Windows RT is one way of avoiding a lot of security problems; if you can’t install your own desktop software, Windows malware is going to have a hard time running as well. Windows RT will certainly come under attack, but it has the same protections as Windows 8, starting as soon as you turn it on.
New PCs with Windows 8 have UEFI Secure Boot firmware, which enables your PC to check security certificates for the boot loader, kernel, system files and drivers against a database as Windows loads. Think of it as a mini operating system that checks that your usual OS hasn’t been tampered with.
Your anti-virus software starts running while Windows is still booting (as long as it supports Early Load Anti Malware or ELAM), so it is running before any malware that’s managed to get onto your PC.
If there’s a rootkit on your PC waiting to change Windows components when you boot, Windows will find the code it changes and replace it with the original, legitimate code from the Windows ‘side by side’ store. You don’t see a warning for that during boot, but the details will show up in your anti-virus warnings in the Action Centre.
Once Windows is running, it’s harder to turn the way it manages memory that’s in use (called the heap) into a way of attacking the OS or the programs you’re running.
In previous versions of Windows it wasn’t hard to allocate too much memory, overflow the buffer it was supposed to fit in and use that to run an attack. The Windows 8 kernel has much stricter limits on how much memory can be allocated, so an overflow attack would have to be exactly the right size.
The kernel can put ‘guard pages’ of memory around important code, like a moat, so that if malware tries to attack by corrupting the next chunk of memory and overflowing, it’s more likely to end up in the memory moat, and Windows will shut down the process for accessing invalid memory.
The tools for keeping track of the memory allocated to applications are smarter – they now make sure that the memory allocated starts in a random place, rather than picking it based on a value that malware could interfere with to make it point to malicious code, or using a predictable location such as the next free chunk of memory.
To make the random number really random, Windows collects a mix of data when it boots, from the clock, performance logs, power management systems and other sources, which it combines into a new random number seed every time.
Memory that’s no longer needed is less vulnerable as well. Malware used to be able to force the kernel to allocate memory to a program and then release it so that a virus could use memory that Windows thought wasn’t in use; that’s now blocked.
In Windows 7, Data Execution Prevention (DEP) can already mark memory allocated to applications for storing data so it can’t be used for running code. And Address Space Layout Randomisation (ASLR) means program code isn’t always loaded into the same place, which makes it harder for malware to find where to attack.
They protect Windows, but you have to rely on developers turning them on when they write their own programs. Windows 8 won’t run on CPUs that don’t have the hardware to mark memory as only for data (NX – Non executable) and the improvements to the memory heap are on by default, so they protect everything.
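Whether a program has opted into DEP and ASLR is recorded in its executable header, so a defender can check it directly. The following is an added example, not code from the article: it reads the DllCharacteristics field of a PE file (flag values from the PE/COFF specification) and reports the opt-ins, using a constructed minimal header as sample input.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100        # image declares itself DEP/NX compatible
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR (introduced with Windows 8)

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                     # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):             # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags

def mitigation_report(image: bytes) -> dict:
    """Summarise which opt-in mitigations the image's header declares."""
    flags = dll_characteristics(image)
    return {
        "dep": bool(flags & NX_COMPAT),
        "aslr": bool(flags & DYNAMIC_BASE),
        "high_entropy_aslr": bool(flags & HIGH_ENTROPY_VA),
    }

def make_test_image(flags: int) -> bytes:
    """Constructed minimal PE32+ header (headers only, not a runnable binary)."""
    buf = bytearray(0x40 + 4 + 20 + 240)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)        # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x8664, 1)  # Machine = x64, NumberOfSections = 1
    struct.pack_into("<H", buf, 0x44 + 16, 240)    # SizeOfOptionalHeader (PE32+)
    opt = 0x44 + 20
    struct.pack_into("<H", buf, opt, 0x20B)        # PE32+ magic
    struct.pack_into("<H", buf, opt + 70, flags)   # DllCharacteristics
    return bytes(buf)

if __name__ == "__main__":
    for name, f in [("hardened", DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA), ("legacy", 0)]:
        print(name, mitigation_report(make_test_image(f)))
```

To check a real file, pass `open(path, "rb").read()` to `mitigation_report`; a missing NX_COMPAT or DYNAMIC_BASE flag is exactly the developer opt-out the article describes.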
Windows 8 also uses the Supervisor Mode Execution Protection (SMEP, or OS Guard, as Intel calls it) in Ivy Bridge CPUs to stop the CPU running any memory pages that are marked as ‘user’ rather than ‘kernel’ (user pages are only for data).
So using NX to protect kernel memory is important, because otherwise malware would just target kernel memory to bypass SMEP.