Windows 10 Blocks Zero-Days Before Patches Arrive: Microsoft

Unknown to vendors but exploited by cybercriminals, zero-day vulnerabilities are the most threatening security issues, but Microsoft’s Windows 10 can block exploitation of these vulnerabilities before they are even patched, Microsoft says.

The mitigation techniques that arrived in August 2016 as part of the Windows 10 Anniversary Update make all this possible. The update was meant to harden the platform to ensure it can stop exploits of newly discovered and even undisclosed vulnerabilities before a patch is released, and Microsoft claims that it already proved to be effective against two exploits associated with well-known threat groups.

More precisely, the deployed mitigation techniques did their job and blocked kernel-level exploits for the CVE-2016-7255 and CVE-2016-7256 vulnerabilities before they were patched in November 2016, the tech behemoth explains. The former is a Win32k elevation-of-privilege bug, while the latter is an OpenType font bug.

CVE-2016-7255, a type-confusion vulnerability in win32k.sys, was exploited by the STRONTIUM attack group to gain elevated privileges on compromised systems. To get access to the targeted computers, the group used an Adobe Flash Player vulnerability (tracked as CVE-2016-7855). The two exploits were used in a small spear-phishing campaign targeting think tanks and nongovernmental organizations in the United States.

Also known as Fancy Bear, Pawn Storm, APT28, Sednit, and Sofacy, this threat group was recently officially blamed for last year’s cyber-attacks on U.S. elections, although the U.S. government did not provide proper evidence for the attribution.

The STRONTIUM group, Microsoft says, leveraged the Win32k exploit in attacks in October 2016, in which it corrupted the tagWND.strName structure so that SetWindowTextW could be used to write arbitrary content anywhere in kernel memory. By abusing that API call to overwrite process data and copy the token of a SYSTEM process, the exploit let the attackers run their processes with elevated privileges.

The Windows 10 Anniversary Update includes techniques that prevent abusive use of tagWND.strName, thus mitigating the Win32k exploit and similar exploits. According to the software company, tests have shown that exploits abusing this method are ineffective and instead cause exceptions and subsequent blue screen errors.


The CVE-2016-7256 vulnerability in the Windows font library, on the other hand, was being abused to install a backdoor known as Hankray on targeted computers with older versions of Windows. The backdoor had been previously spotted in low-volume attacks primarily focused on targets in South Korea.

“The font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts. This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration,” Microsoft says.

Designed to copy the main body of the shellcode to newly allocated memory and run it, the stage 1 shellcode is very small, the tech giant explains. The main shellcode, which runs after the copy instructions, while also small, performs a token-stealing technique, then copies the token pointer from a SYSTEM process to the target process, achieving privilege escalation.

The Windows 10 Anniversary Update can prevent the exploit because font parsing happens entirely inside an AppContainer sandbox rather than in the kernel. Because it runs in an isolated sandbox, AppContainer can prevent font exploits (among other types of exploits) from achieving privilege escalation. Moreover, the platform includes additional validation for font file parsing.
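Both exploits described above end the same way: the attacker's process copies the token of a SYSTEM process and then runs, or spawns a child, with SYSTEM privileges although its parent is an ordinary user process. The script below is an added example (not Microsoft's or SecurityWeek's code) that looks for that parent/child mismatch in process-creation events; it assumes a constructed, simplified one-JSON-object-per-line event format with `pid`, `ppid`, `image`, `user` and `integrity` fields, modelled loosely on a process-create log, and the sample events are constructed for this example.

```python
"""Flag SYSTEM processes whose parent ran as an unprivileged user.

Added example, not code from the article or from Microsoft. The event
format and the sample events are constructed for this example; field
names (pid, ppid, image, user, integrity) are an assumption modelled
loosely on a process-create log such as Sysmon Event ID 1.
"""
import json

# Built-in service accounts that legitimately run with a SYSTEM-level token.
PRIVILEGED_USERS = {
    r"NT AUTHORITY\SYSTEM",
    r"NT AUTHORITY\LOCAL SERVICE",
    r"NT AUTHORITY\NETWORK SERVICE",
}

# Site-specific exceptions: parent images known to hand a privileged token
# to a child through a sanctioned path. Empty in this constructed example;
# populate it from your own baseline.
ALLOWED_ELEVATION_PARENTS = set()

# Constructed sample log: a user's download (pid 3344) spawns cmd.exe as
# SYSTEM (pid 3390), the post-exploitation shape of a token-stealing
# kernel exploit. The other lines are ordinary SYSTEM-to-SYSTEM activity.
SAMPLE_EVENTS = r"""
{"pid": 400,  "ppid": 4,    "image": "C:\\Windows\\System32\\services.exe", "user": "NT AUTHORITY\\SYSTEM", "integrity": "System"}
{"pid": 2120, "ppid": 1800, "image": "C:\\Windows\\explorer.exe", "user": "CORP\\alice", "integrity": "Medium"}
{"pid": 3344, "ppid": 2120, "image": "C:\\Users\\alice\\Downloads\\report.exe", "user": "CORP\\alice", "integrity": "Medium"}
{"pid": 3390, "ppid": 3344, "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM", "integrity": "System"}
{"pid": 3500, "ppid": 400,  "image": "C:\\Windows\\System32\\svchost.exe", "user": "NT AUTHORITY\\SYSTEM", "integrity": "System"}
"""


def parse_events(text):
    """Parse one JSON object per line into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(image):
    """Return the lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def find_token_anomalies(events):
    """Return alerts for privileged processes spawned by an unprivileged parent.

    A process started by an ordinary user's process should not carry a
    SYSTEM token unless it went through a sanctioned elevation path. An
    exploit that copies a SYSTEM token into the attacker's process and then
    launches a shell produces exactly this mismatch. PID reuse is ignored
    here for simplicity; a production rule should also key on creation time.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if ev["user"] not in PRIVILEGED_USERS:
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            continue  # parent not in the log window; nothing to compare against
        if parent["user"] in PRIVILEGED_USERS:
            continue  # privileged parent spawning a privileged child is normal
        if basename(parent["image"]) in ALLOWED_ELEVATION_PARENTS:
            continue
        alerts.append({
            "pid": ev["pid"],
            "image": ev["image"],
            "parent_pid": parent["pid"],
            "parent_image": parent["image"],
            "parent_user": parent["user"],
            "reason": "SYSTEM token under unprivileged parent (possible token theft)",
        })
    return alerts


if __name__ == "__main__":
    for a in find_token_anomalies(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT pid={a['pid']} {a['image']} <- pid={a['parent_pid']} "
              f"{a['parent_image']} ({a['parent_user']}): {a['reason']}")
```

On the constructed sample the rule raises exactly one alert, for cmd.exe (pid 3390) running as SYSTEM under report.exe owned by CORP\alice. The check is deliberately coarse: it does not identify which kernel bug was used, only the outcome both exploits share, which is why it keeps working when the next zero-day changes the entry point but not the token-theft finish.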

According to Microsoft, the main idea behind the hardening of Windows 10 is to ensure that mitigation techniques in the platform can tackle multiple exploits instead of focusing on neutralizing a specific bug. These mitigation techniques can either break exploit methods or close entire classes of vulnerabilities, and Microsoft plans on taking this prevention to a new level in the Windows 10 Creators Update, which will include generic kernel exploit detection in Windows Defender ATP, expected to deliver increased visibility into targeted attacks based on zero-day exploits.

“By delivering these mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers. Even the simple tactical mitigation against popular RW primitives forces the exploit authors to spend more time and resources in finding new attack routes. By moving font parsing code to an isolated container, we significantly reduce the likelihood that font bugs are used as vectors for privilege escalation,” Microsoft also says.

Related: Windows 10 Creators Update Brings New Security Capabilities

Related: Microsoft Adds Virtualization-based Security to Edge Browser

Related: Microsoft Expands Multi-Factor Authentication Solution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
