Is Windows 7 safe? Sophos is ready, are you?


October 22nd, 2009 is the official public launch of Microsoft Windows 7. Those of us in the software development, hardware, and large enterprise space have had access to it for a few months now. We have been working to put the final polish on our compatibility, look and feel, and quality assurance testing.

We officially support Windows 7 as part of Enterprise Security and Control 9, which was released to the public on October 14th. We also provide a Knowledgebase article with best practices regarding Windows 7 deployments.

In talking with the press, I have found a lot of interest in how secure Windows 7 is, what improvements there are, and what Microsoft might have missed.

One thing I have not mentioned here previously that I think Microsoft missed is the default behavior of hiding extensions in Windows Explorer and file selection dialogs. Microsoft has defended this decision as intentional and designed to simplify the Windows experience. They believe that legacy file extensions are confusing to the average customer.

I’m not sure about your users, but the PC users I know think of things as being a PDF, Doc, etc. They don’t pay much attention to things like the icon Windows presents to them. They have been taught not to open files with extensions like .exe, .scr, and .bat that are known to be potentially dangerous.

This leaves the door open for nasty malware to masquerade as .txt files in users’ email and dupe them into opening malicious files. In an enterprise environment, I would recommend using GPOs to change this setting to always show extensions.
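To make the masquerade concrete, here is an added example (not Sophos code and not part of the original post) that computes the name Explorer would display with extensions hidden and flags attachment names whose visible part looks like a document while the real extension is executable. The extension lists and sample filenames are constructed assumptions; tune them to your own policy.

```python
import ntpath

# Assumed lists for illustration only; adjust to local policy.
RISKY_EXTS = {".exe", ".scr", ".bat", ".com", ".pif", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".jpg", ".png"}


def classify(filename):
    """Return (shown_name, real_ext, verdict) for one attachment name.

    shown_name is what a user sees when Explorer hides the final
    extension (assuming that extension is a registered file type).
    """
    # Windows drops trailing dots and spaces from file names.
    base = ntpath.basename(filename).rstrip(" .")
    shown, real_ext = ntpath.splitext(base)
    real_ext = real_ext.lower()
    # Padding spaces before the real extension are a common way to
    # push it out of view, so strip them before reading the decoy.
    decoy_ext = ntpath.splitext(shown.rstrip())[1].lower()

    if real_ext in RISKY_EXTS and decoy_ext in DECOY_EXTS:
        verdict = "masquerade"   # looks like a document, runs as code
    elif real_ext in RISKY_EXTS:
        verdict = "risky"        # executable, but not disguised
    else:
        verdict = "ok"
    return shown, real_ext, verdict


def scan(filenames):
    """Classify every name; return only those worth blocking or review."""
    results = [(name,) + classify(name) for name in filenames]
    return [r for r in results if r[3] != "ok"]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from real traffic.
    sample = [
        "notes.txt",
        "invoice.txt.exe",
        "C:\\mail\\Photo.JPG.SCR",
        "statement.pdf          .bat",
        "setup.exe",
        "archive.tar.gz",
    ]
    for name, shown, ext, verdict in scan(sample):
        print(f"{verdict:10} real={ext:5} user sees: {shown!r}  ({name})")
```

A check like this fits at the mail gateway or in an attachment-quarantine job, where the full filename is still available regardless of how the desktop is configured.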

I have posted several articles detailing changes made to security in Windows 7, which you can find listed below:


Sophos CTO Richard Jacobs started a rather interesting debate with some representatives from Microsoft this August with his guest blog “XP mode – demonstrating security is never Microsoft’s first priority”. This prompted a response from Microsoft’s Roger Halbheer pointing out the continued need for Windows XP compatibility. In reply, Richard Jacobs provides more details concerning XP mode’s manageability and resource consumption.

James Lyne and Carole Theriault put Windows 7 in the security spotlight in their podcast at the end of August. I also published a more in-depth paper on Windows 7 security issues last month titled “Windows 7 security: A great leap forward or business as usual?”

In summary, I would like to remind users of Windows 7 that, just as for users who have chosen OS X, Linux, or even Blackberries, much of the risk on the internet today is not OS-targeted malware. Sure, there have been outbreaks of things like Conficker, Virtumundo, and JSRedir (Gumblar) that exploit flaws in Windows, but many attacks are focused on social engineering.

Many users have already decided to move away from Microsoft based on previous bad experiences. This is leading criminals to take new approaches to compromising your data, identity, and finances.

As Graham pointed out in his video, people readily share their personal details without having been compromised by viruses. Using multiple techniques, scammers were able to steal tens of thousands of Hotmail and other online service passwords through fake websites, malware, and possibly other nefarious techniques.

Microsoft has closed and locked the windows. You must educate your users, Windows 7 or not, because your data, identity, and money are up for grabs.