Security is Microsoft's main selling point for the latest version of its desktop operating system. The software giant is now reiterating that it is serious about that goal by showing how, in 2016, built-in mitigations thwarted zero-day exploits before patches became available.
The Microsoft Malware Protection Center team illustrated how security features in Windows 10 neutralized exploits for two zero-day vulnerabilities before Microsoft patched those flaws in November 2016. Those security features shipped with the Anniversary Update that Microsoft rolled out last summer.
Microsoft said it tested the exploits against the mitigation techniques released in August 2016. The goal was to demonstrate how those techniques might mitigate future zero-day exploits that share the same traits. The Redmond company said in a blog post:
“A key takeaway from the detonation of zero-day exploits is that each instance represents a valuable opportunity to assess how resilient a platform can be — how mitigation techniques and additional defensive layers can keep cyberattacks at bay, while vulnerabilities are being fixed and patches are being deployed. Because it takes time to hunt for vulnerabilities and it is virtually impossible to find all of them, such security enhancements can be critical in preventing attacks based on zero-day exploits.”
Microsoft also said it demonstrated how the exploit mitigation techniques in Windows 10 Anniversary Update neutralized not only the specific exploits but also the exploitation methods they relied on. That reduces the attack surface available to future zero-day exploits that would use the same methods.
More specifically, the team examined two kernel-level exploits that the advanced persistent threat group STRONTIUM used in attempts to attack Windows 10 users. The first, tracked as CVE-2016-7255, is an elevation-of-privilege vulnerability in the win32k.sys kernel-mode driver; Microsoft detected it in October 2016 as part of a spear-phishing campaign that targeted think tanks and nongovernmental organizations in the U.S. The APT group chained it with an Adobe Flash Player flaw, a common ingredient in many attacks: the Flash bug provided initial code execution, and the kernel bug was used to escalate privileges and break out of the browser sandbox.
The second, tracked as CVE-2016-7256, is an elevation-of-privilege exploit in OpenType font handling that surfaced in attacks against South Korean victims in June 2016. Both exploits were used to escalate privileges, and the Windows 10 security techniques that came with the Anniversary Update blocked both.