- Oct 23, 2012
- 12,527
Windows 10 Anniversary Update managed to protect users against two critical zero-day vulnerabilities even without official patches, Microsoft revealed recently.
In a pretty long and technical post, Matt Oh and Elia Florio, Windows Defender ATP Research Team, reveal that the zero-day exploit mitigation systems integrated into the Anniversary Update helped block attacks trying to take advantage of two vulnerabilities that were only patched by the company in November.
The first one is CVE-2016-7255, and according to Microsoft, was used by the Strontium attack group in October against a series of US targets. Using a secondary Flash Player security hole, attackers attempted to access vulnerable systems and then with the Microsoft vulnerability, to gain elevated privileges.
In a pretty long and technical post, Matt Oh and Elia Florio, Windows Defender ATP Research Team, reveal that the zero-day exploit mitigation systems integrated into the Anniversary Update helped block attacks trying to take advantage of two vulnerabilities that were only patched by the company in November.
The first one is CVE-2016-7255, and according to Microsoft, was used by the Strontium attack group in October against a series of US targets. Using a secondary Flash Player security hole, attackers attempted to access vulnerable systems and then with the Microsoft vulnerability, to gain elevated privileges.
But as it turns out, even though it was a zero-day not yet patched in Windows 10, users running the Anniversary Update were fully secure thanks to the technologies integrated into the operating system. In the worst case, users only received a BSOD when attackers attempted to compromise their systems.
“To mitigate the Win32k exploit and similar exploits, the Windows Offensive Security Research Team (OSR) introduced techniques in the Windows 10 Anniversary Update that prevent abusive use of tagWND.strName,” Microsoft explains.
“This mitigation performs additional checks for the base and length fields, making sure that they are in the expected virtual address ranges and are not usable for RW primitives. In our tests on Anniversary Update, exploits using this method to create an RW primitive in the kernel are ineffective. These exploits instead cause exceptions and subsequent blue screen errors.”
Second vulnerability
The second zero-day exploit that the Windows 10 Anniversary Update blocked without a patch was aimed at CVE-2016-7256, which used compromised font files to gain elevation of privilege.
Microsoft says the first attacks were seen in June 2016 against targets in South Korea. The final goal was to be able to install the the Hankray backdoor, which in turn provided cybercriminals with full control of the systems.
In this case, the exploit was blocked with AppContainer, as the malicious font sample that was supposed to help attackers get access to the system was not launched at kernel level, but in an isolated sandbox that neutralizes exploits.
Microsoft says the upcoming Windows 10 Creators Update will come with several security improvements to help zero-day exploit mitigation. The Creators Update is due in April.