Windows OS is still full of holes, but Microsoft's making serious efforts to fix it

11 Jan 17

ESET’s latest annual report on the state of the widely-used Windows operating system shows that it’s continuing to be a breeding ground for vulnerabilities such as Remote Code Execution (RCE) and Local Privilege Escalation (LPE), but patches are never far behind.

The report, titled Windows Exploitation in 2016, shows that the number of Windows vulnerabilities has increased in all segments except in Internet Explorer (IE).

While previous versions of IE have been plagued with security holes, this report found that there has been a ‘steep’ decrease from 242 to 109 zero-day vulnerabilities over the last 12 months.

It also found that the Edge browser had 111 vulnerabilities, but none of them is known to have been exploited in the wild so far.

“It is worth noting that in the last year no vulnerabilities have been found for the Edge web browser that are known to have been exploited in the wild. From our point of view this situation with Edge was predictable, because, unlike IE11, Edge keeps modern security features turned on by default, including the AppContainer full sandbox and 64-bit processes for tabs,” the report said.

Windows User-Mode Components, the part of the OS that hosts and processes applications, remains a hotbed for cybercrime activity: the report counted 116 patched vulnerabilities there. These flaws are an avenue for zero-day attacks through remote code execution and for privilege hijacking by malicious components.

Microsoft Office had 68 patched vulnerabilities, kernel-mode drivers had 66, Win32k had 41 and .NET came in with seven.

The Windows Exploitation Report 2016 contains detailed statistics about vulnerabilities fixed in Microsoft-supported versions of Windows, its components, web browsers, as well as the Office suite, and also provides information about issued updates. The report’s author also took a detailed look at exploit mitigations in recent Windows versions and the security effectiveness of major web browsers, as they represent very attractive targets for attackers.

The report also said of the new model of cumulative updates for Windows 7 and 8.1 devices, in addition to the defaults in Windows 10, that “cumulative updates mean users and IT specialists will update their copies of Windows without being required to take so many actions”, simplifying the process for IT administrators.

The report acknowledges that Microsoft is doing its best to keep its systems patched through an incremental method.

“Obviously, the use of a modern up-to-date Windows version, e.g. Windows 10 with the latest updates, is the best approach to being protected from cyberattacks exploiting vulnerabilities. As we have shown above and in previous versions of this report, its components contain useful security features for mitigating RCE and LPE exploits. We can say that actions taken by Microsoft to make modern versions of Internet Explorer more secure were insufficient, because so-called advanced security settings that are built into Edge are still optional in IE,” the report concludes.
