News

Sophos Flags Security Weaknesses in Windows 7, Mac OS

By Stephen Swoyer
February 23, 2010

The most recent Security Threat Report (PDF) from Sophos addresses a wide range of security issues: spam, malware, social networking, data loss, data encryption and Mac exploits -- and every combination thereof.
It also has a mostly promising take on Windows 7 and what it might mean for the future of Windows security. Sophos researchers concluded that Windows 7 could achieve in practice what Windows Vista hoped to achieve in theory.
Case in point, according to Sophos researchers, is Windows 7's streamlined User Account Control (UAC) implementation. Microsoft made much of Windows 7's revamped UAC, claiming that it delivers a less onerous UAC experience. In practice, Sophos concluded, that's largely the case -- although UAC still isn't quite the home run Microsoft made it out to be.
This isn't necessarily a problem with UAC, either. Rather, it's a function of Microsoft promising more than it can realistically deliver. "Microsoft hopes that this will reduce users' reflex response to simply click on anything to make pop-ups go away. Although a clear improvement, the UAC still places a great deal of responsibility for securing systems on untrained end users," the Sophos report said.
Sophos also flags Windows 7's disk-level encryption feature, BitLocker, which is still a premium-only option. For this reason, the bulk of Windows 7 systems remain at risk of data loss.
Sophos says Windows 7's improved firewall is almost certainly a winner, but its scope (or usefulness) is largely confined to home users, who typically lack "the gumption to source and manage their own firewall." In the enterprise, one environment in which Microsoft hopes Windows 7 will vastly improve on its predecessor, the firewall has in some cases proven to be a drawback. "Corporate security admins may find the learning curve of a new style of group management a little steep compared to tried-and-trusted third-party methods applicable across multiplatform networks," the report said.
Nor has Microsoft tackled a long-standing complaint of the Windows security community: its decision to hide file extensions (.EXE, .DOC or .AVI, for example) by default. For this reason, Sophos researchers point out, even users who have a basic grasp of system security best practices -- such as not blindly double-clicking on unknown or untrusted .EXE files -- can fall prey to not-so-clever malware attacks.
"This has been a problem for many years, and many security experts have called on Microsoft to fix it. The default behavior allows malware writers to disguise executables as files such as FriendlyPicture.jpeg.exe -- with the .EXE part invisible to most users," the researchers wrote.
That said, Sophos mostly gives Windows 7 a passing grade.
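The hidden-extension problem the researchers describe is easy to check for from the defender's side: compare what a file is really called with what a user sees once the last known extension is stripped. The script below is an added example, not code from Sophos or from the report; the extension sets it uses are illustrative subsets I constructed rather than Windows' actual registered-type list, and the sample file names are made up.

```python
import os
from typing import List, NamedTuple

# Extensions that Explorer hides under "Hide extensions for known file types".
# Constructed, illustrative subset; Windows hides every registered type.
KNOWN_TYPES = {".jpeg", ".jpg", ".doc", ".avi", ".txt", ".pdf", ".png",
               ".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}

# Extensions Windows runs as a program on double-click (illustrative subset).
EXECUTABLE_TYPES = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}

# Extensions a user expects to hold harmless data (illustrative subset).
DATA_TYPES = {".jpeg", ".jpg", ".doc", ".avi", ".txt", ".pdf", ".png"}


class Verdict(NamedTuple):
    real_name: str    # name as stored on disk
    shown_name: str   # what Explorer displays with known extensions hidden
    disguised: bool   # executable whose displayed name looks like a data file


def displayed_name(filename: str) -> str:
    """Return the name Explorer shows when known extensions are hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in KNOWN_TYPES else filename


def assess(filename: str) -> Verdict:
    """Flag names whose real type is executable but whose visible type is data."""
    shown = displayed_name(filename)
    _, real_ext = os.path.splitext(filename)
    _, apparent_ext = os.path.splitext(shown)
    disguised = (real_ext.lower() in EXECUTABLE_TYPES
                 and apparent_ext.lower() in DATA_TYPES)
    return Verdict(filename, shown, disguised)


def find_disguised(filenames: List[str]) -> List[Verdict]:
    """Return only the entries that would mislead a user with extensions hidden."""
    return [v for v in map(assess, filenames) if v.disguised]


# Constructed sample directory listing, including the report's own example name.
SAMPLE_FILES = [
    "FriendlyPicture.jpeg.exe",
    "holiday.jpg",
    "report.doc",
    "invoice.pdf.scr",
    "setup.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for v in map(assess, SAMPLE_FILES):
        flag = "DISGUISED" if v.disguised else "ok"
        print(f"{v.real_name:28} shown as {v.shown_name:24} {flag}")
```

Run against a real directory listing, the same `find_disguised` call gives an administrator a quick inventory of double-extension names on a share, independent of whether individual users have turned extension display back on.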
Mac Minefield
Its take on Apple's Mac platform is slightly less positive. This isn't necessarily (or even mostly) Apple's fault, however.
The problem, Sophos suggested, lies with Mac users, who may derive a false sense of security from a Mac platform that, with only about 10 percent of the desktop market, comprises a far smaller target than its higher-profile Windows competitor.
The ugly truth, Sophos researchers said, is that Mac exploits can and do happen. More to the point, events in 2009 -- and the release of Snow Leopard, in particular -- highlighted several of the vectors by means of which Macs can fall prey to malware attacks.
The Sophos team highlighted a total of nine prominent attacks, including the emergence of an e-mail worm (OSX/Tored) that last year frustrated Mac users and aimed to create the Internet's first (or most visible) botnet. Another prominent attack vector was a non-Mac OS vulnerability in Adobe's Flash Player software.
"With the release of Snow Leopard, the need for patching software and keeping up to date with the latest vulnerabilities emerged. The Snow Leopard build included a version of Adobe's Flash Player software that contained a known vulnerability, and one that had been previously patched by Adobe," the Sophos report said.
Sophos claimed that the use of anti-virus and malware technology could contain, if not eliminate, a good number of Mac OS exploits. It's something of a tendentious claim, however, given the company's line of Mac-based malware and anti-virus software offerings.
Nevertheless, it cited the results of a mid-2009 survey, conducted by Sophos itself, that paint a dismal picture of security preparedness among Mac users. According to Sophos, almost 70 percent of Mac systems aren't running anti-virus software. While Snow Leopard ships with a new anti-Trojan/anti-malware feature (which Sophos and other researchers dub, per its file name, XProtect), this feature relies on the com.apple.quarantine extended attribute, which invokes a facility (Launch Services) that scans a file before it can be executed.
The rub, of course, is that not all applications set the com.apple.quarantine extended attribute. In other words, wrote Paul Baccas on his Sophos security blog, it's possible -- even trivial -- to execute an application without invoking XProtect.
"All of this [Mac OS] malware relies heavily on social engineering  and hammers home the message to Mac users that they cannot afford to  depend on their operating system's reputation for safety. Anyone can be  tricked by subtle scams, and running quality, up-to-date anti-malware  software is by far the safest option," the Sophos report said.
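Because XProtect only sees files that carry the com.apple.quarantine attribute, the practical check for an administrator is whether a downloaded file has the attribute at all. The script below is an added example, not code from Sophos, Apple or Paul Baccas's blog. It reads the attribute with the standard `os.getxattr` call and reports a file as unchecked-on-launch when the attribute is missing; the semicolon-separated layout it parses (flags;timestamp;agent;uuid, with the first two fields in hex) is an assumption about how the value is formatted in practice, and the sample value is constructed.

```python
import os
import sys
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw quarantine value, or None when the file has no such
    attribute (or the platform / filesystem cannot store it)."""
    try:
        return os.getxattr(path, QUARANTINE_XATTR).decode("utf-8", "replace")
    except (OSError, AttributeError):
        # ENODATA/ENOATTR: attribute absent; ENOTSUP: no xattr support;
        # ENOENT: no such file; AttributeError: os.getxattr unavailable here.
        return None


def parse_quarantine(value: str) -> dict:
    """Split a quarantine value into fields.
    Assumed layout: flags;timestamp;agent;uuid (flags and timestamp in hex)."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine attribute layout")
    flags = int(parts[0], 16)
    stamped = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return {
        "flags": flags,
        "downloaded_at": stamped.isoformat(),
        "agent": parts[2],                    # app that saved the file
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def will_be_checked(value: Optional[str]) -> bool:
    """Launch Services only hands a file to XProtect if the attribute is set."""
    return value is not None


def describe(path: str) -> str:
    """One-line report for a path, suitable for an audit script."""
    value = read_quarantine(path)
    if not will_be_checked(value):
        return f"{path}: no quarantine attribute; XProtect will not scan it on launch"
    info = parse_quarantine(value)
    return (f"{path}: quarantined by {info['agent']} at {info['downloaded_at']} "
            f"(flags 0x{info['flags']:x})")


# Constructed sample value, not taken from a real system.
SAMPLE_VALUE = "0081;4b6c2f60;Safari;12345678-ABCD-4321-9876-ABCDEF012345"

if __name__ == "__main__":
    for p in sys.argv[1:] or [sys.argv[0]]:
        print(describe(p))
```

Run it over a user's Downloads folder to see which items arrived through an application that sets the attribute and which did not; the latter are the files Baccas's observation applies to.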
About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.