Windows 7 Known Security Flaws

Windows 7 is the most recent operating system to come out of the world of Microsoft. Sure, it is always great to get a new piece of software. The question is: how soon should you get into Windows 7? One of the major factors that will play into that decision is how secure your new operating system will be.

Security is one of those features that many users do not even consider until it is too late. Security mostly becomes an issue when it fails to keep you safe.

Despite its sometimes subliminal nature, security is important to consider before making any upgrades. After all, if the new operating system has any serious security flaws, you do not want to find out the hard way. If a new operating system has flaws that you deem to be too risky, then you can always wait for the first service pack to come out. Recovering from a breach will be much harder.

That is why we are going to look at some of the known flaws in Windows 7’s security. That way you can make an educated and informed decision about your upgrade. Maybe you will decide to leap in head first and be a Windows 7 early adopter. Or maybe you will play it safe for a while and upgrade after others have tested the waters for you. Either way, this piece will help you to make a decision about your upgrade.

One special note: there are some things that are in the grey area. While some people may consider certain items to represent a flaw, others would argue it is a feature. Which is the truth?

Honestly, that depends on how you use the system. A certain feature may be to your benefit if you happen to be a system admin. If, however, you are not willing (or able) to put in the time to properly manage that feature, it may become a liability.

Reduced User Warnings

One of the least popular features in the Windows-based operating systems was the constant stream of security pop-ups. As it turns out, the majority of end users did not enjoy having an endless parade of bubbles pop up to inform them of events that were relatively routine. Sure, it is nice to know when someone is trying to access your system illegally, but you really do not need to know each and every time one of your legally installed programs needs to make a connection.

In an attempt to pacify those unhappy consumers, Microsoft has made some changes to the end user warning system. In the classic damned if you do, damned if you don’t fickle world of technology, the changes are now making security pundits unhappy. The real complaint is not with the reduced notifications, but with the potential for real security threats to fly under the radar.

The objection arises when a user sets their controls to medium. On the medium setting a user can allow certain programs to run automatically without setting off a warning. That’s a great way to reduce pop-ups, if the programs running are ones that you know should be in your system. If the program, however, is malicious, or malicious code happens to be lurking inside valid software, this medium setting becomes a conundrum.

On the medium setting, a malicious piece of software can go about its business without the end-user ever getting a warning. In fact, there’s a malicious bit of code that could be used to turn off the user warnings altogether when the user isn’t looking. That means that it is possible for a piece of software to get administrator level rights to a system without notification.

Granted, this is much more likely if the user is already running as an administrator on the system. Nonetheless, since many home-based users do actually run the computer on one account, which is by default the administrator account, it leaves a potential gap in the security, of which users should be made aware before they choose a security level.

While the new warning system is not perfect, it is still a step up from the one on the previous operating system, Windows Vista. Many users found the original incarnation of these pop-ups to be so incredibly annoying that they turned off the security altogether. This means that, while with Windows 7 you may have some shot at being notified, if you turn off the annoying alerts in Vista, you have no chance of being notified.

Since the initial beta run, Microsoft has made some changes to the user account controls in Windows 7 that will help to keep notifications for privileged operations intact. While this may help to reduce the risk associated with using the medium and lower notification settings, it is by no means a panacea.

Then again, one must also consider the possibility that secure personal information can be taken off the system without involving any privileged operations. As a matter of fact, there are several ways that you can gain access to a system, or to the personal information of the user, without entering that privileged operations area, which means that you’d fall right back into the no notification zone.

The options are relatively obvious. Either when you use Windows 7 you keep the user account controls set to high notification, or you do regular checks to ensure that your system is not compromised. If you’re not doing anything that you know you shouldn’t be, and you are running regular virus scans on your system, then setting your controls to medium may not be much of a detriment. The real issue here seems to be if you’re relying solely on Microsoft, and the operating system’s built-in controls, to protect your system.

Problems with Virus Scan Software

Beta users of Windows 7 have found that they are having a bit of a problem running their virus scan software. Software like McAfee and Norton have been showing little to no functionality when used on Windows 7. While this may simply be a beta problem, with few software vendors willing to make distributions for software that may change radically at the end of the beta test, there may still be some initial issues in the first few months of the commercial release of Windows 7.

While software compatibility is just one of those things that has to catch up with a new operating system, having your security software off-line can be a very big problem. Until you are sure that your security software of choice runs well on Windows 7, you may want to hold off.

That being said, if you just can’t wait to update, you could just use a piece of software that you know will be compatible with Windows 7. Over at InfoWorld they were kind enough to let users know that security software known as Spyware Doctor is running well with Windows 7, even in its beta days. This means that in theory, you could just put on your Spyware Doctor software, or any other piece of security software known to work well with Windows 7.

If, however, you are attached to your security software, either as a personal preference or a long-term licensing contract, you may want to wait it out until you have compatibility. You probably won’t have to wait that long after the commercial version is released. Don’t be surprised if stable commercial versions are out as quickly as one month after the release.

If you really want to be sure before you buy, or upgrade, head over to the user forums for your security software. Look for the compatibility complaints, and responses from the techs. It may be that the solution is as simple as a small patch. Just be sure to check the date on those complaints and solutions, so you do not end up with a fix or patch that was intended for beta users. Operating systems do change from the beta version to the final release, and the patch may not function well with the final release version of the operating system.

Hidden File Extensions

At first glance, a hidden file extension may not seem like a really big deal. After all, one can generally assume that an Adobe file will be a PDF, or that an office file will be a .doc. Those assumptions are not even incorrect, in most cases.

Security analysts, however, have to deal with the 1 in 1,000 (or 1 in 100,000) case that a malicious developer would look to exploit. Granted, anyone who is not new to the world of Windows will know that this feature is not new. Since it is included in the system it is worth mentioning.

You may be wondering how a malicious developer could take advantage of a system that shows icons but no extensions. Think about what can happen if one file type is masquerading as another file type, and users assume that the imposter file is really what it says it is. After all, your typical user has no reason to think otherwise, right?

To give you an example: if a .txt or a .pdf were added to a file name (before its true extension), the file would come up as that icon. This means that you could end up opening a virus file because you think that it is a status update from your boss…with results you can easily imagine.
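A defender can catch this kind of name by comparing the last two extensions of each file. The Python sketch below is an added example, not code from the original article; the extension lists and sample file names are constructed for illustration, and it assumes the final extension is a registered type that Explorer hides.

```python
import os

# Constructed, non-exhaustive lists for illustration.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs"}
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".jpg", ".png"}

# Constructed sample directory listing.
SAMPLE = [
    "status_update.pdf.exe",
    "Invoice.PDF.EXE",
    "report.pdf",
    "setup.exe",
    "archive.tar.gz",
    "notes.v2.txt",
]


def explorer_display_name(filename):
    """Name as listed when "Hide extensions for known file types" is on.

    Assumes the final extension is a registered type, so it is hidden.
    """
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_masquerading(filename):
    """True when a document-style extension sits before an executable one."""
    stem, true_ext = os.path.splitext(filename.lower())
    if true_ext not in EXECUTABLE_EXTS:
        return False
    # The extension the user would see once the true one is hidden.
    _, shown_ext = os.path.splitext(stem)
    return shown_ext in DECOY_EXTS


def scan(filenames):
    """Return (real name, name the user sees) for each suspicious entry."""
    return [(f, explorer_display_name(f)) for f in filenames if is_masquerading(f)]


if __name__ == "__main__":
    for real, shown in scan(SAMPLE):
        print(f"{shown!r} is really {real!r}")
```

Running the same check over a downloads folder or mail attachment names is a quick way to spot files whose visible name ends in a document extension while the real type is executable.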

Now, you know. The decision is up to you.

One thought on “Windows 7 Known Security Flaws”

  1. Hi,

    Great read and good info for newbies to Windows but for those that have used Windows from say XP it's just common sense if you ask me :)

    Still some good reading and like I said it should be a good start to the basics for new users of Windows, but all these things have been in Windows in the past so no new security flaws really I guess.

    Thanks for the article :)
