Skip to main content

Windows 10 Anniversary Update protected users against pre-patched exploits

how to take a screenshot on a pc
Image used with permission by copyright holder
Matt Oh and Elia Florio of the Windows Defender ATP Research Team said on Friday that Windows 10 Anniversary Update not only neutralized zero-day kernel exploits used by two recent attack campaigns, but revealed how they were used. The exploits were based on the CVE-2016-7255 and CVE-2016-7256 vulnerabilities, which were patched in November. The thwarted exploits are just two examples of the work Microsoft put into Anniversary Update to reduce the number of attack avenues hackers can take through vulnerabilities.

“By delivering these [exploit] mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers,” they said. “Even the simple tactical mitigation against popular read-write primitives forces the exploit authors to spend more time and resources in finding new attack routes.”

The first attack campaign began in June by “unidentified actors” using “Hankray” against targets located in South Korea. The campaign consisted of low-level attacks and was followed up by a second campaign in November using Hankray as well. This second wave took advantage of a flaw in the Windows font library, aka CVE-2016-7256, that enabled hackers to elevate a PC’s account privileges and install the Hankray backdoor.

“The font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts,” they said in Friday’s report. “This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration.”

With Windows 10 Anniversary Edition, font exploits are mitigated by AppContainer, preventing them from taking place on the kernel level. AppContainer includes an isolated sandbox that blocks exploits from gaining escalated privileges of a PC. According to the duo, this walled-in space “significantly” reduces the chances of using font parsing as an angle of attack.

“Windows 10 Anniversary Update also includes additional validation for font file parsing. In our tests, the specific exploit code for CVE-2016-7256 simply fails these checks and is unable to reach vulnerable code,” they added.

The second attack was a spear-phishing campaign in October. Launched by the Strontium attack group, the attack used an exploit for the CVE-2016-7255 vulnerability along with the CVE-2016-7855 vulnerability in Adobe Flash Player. The group targeted non-government organizations and think tanks in the United States. Essentially, the group used the Flash-based security hole to get access to the win32k.sys vulnerability to gain elevated privileges of the targeted PCs.

However, Anniversary Update includes security techniques that defend against the Win32k exploit along with other exploits. More specifically, Anniversary Update prevents attackers from corrupting the tagWND.strName kernel structure and using SetWindowsTextW to write arbitrary content in kernel memory. This prevention is achieved by performing additional checks for the base and length fields to verify that the virtual address ranges are correct and that they are not usable for read-write primitives.

Microsoft provides a document about the added security measures cramming into Windows 10 Anniversary Update as a PDF here. As always, Windows Defender is built into the Windows platform as a free service, automatically protecting customers against the latest threats. Microsoft also offers the Windows Defender Advanced Threat Protection subscription service for the enterprise, providing a “post-breach” layer of protection.

Editors' Recommendations

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
The Windows 11 2022 Update could slow down file transfers by 40%
Two windows laptops sit on a wooden table.

Microsoft has acknowledged a new issue regarding computers running the Windows 11 2022 Update (or version 22H2). The problem may cause performance degradation when copying large multi-GB files by up to 40%.

“There is a performance regression in 22H2 when copying larger files from a remote computer down to a Windows 11 computer," explained a blog post by Ned Pyle, the Principal Program Manager from the Windows Server engineering group. "A large (multi-GB file) might see as much as 40% less throughput over SMB when copying down (reading). Copying that same file to a non-22H2 machine (writing) won’t see this problem."

Read more
Why gamers should avoid the Windows 11 2022 update
A man sits, using a laptop running the Windows 11 operating system.

Update: Nvidia contacted us to confirm that it has fixed the problem that was causing issues between its graphics cards and the Windows 11 22H2 update. According to the statement, Nvidia users should update GeForce Experience to version 3.26 BETA, instructions for which can be found on Nvidia's website.

When you update Windows, there’s always a chance something will happen to throw a wrench in the works. This time, though, it seems like the Windows 11 22H2 update is causing major issues for gamers equipped with Nvidia graphics cards.

Read more
Windows 11 2022 Update: the best new features to try out today
Android Apps on Windows 11.

Microsoft has announced its first big update to Windows 11, officially named the "Windows 11 2022 Update." It's packed full of features, many of which have been highly anticipated since the initial launch of Windows 11 in 2021.

The annual update touches on a little bit of everything, including user interface, customization, security, accessibility, and even new applications.
Customizable Start Menu

Read more