Security company Sophos has tested Windows 7 RTM and reports that the latest version of Microsoft's client operating system was infected by 8 of the 10 malware samples it tried. The security outfit put a clean install of the gold edition of Windows 7, which reached store shelves worldwide on October 22nd, in the same arena as 10 samples of malicious code and found the operating system lacking when it came to protecting end users on its own. Sophos also pointed out that Windows 7's User Account Control, whether turned off completely or running with its default settings, did not stop the infections.
“We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft's claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7,” noted Chester Wisniewski, Senior Security Advisor.
We will not question the legitimacy of Sophos' claims or its motives for the exercise, but we will say that its testing methodology is far from, well, an actual testing methodology. The fact that one particular group of 10, and no more than 10, malware samples produced a high infection rate on Windows 7 does not justify the generalization that Windows 7 is vulnerable to 80% of the malicious code currently active. A sample that small carries a margin of error so wide that the true rate could plausibly be anywhere from about half to nearly all of the samples in circulation. Sophos should have tested a representative portion of its malware corpus, across the various families and types of malicious code, and only then drawn conclusions.
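To put a number on how little ten samples tell us, the following is an added example, written for this article and not code from Sophos or from any testing it performed. It computes a Wilson score interval for the observed 8 out of 10 and, for comparison, for the same 80% rate measured over 1,000 samples; the 95% confidence level, the comparison sample sizes and the 5-point target precision are our choices.

```python
"""Sampling uncertainty behind an "8 out of 10" headline.

Added example: the figures are illustrative, the 95% level and the
comparison sizes are our own choices, not Sophos' numbers.
"""
from math import sqrt

Z_95 = 1.959964  # two-sided 95% normal quantile


def wilson_interval(successes, trials, z=Z_95):
    """Return the Wilson score interval for a binomial proportion.

    Unlike the naive p +/- z*sqrt(p(1-p)/n) interval, Wilson behaves
    sensibly for small n and for proportions near 0 or 1.
    """
    if trials <= 0 or not 0 <= successes <= trials:
        raise ValueError("need 0 <= successes <= trials and trials > 0")
    p = successes / trials
    z2 = z * z
    denom = 1 + z2 / trials
    centre = (p + z2 / (2 * trials)) / denom
    half = z * sqrt(p * (1 - p) / trials + z2 / (4 * trials * trials)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def trials_for_half_width(p, max_half_width, z=Z_95):
    """Smallest sample size at which the Wilson half-width for an observed
    proportion p drops to max_half_width or below (linear search)."""
    n = 1
    z2 = z * z
    while True:
        half = z * sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / (1 + z2 / n)
        if half <= max_half_width:
            return n
        n += 1


def summarise(successes, trials):
    """Point estimate plus interval, as a dict that is easy to assert on."""
    lo, hi = wilson_interval(successes, trials)
    return {"point": successes / trials, "low": lo, "high": hi, "width": hi - lo}


if __name__ == "__main__":
    for k, n in ((8, 10), (800, 1000)):
        s = summarise(k, n)
        print(f"{k}/{n}: {s['point']:.0%} observed, "
              f"95% interval {s['low']:.1%} .. {s['high']:.1%} "
              f"(width {s['width']:.1%})")
    n_needed = trials_for_half_width(0.8, 0.05)
    print(f"samples needed for +/-5 points around 80%: {n_needed}")
```

With ten samples the interval runs from roughly 49% to 94%, so the data are just as consistent with "half of new malware runs on Windows 7" as with the "80%" figure; narrowing that to plus or minus five points takes a few hundred samples, not ten.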
“User Account Control did block one sample; however, its failure to block anything else just reinforces my warning prior to the Windows 7 launch that UAC's default configuration is not effective at protecting a PC from modern malware. Lesson learned? You still need to run anti-virus on Windows 7,” Wisniewski stated.
Malicious code that infected Windows 7
Just to be clear, Microsoft never said that Windows 7 did not need anti-virus products. Quite the contrary: the Redmond company has always stressed the need for its end users to run security solutions. It even released Microsoft Security Essentials 1.0, a basic but free anti-virus, for users who cannot afford, or simply do not want to buy, a full security suite.
Early adopters who followed the development of Windows Vista's successor know that the software giant made sure security products supported the OS as early as the Beta stage in January 2009.
“Windows 7 is no cure for the virus blues, so be sure to bring your protection when you boot up,” Wisniewski concludes. Yes, Windows 7 is not a panacea for security. But then the threat environment continues to expand, evolve and thrive despite all the antivirus products on offer from security companies, some of which are multi-million-dollar businesses built on the back of the Windows operating system.
And Wisniewski should know that UAC is not a security boundary; User Account Control, whether in Vista or in Windows 7, does not offer impenetrable protection. UAC is simply an added mitigation. Given sufficient time and effort it can be bypassed, like any other security mitigation, and it is precisely on those time and effort factors that Microsoft is betting. Building a perfect operating system is a pipe dream. Putting in place enough mitigations to deter attackers, by making it simply not worth their time and money to exploit Windows, is not only a realistic goal but also the strategy that made Windows Vista more secure than Windows XP.
UAC by itself is insufficient to stop attacks, but User Account Control is designed to work in concert with additional mitigations. Windows 7 does not rely on UAC as the first and only line of defense; it also offers Internet Explorer Protected Mode, Kernel Patch Protection, Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and so on.
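Since the whole dispute turns on what "default settings" means for UAC, here is an added example, written for this article rather than taken from Sophos or Microsoft, that decodes the three registry policy values behind the Windows 7 UAC slider and lists what each setting gives up. The value names, their location under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and their documented meanings are real; the sample configurations in the block are constructed, and the live read only works on a Windows host.

```python
"""Decode the UAC policy DWORDs that define the Windows 7 slider levels.

Added example, not code from the article, Sophos or Microsoft. The value
names and meanings are the documented UAC policy values; the sample
dictionaries under __main__ are constructed, not read from a real machine.
"""

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")

# Documented meanings of ConsentPromptBehaviorAdmin for members of Administrators.
ADMIN_BEHAVIOUR = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries only",
}


def describe_uac(values):
    """Map the policy DWORDs to the slider level and list weaknesses.

    `values` is a dict of registry value name -> DWORD. Missing values take
    the Windows 7 defaults (UAC on, behaviour 5, secure desktop on).
    """
    enable_lua = values.get("EnableLUA", 1)
    admin = values.get("ConsentPromptBehaviorAdmin", 5)
    secure = values.get("PromptOnSecureDesktop", 1)

    if enable_lua == 0:
        return {"level": "off", "admin_behaviour": None,
                "findings": ["EnableLUA=0: UAC is disabled, every process of an "
                             "administrator runs with the full token"]}

    if admin == 2 and secure == 1:
        level = "always notify"
    elif admin == 5 and secure == 1:
        level = "notify only when programs try to make changes (Windows 7 default)"
    elif admin == 5 and secure == 0:
        level = "notify only when programs try to make changes, do not dim desktop"
    elif admin == 0:
        level = "never notify"
    else:
        level = "custom"

    findings = []
    if admin == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: silent elevation, UAC mitigates nothing")
    if admin == 5:
        findings.append("ConsentPromptBehaviorAdmin=5: Windows binaries marked auto-elevate "
                        "run elevated without any prompt")
    if secure == 0:
        findings.append("PromptOnSecureDesktop=0: the prompt is drawn on the user desktop, "
                        "where other processes can interact with it")
    return {"level": level, "admin_behaviour": ADMIN_BEHAVIOUR.get(admin, "unknown"),
            "findings": findings}


def read_live_uac():
    """Read the real values on a Windows host; returns None on other systems."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in UAC_VALUES:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent: the Windows default applies
    return values


if __name__ == "__main__":
    # Constructed sample configurations, one per slider position.
    samples = {
        "windows 7 default": {},
        "always notify":     {"ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1},
        "never notify":      {"ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0},
        "uac off":           {"EnableLUA": 0},
    }
    live = read_live_uac()
    if live is not None:
        samples["this machine"] = live
    for name, values in samples.items():
        report = describe_uac(values)
        print(f"{name}: level = {report['level']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

Only the "always notify" position yields an empty findings list; the default level that Sophos tested already concedes silent elevation to auto-elevating Windows binaries, which is the gap Wisniewski's warning refers to and the reason UAC has to be read as one mitigation among several rather than a boundary.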
This is not the first time that Sophos has taken aim at a recently released Windows client. Back in 2006, even before Windows Vista was finalized, the security company revealed: "Sophos experts note that on the launch date of Microsoft's Windows Vista operating system, three of the top ten - including Stratio-Zip - are capable of bypassing the product's security defences and infecting users' PCs. The Vista-resistant malware - W32/Stratio-Zip, W32/Netsky-P and W32/MyDoom-O - comprise 39.7% of all malware currently circulating."
Windows Vista is indeed more secure than Windows XP, and the statistics in SIRv7 and in previous editions of Microsoft's Security Intelligence Report make that clear. Even so, Microsoft has always advised end users to run security solutions on Vista, and the same holds for Windows 7.
One problem we have with Sophos' test is that Wisniewski does not say anywhere how it was actually performed. Was the Windows 7 computer simply connected to the Internet and infected without any user interaction? We really doubt it.
Or did Sophos researchers simply copy the samples onto the Windows 7 machine and execute them? If so, the test shows only that the vulnerability sits between the chair and the monitor, not in Windows 7. No security barrier or patch can stop users from running malware on their own computers; once a user has chosen to execute a file, the only remaining question is how far UAC and the other mitigations limit what that code can do afterwards.
Microsoft Security Essentials 1.0 is available for download here.
Windows 7 RTM Infected by 8 Out of 10 Viruses, Claims Security Outfit