Microsoft security boffins throw fresh CVEs at unpatched OS, emerge smiling
Microsoft says its Windows 10 Anniversary Update squashes more exploit delivery chains than ever.
The August updates brought in a series of operating system security improvements including boosts to Windows Defender and use of AppContainer, designed to raise the difficulty of having zero day exploits execute on patched systems.
Redmond’s security team tested its exploit mitigations against two then-zero-day kernel-level privilege escalation exploits (CVE-2016-7255, CVE-2016-7256) used by active hacking groups.
They found, in a technical analysis designed to stress-test the resilience of Windows 10, that the exploits were neutered on Anniversary Update machines even before Microsoft issued the respective November patches, thanks to the exploit mitigation controls.
“Because it takes time to hunt for vulnerabilities and it is virtually impossible to find all of them, such security enhancements can be critical in preventing attacks based on zero-day exploits,” the team says.
“While fixing a single-point vulnerability helps neutralize a specific bug, Microsoft security teams continue to look into opportunities to introduce more and more mitigation techniques.
“Such mitigation techniques can break exploit methods, providing a medium-term tactical benefit, or close entire classes of vulnerabilities for long-term strategic impact.”
The team points to the benefits of both simple and complex mitigations, including straightforward changes that cause attempted abuse of read/write (RW) primitives to trigger a harmless blue screen of death rather than a successful exploit.
Pushing font-parsing code to isolated containers under improvements to AppContainer and additional validation for font file parsing significantly reduced the ability to use font bugs for privilege escalation, the team says.
That shut the door on one South Korean hacking group which used CVE-2016-7256 in small but targeted attacks in the nation.
“Windows 10 Anniversary Update introduced many other mitigation techniques in core Windows components and the Microsoft Edge browser, helping protect customers from entire classes of exploits for very recent and even undisclosed vulnerabilities,” the team says.
The updates follow Microsoft’s decision to delay the axing of the lauded Enhanced Mitigation Experience Toolkit (EMET) to 31 July next year.
That move sparked the ire of Carnegie Mellon University CERT boffin Will Dormann, who says the toolkit significantly improves the exploit mitigation chops of Windows 10 and should be maintained, not dropped.