Skip to main content

Windows 10 Anniversary Update protected users against pre-patched exploits

how to take a screenshot on a pc
Matt Oh and Elia Florio of the Windows Defender ATP Research Team said on Friday that Windows 10 Anniversary Update not only neutralized zero-day kernel exploits used by two recent attack campaigns, but revealed how they were used. The exploits were based on the CVE-2016-7255 and CVE-2016-7256 vulnerabilities, which were patched in November. The thwarted exploits are just two examples of the work Microsoft put into Anniversary Update to reduce the number of attack avenues hackers can take through vulnerabilities.

“By delivering these [exploit] mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers,” they said. “Even the simple tactical mitigation against popular read-write primitives forces the exploit authors to spend more time and resources in finding new attack routes.”

Related Videos

The first attack campaign began in June by “unidentified actors” using “Hankray” against targets located in South Korea. The campaign consisted of low-level attacks and was followed up by a second campaign in November using Hankray as well. This second wave took advantage of a flaw in the Windows font library, aka CVE-2016-7256, that enabled hackers to elevate a PC’s account privileges and install the Hankray backdoor.

“The font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts,” they said in Friday’s report. “This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration.”

With Windows 10 Anniversary Edition, font exploits are mitigated by AppContainer, preventing them from taking place on the kernel level. AppContainer includes an isolated sandbox that blocks exploits from gaining escalated privileges of a PC. According to the duo, this walled-in space “significantly” reduces the chances of using font parsing as an angle of attack.

“Windows 10 Anniversary Update also includes additional validation for font file parsing. In our tests, the specific exploit code for CVE-2016-7256 simply fails these checks and is unable to reach vulnerable code,” they added.

The second attack was a spear-phishing campaign in October. Launched by the Strontium attack group, the attack used an exploit for the CVE-2016-7255 vulnerability along with the CVE-2016-7855 vulnerability in Adobe Flash Player. The group targeted non-government organizations and think tanks in the United States. Essentially, the group used the Flash-based security hole to get access to the win32k.sys vulnerability to gain elevated privileges of the targeted PCs.

However, Anniversary Update includes security techniques that defend against the Win32k exploit along with other exploits. More specifically, Anniversary Update prevents attackers from corrupting the tagWND.strName kernel structure and using SetWindowsTextW to write arbitrary content in kernel memory. This prevention is achieved by performing additional checks for the base and length fields to verify that the virtual address ranges are correct and that they are not usable for read-write primitives.

Microsoft provides a document about the added security measures cramming into Windows 10 Anniversary Update as a PDF here. As always, Windows Defender is built into the Windows platform as a free service, automatically protecting customers against the latest threats. Microsoft also offers the Windows Defender Advanced Threat Protection subscription service for the enterprise, providing a “post-breach” layer of protection.

Editors' Recommendations

Bing Image Creator brings DALL-E AI-generated images to your browser
Bing Image Creator being used in the Edge sidebar.

Microsoft isn't slowing down its momentum in generative AI. Just a month since it launched the ChatGPT-based Bing Chat, the company is now introducing Bing Image Creator, which brings text-to-image generation right to your browser.

Bing Image Creator lets you create images from text using DALL-E, which is OpenAI's own text-to-image AI model. Microsoft says it's using "an advanced" version of DALL-E, though the company didn't provide specifics about how it was different than the current DALL-E 2 model. This isn't dissimilar, though, to how Bing Chat was announced, which had been running on GPT-4 before the new model had even been announced.

Read more
The Windows 11 taskbar is getting an important new update
windows 11 taskbar third party app pinning

Microsoft is working on new experiences for Windows that will allow developers to enable pinning for third-party applications, as well as enable pinning to the Taskbar.

Microsoft recently announced the details of these upcoming functions in a blog post. This is the brand's attempt to universalize its pinning process across all apps used on Windows. In practice, it will be similar to how pinning works on the Edge browser, with the Windows 11 users being notified by the Action Center about a request for pinning to the Taskbar by the app in question.

Read more
If your PC is running slowly, the latest Windows 11 update may be to blame
A laptop running Windows 11.

Microsoft may have a problem on its hands -- the latest Windows 11 update doesn't seem to be working as intended. According to various user reports, the update drastically slows SSD speeds, in some cases even cutting them in half.

If you've noticed that your PC is loading slowly or programs aren't running as quickly as you'd hoped, you might be affected by this problem. Here's how to fix it.

Read more