Skip to main content

Windows 10 Anniversary Update protected users against pre-patched exploits

Matt Oh and Elia Florio of the Windows Defender ATP Research Team said on Friday that Windows 10 Anniversary Update not only neutralized zero-day kernel exploits used by two recent attack campaigns, but revealed how they were used. The exploits were based on the CVE-2016-7255 and CVE-2016-7256 vulnerabilities, which were patched in November. The thwarted exploits are just two examples of the work Microsoft put into Anniversary Update to reduce the number of attack avenues hackers can take through vulnerabilities.

“By delivering these [exploit] mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers,” they said. “Even the simple tactical mitigation against popular read-write primitives forces the exploit authors to spend more time and resources in finding new attack routes.”

Recommended Videos

The first attack campaign began in June by “unidentified actors” using “Hankray” against targets located in South Korea. The campaign consisted of low-level attacks and was followed up by a second campaign in November using Hankray as well. This second wave took advantage of a flaw in the Windows font library, aka CVE-2016-7256, that enabled hackers to elevate a PC’s account privileges and install the Hankray backdoor.

“The font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts,” they said in Friday’s report. “This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration.”

With Windows 10 Anniversary Edition, font exploits are mitigated by AppContainer, preventing them from taking place on the kernel level. AppContainer includes an isolated sandbox that blocks exploits from gaining escalated privileges of a PC. According to the duo, this walled-in space “significantly” reduces the chances of using font parsing as an angle of attack.

“Windows 10 Anniversary Update also includes additional validation for font file parsing. In our tests, the specific exploit code for CVE-2016-7256 simply fails these checks and is unable to reach vulnerable code,” they added.

The second attack was a spear-phishing campaign in October. Launched by the Strontium attack group, the attack used an exploit for the CVE-2016-7255 vulnerability along with the CVE-2016-7855 vulnerability in Adobe Flash Player. The group targeted non-government organizations and think tanks in the United States. Essentially, the group used the Flash-based security hole to get access to the win32k.sys vulnerability to gain elevated privileges of the targeted PCs.

However, Anniversary Update includes security techniques that defend against the Win32k exploit along with other exploits. More specifically, Anniversary Update prevents attackers from corrupting the tagWND.strName kernel structure and using SetWindowsTextW to write arbitrary content in kernel memory. This prevention is achieved by performing additional checks for the base and length fields to verify that the virtual address ranges are correct and that they are not usable for read-write primitives.

Microsoft provides a document about the added security measures cramming into Windows 10 Anniversary Update as a PDF here. As always, Windows Defender is built into the Windows platform as a free service, automatically protecting customers against the latest threats. Microsoft also offers the Windows Defender Advanced Threat Protection subscription service for the enterprise, providing a “post-breach” layer of protection.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Microsoft is forced to halt the Windows 11 24H2 update on some PCs
The Surface Pro 11 on a white table in front of a window.

Microsoft’s recent Windows 11 24H2 update is off to a bumpy start. According to a report by Bleeping Computer, users are facing compatibility issues across various hardware and software configurations, prompting the company to temporarily block the update for some devices.

The affected systems include specific Asus laptop models and configurations involving software like Voicemeeter, Safe Exam Browser, and older versions of Easy Anti-Cheat, commonly used in gaming.

Read more
Whatever you do, don’t install the Windows 11 September update
Windows 11 logo on a laptop.

Microsoft has warned users in a post on its support blog that the September KB5043145 update, released on Thursday, is causing some Windows 11 PCs to restart multiple times, show the blue screen of death, or even freeze.

The problems in the recent update affect those on the 22H2 or 23H3 version of Windows 11. However, Microsoft said it is investigating the issue and will provide more information when it's available. Microsoft confirmed: "After installing this update, some customers have reported that their device restarts multiple times or becomes unresponsive with blue or green screens. According to the reports, some devices automatically open the Automatic Repair tool after repeated restart attempts. In some cases, BitLocker recovery can also be triggered."

Read more
A forced Windows update is coming next month
Windows 11 logo on a laptop.

Windows 11 version 22H2 will reach its end of servicing next month, and Microsoft has announced a forced update to 23H2 for October 8. This means machines running 22H2 (Home and Pro editions) will stop receiving updates after next month, leaving them vulnerable to security threats. Enterprise, Education, and Internet of Things (IoT) Enterprise editions running version 21H2 will also receive the automatic update.

In a post on the Windows Message Center, Microsoft urges users to update before October 8 or participate in the automatic update to keep themselves "protected and productive" since the monthly Patch Tuesday updates are "critical to security and ecosystem health."

Read more