Windows 10 Anniversary Update has introduced many mitigation techniques in core Windows components and the Microsoft Edge browser, helping protect customers from entire classes of exploits for very recent and even undisclosed vulnerabilities, Matt Oh and Elia Florio of Microsoft's Windows Defender ATP Research Team wrote in an online post last week.
Countering unidentified vulnerabilities -- also known as "zero day" vulnerabilities -- is particularly important because they are a powerful tool used by attackers, especially those working for nation-states, to penetrate systems and steal data.
Rather than focus on a single vulnerability, Microsoft is focusing on mitigation techniques that counter classes of exploits, Oh and Florio explained.
Paying for Protection
For the most effective post-breach protection, Oh and Florio suggested, customers should sign up for Windows Defender ATP, a service that is available only to users of Windows Enterprise E5. That appears to be a departure from how Windows security was treated in the past, observed Michael Cherry, an analyst with Directions on Microsoft. When Microsoft launched its Trustworthy Computing initiative in 2002, there was a commitment to making all versions of Windows equally secure, he recalled.
"Now, what Microsoft is saying in a subtle way," Cherry told TechNewsWorld, is that "to be the most secure on Windows, you should be using Windows Defender Advanced Threat Protection -- but we're saving that for our best customers, our customers willing to pay for the enterprise edition. That's a big change that's happening in Windows security."
What Users Get
Nevertheless, the security improvements in the new Windows 10 Anniversary Update are worthwhile for consumers. "This is great news for users," said Jerome Segura, a senior security researcher for Malwarebytes. "Microsoft is addressing zero days and exploits in general by sandboxing a lot of the components in the operating system," he told TechNewsWorld.
Sandboxing is a technique that isolates activity in a space where it can be observed without affecting its surroundings. If code behaves badly in the sandbox, it is not allowed to interact with the other parts of the system. Sandbox techniques were used in Windows 10 to neutralize an exploit that used corrupt fonts to gain escalated privileges on a system, Microsoft's Oh and Florio explained. Escalated privileges give an intruder greater freedom to roam a network and access its data.
Room for Improvement
While Microsoft is making good progress in hardening the Windows kernel, it could improve the operating system's security in other areas, too. One of those areas is third-party applications and components.
"While it's trying to ensure that its operating system is secure, it still depends on Flash, Java and other pieces of software. At the end of the day, the security of the system is going to depend on all the pieces, not just what Microsoft ships," Malwarebytes' Segura observed.
"You can have an OS that's safe, but if you have an outdated Flash plug-in, you can still get infected," he pointed out.
Hackers also are exploiting Microsoft Office documents.
"Microsoft needs to tighten up legacy code like macros -- either disable it or sandbox it," Segura said.
Threat to Security Vendors?
As Windows security improves, will it threaten the security ecosystem that has grown up around the OS?
"Ultimately, Microsoft's new anti-exploit features in Windows call into question the value of legacy antivirus protections," said Simon Crosby, CTO of Bromium.
"As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future Zero-Day exploits," Oh and Florio wrote.