Windows RT: Fortified against malware

Windows RT devices and their apps set a new high-water mark for Windows security. But without support for Active Directory, their enterprise use is limited

Even Microsoft's lawyers say it: Windows RT isn't Windows. In fact, Microsoft is releasing two different operating systems: Windows 8 and Windows RT (Run Time). While the two versions look alike on the Metro layer, Windows RT stands apart for two reasons: It runs only on ARM-based systems such as Microsoft Surface, and the traditional Windows desktop is gone, which means the only non-Metro applications that work with Windows RT come with the OS.

The differences between Windows 8 and Windows RT carry over to computer security. Some Windows RT characteristics decrease security risk, but there are missing features as well.

Windows RT apps: More secure by default
With Windows RT, all nondefault apps must be downloaded from the Windows Store (similar to Apple's App Store). This has huge security implications. Windows Store applications are all Metro-style applications. They all use the Windows RT API and contain significant security improvements by default.

Windows RT apps can only be written in programming languages that contain today's expected default security settings; buggier, older programming languages need not apply. This also means that Windows RT apps contain all the Windows anti-buffer-overflow memory improvements introduced in Windows Vista and improved in each Windows version since. These include Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), SafeSEH, sacrificial canary values, and more. What is different is that these memory protections are improved -- and required.

In previous versions of Windows, you could define exceptions. Not so with Metro-style apps -- the only types of applications allowed to run on Windows RT. Want to run a legacy app? You're out of luck with Windows RT.

In the same vein, in Windows 8, Windows Store applications will run only if you leave User Account Control (UAC) enabled. It's all or nothing. UAC is probably the single best feature Windows users can run to protect themselves against silently installed malware, so it makes sense to force those who wish to run Windows Store apps to keep UAC on.

Windows Store apps are also tested and certified by Microsoft to be free of thousands of common fatal bugs and security problems. As a result, millions of malicious programs that target traditional Windows desktops simply won't be able to trick end-users into running them.

In the event that a Windows Store app ends up being malicious (which has occurred in Apple's App Store in the past), Microsoft can revoke the application. Which brings us to another restriction: All Windows Store applications are digitally signed, and Windows RT will refuse to load modules not signed by Microsoft. This is a huge protection.

Containment policies
Nonetheless, criminals are certain to try to install their malware on Windows RT devices with client-side buffer overflows, zero days, and other types of desktop exploits. But even if they succeed in doing so, because the malware won't be signed and won't originate from the AppContainer, Windows RT won't load it. Will the bad guys get around these protections? Perhaps, but it makes their mischief significantly harder to pull off.
