SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Windows OS is still full of holes, but Microsoft's making serious efforts to fix it
Wed, 11th Jan 2017

ESET's latest annual report on the state of the widely-used Windows operating system shows that it's continuing to be a breeding ground for vulnerabilities such as Remote Code Execution (RCE) and Local Privilege Escalation (LPE), but patches are never far behind.

The report, titled Windows Exploitation in 2016, shows that the number of Windows vulnerabilities has increased in all segments except in Internet Explorer (IE).

While previous versions of IE have been plagued with security holes, this report found that there has been a ‘steep’ decrease from 242 to 109 zero-day vulnerabilities over the last 12 months.

It also found that the Edge browser had 111 vulnerabilities, but it has held strong so far, as it has not become an exploited target.

“It is worth noting that in the last year no vulnerabilities have been found for the Edge web browser that are known to have been exploited in the wild. From our point of view this situation with Edge was predictable, because, unlike IE11, Edge keeps modern security features turned on by default, including the AppContainer full sandbox and 64-bit processes for tabs,” the report said.

Windows User-Mode Components, the processing hub for the Windows OS and applications, is still a hotbed for cybercrime activity, as the report found 116 patched vulnerabilities. These vulnerabilities are an avenue for zero-day attacks through remote code execution and hijacking privileges for malicious components.

Microsoft Office had 68 patched vulnerabilities, kernel mode drivers had 66 patched, while Win32K had 41 patches and .NET came in with seven patches.

The Windows Exploitation Report 2016 contains detailed statistics about vulnerabilities fixed in Microsoft-supported versions of Windows, its components, web browsers, as well as the Office suite, and also provides information about issued updates. The report's author also took a detailed look at exploit mitigations in recent Windows versions and the security effectiveness of major web browsers, as they represent very attractive targets for attackers.

Commenting on the new model of cumulative updates for Windows 7 and 8.1 devices, in addition to the defaults in Windows 10, the report said that “cumulative updates mean users and IT specialists will update their copies of Windows without being required to take so many actions”, which simplifies the process for IT administrators.

The report acknowledges that Microsoft is doing its best to keep its systems patched through an incremental method.

“Obviously, the use of a modern up-to-date Windows version, e.g. Windows 10 with the latest updates, is the best approach to being protected from cyberattacks exploiting vulnerabilities. As we have shown above and in previous versions of this report, its components contain useful security features for mitigating RCE and LPE exploits. We can say that actions taken by Microsoft to make modern versions of Internet Explorer more secure were insufficient, because so-called advanced security settings that are built into Edge are still optional in IE,” the report concludes.