Skip to main content

Windows 10 Anniversary Update protected users against pre-patched exploits

how to take a screenshot on a pc
Image used with permission by copyright holder
Matt Oh and Elia Florio of the Windows Defender ATP Research Team said on Friday that Windows 10 Anniversary Update not only neutralized zero-day kernel exploits used by two recent attack campaigns, but revealed how they were used. The exploits were based on the CVE-2016-7255 and CVE-2016-7256 vulnerabilities, which were patched in November. The thwarted exploits are just two examples of the work Microsoft put into Anniversary Update to reduce the number of attack avenues hackers can take through vulnerabilities.

“By delivering these [exploit] mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers,” they said. “Even the simple tactical mitigation against popular read-write primitives forces the exploit authors to spend more time and resources in finding new attack routes.”

The first attack campaign began in June by “unidentified actors” using “Hankray” against targets located in South Korea. The campaign consisted of low-level attacks and was followed up by a second campaign in November using Hankray as well. This second wave took advantage of a flaw in the Windows font library, aka CVE-2016-7256, that enabled hackers to elevate a PC’s account privileges and install the Hankray backdoor.

“The font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts,” they said in Friday’s report. “This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration.”

With Windows 10 Anniversary Edition, font exploits are mitigated by AppContainer, preventing them from taking place on the kernel level. AppContainer includes an isolated sandbox that blocks exploits from gaining escalated privileges of a PC. According to the duo, this walled-in space “significantly” reduces the chances of using font parsing as an angle of attack.

“Windows 10 Anniversary Update also includes additional validation for font file parsing. In our tests, the specific exploit code for CVE-2016-7256 simply fails these checks and is unable to reach vulnerable code,” they added.

The second attack was a spear-phishing campaign in October. Launched by the Strontium attack group, the attack used an exploit for the CVE-2016-7255 vulnerability along with the CVE-2016-7855 vulnerability in Adobe Flash Player. The group targeted non-government organizations and think tanks in the United States. Essentially, the group used the Flash-based security hole to get access to the win32k.sys vulnerability to gain elevated privileges of the targeted PCs.

However, Anniversary Update includes security techniques that defend against the Win32k exploit along with other exploits. More specifically, Anniversary Update prevents attackers from corrupting the tagWND.strName kernel structure and using SetWindowsTextW to write arbitrary content in kernel memory. This prevention is achieved by performing additional checks for the base and length fields to verify that the virtual address ranges are correct and that they are not usable for read-write primitives.

Microsoft provides a document about the added security measures cramming into Windows 10 Anniversary Update as a PDF here. As always, Windows Defender is built into the Windows platform as a free service, automatically protecting customers against the latest threats. Microsoft also offers the Windows Defender Advanced Threat Protection subscription service for the enterprise, providing a “post-breach” layer of protection.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Microsoft may fix the most frustrating thing about Windows updates
Windows 11 updates are moving to once a year.

Most Windows users will agree that one of the most annoying things about the operating system is the updates. While Windows Updates are necessary, they often tend to come up at the worst possible time, interrupting work and gaming sessions with persistent reminders that the system needs to reboot. Microsoft might be fixing that problem in the upcoming Windows 11 24H2 build, but it's still too early to bid farewell to those ill-timed reboots.

As spotted in the latest Windows 11 Insider Preview Build 26058, Microsoft is testing "hot patching" for some Windows 11 updates. Hot patching refers to a dynamic method of updating that often doesn't change the software version and may not even need a restart. In the context of Windows 11, it's pretty straightforward -- Windows will install the update, and you won't have to reboot your system.

Read more
Microsoft plans to charge for Windows 10 updates in the future
Windows 11 and Windows 10 operating system logos are displayed on laptop screens.

Microsoft has confirmed it will offer security updates for Windows 10 after the end-of-life date for the operating system for consumer users but for a fee.

The brand recently announced plans to charge regular users for Extended Security Updates (ESU) who intend to continue using Windows 10 beyond the October 14, 2025 support date.

Read more
The latest Windows Update is reportedly causing Starfield problems
A man walking into a dusty town on another planet in starfield.

If you've installed the latest Windows 11 update and you've been experiencing all sorts of issues ever since, you're not alone And if you're still yet to install it, it's probably best hold off on it for now. Many users have been reporting problems following the recent update, including crashes, slowdowns, and blue screens of death (BSOD). Gamers appear to be affected most of all, with some reporting stuttering in Starfield and Ratchet and Clank: Rift Apart. 

Following the latest update released on Patch Tuesday, various reports of problems started pouring in across social media and Microsoft's Feedback Hub. Microsoft itself hasn't spoken up about this yet, but considering the number of reported issues, we could soon hear an official comment on the situation. If you've already installed the update and aren't experiencing problems, you have nothing to worry about. If you have installed and are encountering issues, it's best to revert to the previous version and reach out through the Feedback Hub.

Read more