Zero-day vulnerabilities, the software security holes that malicious hackers can exploit to control your computer and steal your data before a patch has been created, have been one of the key weapons in the arsenal of online criminals for years.
When a zero-day flaw that is being actively exploited is uncovered or publicly disclosed, the software’s manufacturer is literally left with “zero days” to come up with a fix or mitigation advice.
Wouldn’t it be great if modern operating systems hardened their defences, and did a better job in the first place at protecting against these types of security issues even when they are unknown?
Well, Microsoft is claiming that that’s precisely what it has done with the Windows 10 Anniversary Update it issued in August 2016.
In a blog post, the company revealed how the security hardening it had built into every major build of Windows 10 stopped kernel and browser zero-day attacks that worked in earlier versions of Windows.
Specifically, Microsoft’s researchers looked at two zero-day exploits – CVE-2016-7255 and CVE-2016-7256.
CVE-2016-7255 (a vulnerability used in targeted attacks by the Russian hacker group known variously as Fancy Bear, APT28, Sednit, Strontium or Pawn Storm) was the subject of controversy last year when Google researchers decided it would be in the best interests of the public to make details of the vulnerability public, having given Microsoft only 10 days to fix the flaw. Microsoft felt that Google had put customers at risk through its actions.
CVE-2016-7256 was an OpenType font exploit that allowed attackers to hijack users’ computers if they viewed a boobytrapped webpage.
We saw how exploit mitigation techniques in Windows 10 Anniversary Update, which was released months before these zero-day attacks, managed to neutralize not only the specific exploits but also their exploit methods. As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future zero-day exploits.
What Microsoft is saying is that even if it had *only* deployed the exploit mitigation features, without a patch, the exploit would have been stopped. Users who had already switched to Windows 10 Anniversary Update would have been protected because they already had those mitigations in place, and did not need to wait for a patch to be released.
Microsoft argues that its actions are forcing the creators of exploits to “spend more time and resources in finding new attack routes” – effectively increasing their costs, and forcing attackers to find new ways around the new defensive layers.
By delivering these mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers. Even the simple tactical mitigation against popular RW primitives forces the exploit authors to spend more time and resources in finding new attack routes. By moving font parsing code to an isolated container, we significantly reduce the likelihood that font bugs are used as vectors for privilege escalation.
In the coming months Microsoft will be releasing its Windows 10 Creators Update which it is hoped will include more exploit mitigation features to boost protection even further.
Of course, the story doesn’t end there. There are a number of ways of further reducing your attack surface – such as not installing the likes of Adobe PDF Reader and Flash on your PCs.
And don’t forget the human being sitting in front of the computer – they are probably the biggest security risk of all, capable of endangering your network security with one poor decision.
Microsoft should be applauded for putting considerable energy and resource into its Windows security team, with the goal of making Windows 10 the most secure version of their operating system yet.
From the security point of view, if you’re going to use Windows it seems to make sense to use Windows 10.
Of course, security isn’t the only consideration when choosing an operating system. Privacy, for instance, also matters. And when it comes to Windows 10 and privacy – well, that’s a whole different discussion…