Matt Oh and Elia Florio of the Windows Defender ATP Research Team said on Friday that Windows 10 Anniversary Update not only neutralized zero-day kernel exploits used by two recent attack campaigns, but revealed how they were used. The exploits were based on the CVE-2016-7255 and CVE-2016-7256 vulnerabilities, which were patched in November. The thwarted exploits are just two examples of the work Microsoft put into Anniversary Update to reduce the number of attack avenues hackers can take through vulnerabilities.
The first attack campaign began in June by “unidentified actors” using “Hankray” against targets located in South Korea. The campaign consisted of low-level attacks and was followed up by a second campaign in November using Hankray as well. This second wave took advantage of a flaw in the Windows font library, aka CVE-2016-7256, that enabled hackers to elevate a PC’s account privileges and install the Hankray backdoor.
With Windows 10 Anniversary Edition, font exploits are mitigated by AppContainer, preventing them from taking place on the kernel level. AppContainer includes an isolated sandbox that blocks exploits from gaining escalated privileges of a PC. According to the duo, this walled-in space “significantly” reduces the chances of using font parsing as an angle of attack.
The second attack was a spear-phishing campaign in October. Launched by the Strontium attack group, the attack used an exploit for the CVE-2016-7255 vulnerability along with the CVE-2016-7855 vulnerability in Adobe Flash Player. The group targeted non-government organizations and think tanks in the United States. Essentially, the group used the Flash-based security hole to get access to the win32k.sys vulnerability to gain elevated privileges of the targeted PCs.
However, Anniversary Update includes security techniques that defend against the Win32k exploit along with other exploits. More specifically, Anniversary Update prevents attackers from corrupting the tagWND.strName kernel structure and using SetWindowsTextW to write arbitrary content in kernel memory. This prevention is achieved by performing additional checks for the base and length fields to verify that the virtual address ranges are correct and that they are not usable for read-write primitives.
Microsoft provides a document about the added security measures cramming into Windows 10 Anniversary Update as a PDF here. As always, Windows Defender is built into the Windows platform as a free service, automatically protecting customers against the latest threats. Microsoft also offers the Windows Defender Advanced Threat Protection subscription service for the enterprise, providing a “post-breach” layer of protection. […]