enxz (Member, United States, 41 posts)
Everything posted by enxz

  1. Read the previous PDF on /GS improvements as well as http://j00ru.vexillium.org/?p=690 Pre-8 /GS used 1 bit of entropy. Pre VS 2012 /GS was used on fewer functions. The new toolchain applied on 8 improves the heuristic application of it, protecting more function returns. /GS and ASLR improvements are just two examples. I use them because they're the easiest to point to. There are many others, many of which are detailed in the links provided.
  2. @The Finder, Yes, a vulnerability in XP code that's used in Vista, 7, and 8 would work on all of them potentially. So they all have to be patched. But exploiting that vulnerability is a whole other story on newer operating systems thanks to the mitigation techniques I've mentioned. So while all of them could have the same number of vulnerabilities (or newer ones could even have more), exploitation of those vulnerabilities can range from significantly more difficult to impossible - stack overflows, for example, are going to be much more difficult to exploit on 8.

     @CharlotteTheHarlotte, I wasn't clear, I'm not saying that a driveby attack was used. I'm saying that a legitimate website was compromised and an attacker had control of the website for 6 days. In that time the attacker could easily have put up an exploit page, and any person who visited would have been subjected to it - router or not. That is how typical attacks work, they don't care about routers. I'm saying this because the router isn't relevant to security anymore. If you're running a browser that's all the attack surface necessary.

     In terms of performance stuff, I'm not really interested in discussing it. It's not what I came here to talk about, and it's not important to security. Except I've posted multiple times now about mitigation techniques that make attacks harder. https://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx?Redirected=true http://j00ru.vexillium.org/?p=690 You can google for more information on the effectiveness of these techniques.

     It's very simple. I'm an attacker. I want into a system. I see two XP boxes. One of them has an unpatched service running, the other has a patched service running. I can attack the patched service, but it requires a 0day attack. Or, I can just modify the latest Metasploit for the unpatched service and cut my work by 90%. That's why patching is important.

     Of course, if I see a Windows 8 box on there, I know I need a 0day, and I need an information leak, and I potentially need a local kernel exploit that itself will potentially require an information leak. It's just math. Vuln + Vuln + Vuln + Vuln > Vuln

     In the case of Windows update, there are exposed services, media players, linkers, etc. The entire operating system is attack surface, especially the kernel. If you have a local kernel vulnerability and you don't patch it, it becomes a matter of googling to get into your system. MSIE is nothing. It's not important - it's a couple million lines of code and you've got hundreds more within the operating system. You can run Google Chrome and it will make little difference, because it's just one kernel exploit to get out of the sandbox. You can look at the latest MWR Labs attack on Chrome to see evidence of this (and that the attack had to be modified for 8 to become reliable).

     What I'm concerned with is principles of security, operating system security, network security, how attacks work, and how we defend against them. It's what I do at school as a computer science and security major, it's what I've been hired to do by defense contractors, it's what I do at competitions where we hack into systems for points, and defend from actual hackers to win. I'm not going to try arguing from authority on the internet, no one has to take me at my word, but if you think that a system's security is defined by menial details of a router I think your perception is way off.
  3. Any logical view of operating system security should show that Windows XP is less secure than 8.
  4. Right, but in that test you're defining security as whether a machine will get attacked, and then stating that there's a correlation between the operating system and whether it will be attacked. That's a faulty premise. What if I leave a vulnerable XP box directly connected to the internet, running a vulnerable Apache service that would take 5 seconds to exploit, and it never gets exploited. Is that machine secure? Well, it was never attacked... so is that what security is? You're also not exposing the system. Again, users don't just get attacked by connecting to the internet. Your test would make more sense if those systems connected to various exploit pages as well as sitting on the internet. But... By that logic you can just run the oldest operating system with the least market share and you'll be "secure" because no one will care to attack you. So essentially you're defining security by an attacker's will to attack you and not by their ability to attack you. I think that's a faulty definition of security. Like I said, there is no objective measure, and people don't even agree on what security means. But with a technical understanding of how machines are compromised, how attacks work (both from a business standpoint and the actual creation of exploits), and how defenses work, it becomes very clear which systems are secure and which aren't.
  5. I've actually mentioned ASLR and /GS already.

     ASLR is Address Space Layout Randomization. It randomizes the address space of a process so that an attacker has a more difficult time creating ROP gadgets, which are used for Return Oriented Programming. These gadgets allow attackers to bypass Data Execution Prevention (DEP). DEP is in Windows XP SP1. ASLR is not on any Windows XP box. ROP has been around for well over a decade now, and creating your gadgets is easy, and an automated task. Without ASLR an attacker gets initial shell and they control the process. With ASLR an attacker requires an information leak, which Windows 8 has made more difficult (removing Shared_User_Data, for example). Windows 8 is the first Windows operating system that allows a process to force all mappings to use at least 8 bits of entropy, and allows processes to make use of far more entropy, making bruteforce attacks much less reliable.

     /GS is a stack canary that is heuristically attached to functions at compile time. Stack overflows that corrupt the canary will fail if the attacker does not use their one chance to guess the canary value. On XP there was 1 bit of entropy for this value, and I'm not sure if they ever fixed that. Regardless, /GS has been improved and included in the new toolchain for Windows 8.

     SEHOP is Secure Exception Handling Overwrite Protection. It is not included in XP (without EMET) and it mitigates a significant number of vulnerabilities that have been exploited (especially in IE) in the past on Windows XP. Vista+ use it.

     Multiple areas of the kernel have been moved to userland. One component is part of the graphics stack, which, for performance reasons, is partially handled by the kernel. But an attack on the userland components, the areas exposed to attackers, will no longer lead to an instant kernel level attack on the system.

     MIAC, Mandatory Integrity Access Control, is the basis for high level sandboxing on Windows. It goes far past ACLs to allow processes to restrict their own file access, among other things. Separation between User and Admin is native to Vista+, whereas on XP it's not nearly as clearly defined, leading to a class of attacks known as shatter attacks.

     Here's the PDF I mentioned: http://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf It brings up Guard Pages, local kernel mitigation techniques (more areas of the kernel have been marked as nonexecutable, KASLR has improved entropy, SMEP, soon SMAP), and multiple other mitigation techniques.

     There is no objective measure of security. People don't even agree on how to define whether a system is secure or not, or if it's even possible. But if you know how attacks work, and how defense works, it should be very obvious that Windows 8 is more secure. If you think anyone in this world is going to post a meaningful benchmark for security, I don't know what to tell you. It will never happen. What you'll get is every person with experience hacking into systems telling you this though. A double blind test wouldn't really make sense. This isn't a pill. It's attacking an operating system. The fact is that on Windows 8 you need to expose more vulnerabilities for RCE.
  6. It's not mutually exclusive. XP is both an insecure operating system and less secure than Windows 8.
  7. @Thomasz, CPU scheduling has changed a lot, because while old Windows versions could absolutely handle multiple cores and threads, we didn't have mainstream hardware that did it. Try a browser benchmark. But I'm not really here to convince anyone of performance improvements, only that XP is not a secure operating system.

     @uid0, /GS is a stack canary feature that heuristically determines which functions should have one (to avoid the 3% performance hit for function returns). I'll find you the PDF a bit later, for some reason it's not coming up in a quick search.

     @5eraph Maybe so. But it doesn't matter at all, since, as I've said, no attacker is going to be going directly at a service - attacks these days work by hijacking some website users visit and putting up an exploit page. Exploit pages are already on your system, they don't care about the firewall/NAT.
  8. Tomasz, I have no benchmarks on me. Benchmarks aren't always reliable either, as in terms of pure FLOPS CPU cycles will matter most, and an older OS will have more to spare. But for more complex applications, like a browser, CPU scheduling, memory management, Superfetch, etc. will be very important. So on a single core system with 512MB-1GB of RAM XP may be faster. But on a dual core/quad core system with 4GB+ of RAM, 8 should be considerably faster, as it will make use of those resources much better.

     One really simple example of where a benchmark won't see any performance improvement is Superfetch. HDDs are very slow, RAM is very fast. Your operating system (after XP) realizes this, and caches a lot of your file system into RAM. But it only has a little RAM, and a ton of file system, so it has to decide what goes into it. A benchmark, which you only run a single time, and which is specifically looking for HDD performance, will show really slow performance for disk access. But a normal program will end up benefiting significantly from Superfetch.

     @5eraph, UPnP is not necessary for browsing, nor torrenting. If you want to host a server, then it is, because servers take in unsolicited information, but any program that creates an outbound connection will allow for inbound. The IPTables rules would look something like:

     iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     iptables -A INPUT -m state --state NEW,INVALID -j REJECT

     That's why your browser can work. It creates the connection (RELATED, ESTABLISHED) which then allows for inbound access. New connections are not allowed for inbound access. So your system is not completely blocked from the internet, otherwise your router would kill internet completely. This means that, if you're running behind NAT, an attacker can still access your system. It's harder, to the extent that they can't just send packets straight at services, but it's really not difficult.
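As an added illustration of why those two rules let a browser's replies in while unsolicited connections are rejected, here is a small Python model of the conntrack states the `-m state` match uses. It is not the poster's code; the hosts, ports and packets are constructed sample data, and the state machine is simplified (TCP only, no RELATED handling, no timeouts).

```python
"""Toy model of the INPUT chain quoted above:
   -m state --state RELATED,ESTABLISHED -j ACCEPT
   -m state --state NEW,INVALID         -j REJECT
Outbound packets are not filtered (no OUTPUT rules were quoted), but they
create the flow entries that later make inbound replies ESTABLISHED."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = host -> internet, "in" = internet -> host
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a connection-opening TCP SYN


class StatefulFirewall:
    def __init__(self):
        # Tracked flows keyed from the host's point of view:
        # (local_ip, local_port, remote_ip, remote_port)
        self.flows = set()

    def _flow_key(self, pkt):
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def classify(self, pkt):
        """Mimic conntrack: known flow -> ESTABLISHED, fresh SYN -> NEW,
        anything else (e.g. a non-SYN segment for no known flow) -> INVALID."""
        if self._flow_key(pkt) in self.flows:
            return "ESTABLISHED"
        if pkt.syn:
            return "NEW"
        return "INVALID"

    def process(self, pkt):
        state = self.classify(pkt)
        if pkt.direction == "out":
            # Unfiltered direction: allow it, and start tracking new flows
            # so the server's replies will match rule 1 on the way back.
            if state == "NEW":
                self.flows.add(self._flow_key(pkt))
            return "ACCEPT"
        # INPUT chain: rule 1 accepts ESTABLISHED, rule 2 rejects the rest.
        return "ACCEPT" if state == "ESTABLISHED" else "REJECT"


def run_scenario():
    """Constructed traffic: a browser fetch, then two unsolicited packets.
    Returns the INPUT/OUTPUT verdict for each packet in order."""
    fw = StatefulFirewall()
    host, web, attacker = "192.0.2.10", "198.51.100.80", "203.0.113.7"
    packets = [
        Packet("out", host, 49152, web, 443, syn=True),     # browser opens HTTPS
        Packet("in", web, 443, host, 49152),                # server's reply (page content)
        Packet("in", attacker, 40000, host, 445, syn=True), # unsolicited SYN to SMB
        Packet("in", attacker, 40000, host, 49152),         # non-SYN to untracked flow
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    print(run_scenario())
```

The second packet is accepted only because the host opened the flow itself, which is exactly the channel a compromised website uses: whatever the server returns on that established connection reaches the browser without any port being opened.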
  9. Well first of all a remote kernel exploit, like one in the TCP/IP stack, will compromise a system, even if all ports are closed. Vulnerabilities exist in Firewalls (we've seen this on Windows, even) that allow an attacker to exploit a closed port as well. But generally a box that has all closed ports is relatively safe. But as I've said, attacks don't rely on open ports anymore.

     I disagree. The majority of attacks against users go through hacked legitimate websites. One really good example of this is the recent hack of Ubuntuforums.org. That's a "good" website, but for 6 days it was controlled by an attacker. In that time he could have easily put up an exploit page, and no "common sense" would have saved anyone - I'm a security professional and I visit that website, so do many others. So I don't think the user being knowledgeable is so critical, because that fails very quickly.

     Not really, trickery is not always necessary. Though it's easy. But as I stated above, Ubuntuforums.org was compromised - no one had to be tricked into executing code, or visiting a site, they went to it believing it was legitimate when an attacker controlled the content. This happens often. There's no social engineering involved.

     Of course - the NAT did exactly what it's supposed to do. It's just completely useless in modern attacks.

     I doubt anyone invites malware onto their systems. They are either tricked into clicking on a link, tricked into downloading and executing a file, or they hit an unlucky webpage that's been compromised.

     No, not really. Users aren't critical to security, but that's not really the point I want to make, since it'll just lead to a whole other discussion.

     Yes, actually. AppContainer (MAC) and ASLR are both unique to 8.x. 7 implements ASLR (as did Vista) but 8 is the first implementation that's done properly. /GS improvements on Windows services are unique to 8 services AFAIK. There are actually a large number of significant improvements to 8.x over 7. I can link you to a PDF that lists them in much greater detail if you'd like.

     Well first of all your router must be screwed up, because you should definitely be able to torrent without opening ports on the router. Packets are definitely not just tossed. You're reading this webpage right now, aren't you? That means that, somehow, someone is sending you data to your computer. That's all an attacker needs. They can MITM your connection, hack the website, send you a link, etc. Once you get to an area where they control the content (like opening an email from them) they can attack you. That's all it takes. Your malware doesn't need to mess around at all with your router ports. I'm not sure why you think that a router has to do something special when your web browser doesn't. Do you open ports on your router for your browser? No? Then why would malware need to? It's not doing anything special.

     Like I said, Windows 8 is better off. Although your 8 services are exposed more directly, getting into the XP box is not going to be hindered much. Of course, I wouldn't recommend either - you should be behind NAT, because you don't want to be exposed. But NAT isn't going to make up for an operating system full of holes. MSE isn't relevant, AV is stupid and anyone can bypass it completely.

     In terms of performance there's a lot more to it than services running. On modern hardware 7/8 will run faster than XP depending on the task. But the reason I'm avoiding discussing performance is because it changes depending on the hardware - an old system will run XP faster than 7, a new one will run 7 faster than XP. That's just how it is.

     The point is, as it has been, that given the same network setup, given the same user, given all things being the same, it is much easier to get into an XP box than 8.x. And it is trivial when the user doesn't patch.
  10. I would like to see that study. My guess is that a large number of updates led to a lot of disk space being used by update packages, and removing them and subsequently defragging would solve it. But, of course, performance is not the question here. Security is.
  11. I could get specific, I suppose. But specific CVEs aren't important. Any remote kernel exploit will quite obviously bypass everything other than hardware based security. Any local kernel exploit combined with RCE in a program such as a browser will bypass your NAT/network Firewalls, and provide full system control regardless of sandboxing.

     I can name quite a number of things, though it may get somewhat technical, and I don't know what level you'd understand. MSE makes no difference to me, since bypassing AV isn't difficult, and it also isn't a technology that makes 8 any harder to hack than XP.

     One major difference over XP is a proper implementation of ASLR. XP lacks all ASLR, making remote code execution trivial. Windows 8 ASLR is the first proper implementation on Windows, with multiple information leaks removed, and the ability to have all memory maps randomized. There is significantly more entropy as well. Vista+ are immune to shatter attacks. On XP the difference between Admin and restricted user is not enforced properly, making escalation attacks incredibly easy. Microsoft released a patch to solve this, and it does somewhat, but it's not as well implemented. Privileges in general are improved, as system services run with lower rights on Vista+, and areas of the kernel have been moved to userland, where an exploit won't be so critical. /GS is used further in 8+ for system services. I could go on. These changes are considerable.

     No one attacks a user's laptop anymore in any way that a network Firewall will matter much. Worms like Conficker are remnants of the past, anyone on a modern system is far more likely to be attacked through a service that already is taking in input. MSIE has little to do with it, as other browsers will be just as useless on XP, especially without patches. Do you think Chrome's sandbox will save you? It won't. NoScript? Nope. We've already seen in this topic an attack that would bypass both of those things, attacking font rendering in the kernel via TrueType.

     In terms of money, you're missing the point. All attacks, virtually, are about money. If I hack you it's not to trick you into giving me money, it's to hook you up to my botnet so I can sell your system off to someone for a couple hundred thousand dollars a year. And I'll likely sell off whatever accounts I access as well just for a couple hundred dollars extra.

     Microsoft has stated that they consider 8 to be the most secure Windows operating system. They are correct. Again, NAT isn't important or relevant to modern attacks for desktop users.

     8/8.1 are not magic. You can get far more secure using Linux, and MS has more work to do. But attacking 8/8.1 is considerably more difficult than attacking XP.

     Windows 8 would be far far far more secure in this case. But I'm not sure why you can't just... you know... have Windows 8 behind a router.

     I guarantee that if anyone here is running an unpatched XP system it would take very little time to get into their systems, given that they're willing to click just one link. One known RCE in their browser, one known local kernel vulnerability - access to a single syscall, if even.
  12. That's very common, even Linux does that. If there's a critical vulnerability you make sure that companies/ governments can patch it ASAP. The issue is that, sometimes, the patch can be reversed and exploit code can be developed before they release the patch to the mainstream. It's dangerous but not outright malicious. These also aren't backdoors as they're not intentional vulnerabilities, they're discovered vulnerabilities. But if you consider backdoors to be a threat you should consider all Windows systems invalid, don't think that the NSA and Microsoft have only been working together recently. They've had a relationship for years.
  13. Like I had said, it depends on how you define security. There is no '100%' secure; if you're dealing with the NSA directly targeting you, you can make things hard for them, but they will get in if they really want to. That doesn't mean a system is insecure, it just means that 100% security does not exist. I would say you have to define security by threats, and when the threat is any skiddy with Metasploit, the box is not secure. But we're talking about a massive difference of skill required. To hack an XP box requires little work, any RCE vulnerability in any browser, and a local kernel vulnerability. On Windows 8 you need RCE, an information leak, a kernel vulnerability, and another information leak. Not only do you need more vulnerabilities total, exploitation of them is more difficult.
  14. That really depends how you define security. In my case I know that most hackers are incapable of getting into my system, whether they want to or not. Can you say that about an unpatched XP box? Not really. 8/8.1 are considerably more secure, not sure why you would believe XP is more secure. Hardware firewalls are fine, but they're not really relevant. Your end system, the one taking in untrusted data (regardless of firewalls) is still vulnerable. Malware targeting 7 will still work on XP. And attackers will certainly still attack XP users if the market share holds where it is, there's still a ton of money to be made, especially when it's such easy pickings. If I'm an attacker I can go after the majority, 7 users. But that's sorta difficult. I could still attack XP boxes, take over a massive number of systems, and expend far less effort.
  15. How? If you want to run XP after 2014 accept that you won't be secure. If you run XP you're already not secure, but without patches any skiddy with Metasploit will be able to tear your machine apart. You can fend off the most basic attacks with EMET, and you can force an attacker to use local escalation attacks with sandboxing, but neither of those raise the bar significantly on XP.
  16. You could disable the "webclient" service, but that would mean never using your browser (or anything else that allows for text). As all an attacker has to do is get you to visit a webpage where they control the text, so an XSS, or other attack on a website you visit is enough. They then control your system's core component, the kernel. That means they control your Firewall too (this only requires administrative access) so they can open, close, bind ports however they want. A firewall will do nothing here. In fact any security at or above ring 0 will be completely bypassed. The best solution here is a patch.