At the summer hacker conferences, researchers have been talking up Windows 8 and its improved security. They talk a good game, but here’s the end run around it.
During a casual search of file sharing services looking for material with my byline, I found something. Intrigued, I clicked on the link to see what would happen. What didn’t happen was what I expected, which was my browser asking me if I wanted to open or download a PDF file. Instead, the site wanted to send me an executable file that would in turn download the requested PDF.
I didn’t run it.
I’m approximately 50% certain the executable would in fact download the file for me. The trouble is, what else was that executable file going to do? I had no way of knowing. So I cancelled the download. I’m absolutely positive that if I’d scanned the file for viruses, it would have come up clean. But all the program has to do is download the malicious code, instead of carrying it onboard.
The problem with trying to secure an operating system is that when there are web sites out there willing to entice users with free, desirable content, some segment of the population is going to eagerly click on anything and everything they have to click on in order to get it. Some won’t even care if their computers get infected along the way. Most of those who remain will just believe that the antivirus program they’re running will protect them. (Want to place a bet on whether that antivirus program is itself pirated, or expired?)
Whatever else you want to say about Windows 8, I don’t see it causing much of a change in my workload. All it takes is a few people willing to click through whatever the machine says, and in my experience, there’s no shortage of those.
David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.