Microsoft’s latest desktop operating system release has been applauded as the most secure Windows ever – incorporating features including anti-malware out of the box, boot protection against rootkits and support for self-encrypting drives. So, does this mean we no longer need to think about Windows desktop security?
That the answer is (of course) “no” should not be taken as a comment on the strides Microsoft has made. Rather, it is more an indicator of where the boundaries now lie. To state the most obvious point first, no operating system can ever be 100% secure – indeed, security company Vupen claims to have already shown as much with this release.
Even if an operating system proves resistant to attack, the bad guys know that the weakest link is the ‘human layer’ – that is to say, the people who use computers, rather than the computers themselves. Not all technology users are technology-savvy, and many of us are easily duped – as PT Barnum is reputed to have said, “There’s a sucker born every minute.”
This factor works in combination with the increasingly interactive Web, as illustrated by the increase in social networking exploits (which can be as simple as a Twitter message reading “Look at what people are saying about you” with a link to a malicious Web site).
A third but no less important complication concerns the sheer volume of applications, utilities and device drivers already written for Windows, which nobody will want to simply throw away. While Windows 8 incorporates a set of ‘sandbox’ APIs for new software (including that written for ARM-based devices), desktop versions of the OS also offer backwards compatibility for legacy licenses. Microsoft is between a rock and a hard place on this one – Windows has to be able to support older software, but this also leaves the door open for exploits.
All of which means that, while the occasional smaller organisation may have the luxury of starting with a clean slate and reducing the potential for security breaches, the rest of us will not be so lucky. And even if we could dispense with our older programs, the potential for all-too-human error means that nobody should be letting their guard down any time soon.