Unknown to vendors but exploited by cybercriminals, zero-day vulnerabilities are the most threatening security issues, but Microsoft's Windows 10 can block exploitation of these vulnerabilities before they are even patched, Microsoft says.
The mitigation techniques that arrived in August 2016 as part of the Windows 10 Anniversary Update make all this possible. The update was meant to harden the platform to ensure it can stop exploits of newly discovered and even undisclosed vulnerabilities before a patch is released, and Microsoft claims that it already proved to be effective against two exploits associated with well-known threat groups.
More precisely, the deployed mitigation techniques did their job and successfully blocked kernel-level exploits for the CVE-2016-7255 and CVE-2016-7256 vulnerabilities before they were patched in November 2016, the tech behemoth explains. The former is a Win32k Elevation of Privilege Exploit, while the latter is an Open Type Font Exploit.
CVE-2016-7255, a type-confusion vulnerability in win32k.sys, was exploited by the STRONTIUM attack group to gain elevated privileges on compromised systems. To get access to the targeted computers, the group used an Adobe Flash Player vulnerability (tracked as CVE-2016-7855). The two exploits were used in a small spear-phishing campaign targeting think tanks and nongovernmental organizations in the United States.
Also known as Fancy Bear, Pawn Storm, APT28, Sednit, and Sofacy, this threat group was recently officially blamed for last year’s cyber-attacks on U.S. elections, albeit the U.S. government failed to provide proper evidence on attribution.
The STRONTIUM group, Microsoft says, leveraged the Win32k exploit in attacks in October 2016, where they attempted to corrupt the tagWND.strName structure and use SetWindowTextW to write arbitrary content anywhere in kernel memory. Abusing the API call to overwrite data of current processes and copy token privileges of the SYSTEM, the exploit allowed attackers to run victim processes with elevated privileges.
The Windows 10 Anniversary Update includes techniques that prevent abusive use of tagWND.strName, thus mitigating the Win32k exploit and similar exploits. According to the software company, tests have proven that exploits abusing this method are ineffective and instead cause exceptions and subsequent blue screen errors.
The CVE-2016-7256 vulnerability in the Windows font library, on the other hand, was being abused to install a backdoor known as Hankray on targeted computers with older versions of Windows. The backdoor had been previously spotted in low-volume attacks primarily focused on targets in South Korea.
“The font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts. This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration,” Microsoft says.
Designed to copy the main body of the shellcode to newly allocated memory and run it, the stage 1 shellcode is very small, the tech giant explains. The main shellcode, which runs after the copy instructions, while also small, performs a token-stealing technique, then copies the token pointer from a SYSTEM process to the target process, achieving privilege escalation.
The Windows 10 Anniversary Update can prevent the exploit because font parsing happens completely in AppContainer instead of the kernel. Because it creates an isolated sandbox, AppContainer can prevent font exploits (among other types of exploits) from achieving privilege escalation. Moreover, the platform includes additional validation for font file parsing.
According to Microsoft, the main idea behind the hardening of Windows 10 is to ensure that mitigation techniques in the platform can tackle multiple exploits instead of focusing on neutralizing a specific bug. These mitigation techniques can either break exploit methods or close entire classes of vulnerabilities, and Microsoft plans on taking this prevention to a new level in Windows 10 Creators Update, which will include generic kernel exploit detection Windows Defender ATP, expected to deliver increased visibility into targeted attacks based on zero-day exploits.
“By delivering these mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers. Even the simple tactical mitigation against popular RW primitives forces the exploit authors to spend more time and resources in finding new attack routes. By moving font parsing code to an isolated container, we significantly reduce the likelihood that font bugs are used as vectors for privilege escalation,” Microsoft also says.