- Jan 24, 2011
- 9,378
Systems running the Windows 10 Anniversary Update were shielded from two exploits even before Microsoft had issued patches for them, its researchers have found.
Microsoft researchers have found that two zero-day exploits it patched against in November wouldn't have worked on systems running the Windows 10 Anniversary Update anyway.
The firm has been testing how well its latest in-built Windows 10 and Edge exploit-mitigation features such as AppContainer sandboxing and stronger validation, which shipped with the Anniversary Update in August, can block commonly used techniques.
Microsoft's Windows Defender security team tested the Anniversary Update against CVE-2016-7255, a zero-day flaw used by the Fancy Bear hackers targeting US organizations in October, and CVE-2016-7256, which was used against South Korean targets. Both kernel-level exploits resulted in elevation of privileges and were patched in November.
While systems running older versions of Windows would have been compromised, systems on the Anniversary Update would have been protected, according to Microsoft's analysis.
"We saw how exploit-mitigation techniques in Windows 10 Anniversary Update, which was released months before these zero-day attacks, managed to neutralize not only the specific exploits but also their exploit methods," Microsoft's Windows Defender ATP Research Team write.
"As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future zero-day exploits."
As they noted, fixing a single vulnerability helps neutralize a specific bug. However, boosting exploit mitigation can take out attack techniques used across multiple exploits.
"Such mitigation techniques can break exploit methods, providing a medium-term tactical benefit, or close entire classes of vulnerabilities for long-term strategic impact," the Defender team wrote.
For example, CVE-2016-7255, a Win32k exploit used in conjunction with a Flash Player zero-day, abused the Windows tagWND.strName. The attackers obtained read-write (RW) primitives by corrupting the tagWND.strName kernel structure, explained the team, noting that the exact same method was used by advanced malware discovered in 2015 called Duqu 2.0.
The Windows 10 Anniversary Update prevents abuse of tagWND.strName through additional validation, ensuring they can't be used for RW primitives.
Read more: Windows 10 security: 'So good, it can block zero-days without being patched' | ZDNet
Microsoft researchers have found that two zero-day exploits it patched against in November wouldn't have worked on systems running the Windows 10 Anniversary Update anyway.
The firm has been testing how well its latest in-built Windows 10 and Edge exploit-mitigation features such as AppContainer sandboxing and stronger validation, which shipped with the Anniversary Update in August, can block commonly used techniques.
Microsoft's Windows Defender security team tested the Anniversary Update against CVE-2016-7255, a zero-day flaw used by the Fancy Bear hackers targeting US organizations in October, and CVE-2016-7256, which was used against South Korean targets. Both kernel-level exploits resulted in elevation of privileges and were patched in November.
While systems running older versions of Windows would have been compromised, systems on the Anniversary Update would have been protected, according to Microsoft's analysis.
"We saw how exploit-mitigation techniques in Windows 10 Anniversary Update, which was released months before these zero-day attacks, managed to neutralize not only the specific exploits but also their exploit methods," Microsoft's Windows Defender ATP Research Team write.
"As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future zero-day exploits."
As they noted, fixing a single vulnerability helps neutralize a specific bug. However, boosting exploit mitigation can take out attack techniques used across multiple exploits.
"Such mitigation techniques can break exploit methods, providing a medium-term tactical benefit, or close entire classes of vulnerabilities for long-term strategic impact," the Defender team wrote.
For example, CVE-2016-7255, a Win32k exploit used in conjunction with a Flash Player zero-day, abused the Windows tagWND.strName. The attackers obtained read-write (RW) primitives by corrupting the tagWND.strName kernel structure, explained the team, noting that the exact same method was used by advanced malware discovered in 2015 called Duqu 2.0.
The Windows 10 Anniversary Update prevents abuse of tagWND.strName through additional validation, ensuring they can't be used for RW primitives.
Read more: Windows 10 security: 'So good, it can block zero-days without being patched' | ZDNet
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}