Windows XP is deemed ‘good enough’ by many, but the fact is that it’s four to five times more vulnerable to malware infection than Windows 7. While this is mainly due to improved security defenses, including least privilege security implemented with the help of User Account Control (UAC), that’s not to say we should be complacent when using Windows 7.
According to Microsoft’s latest Security Intelligent Report, which gathers data from the second half of 2010, Windows 7 had an infection rate of 3.8 per 1000 computers compared to 15.9 and 7.6 for Windows XP and Vista respectively. However, the figures for Windows 7 show approximately a 30% increase in infection compared to the first half of 2010.
So does this mean that Windows 7 defenses, such as UAC, are less effective than 6 months before? It was only going to be a matter of time before malware authors changed tactics. It was the norm pre Vista for users to log in with administrative privileges, so most malware assumes that it will run with admin rights inherited from the user to compromise a device.
When UAC is enabled, users (or Protected Administrators in UAC terminology) run with a restricted security token and explicit permission must be given to elevate a process to run with admin privileges. Windows 7 attempts to reduce UAC prompts by permitting some system components to run with elevated privileges without requiring users to give permission. This leaves malware writers with several choices:
- Design malware to run without elevated privileges
- Fool the user in to permitting malware to run with elevated privileges
- Use UAC auto-elevation to gain administrative privileges
- Exploit an unpatched or zero-day vulnerability to elevate privilege
Malware that runs as a standard user can’t ‘own’ a system completely, but it can do enough damage to disrupt the normal functioning of a logon session and steal information, which is the primary goal of much of today’s malware. The last three methods are much harder to pull off.
While enterprise users are likely to have different default settings than a home user, although this is not always the case, preventing malware from running in a standard user session should be high up your list of priorities as hackers adapt their wares for least privilege environments.
All supported versions of Windows have built-in application whitelisting technology that can be used to prevent untrusted software running in a user session. As malware infection methods evolve, signature-based antivirus solutions can’t be relied on to provide protection against the thousands of new malware variants that appear every day.