Microsoft says Windows 10 security is so good, it is now able to thwart at least some zero-day exploits before patches are available. But the software giant also warned customers that Windows 7 is so bad, they face "enormous dangers" moving forward.
The Microsoft Malware Protection Center (MMPC) team looked at two zero-day vulnerabilities, both patched in November 2016, to see how well the latest Windows 10 security features incorporated into last summer's Anniversary Update would respond to exploits that had not yet been patched.
"We are testing the exploits against mitigation techniques delivered in August 2016 with Windows 10 Anniversary Update, hoping to see how these techniques might fare against future zero-day exploits with similar characteristics," the MMPC team wrote in a blog post. They said Microsoft is "hardening the Windows platform with mitigation techniques that can stop exploits of newly discovered and even undisclosed vulnerabilities."
"A key takeaway from the detonation of zero-day exploits is that each instance represents a valuable opportunity to assess how resilient a platform can be -- how mitigation techniques and additional defensive layers can keep cyberattacks at bay, while vulnerabilities are being fixed and patches are being deployed," the blog post read. "Because it takes time to hunt for vulnerabilities and it is virtually impossible to find all of them, such security enhancements can be critical in preventing attacks based on zero-day exploits."
Microsoft demonstrated "exploit mitigation techniques in Windows 10 Anniversary Update, which was released months before these zero-day attacks, managed to neutralize not only the specific exploits, but also their exploit methods. As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future zero-day exploits."
Microsoft looked at two kernel-level exploits. The first, an elevation-of-privilege exploit logged as CVE-2016-7255, was most infamously used by the advanced persistent threat group Microsoft calls STRONTIUM, also known as Fancy Bear. This bug, used together with the Adobe Flash Player vulnerability tracked under CVE-2016-7855, was detected last October as part of a spear-phishing campaign waged by STRONTIUM targeting think tanks and nongovernmental organizations in the United States.
The second flaw, tracked under CVE-2016-7256, is an OpenType font elevation-of-privilege exploit that was first detected in attacks against South Korean targets as early as June 2016.
Both of these vulnerabilities enable elevation of privileges, and both were patched by Microsoft in November 2016 -- and both were defeated by Windows 10 security techniques added to the Anniversary Update.
Microsoft slams Windows 7 security
Meanwhile, Microsoft Germany warned that companies and users who continue to rely on Windows 7 over the next three years will face "enormous dangers" because of the operating system's "long-outdated security architectures."
Milad Aslaner, senior product manager at Microsoft Germany, warned in a blog post (in German) that in less than three years, on Jan. 14, 2020, all Windows 7 support will come to an end, with no more security updates and no more technical support from Microsoft after that date.
"Today, Windows 7 can no longer keep up with the increased security requirements," Aslaner wrote, citing higher operating costs due to increased maintenance and time lost due to cyberattacks. Windows 7 users will also be increasingly vexed by the growing unavailability of new peripherals and systems that provide backward compatibility with Windows 7.
Quoted in the post was Markus Nitschke, Windows marketing and business lead at Microsoft Germany, who said Windows 7 "does not meet the requirements of modern technology, nor the high security requirements of IT departments."
The answer, according to Microsoft, is for all customers, especially in the enterprise, to start planning to upgrade to Windows 10 as soon as possible. Microsoft ended basic support for Windows 7 two years ago; security updates and technical support for the OS will officially end on Jan. 14, 2020.