Posted by: Barracuda Labs
With the release of Windows 7 only months away, it is worthwhile to begin considering its expected impact on security. This post reasons about a few of the changes the new operating system's (eventual) widespread adoption will bring.
Application vulnerabilities will be harder to weaponize into working exploits. While Windows memory protections such as DEP and ASLR have been around for several years, ubiquitous applications (IE8, Firefox 3) and their corresponding plugins (Flash, Acrobat Reader, and QuickTime) are now opting into them. When these protections are combined with recent fixes by Microsoft that address the few corner cases in which they were disabled, the result is that often, even if a vulnerability exists, successfully exploiting it may not be possible. As an example, the exploit for the Firefox 3.5 just-in-time compiler vulnerability has been reported not to work under Windows Vista or Windows 7. In the long term, the adoption of these technologies may cause criminals to shift their focus from attacks that are technical in nature (i.e., attacking the browser or its plugins) to those that are social in nature (as used by Rogue AV).
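Whether a given browser or plugin binary has actually opted in is visible in its PE header: the linker's /DYNAMICBASE switch sets the 0x0040 bit and /NXCOMPAT sets the 0x0100 bit of the optional header's DllCharacteristics field. The C program below is an added example, not code from the original post; it parses only the header fields it needs, and the sample header it builds in memory is constructed for illustration rather than taken from a real binary.

```c
/* Added example: read DllCharacteristics from a PE optional header to see
 * whether an image was linked with /DYNAMICBASE (ASLR) and /NXCOMPAT (DEP).
 * The sample header built by build_sample_header() is constructed here for
 * illustration; it is not a real or runnable executable. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 /* image may be relocated: ASLR */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100 /* image is DEP-compatible */

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and stores DllCharacteristics in *out, or -1 if buf does not
 * hold a well-formed DOS header, PE signature and optional header. */
int pe_dllcharacteristics(const unsigned char *buf, size_t len, uint16_t *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return -1;
    uint32_t e_lfanew = rd32(buf + 0x3c);            /* offset of "PE\0\0" */
    /* signature (4) + COFF header (20) + optional header through DllCharacteristics (72) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72)
        return -1;
    const unsigned char *pe = buf + e_lfanew;
    if (memcmp(pe, "PE\0\0", 4) != 0)
        return -1;
    const unsigned char *opt = pe + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b)            /* PE32 or PE32+ */
        return -1;
    *out = rd16(opt + 70);    /* DllCharacteristics sits at +70 in both formats */
    return 0;
}

int pe_has_aslr(const unsigned char *buf, size_t len)
{
    uint16_t c;
    return pe_dllcharacteristics(buf, len, &c) == 0 &&
           (c & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
}

int pe_has_dep(const unsigned char *buf, size_t len)
{
    uint16_t c;
    return pe_dllcharacteristics(buf, len, &c) == 0 &&
           (c & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0;
}

/* Constructed sample input: a minimal PE32 header carrying the given
 * DllCharacteristics. Returns the bytes written, or 0 if len is too small. */
size_t build_sample_header(unsigned char *buf, size_t len, uint16_t dllchars)
{
    const uint32_t e_lfanew = 0x80;
    const size_t need = e_lfanew + 4 + 20 + 72;
    if (len < need)
        return 0;
    memset(buf, 0, need);
    buf[0] = 'M';
    buf[1] = 'Z';
    buf[0x3c] = (unsigned char)e_lfanew;             /* e_lfanew, little-endian */
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    unsigned char *opt = buf + e_lfanew + 4 + 20;
    opt[0] = 0x0b;                                    /* Magic = 0x10b (PE32) */
    opt[1] = 0x01;
    opt[70] = (unsigned char)(dllchars & 0xff);
    opt[71] = (unsigned char)(dllchars >> 8);
    return need;
}

/* Stand-alone use: report on a file named on the command line, or on the
 * constructed sample when run without arguments. */
int main(int argc, char **argv)
{
    static unsigned char buf[4096];
    size_t n;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {
        n = build_sample_header(buf, sizeof buf,
                                IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE |
                                IMAGE_DLLCHARACTERISTICS_NX_COMPAT);
    }
    uint16_t c;
    if (pe_dllcharacteristics(buf, n, &c) != 0) {
        fprintf(stderr, "not a PE image\n");
        return 1;
    }
    printf("DllCharacteristics=0x%04x ASLR=%s DEP=%s\n", c,
           pe_has_aslr(buf, n) ? "yes" : "no", pe_has_dep(buf, n) ? "yes" : "no");
    return 0;
}
```

Run it against a plugin DLL to see whether the vendor shipped it with both bits set; a module without DYNAMIC_BASE is loaded at its preferred base and hands an attacker a fixed address to pivot through, regardless of what the host process opted into.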
Hardware-assisted rootkits such as Blue Pill will be difficult to deploy. Rootkits that use hardware virtualization operate outside of the host operating system by first assuming a special privilege level, called VMX root mode. Given that Windows 7 implements Windows XP Mode (XPM) on top of the hardware virtualization extensions, so that its virtual machine monitor already occupies VMX root mode, hardware-assisted rootkit installation becomes considerably more complex. Such a rootkit would need to overcome significant technical hurdles to avoid crashing the OS or alerting the user, including bypassing OS protection mechanisms, saving XPM guest state, cleanly disabling VMX root mode in the host, and providing emulation services so that XPM applications continue functioning.
Malware will face significant challenges in evading modern forms of dynamic analysis. Next-generation malware analysis approaches (e.g., Ether) introspect the behavior of malicious software through the use of hardware virtualization extensions. As it is very difficult to reliably detect the presence of an external malware analyzer that resides inside such a hypervisor, some criminals have instead responded by creating malware that refuses to run if it detects the presence of hardware-assisted virtualization. However, given Windows 7's use of hardware-assisted virtualization in the implementation of XPM, malware that employs this crude form of detection will refuse to run on the very machines of the end users it intended to target.
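The crude check and the better one both come down to CPUID, and the distinction matters for both this paragraph and the XP Mode one above: leaf 1, ECX bit 5 merely reports that the processor supports VT-x, which is exactly the property a Windows 7 machine running XPM has, while leaf 1, ECX bit 31 is the hypervisor-present bit that real hardware always returns as 0 and that cooperative hypervisors set for their guests (with leaf 0x40000000 then naming the vendor). The C program below is an added example, not code from the original post or from any of the tools it mentions; the register values used in its comments and checks are constructed, and the live query is compiled only on x86 and uses the compiler's cpuid.h macros.

```c
/* Added example: the two CPUID facts that VM-evading malware tends to
 * conflate. Leaf 1, ECX bit 5 (VMX) says the CPU supports VT-x at all;
 * leaf 1, ECX bit 31 is the hypervisor-present bit, which real hardware
 * leaves clear and which cooperative hypervisors set for their guests.
 * Register values in the comments below are constructed examples. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CPUID_LEAF1_ECX_VMX        (1u << 5)
#define CPUID_LEAF1_ECX_HYPERVISOR (1u << 31)

enum vm_verdict {
    BARE_METAL_NO_VTX = 0,   /* no VT-x: neither XPM nor a VT-x rootkit/analyzer can run here */
    BARE_METAL_VTX    = 1,   /* VT-x present, no hypervisor announcing itself */
    UNDER_HYPERVISOR  = 2    /* a hypervisor set bit 31 for this guest */
};

/* The crude check: refuse to run if the CPU supports VT-x at all. On a
 * Windows 7 machine capable of running XP Mode this fires on the victim. */
int crude_check_would_bail(uint32_t leaf1_ecx)
{
    return (leaf1_ecx & CPUID_LEAF1_ECX_VMX) != 0;
}

/* Distinguishes "VT-x exists" from "I am a guest". A hypervisor that wants
 * to stay hidden (a Blue Pill-style rootkit, or an analyzer such as Ether)
 * need not set bit 31, so a clear bit is not proof of bare metal either. */
enum vm_verdict classify(uint32_t leaf1_ecx)
{
    if (leaf1_ecx & CPUID_LEAF1_ECX_HYPERVISOR)
        return UNDER_HYPERVISOR;
    return (leaf1_ecx & CPUID_LEAF1_ECX_VMX) ? BARE_METAL_VTX : BARE_METAL_NO_VTX;
}

/* When bit 31 is set, leaf 0x40000000 returns a 12-byte vendor string in
 * EBX:ECX:EDX, e.g. "VMwareVMware", "Microsoft Hv", "XenVMMXenVMM". */
void hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 4; j++)
            out[i * 4 + j] = (char)((regs[i] >> (8 * j)) & 0xff);
    out[12] = '\0';
}

/* Live query; only meaningful on x86. Returns 0 on success, -1 otherwise. */
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
int read_cpuid(uint32_t leaf, uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{
    unsigned int ea, eb, ec, ed;
    __cpuid(leaf, ea, eb, ec, ed);   /* raw instruction; no max-leaf check, so 0x40000000 works */
    *a = ea; *b = eb; *c = ec; *d = ed;
    return 0;
}
#else
int read_cpuid(uint32_t leaf, uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{
    (void)leaf; (void)a; (void)b; (void)c; (void)d;
    return -1;
}
#endif

int main(void)
{
    uint32_t a, b, c, d;
    if (read_cpuid(1, &a, &b, &c, &d) != 0) {
        puts("CPUID not available on this platform");
        return 1;
    }
    enum vm_verdict v = classify(c);
    printf("VT-x supported: %s; crude check would bail: %s; verdict: %d\n",
           (c & CPUID_LEAF1_ECX_VMX) ? "yes" : "no",
           crude_check_would_bail(c) ? "yes" : "no", (int)v);
    if (v == UNDER_HYPERVISOR && read_cpuid(0x40000000, &a, &b, &c, &d) == 0) {
        char vendor[13];
        hv_vendor_string(b, c, d, vendor);
        printf("hypervisor vendor: %s\n", vendor);
    }
    return 0;
}
```

On a VT-x-capable Windows 7 host the crude check answers "bail" while classify() answers BARE_METAL_VTX, which is the false positive the paragraph describes; and because a hidden hypervisor leaves bit 31 clear, neither test gives malware a reliable way to tell an Ether-style analyzer from the user's own machine.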
In summary, the release of Windows 7 looks to be an all-around win for security; its adoption will benefit both end users and security professionals.