Windows merge: same base, same malware?

A single Windows code base for various devices also means that the same malware can hypothetically attack all of them.

Reflecting on a previous post, the merging of all Windows versions, as promised by new Microsoft CEO Satya Nadella, will most likely mean a unified code base for all Windows versions.

Apparently, this unification will not go beyond hardware abstractions. However, essentially all (or at least most) applications written for the PC version of Windows will more or less run on other devices, such as the Surface tablet family, Windows-based smartphones (whatever share they will have in the market), Xbox gaming consoles and, possibly, even more obscure and exotic products such as the Razer Edge Pro, a Windows-based high-performance gaming tablet.

Among other things, this means that malware exploiting hardware-independent vulnerabilities in Windows will be able to attack all Windows-based devices.

This concept is particularly daunting when considering banking Trojans such as the hated ZeuS and SpyEye. It is widely known that these Trojans also have their mobile “symbionts”. For example, if an individual’s PC is infected with ZeuS or SpyEye, the Trojan serves a mobile device owned by the same individual with its mobile counterpart – ZitMo or SPitMo – which will intercept all SMS messages, including those sent by banks as a measure of two-factor authorization. It is one of the most nefarious – and efficient – methods of robbing users of their unprotected transactions.

For now, malware writers must write executables for both Windows and the mobile OS (most often it’s Android, although ZeuS attacks others too). With essentially the same operating system on all of a user’s devices, there is no need for any separate “mobile” malware – as soon as it has spread across the user’s devices, it can do everything its authors need.

On the brighter side, this may also mean that users will require just one security solution to protect all of their devices.

Apple ensured a high degree of security for its iOS devices by creating a single App Store. Here all incoming apps are checked and rechecked for their security compliance. It is extremely rare that any malware slips through there. Of course, a user may choose to jailbreak their device, but then they’re on their own: install anything at your own risk, don’t complain if anything happens.

Microsoft has its own app store now too, but frankly, it’s difficult to imagine that it could limit PC users’ ability to install software from other sources. What approach it will take, however, remains to be seen.

Moving forward, it will be interesting to see whether the unification of Windows makes business IT staff’s life any easier: dealing with the same platform on various devices sounds simple enough, but it is clear that Windows-based mobile devices will not take ground from Android and iOS smartphones and tablets all at once. It took Android a few years to become as popular as it is now (for weal or for woe), so overtaking it won’t be an easy task, even if Windows-based handhelds are next to perfect.