Firms using XP vulnerable despite recent Microsoft patches

Since the launch of the Windows 7 operating system (OS), Microsoft Corp. has downgraded vulnerabilities it recently issued patches for.

That’s good news, say researchers at anti-virus firm Symantec Corp., as it’s a sign security features in the new OS are working.

The bad news is the recently downgraded vulnerabilities still pack a mean punch for organizations still using Windows XP.

This month, for instance, Microsoft issued two security bulletins, addressing eight vulnerabilities in its software products, none rated as critical.


“Since Windows 7, Microsoft has seemed to downgrade file-based vulnerabilities,” said Joshua Talbot, security intelligence manager, Symantec Security Response.

For instance, in security advisory 981374, issued Tuesday, Microsoft said it was investigating reports of a vulnerability in Internet Explorer (IE) 6 and IE 7, but added that its latest browser, IE 8, wasn’t affected.

The vulnerability can result in remote code execution.

Affected products included: Microsoft Windows 2000 Service Pack (SP) 4; Microsoft XP SP 2 and Windows XP SP 3; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP2; and Windows Server 2003 x64 Edition SP2.

Products not affected included: Windows 7 for 32-bit systems; Windows 7 for x64-based systems; Windows Server 2008 R2 for x64-based systems; Windows Server 2008 R2 for Itanium-based systems; IE 5.01 SP4 on Windows 2000 SP4; IE 8 for Windows XP SP 2, XP SP3 and XP Professional x64 SP2.

In the past, these vulnerabilities could have been rated as critical, Talbot said.

He says companies that haven’t yet deployed Windows 7 have cause for concern.

In many organizations, Windows XP is still common, and “these vulnerabilities are more serious on XP and older systems,” the Symantec exec said.

But a Toronto-based security specialist argues that Redmond’s rating system is appropriate.

“Microsoft’s interest in supporting XP is understandably waning,” said Claudiu Popa, principal of Informatica Corp., a risk management and security consultancy.

He said Microsoft’s threat analysis rating system has to be aligned with the overall risk to current systems and not the theoretical risk to a completely vulnerable machine.

Older operating systems do not benefit from the same out-of-the-box security controls afforded to current Windows versions.

However, protection is still available for legacy OS users if their systems are properly configured and hardened, Popa said.

Don’t open strange files


File-based vulnerabilities enable hackers to insert into the system a file containing malicious code designed to attack the targeted software product.

The file can be an e-mail attachment or a link, according to Ben Greenbaum, senior research manager for Symantec Security Response.

“When a user opens the file, he or she opens the door that allows the attacker to grab control of the computer or entire network.”

“However, with beefed up protections such as DEP and ASLR, these types of vulnerabilities are less of an issue for Windows 7,” said Greenbaum.

Data Execution Prevention (DEP) is a security feature included in newer versions of the Microsoft Windows OS. It prevents an application or service from executing code from a non-executable memory region.

For instance, it prevents certain exploits that store code via a buffer overflow.

Address Space Layout Randomization or ASLR makes it more difficult for an attacker to predict target addresses.
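A Windows program signals that it is compatible with DEP and ASLR through two flag bits in its PE file header, so an administrator can audit which binaries on a machine opt in to the protections described above. The following is an added example, not part of the original article: the function names and the sample header bytes are constructed for illustration, while the flag values and header offsets come from the published PE/COFF format.

```python
import struct

# DllCharacteristics flag values defined by the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # image can be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100     # image is compatible with DEP

def mitigation_flags(image: bytes) -> dict:
    """Report whether a PE image opts in to ASLR and DEP."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if pe_off + 24 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    opt_off = pe_off + 24  # optional header follows the 20-byte COFF header
    if opt_size < 72 or opt_off + 72 > len(image):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    chars = struct.unpack_from("<H", image, opt_off + 70)[0]
    return {"aslr": bool(chars & DYNAMIC_BASE), "dep": bool(chars & NX_COMPAT)}

def build_sample(dll_characteristics: int) -> bytes:
    """Constructed header-only PE32 stub for the demo (not a loadable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for label, bits in [("no opt-in", 0),
                        ("DEP only", NX_COMPAT),
                        ("DEP + ASLR", NX_COMPAT | DYNAMIC_BASE)]:
        print(label, mitigation_flags(build_sample(bits)))
```

To audit a real file, pass its first few kilobytes to `mitigation_flags`; binaries that report `False` for both flags are the ones that gain least from these OS protections.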

“Not opening strange or suspect files and e-mails is still one of the best deterrents,” said Greenbaum.

Popa’s top security tips


Talbot also pointed out that Microsoft failed to patch an IE vulnerability, which was made public last week.

“We’ve seen proof-of-concept exploit code for this vulnerability, but we haven’t seen any attacks using it in the wild.”

He said a unique user interaction is required to make the vulnerability work, though an attacker could engineer an exploit that may entice a user to carry out the action.

“One example could be causing a pop-up window to appear repeatedly until the user hits the necessary key to make it stop, which would subsequently also cause the machine to become infected,” he said.

Popa of Informatica said this issue is currently being investigated by Microsoft.

“Microsoft has confirmed this to be a VBScript issue affecting legacy systems predating Vista,” he said.

Popa urges companies to adopt a layered approach to security.

“Most of these techniques are simple and do not require a significant degree of technical know-how,” he said.

Here are his top four security tips:

1. Keep Windows patched up to the current version and ensure the latest service pack is installed

2. Use a firewall that filters incoming and outgoing transmissions

3. Ensure you use a lean anti-virus program. Malware suites are not recommended because they can slow your system

4. Always make sure you back up your data. Do this nightly and on different devices (USB, network drive, Internet files)
