Corporate IT departments should be pleased with new security measures in Windows 7, but consumers are still at risk of getting hit by malware despite changes in the User Account Control (UAC) feature designed to help people be smarter when using applications, security experts say.
Probably the most talked about security change in Windows 7, scheduled for public release on Thursday, are modifications to the UAC, which was introduced in Vista. The UAC was designed to prevent unauthorized execution of code by displaying a pop-up warning every time a change was being made to the system, whether by the operating system or a third-party application.
Vista users complained that they were bombarded with the warnings and security experts speculated that as a result, many people were just ignoring them or turning them off.
With Windows 7, users can choose how often they want to be notified and the default is set to notify only when a third-party application is making a change, as well as itself.
However, an attacker could use code injection and exploit several components in Windows 7 that auto-elevate to bypass UAC and get full access to the machine, experts have warned.
A Sophos white paper from September says: "Another issue with these default (UAC) settings is that malware could bypass the system by injecting itself into a trusted application and running from there. Indeed, some malware has been observed spoofing UAC-style prompts to obtain user permission to operate unimpeded."
Chester Wisniewski, a senior security adviser at Sophos, reiterated points made in the white paper and said Microsoft should also drop its practice of hiding file extensions by default, which makes it easy for users to be duped by malware.
"The changes to Windows 7 UAC have made it easy for malware writers to turn UAC off entirely without the user's knowledge. Microsoft recommends keeping UAC turned on and yet allows malware to turn it off without the user's knowledge," writes Ray Dickenson, chief technology officer at Authentium, in a recent blog post.
"If malware is on the computer, hasn't the game already been lost? Why worry about UAC if a password-stealing Trojan is on your computer?" Dickenson writes. "The answer lies in the difficulties inherent in identifying a program as goodware or malware."
Jon DeVaan, senior vice president of the Windows Core Operating System Division, attempted to address the concerns in a blog post from February: "We know that the recent feedback does not represent a security vulnerability because malicious software would already need to be running on the system. We know that Windows 7 and IE8 together provide improved protection for users to prevent malware from making it onto their machines... and we know that UAC is not 100 percent effective at stopping malware once it is running."
In a study of two groups of "regular people" testers, one group using the default setting and the other using the "Always Notify" setting, there was "no meaningful difference in malware infestation rates between the two groups," DeVaan wrote.
However, that was a limited test and it doesn't rule out the possibility that malware will find its way onto systems and try to elevate privileges.
David Sancho, a senior antivirus researcher at Trend Micro, noted that while the UAC changes in Windows 7 will improve the user experience by cutting back on the number of alerts, the operating system will be responsible for making more decisions about system changes, which won't always be good for the user.
Going forward, the real test of security in the near future is the browser because so many attacks and malware infections are now coming from the Web, he added.
"Internet Explorer 8 is lagging behind the rest of the browser vendors," Sancho said. "I see that as a pain point in the future...that can hold up the security of the overall system."
Asked to comment on the concerns, a Microsoft spokesman said in an e-mail: "Windows 7 is not designed to be a security boundary that prevents malware already on the system from making changes to a user's system. What it is designed to do is make users running with administrative rights, and software developers, more aware when software is attempting to perform an operation that requires full administrative rights...UAC is a security feature only in so far as it helps an increasing number of home and corporate users run in standard user accounts."
For enterprises, Windows 7 offers several interesting security boosts, experts said.
First off, the new operating system addresses an issue that has created headaches for administrators at corporations affected by Conficker and even the --viruses that spread via USB drive. With Windows 7, most USB drives will not be able to automatically launch a program using a Windows , also known as AutoPlay.
However, some specialized USB flash drives present themselves as CD or DVD drives to the operating system and will still be able to use AutoRun. Because of that, Patrik Runald, senior manager of security research at Websense, said Microsoft should disable the feature entirely. "I don't think they went far enough," he wrote in an e-mail.
And Windows 7 offers BitLocker to Go encryption support for USB drives for the Ultimate and Enterprise editions. It protects the data in case the USB drive is lost or stolen.
The operating system also features an enhanced security controls interface called Windows Action Center that provides more "actionable advice around how to work with firewalls" and other security issues, Wisniewski said.
To see screen shots from Windows Action Center visit this.
Meanwhile, several security vendors said that working with Microsoft on product support went well for Windows 7.
For example, developers at Kaspersky Lab found it easier to provide support for Windows 7 than for previous versions of Windows because of the early availability of the beta version and the fact that there were relatively minor changes made in the operating system functionality during the beta testing process. "Microsoft did everything to help developers optimize their products for Windows 7," Kaspersky said in a statement.
Correction at 9:02 a.m. PDT: Patrik Runald's name was initially spelled incorrectly in this post.