
Windows 11 is out. Is it any good for security?


RV_


Lots of new security features in Windows 11, hence the hardware requirements. I'll do a review later, as I am still debating which system to try it on and am recovering from medical issues, with less stamina to do research/testing if something goes wrong. But this article, which I'll excerpt at length, really has some interesting insight as to why it may be very good as far as security improvements are concerned.

Excerpt:

"Windows 11, the latest operating system (OS) from Microsoft, launches today, and organizations have begun asking themselves when and if they should upgrade from Windows 10 or older versions. The requirements and considerations of each organization will be different, and many things will inform the decisions they make about whether to stick or twist. One of those things will be whether or not Windows 11 makes them safer and more secure.

I spoke to Malwarebytes’ Windows experts Alex Smith and Charles Oppermann to understand what’s changed in Windows 11 and what impact it could have on security.

A higher bar for hardware

If you’ve read anything about Windows 11 it’s probably that it will only run on “new” computers. Microsoft’s latest OS sets a high bar for hardware, with the aim of creating a secure platform for all that’s layered on top of it. In effect, Microsoft is making its existing Secured-core PC standards the new baseline, so that a range of technologies that are optional in Windows 10 are mandatory, or on by default, in Windows 11.

In reality the hardware requirements will only seem exacting for a short period. Moore’s Law and the enormous Windows install base mean that yesterday’s stringent hardware requirements will rapidly turn into today’s minimum spec.

Three of the new OS’s hardware requirements play major, interlocking roles in security:

All hail the hypervisor

At a minimum, Windows 11 requires a 64-bit, 1 GHz processor with virtualization extensions and at least two cores, and HVCI-compatible drivers. In practice that means it requires an 8th generation Intel processor, an AMD Zen 2, or a Qualcomm Snapdragon 8180.

This is because Virtualization Based Security (VBS) has become a keystone concept in Microsoft’s approach to security. VBS runs Windows on top of a hypervisor, which can then use the same techniques that keep guest operating systems apart to create secure spaces that are isolated from the main OS. Doing that requires hardware-based virtualization features, and enough horsepower that you won’t notice the drag on performance.

Noteworthy security features that rely on VBS include:

  • Kernel Data Protection, which uses VBS to mark some kernel memory as read only, to protect the Windows kernel and its drivers from being tampered with.
  • Memory Integrity (a more digestible name for HVCI), which runs code integrity checks in an isolated environment, which should provide stronger protection against kernel viruses and malware.
  • Application Guard, a protective sandbox for Edge and Microsoft Office that uses virtualization to isolate untrusted websites and office documents, limiting the damage they can cause.
  • Credential Guard runs the Local Security Authority Subsystem Service in a virtual container, which stops attackers dumping credentials and using them in pass-the-hash attacks.
  • Windows Hello Enhanced Sign-In uses VBS to isolate biometric software, and to create secure pathways to external components like the camera and TPM.

Unified Extensible Firmware Interface (UEFI)

UEFI is a specification for the firmware that controls the first stages of booting up a computer, before the operating system is loaded. (It’s a replacement for the more widely-known BIOS.) From a security standpoint, UEFI’s key feature is Secure Boot, which checks the digital signatures of the software used in the boot process. It protects against bootkits that load before the operating system, and rootkits that modify the operating system.

Trusted Platform Module 2.0 (TPM 2.0)

TPM is tamper-resistant technology that performs cryptographic operations, such as creating and storing cryptographic keys, where they can’t be interfered with. It’s probably best known for its role in Secure Boot, which ensures computers only load trusted boot loaders, and in BitLocker disk encryption. In Windows 11 it forms the secure underpinning for a host of security features, including Secure Boot’s big brother, Measured Boot; BitLocker (Device Encryption on Windows Home); Windows Defender System Guard; Device Health Attestation; Windows Hello; and more.

New in Windows 11

Windows 11 has some new tricks up its sleeve too.

Hardware-enforced Stack Protection

Windows 11 extends the Hardware-enforced Stack Protection introduced in Windows 10 so that it protects code running in kernel mode as well as in user mode. It’s designed to prevent control-flow hijacking by creating a “shadow stack” that mirrors the call stack’s list of return addresses. When control is transferred to a return address on the call stack it’s checked against the shadow stack to ensure it hasn’t changed. If it has, something untoward has happened and an error is raised.

Pluton

Windows 11 comes ready to embrace the impressively-named Pluton TPM architecture. It’s been a feature of the Xbox One gaming console since 2013, but doesn’t exist in PCs… yet.

Pluton sees the security chip built directly into the CPU, which prevents physical attacks that target the communication channel between the CPU and the TPM. And while Pluton is backwards-compatible with existing TPMs, it’ll do more if you let it. According to Microsoft, “Pluton also provides the unique Secure Hardware Cryptography Key (SHACK) technology that helps ensure keys are never exposed outside of the protected hardware, even to the Pluton firmware itself”.

Microsoft Azure Attestation (MAA)

No discussion about security in 2021 would be complete without somebody mentioning Zero Trust, so here it is. Windows 11 comes with out-of-the-box support for MAA, which can verify the integrity of a system’s hardware and software remotely. Microsoft says this will allow organizations to “enforce Zero Trust policies when accessing sensitive resources in the cloud”.

Evolution, not revolution

For several years, Microsoft’s approach to Windows security has been to create a chain of trust that ensures the integrity of the entire hardware and software stack, from the ground up. The latest version of Windows seeks to make that approach the default, and demands the hardware necessary to make it work. With Windows 11, Microsoft is making an aggressive attempt to raise the security floor of the PC platform, and that’s a good thing for everyone’s security.

Make no mistake that threat actors will adapt, as they have done before. Advanced Persistent Threat (APT) groups are well-funded enough to find a way through tough defences, ransomware gangs are notoriously good at finding the lowest-hanging fruit, and lucrative forms of social engineering like BEC are notoriously resistant to technology solutions.

And you can add to that the interlocking problems of increasing complexity, backwards compatibility, and technical debt. Operating systems and the applications they must support are a behemoth, and while Microsoft pursues its laudable aim of eliminating entire classes of vulnerabilities, new bugs will appear and a lot of legacy code will inevitably come along for the ride.

Decisions about whether to adopt Windows 11 will doubtless be impacted by the fact it won’t run on a lot of otherwise perfectly good computers. We expect this to have a chilling effect on organizations’ willingness to migrate away from Windows 10.

And there are other headwinds too. These days, new Windows operating systems are rarely greeted with great enthusiasm unless they’re putting right the wrongs of a particularly disliked predecessor. The bottom line is that Windows 10 works and OS upgrades are painful, so it is difficult to imagine that anyone will conclude they need Windows 11.

Migration away from older versions of Windows is inevitable eventually, and by the time mainstream support for Windows 10 ends in October 2025, users will undoubtedly be more secure. But we expect organizations to move away from Windows 10 slowly, which will delay the undoubted security benefits that will follow from wide-scale adoption of Windows 11."

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire
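The article lists VBS, Memory Integrity (HVCI), Credential Guard, Secure Boot and TPM 2.0 as the new baseline, but on an upgraded machine several of those are "available" rather than "on". The script below is an added example, not code from the article, from Malwarebytes or from the forum post; it reports which of those protections are actually running, using only built-in Windows cmdlets (`Get-CimInstance` against the `Win32_DeviceGuard` and `Win32_Tpm` classes, `Confirm-SecureBootUEFI`, `Get-Tpm`). The code-to-name mapping for `SecurityServicesRunning` follows Microsoft's `Win32_DeviceGuard` documentation; the function name `Get-Win11SecurityBaseline` is an assumption chosen for this example. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article or the forum post): report which of the
# Windows 11 baseline protections the article describes are actually enabled
# on the machine this runs on. Requires an elevated PowerShell session.

#Requires -RunAsAdministrator

function Get-Win11SecurityBaseline {
    [CmdletBinding()]
    param()

    # Code meanings follow Microsoft's Win32_DeviceGuard documentation.
    $vbsStatus = @{
        0 = 'VBS not enabled'
        1 = 'VBS enabled but not running'
        2 = 'VBS enabled and running'
    }
    $serviceNames = @{
        0 = 'None'
        1 = 'Credential Guard'
        2 = 'HVCI (Memory Integrity)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM Firmware Measurement'
        5 = 'Kernel-mode Hardware-enforced Stack Protection'
    }

    # Virtualization Based Security state and the services running on top of it.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $servicesRunning = @([int[]]$dg.SecurityServicesRunning)

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS machines,
    # which is itself the answer (no UEFI, so no Secure Boot).
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # TPM presence, readiness and spec version (the article's 2.0 requirement).
    $tpm     = Get-Tpm
    $tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    $runningNames = foreach ($code in $servicesRunning) {
        if ($serviceNames.ContainsKey($code)) { $serviceNames[$code] }
        else { "Unknown service code $code" }
    }

    [PSCustomObject]@{
        VirtualizationBasedSecurity = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning             = ($runningNames -join ', ')
        CredentialGuardRunning      = ($servicesRunning -contains 1)
        MemoryIntegrityRunning      = ($servicesRunning -contains 2)
        SecureBootEnabled           = $secureBoot
        TpmPresent                  = $tpm.TpmPresent
        TpmReady                    = $tpm.TpmReady
        TpmSpecVersion              = $tpmSpec
    }
}

Get-Win11SecurityBaseline | Format-List
```

A clean Windows 11 install on supported hardware should show VBS running with HVCI and, where configured, Credential Guard; a machine that was upgraded in place, or that has a driver incompatible with Memory Integrity, often shows VBS "enabled but not running" with an empty services list, which is the gap worth chasing before relying on the article's list of protections.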


Kirk, perhaps you might want to go to the article and post that in the original post on Malwarebytes security company's blog.

For those that use it, knowing can avoid losses. I do have friends who use Apple systems and are glad to have any heads up, as I am about any systems I have. I refuse to use Android NFC paying systems. But if I did having it "only" affect Android pay would be very important to me. I know we will see someone come in objecting and trying to say it does not.

The link is provided assuming anyone who does use it will read the link. Did you read why use Express mode?

From the article:

"The vulnerability identified by the researchers is only present when Visa cards are set up using Express mode in an iPhone’s wallet. Express mode allows iPhone owners to use transit or payment cards, passes, a student ID, a car key, and more, without waking or unlocking their device, or authenticating with Face ID, Touch ID, or a passcode. The user may even be able to use their card, pass, or key when their device needs to be charged."

I do use my phone to unlock my Tesla and remotely turn on HVAC and check on it from afar in my Tesla App. As well I have Sentry mode which anyone can look up if they are interested.

I have Visa cards and recently lost one and found I could block it temporarily until I found it. One option among several to still use Express mode, like removing Visa cards from your phone. So if I had an iPhone I would have to have it in Express mode, or have to take out my wallet and get my key card out to swipe against the pillar post, or fumble with turning it on and manually unlocking in the App. PITA, when proximity works by locking it when I walk away and get ten feet or so away with no action from me but having my phone in my pocket, without me doing a thing. It also unlocks it when I get close to it on my return with the phone in my pocket.

If I or any other Tesla owner had an iPhone we would use it to unlock and lock our cars too. Thus Express mode.

It has also only been demonstrated in the lab but Apple is pointing fingers at Visa and Visa at Apple.

However, it is now in the public domain and attackers will now be trying to exploit it.

Researchers silently warn the companies with as-yet-undiscovered vulnerabilities when these kinds of new exploits are discovered, to give them time to fix them. When the companies do not fix them, they go public. That way the folks with the vulnerable systems can turn off the offending app or service until it is fixed.

Or not.

When it is my money or systems/identity, I want to know and track it to the conclusion to know when it is safe to go back. An informed decision.

Others may not.

But it isn't an Apple slam. Just a vulnerability.

Now that it is public it is in Apple/Visa's court, but they have to take it seriously now.

What's in your wallet? ;)

Edited by RV_

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998

