3 min read

If you're going to use Windows, it makes security sense to use Windows 10

Graham CLULEY

January 18, 2017

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
If you're going to use Windows, it makes security sense to use Windows 10

Zero-day vulnerabilities, the software security holes that malicious hackers can exploit to control your computer and steal your data before a patch has been created, have been one of the key weapons in the arsenal of online criminals for years.

When a zero-day flaw that is being actively exploited is uncovered or publicly disclosed the software’s manufacturer is literally left with “zero days” to come up with a fix or mitigation advice.

Wouldn’t it be great if modern operating systems hardened their defences, and did a better job in the first place at protecting against these types of security issues even when they are unknown?

Well, Microsoft is claiming that that’s precisely what it has done with the Windows 10 Anniversary Update it issued in August 2016.

In a blog post, the company revealed how the security hardening it had built into every major build of Windows 10 stopped kernel and browser zero-day attacks that worked in earlier versions of Windows.

Specifically Microsoft’s researchers looked at two zero-day exploits – CVE-2016-7255 and CVE-2016-7256.

CVE-2016-7255 (a vulnerability used in targeted attacks by the Russian hacker group known variously as Fancy Bear, APT28, Sednit, Strontium or Pawn Storm) was the subject of controversy last year when Google researchers decided it would be would be in the best interests of the public to make details of the vulnerability public, having given Microsoft only 10 days to fix the flaw. Microsoft felt that Google had put customers at risk through its actions.

CVE-2016-7256 was an Open Type Font exploit that allowed attackers to hijack users’ computers if they viewed a boobytrapped webpage.

We saw how exploit mitigation techniques in Windows 10 Anniversary Update, which was released months before these zero-day attacks, managed to neutralize not only the specific exploits but also their exploit methods. As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future zero-day exploits.

What Microsoft is saying is that if it had *only* deployed exploit mitigation features, without a patch, the exploit would have been stopped. Users who had already switched to Windows 10 Anniversary Update would have been protected because they already had those mitigations in place, and did not want to wait for a patch to be released.

Microsoft argues that its actions are forcing the creators of exploits to “spend more time and resources in finding new attack routes” – effectively increasing their costs, and forcing attackers to find new ways around the new defensive layers.

By delivering these mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers. Even the simple tactical mitigation against popular RW primitives forces the exploit authors to spend more time and resources in finding new attack routes. By moving font parsing code to an isolated container, we significantly reduce the likelihood that font bugs are used as vectors for privilege escalation.

In the coming months Microsoft will be releasing its Windows 10 Creators Update which it is hoped will include more exploit mitigation features to boost protection even further.

Of course, the story doesn’t end there. There are a number of ways of further reducing your attack surface – such as not installing the likes of Adobe PDF Reader and Flash on your PCs.

And don’t forget the human being sitting in front of the computer – they are probably the biggest security risk of all, capable of making endangering your network security with one poor decision.

Microsoft should be applauded for putting considerable energy and resource into its Windows security team, with the goal of making Windows 10 the most secure version of their operating system yet.

From the security point of view, if you’re going to use Windows it seems to make sense to use Windows 10.

Of course, security isn’t the only consideration when choosing an operating system. Privacy, for instance, also matters. And when it comes to Windows 10 and privacy – well, that’s a whole different discussion…

tags


Author



Right now

Top posts

Threat actors impersonate Canadian gas retailer to deliver malicious OneNote phishing campaign, Bitdefender Labs warns

Threat actors impersonate Canadian gas retailer to deliver malicious OneNote phishing campaign, Bitdefender Labs warns

January 26, 2023

2 min read
Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns

Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns

January 19, 2023

4 min read
Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

November 29, 2022

2 min read
How to monitor your online privacy during your Thanksgiving trip

How to monitor your online privacy during your Thanksgiving trip

November 22, 2022

3 min read
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

November 16, 2022

6 min read
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

November 14, 2022

5 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

More than 50,000 People Affected by US Cellular Data Breach; Leaked Info Hits the Internet More than 50,000 People Affected by US Cellular Data Breach; Leaked Info Hits the Internet
Silviu STAHIE

February 08, 2023

2 min read
Russian Threat Actor Targets Ukraine Ministry and Polish Police in Similar Campaigns Russian Threat Actor Targets Ukraine Ministry and Polish Police in Similar Campaigns
Silviu STAHIE

February 06, 2023

1 min read
U.S. Department of Health and Human Services Hits ‘Banner Health’ with $1.25 Million Fine U.S. Department of Health and Human Services Hits ‘Banner Health’ with $1.25 Million Fine
Silviu STAHIE

February 03, 2023

1 min read