Security concerns raised at Windows 10 roll-out

News by Tom Reeve

Windows 10 launched today, but there were immediately security questions raised within the industry about some aspects and features on the new operating system.

The much anticipated launch of Windows 10 today has set the IT security community buzzing with predictions, warnings and plaudits for the operating system to end all operating systems.

Microsoft has said that Windows 10 will mark a new approach to the production of operating systems. Continuous updates will mean that consumers will no longer have a choice in whether they update their operating system or not.

It is, as David Chismon, security researcher at MWR Infosecurity, said, a great step forward since Bill Gates penned his famous trustworthy computing memo in 2002.

Sporting a new start menu and a raft of security features, it seems to address many of the beefs that people have had with Windows XP, Windows 7 and the often loathed Windows 8.

Notably, Windows 10 is the first operating system that will work across PC, laptops, tablets and mobile phones, with the hope that software will work equally well in all environments without the need to write different versions.

Andrew Avanessian, VP at Avecto said: "With the disappointment of Windows 8 now pushed to the back of the mind, the international roll out of Windows 10 has many in the enterprise community very excited. With its aim to usher in a new generation of end-user computing, Microsoft has developed a very sophisticated OS. However, it's important that we don't get distracted by the shiny new features and slick design, and focus our attention on the security aspect. After all, end-user protection is a necessity.”

Avanessian said that as with previous versions of Windows, 98 percent of user vulnerabilities can be locked down by removing admin rights alone.

Jes Breslaw, director of marketing and strategy at Delphix, said: "Microsoft's move to continuous updates is a fundamental change. Most significantly, those components traditionally shipped as part of a major release will now be available as independent apps. This means innovations within these apps can be made available  when they are ready, not held up for the next big operating systems (OS) update.”

One of the most significant developments is dropping Internet Explorer which was seen as excessively buggy. The new Edge browser will hopefully present a smaller attack surface.

Steven Allen, senior security consultant at Capgemini, commented: “Perhaps the most significant security improvement is Microsoft replacing Internet Explorer with a new browser, Edge – this is good news for the user community as IE has unfortunately been quite buggy and a target for exploitation by criminals to attack users as they shop or bank online.”

HEAT senior product manager, Andreas Fuchs, said: “Windows 7 is planned to go end of life in 2020, which means organisations that do not make the switch immediately will need to deal with Windows 10 in the next five years regardless… [and] introduces a number of changes to security and application management that will require careful planning to implement.”

Windows 10 will introduce advanced user authentication features, said Matthew Aldridge, solutions architect at Webroot. “The Identity Protection and Access Control feature is likely to make a big difference to all users as it brings two-factor authentication to the masses,” he said.

“Microsoft has clearly considered the rise in BYOD by introducing the Data Loss Prevention (DLP) feature. Through enabling the containerisation of applications and encryption of corporate data as soon as it arrives on the device, it is far harder for sensitive company information to fall into the wrong hands, whether this is by accident or through a targeted attack,” he said.

And he praised whitelisting features which, although not new to Windows, have been implemented better in Windows 10. “Microsoft is finally embracing this and are giving IT administrators the tools they need to achieve a real-world corporate application whitelisting deployment. This single step could almost eradicate the risk of infection through standalone malware executables, leaving only highly advanced attack vectors remaining for exploitation,” he said.

However, security experts were quick to criticise Microsoft for its choices in the implementation of Wi-Fi Sense and automatic updates.

Wi-Fi sense is a feature which you will be automatically opted into if you use express set up when installing Windows 10. It will share your Wi-Fi credentials, in encrypted form, with everyone in your social media network.

“It is clear that this type of feature allows our contacts (which we don't always actually know) connect to the same network we're connected to and at the same time it can probably allow someone in our contacts list to force our device into connecting to an unsecure WiFi network,” said Amichai Shulman, CTO of Imperva.

Mark James, security specialist at ESET, added: “According to Microsoft the Wi-Fi password is sent over an encrypted connection and only provides internet access and no network access. However, how secure this is remains to be seen. In theory if the password is being sent then its capable of being compromised, the idea behind this is great for family and friends but not so great for most business environments.”

Gavin Millard, technical director of Tenable Network Security is cautious about the advantages of automatic updates. “Whilst auto-updating can dramatically reduce the risk of old vulnerabilities being leveraged to attack a system, if Microsoft releases a bad fix as we saw in the beta with Nvidia driver updates, headlines like ‘Windows 10 PatchGate' could be coming,” he said.

He also said that the inclusion of Defender anti-virus was a good concept but unfortunately questions are being raised about this anti-malware package as it comes out poorly in benchmarks.

And MWR's David Chismon said the inclusion of the digital assistant, Cortana, will not be broadly welcomed by corporate IT managers. “Cortana, the ‘virtual assistant' is likely to be disabled by many organisations through privacy fears from audio recordings or data being sent to Microsoft servers,” he said. 

Topics:
Crime & Threats

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events