Windows 7 may be secure, but are Windows users safe?

With the move to targeted attacks, Microsoft users have security problems ahead

Windows 7 users got a nice surprise on Tuesday when Microsoft released its first set of security patches since unveiling the new operating system last month. Of the 15 bugs patched, none affected Windows 7.

When Microsoft launched Windows 7, it was billed as the company's most secure release ever -- the culmination of a nine-year "Trustworthy Computing" effort to shore up a product line that had been riddled with major security holes.

But does stress-tested software really matter to Microsoft's customers, seemingly besieged by more online attacks than ever before?

Microsoft had years to improve Windows XP, but the Conficker worm, which began spreading last year, is now thought to have infected more than 7 million Windows machines. And for every Windows bug that gets squashed, hackers seem to find new problems in the software that runs on top of Microsoft's operating system -- Flash Player, QuickTime and Java.

"Windows 7 is definitely by far the most secure system they've shipped," said Dave Aitel, chief technology officer with Immunity, a security company that spends a lot of time finding the latest software bugs. "I guess the question that everybody is asking right now is, 'Is this enough?'"

The man behind Microsoft's Trustworthy Computing initiative, Chief Research and Strategy Officer Craig Mundie, says the industry still has work to do. “We’ve made huge progress with respect to security around the core OS technology in the Windows PC," he said in a recent interview. "But as we did that and the 'Net became more prevalent, the bad guys continued to evolve their attacks."

This is Microsoft's conundrum. Windows may be safer, but cyber-criminals still have plenty of other places to attack. And when you can hit hundreds of millions of users with a single attack, why change the game plan? So most of the worst attacks today still target PCs running Windows, whether the OS itself is secure or not.

Take spear-phishing. Attackers are getting so good at sending these highly customized e-mail messages, complete with malicious attachments, that the underlying security of Windows is almost irrelevant.

"The problem with the targeted attacks is that there's so much money that they can actually trump the security," said Alan Paller, director of research for the SANS Institute, a security training company. "The amount of money that governments and large industrial crime groups have to spend is enough to trump any of the defenses we have."

In a report released last month for a congressional advisory panel, Northrop Grumman analysts detailed exactly how this happens. Looking at known attacks, the report found that targets are carefully selected, and then sent very believable e-mails with maliciously encoded attachments that exploit bugs in a product such as Adobe Reader -- something that's outside of Microsoft's control. The victim opens the .pdf and suddenly attackers have a foothold on the network.

Microsoft customers like Paul Melson think there will be much broader enterprise adoption of Windows 7 than there was with Vista, which was largely ignored by corporate users. But while Microsoft has its own house in order, security is still a problem on the Windows platform, according to Melson, a manager of information security with Priority Health.

"As long as third-party patching continues to be a challenge, client security will continue to be at the forefront of information security defense and incident response," he said via e-mail. "Windows 7 won't significantly reduce client-side attacks that lead to compromises, but I don't think that Microsoft should bear the burden for it, either."

Microsoft thinks it can go a long way toward solving this type of problem by improving the way people identify each other on the Internet. For the past few years it has promoted an idea it calls "end-to-end" trust, saying it wants to develop better identification mechanisms for people, computers and software on the Internet.

Microsoft has taken its first step in this direction with its Windows CardSpace identity management software. It could help give people a better sense of who they're really dealing with on the Internet, but whether the rest of the industry will buy into this vision remains to be seen.

"This is the next phase in the battle for trustworthy computing and that is still getting ramped up," Mundie said. "Clearly there's always more to do."

(Nancy Gohring in Seattle contributed to this story.)

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityWindowsWindows 7

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?