Experts agree that Windows 7 has enhanced security to ward off attacks on vulnerabilities in old software. But what if a money-minded online scammer can persuade you to download malware onto your PC?
"Windows 7 is more secure, and upgrading to it is a big improvement," says Chester Wisniewski, a senior security advisor with software-maker Sophos. "But it's not going to stop malware in its tracks."
Exploits take a hit
Digital crooks generally use two tactics to install malware on a PC. Exploits often take the form of a snippet of attack code hidden on a web page, often a hacked-but-otherwise-benign site. When you browse the page, the exploit hunts for software flaws in Windows or in third party programs such as Adobe Flash or QuickTime. If it finds one, the exploit may surreptitiously install malware without any hint of the attack.
In contrast, social engineering attacks try to trick you into downloading and installing bot malware that poses as a useful program or video. Some attacks combine tactics, as when a scammer sends an email message encouraging you to open an attached PDF file, only to trigger an exploit buried in the file that then hunts for a flaw in Adobe Reader.
Security upgrades in Windows 7 could help prevent many attacks that target software flaws. ActiveX attacks, once the bane of Internet Explorer users, may "pretty much disappear" due to IE 8's Protected Mode, says HD Moore, chief security officer at Rapid7 and creator of the Metasploit testing tool.
The arcane sounding Address Space Layer Randomisation makes it harder for crooks to find a vulnerability for a running program in your computer's memory. The related Data Execution Prevention feature attempts to prohibit an attack from taking advantage of any flaw that it may discover.
"These two, in particular, could have a very large impact," says Wisniewski. Still, though ASLR and DEP were expanded to protect more programs in Windows 7 than in Vista, they don't cover all applications.
Vista safer than XP?
For a sense of what that impact might be, we can look at how Vista fared against malware. Microsoft's latest Security Intelligence Report covers the first half of 2009, prior to Windows 7's release. It's based on data from the Malicious Software Removal Tool, which Microsoft distributes via Automatic Updates to fight common malware infections. According to that data, the infection rate for an up to date Vista computer was 62 percent lower than that for an up to date XP system.
It's possible, of course, that Vista users are technologically savvier on average, and so less likely to fall victim to malware. The sample sizes for XP and Vista, which Microsoft didn't include in the report, might skew the statistics, as well.
But Sophos's Wisniewski thinks that ASLR and DEP are factors, too. And since those features are expanded in Windows 7, there's reason to hope they'll continue to be effective.
"I don't see this going away anytime soon," says Moore. He notes that there are plenty of ways crooks can and likely will continue to ply their evil trade against the new OS. But "it does raise the bar," Moore says.
Hacking people, not programs
Exploit-based attacks may be harder to pull off against Windows 7, but social engineering attacks may be as dangerous as ever. And the theoretically less annoying User Account Control does little to disable poisoned downloads.
In October, Sophos ran a test to see how Windows 7 and UAC would handle malware. First, the testers grabbed the first ten samples of malicious software that came into their lab. They then ran those samples on a fresh Windows 7 machine with UAC at its default settings, and with no antivirus installed.
Two samples couldn't run on Windows 7 at all. But at its default setting, UAC blocked only one sample, leaving seven pieces of malware that loaded right up.
Sophos's test highlights two points. First, Wisniewski and others say, UAC isn't designed to block malware as much as it is to encourage programmers to write software that doesn't require special privileges, so you shouldn't count on it for protection.
Second, if a bad guy tricks you into downloading a Trojan horse, ASLR and DEP don't matter. IE 8's SmartScreen filter and similar features in other browsers might block known nasties, but the malware universe is bigger than that.
Social engineering ruses include using a hijacked social network account to send malware lures to friends of the owner, sending a link to a supposed video taken of a friend, and hiding a poisoned URL in a shortened link of the type commonly used on Twitter.
Toss in other tried-and-true scams such as videos that instruct you to install a codec file (but instead lead you to a malware download), and phony documents attached to e-mail messages that appear to come from coworkers, and it becomes clear why Windows 7 users can't let their guard down.