Windows 8 Metro Brings New Security Risks

With the upcoming Windows 8, Microsoft hopes to finally make Windows a serious contender in the tablet market and to offer a consistent user experience across all Windows devices. Our examination of prerelease software suggests that Microsoft has achieved much of that ambition. However, the company has also created challenges for users that in some ways may increase their security risks.

In a series of blogs, we will highlight for security professionals and IT administrators the security-related changes to Windows 8 and provide a comparison with industry standards. These blogs will offer our analysis of the prerelease version of Windows 8. With new features added and problems fixed with every build of Windows, this current information may not necessarily represent the final version of Windows 8.

This incarnation of Windows scales from 32- and 64-bit devices (such as desktops) down to ARM-based devices (in tablets, for example). Applications developed with Microsoft’s Metro design language, the Windows Store, and the Microsoft Account will comprise Microsoft’s unified ecosystem. This environment caters to the wide range of platforms that Windows supports without the need for platform-specific code and development experience, while also providing a seamless interface and user experience, in Microsoft’s view.

Enhancements in Windows 8 that are clearly visible to users include Windows Defender, Smart Screen, and a more secure environment for Metro applications. The improvements can be divided into four areas: improvements to Windows antimalware components, declarative resource access, application vetting via the Microsoft Store, and restrictive resource access for applications. All of these will make the Metro environment significantly safer. At the same time, however, security risks from rogue applications and vulnerabilities in applications that interact with the web and handle user data leave lots of room for exploitation—not to mention ever-present malware on the desktop.

Technically the attack surface in Windows 8 is bigger than in Windows 7 because of various new components and changed processes, especially the Metro interface. Offsetting this are the significant checks and measures put in place as described in this paper.

Windows 8 brings together years of mature and revamped Microsoft technology. The Microsoft Account is essentially the Windows Live ID, the Metro interface supports Windows Phone 7 and the Xbox, and with the Windows Store Microsoft hopes to create an Apple Store-like market to complete the Windows 8 ecosystem.

The Interface

Metro offers a tile-style surface that supports both touch and traditional keyboard and mouse interfaces. The Windows desktop, the start screen for almost two decades, has now been given a back seat in favor of the Metro start screen, which provides, among other things, “live tiles” that applications can update to show fresh status and an always-connected experience for users.

The Windows Metro interface uses tiles and supports both touch and keyboard and mouse.

One significant change for the corporate environment is that there is no official way to disable the Metro interface from Windows 8. Another important change for users is that the new interface focuses on an immersive user experience. This means that operating system shell artifacts such as the taskbar or application menus are no longer visible. When a user opens an application, it uses the entire screen, allowing much more space and providing a fully involved experience.

Although it is possible to use the Metro interface with a keyboard and mouse or touchpad, the interface is clearly awkward. The latest releases of the Windows preview show various tweaks that make the usability of this interface more mouse/keyboard friendly, but the advantage of touch over traditional input interfaces in this interface is very apparent. This can possibly open a market for devices that will bridge this gap or create a completely new market for interface devices.

Metro’s weather application uses the entire screen.

Internet Explorer 10

Another big change is that Internet Explorer (IE) 10 is now available in both Metro and desktop modes. This duality has advantages for backward compatibility.

Internet Explorer 10 in Metro mode takes over the screen.

In the Metro interface, IE runs in an immersion mode that provides full use of the screen space. The URL bar also becomes invisible. Here is what this looks like:

Windows 8 Metro Internet Explorer 10 without the address bar.

This is quite different from the desktop mode, which looks much like the traditional IE:

Internet Explorer 10 in desktop mode looks like a traditional Windows application.

With this immersive interface, users need to expose the address bar before entering any credentials to avoid scams. The next two screens show a live phishing site in the Metro interface followed by the legitimate site:

Hard to tell them apart, isn’t it? Now compare both sites with the address bar visible, and you can spot the legitimate one. It has the green address bar and a lock icon indicating a secured SSL connection. We can also see that the fake site is not actually hosted on paypal.com or paypal.de but uses paypal.de as a subdomain of a non-PayPal domain.

A browser’s address bar has been a fundamental part of the user experience over the years, and it is still available with Windows 8. But in Metro the address bar will not always be visible; that can lead to trouble. We think the address bar should be visible when you are entering credentials.
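The address-bar check described above, written as a function. This is an added example and not code from the original post; TRUSTED_DOMAINS and the sample URLs are constructed for illustration.

```javascript
// Added example, not code from the original post: the check a user performs by
// eye once the address bar is visible. A host counts as PayPal's only if it is
// exactly one of the expected domains or a subdomain of one; "paypal.de"
// appearing as the leading label of some other domain does not count.
// TRUSTED_DOMAINS and all URLs below are constructed for illustration.
const TRUSTED_DOMAINS = ["paypal.com", "paypal.de"];

// Exact match or a proper subdomain (host ends with "." + domain).
// A plain substring test would wrongly accept "notpaypal.com" or
// "paypal.de.example.net"; this does not.
function isUnderDomain(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing dot
  const d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Classify a URL the way a user should once the address bar is visible:
// is the real host under a trusted domain, and is the page served over HTTPS?
function assessLoginUrl(urlString, trusted = TRUSTED_DOMAINS) {
  let url;
  try {
    url = new URL(urlString); // WHATWG parser, available in Node and browsers
  } catch (e) {
    return { ok: false, host: null, https: false, trustedMatch: false, lookalike: false };
  }
  // url.hostname ignores userinfo, so "https://paypal.de@evil.example/" yields
  // "evil.example"; IDN hosts come back as punycode and simply fail to match.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const https = url.protocol === "https:";
  const trustedMatch = trusted.some((d) => isUnderDomain(host, d));
  // The pattern from the screenshots: a trusted name used as a subdomain label
  // of an unrelated domain.
  const lookalike =
    !trustedMatch && trusted.some((d) => host.startsWith(d.toLowerCase() + "."));
  return { ok: https && trustedMatch, host, https, trustedMatch, lookalike };
}

// Stand-alone demo over constructed URLs.
if (typeof require !== "undefined" && require.main === module) {
  for (const u of [
    "https://www.paypal.de/de/webscr",
    "https://paypal.de.example.net/webscr",
    "http://www.paypal.com/signin",
    "https://paypal.de@evil.example/",
  ]) {
    console.log(u, "->", assessLoginUrl(u));
  }
}
```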

Within the Metro interface, IE 10 will have no custom plug-in support; the desktop version will still work with plug-ins. The lack of Metro support is intended to improve performance, reliability, and security; those who need specialized plug-ins can use the desktop version to maintain compatibility.

With IE 10 in Metro mode, Microsoft has, with support from Adobe, introduced a limited version of the Flash player, removing many Flash functions but adding support for touch gestures. These tactile features should make using Flash more friendly with Metro. There might be a catch though: Within Metro, Flash doesn’t appear to work for all websites. Flash support will be enabled for a certain list of sites chosen by Microsoft. Flash games on the gaming site miniclip.com, for example, work in Metro, but a Flash file uploaded to one of our test sites that works with IE 10 in desktop mode did not work with IE 10 Metro.

IE 10 also introduces support for many new features, including HTML5, WebSockets, cross-domain messaging via postMessage, and Web Workers within JavaScript applications, to name a few. However, this support will unfortunately create an entirely new attack surface. Malware may then need only an active browser instance to run and spread, rather than executable control over the entire system. Proactive measures from antimalware solutions would be the most effective defense in this case because JavaScript is notoriously mutable, and executing JavaScript in a browser is more common for users than running downloaded applications on the desktop.

In future blogs we’ll examine the new interface, enhancements and risks in Windows 8, and securing applications. Stay tuned.

I’d like to thank my colleague Igor Muttik for his assistance with this analysis.