A Desktop Operating System Security Report Card

A prominent security firm says that the security features of both Windows 7 and Mac OS aren't quite up to snuff.

The most recent Security Threat Report from Sophos Inc. addresses a wide range of security issues: spam, malware, social networking, data loss, data encryption, and Mac exploits -- and every combination thereof.

It also has a mostly promising take on Windows 7 and what it might mean for the future of Windows security. Sophos researchers conclude that Windows 7 could achieve in practice what Windows Vista hoped to achieve in theory.

Exhibit A, according to Sophos researchers, is Windows 7's streamlined User Account Control (UAC) implementation. Microsoft Corp. made much of Windows 7's revamped UAC, claiming that it achieves a less-onerous UAC experience. In practice, Sophos concludes, that's largely the case -- although UAC still isn't quite the home run Microsoft made it out to be.

This isn't necessarily a problem with UAC, either: it's rather a function of Microsoft's promising more than it can realistically deliver. "Microsoft hopes that this will reduce users' reflex response to simply click on anything to make popups go away. Although a clear improvement, the UAC still places a great deal of responsibility for securing systems on untrained end users," the Sophos report concludes.

Sophos also flags Windows 7's disk-level encryption feature ("BitLocker"), which is still a premium-only option. For this reason, the bulk of Windows 7 systems are still at risk for data loss.

Sophos says Windows 7's improved firewall is almost certainly a winner, but its scope (or usefulness) is largely confined to home users who typically lack "the gumption to source and manage their own firewall." In the enterprise, which is one environment in which Microsoft hopes that Windows 7 will vastly improve upon the performance of its predecessor (see http://redmondmag.com/articles/2009/11/03/windows-7-enterprise-game-changer.aspx), the firewall has in some cases proven to be a drawback. "Corporate security admins may find the learning curve of a new style of group management a little steep compared to tried-and-trusted third-party methods applicable across multi-platform networks," the Sophos report concludes.

Nor has Microsoft tackled a long-standing complaint of the Windows security community: its decision to hide file extensions -- .EXE, .DOC, or .AVI, for example -- by default. For this reason, Sophos researchers point out, even users who have a basic grasp of system security best practices -- such as, for example, not blindly double-clicking on unknown or untrusted .EXE files -- can fall prey to not-so-clever malware attacks.

"This has been a problem for many years, and many security experts have called on Microsoft to fix it. The default behavior allows malware writers to disguise executables as files such as FriendlyPicture.jpeg.exe -- with the .EXE part invisible to most users," they write.

That being said, Sophos mostly gives Windows 7 a passing grade.

A Mac Minefield

Its take on Apple Inc.'s Mac platform is slightly less positive. This isn't necessarily (or even mostly) Apple's fault, however.

The problem, Sophos suggests, lies with Mac users, who derive a false -- perhaps even naïve -- sense of security from a Mac platform that (with only about 10 percent of the desktop market) comprises a far smaller target than its higher-profile Windows competitor.

The ugly truth, Sophos researchers stress, is that Mac exploits can and do happen; more to the point, the events of 2009 -- and the release of Snow Leopard, in particular -- highlighted several of the vectors by means of which Macs can and will fall prey to malware attacks.

The Sophos team highlighted a total of nine prominent attacks -- including the emergence of an e-mail worm (OSX/Tored) that aimed to create the Internet's first (or most visible) botnet -- that last year frustrated Mac users. Chief among these was a non-Mac-OS vulnerability in Adobe Inc.'s Flash Player software.

"With the release of Snow Leopard, the need for patching software and keeping up to date with the latest vulnerabilities emerged. The Snow Leopard build included a version of Adobe's Flash Player software that contained a known vulnerability, and one that had been previously patched by Adobe," the Sophos report indicates.

Sophos claims that the use of anti-virus and malware technology could contain (if not eliminate) a good number of Mac OS exploits. It's something of a tendentious claim, of course, given the company's line of Mac-based malware and anti-virus software offerings.

Nevertheless, it cites the results of a mid-2009 survey (conducted by Sophos itself) that paint a dismal picture of security preparedness among Mac users. According to Sophos, almost 70 percent of Mac systems aren't running anti-virus software. Yes, Snow Leopard ships with a new anti-Trojan/anti-malware feature (which Sophos and other researchers dub, per its file name, XProtect), but this feature relies on the use of the com.apple.quarantine extended attribute, which invokes a facility (Launch Services) that scans a file before it can be executed.

The rub, of course, is that not all applications use the com.apple.quarantine extended attribute. In other words, writes Paul Baccas on his Sophos security blog, it's possible -- even trivial -- to execute an application without invoking XProtect.

"All of this [Mac OS] malware relies heavily on social engineering and hammers home the message to Mac users that they cannot afford to depend on their operating system's reputation for safety. Anyone can be tricked by subtle scams, and running quality, up-to-date anti-malware software is by far the safest option," the Sophos report points out.

comments powered by Disqus