4% to boot time, while reducing CPU time during boot by 75%, disk I/O by around 50MB, and peak working set by around 100MB.
Traditional antimalware software plays a critical role in defending and remediating attacks. However, reputation-based technologies can help provide effective protection against social engineering attacks before traditional antimalware signatures are available, especially against malware that pretends to be legitimate software programs.
Windows 8 will help protect you with reputation-based technologies when launching applications as well as browsing with Internet Explorer.
Since its release, the SmartScreen filter has used URL reputation to help protect Internet Explorer customers from more than 1.5 billion attempted malware attacks and over 150 million attempted phishing attacks. Application reputation, a new feature added to SmartScreen in Internet Explorer 9, provides an additional layer of defense to help you make a safer decision when URL reputation and traditional antimalware aren't enough to catch the attack.
Windows now uses SmartScreen to perform an application reputation check the first time you launch applications that come from the Internet.
In Windows 8, SmartScreen will only notify you when you run an application that has not yet established a reputation and therefore is a higher risk.
SmartScreen uses a marker placed on files at download time to trigger a reputation check. All major web browsers, and many mail clients and IM services, already add this marker, known as the "mark of the web," to downloaded files.
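On NTFS the "mark of the web" is stored in an alternate data stream named Zone.Identifier, whose INI-style body records the security zone the file came from. The following is an added example, not code from the article or from Microsoft: it parses a constructed stream body, reports whether a file marked this way would be subject to a reputation check (zone 3, Internet, or 4, Restricted), and returns None for a file that carries no mark at all, which is the case that matters to a defender because unmarked files are never checked.

```python
# Added example: read and interpret a file's Zone.Identifier stream (mark of the web).
import configparser
import os
from typing import Optional

# URLZONE values used in the ZoneId field (Internet Explorer security zones).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

def parse_zone_identifier(text: str) -> dict:
    """Parse the stream body, e.g. '[ZoneTransfer]\\r\\nZoneId=3\\r\\n...'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        raise ValueError("stream present but has no ZoneTransfer/ZoneId entry")
    zone = int(cp.get("ZoneTransfer", "ZoneId"))
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "Unknown (%d)" % zone),
        # Newer browsers also record where the file came from; older marks omit these.
        "referrer_url": cp.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        "host_url": cp.get("ZoneTransfer", "HostUrl", fallback=None),
        # Reputation checks are triggered for files marked Internet or Restricted sites.
        "reputation_check_expected": zone >= 3,
    }

def read_mark_of_the_web(path: str) -> Optional[dict]:
    """Return the parsed mark for `path`, or None if the file carries no Zone.Identifier stream.
    Windows addresses the stream as '<file>:Zone.Identifier'; on other systems this always
    reports None, since there is no such stream to open."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None

def audit_directory(directory: str) -> dict:
    """Map each regular file in `directory` to its mark (or None if unmarked)."""
    return {e.name: read_mark_of_the_web(e.path)
            for e in os.scandir(directory) if e.is_file()}

if __name__ == "__main__":
    import sys
    for name, mark in audit_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, "no mark of the web" if mark is None else mark)
```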