Windows 8 Defeats 85% of Malware Detected In the Past 6 Months

An anonymous reader writes "Now that Windows 8 is on sale and has already been purchased by millions, expect very close scrutiny of Microsoft's latest and greatest security features. 0-day vulnerabilities are already being claimed, but what about the malware that's already out there? When tested against the top threats, Windows 8 is immune to 85 percent of them, and gets infected by 15 percent, according to tests run by BitDefender."

So, ... some built in security?

[TaoPhoenix]

Did any of the malware get past whatever new copy of Windows Security Essentials they cooked up especially for Win 8?

How do these numbers compare ...

[baresi]

... to those other similarly received OSs, Windows ME and Vista?

Security Essentials = Windows 8 Defender

[deweyhewson]

Since Windows 8 repurposed Microsoft Security Essentials as its new Windows Defender, which is built-in to the operating system [microsoft.com], would these statistics hold true for Security Essentials on all systems, or are they unique to Windows 8?

Or is BitDefender just trying to stir up some business?

Re:No platform is 100 percent secure?

[shaitand]

"The overwhelming number of Linux servers worldwide are behind firewalls"

Sure. On the other hand there are no small number of firewalls running Linux.

Re:No platform is 100 percent secure?

[cavreader]

"openly developed with the potential for anyone to contribute and for everyone to see"

I am continually amazed that people think just because they have the source code to an OS they can just scan the code and locate security holes. The low hanging fruit is long gone in today's popular OS's. OS security holes and weaknesses are found by combining and testing multiple executable decision trees with varying environmental factors and then analyzing the captured results which usually includes sorting through binary output, assembler output, and real time memory mapping looking for anomalies. Finding OS level security holes also requires an in-depth knowledge of the various CPU processor instruction sets, memory allocation models, and memory manipulation. To many developers equate OS development with Application development when in reality they are almost entirely different animals requiring radically differing skill sets.

I think I can because I have done so

[raymorris]

It's amazing that some people insist that we can't do something which we do all the time. Look at the CVEs man, we find and fix weaknesses all the time. If you did look at the CVEs, you'd find my name. That's pretty solid proof that you're mistaken - I can find vulnerabilities because I do find vulnerabilities. When it comes to Windows, I don't know Windows. I haven't used Windows in fifteen years. When people ask me to work on their computer, I turn away all Windows work except "I forgot my password." I can't USE Windows, but I can sure CRACK Windows.

MS trying to implement *nix security model

[raymorris]

In the last couple versions of Windows, MS has been trying to implement something like the old (pre SELinux) *nix security model. This after having removed it. Why? Because they had removed the security, for good reason, and the *nix model is a good one. In the old days, there were network operating systems. Many users had terminals to one computer, which protected one user's work from other users mistakes or malice. It was designed for security and it was Unix. It was also huge and EXPENSIVE. One day a guy wanted an OS to fit on a 512k floppy disk and run with 128k RAM so people could afford computers at home. Single home computers, not corporate networks. To make Disk Operating System fit on a floppy, he removed stuff DOS didn't need, like security. (No network meant few threats.) A GUI was added. Backwards compatibilty was maintained with the "no security needed" DOS. Then the internet happened, and Bill crapped his pants. Since then, MS has been trying to design security back in, while maintaining backward compatibility. DOS programs still run on Vista, without running into problems with new security added since Disk Operating System. Linux has always been a network OS, never a disk OS, and has therefore never removed the security model.

Re:So, ... some built in security?

[AmiMoJo]

They neglected to mention how many of the 15% that got through required user stupidity to infect the system. It will be interesting to see how long it takes for the first Metro based malware to appear, and how long before some of it sneaks onto Microsoft's marketplace.

Re:No platform is 100 percent secure?

[Waccoon]

And typically takes requests for files and serves them. That has to be done fast, but it's not really that hard. Web servers and routers aren't quite up to the same par as a general-purpose desktop machine designed for ordinary people who don't even know the difference between a virus and a trojan.

Realistically, most security is at the application level these days. You don't need root access to steal peoples' information. Just look at how much havoc you can cause by hitting a web browser with one clever block of JavaScript.