ESET’s annual report on Windows exploitation makes interesting reading. Windows (all versions) remains the prime target by sheer virtue of the number of machines in use, yet the strategies adopted in Windows 10 and its new components, including the Edge browser, have resulted in zero vulnerabilities being exploited in the wild.
ESET’s report says that, by comparison, the ageing Internet Explorer (which Microsoft does not want you to use) had 109 vulnerabilities. That is not to say vulnerabilities have not been found in Windows 10; any new operating system that is the product of such an extensive ground-up rewrite will have them. But Windows 10 was written for the conditions of today, recognising the Internet and email as prime attack vectors, and it has completely removed vulnerabilities that plagued earlier versions, whose code dates from the mid-1990s when the Internet was an infant.
For example, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) for Windows 10 features Attack Surface Reduction (ASR). ASR stops specific, known-vulnerable components from being used on a system, removing a range of interrelated vulnerabilities found in earlier versions of Windows.
The two most common types of exploit attack in the Windows world are Remote Code Execution (RCE) and Local Privilege Escalation (LPE). The first is used by attackers to penetrate a system and the second to obtain maximum privileges on that system. In particular, RCE exploits are commonly used against vulnerabilities in web browsers with the intention of downloading and running malicious executables; such attacks are called drive-by downloads.
Because Windows 10 is so much more secure, and far less affected by the zero-day and unpatched vulnerabilities of previous Windows versions, hackers have turned their attention to gaining access by other means: Adobe’s Flash Player, other third-party programs and drivers, poisoned firmware (not just on the computer itself but on peripherals including printers and routers), and more.
Drivers remain a way into most systems. They are written by a hardware vendor and pushed to a system, either automatically or via notification. Microsoft has again quarantined Windows 10 from the rest by ruling out multi-version drivers: all Windows 10 drivers must be submitted to and approved by the Windows Hardware Developer Centre, digitally signed by Microsoft and distributed via this mechanism. This measure raises the security bar and increases stability. On the other hand, older peripherals may only run on older Windows systems.
Firmware poisoning is no longer a Windows 10 issue. On older hardware, malicious code independent of the OS can be installed in the firmware of a machine that can run multiple operating systems. In other words, it can survive not only Windows reinstallation but also low-level formatting of the hard drives, because the firmware is stored on a dedicated SPI flash chip on the motherboard (NVRAM, NVS). Windows 10 includes Secure Boot as part of its UEFI boot process, and manufacturers now understand how access to the SPI chip can compromise a system; most hardware manufacturers have measures in place to prevent this.
Network and IoT devices are also targets, and more of them have been hijacked over the past year, including some very high-profile devices from enterprise suppliers such as Cisco, Fortinet and Juniper. Again, this is proof that as Microsoft tightens Windows 10 security, hackers will go for other targets.
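The two Windows 10 controls described above, Microsoft-signed drivers and UEFI Secure Boot, can be audited from an elevated Windows PowerShell 5.1 session. The script below is an added example, not code from ESET or the article; it reports the Secure Boot state and lists every running kernel driver whose Authenticode or catalog signature does not verify as Valid.

```powershell
# Added example (not from the ESET report or the iTWire article): audit the
# Secure Boot state and driver signing on a Windows 10 machine.
# Requires an elevated Windows PowerShell 5.1 session.

function Get-SecureBootState {
    try {
        if (Confirm-SecureBootUEFI) { return 'Enabled' }
        return 'Disabled'
    } catch {
        # The cmdlet throws on legacy BIOS firmware, where Secure Boot does not exist
        return 'Unsupported (legacy BIOS / non-UEFI boot)'
    }
}

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver reports kernel-style paths in several forms; map them to Win32 paths
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^System32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignatureReport {
    # Every running kernel driver with its signature status (Authenticode or catalog)
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name          = $_.Name
                Path          = $path
                Status        = if ($sig) { $sig.Status } else { 'FileNotFound' }
                SignatureType = if ($sig) { $sig.SignatureType } else { 'None' }
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

"Secure Boot: $(Get-SecureBootState)"
# Anything other than Valid deserves a look: unsigned, tampered or test-signed code in the kernel
Get-DriverSignatureReport | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

Microsoft's own drivers are usually catalog-signed rather than carrying an embedded signature, so a SignatureType of Catalog with Status Valid is normal; a third-party .sys reporting NotSigned or HashMismatch is what to investigate.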
ESET summarises:
Obviously, the use of a modern, up-to-date Windows version, e.g. Windows 10 with the latest updates, is the best approach to being protected from cyber attacks exploiting vulnerabilities. As we have shown above and in previous versions of this report, its components contain useful security features for mitigating RCE and LPE exploits. We can say that actions taken by Microsoft to make modern versions of Internet Explorer more secure were insufficient, because so-called advanced security settings that are built into Edge are still optional in IE.
Comment
Windows bashers have long cited its vulnerability, and they would have been right: 64% of the installed base uses Windows 8.1 or earlier, all of which are based on the original NT code of the mid-1990s. For reference, Windows 7 has 641 vulnerabilities, Windows XP has 726, and 4664 have been found in Windows since its inception. Unpatched Windows 8.1 or earlier, as seen on too many consumer devices, is not secure.
Windows 10 now has a 24.36% market share and these machines are proving too hard to crack. That is not to say enterprising hackers will not find ways, but of the 225 CVE vulnerabilities discovered to date, none has been exploited in the wild.
For comparison, Apple’s macOS has a total of 3493 vulnerabilities, peaking with the discovery of 708 in 2015 and a further 324 in 2016. Apple’s iOS has had 984 vulnerabilities, again peaking with 387 in 2015 and 161 in 2016. That is not to say macOS or iOS is any less secure; it simply shows that cyber criminals have made Apple a target and that its long OS heritage is ripe for exploitation.
Android has 691 vulnerabilities (all versions), of which 125 were discovered in 2015 and 523 in 2016. It is the prime target, as it runs about 90% of the world’s smartphones. Google is taking drastic steps with Android 7 Nougat to take control of security updates and increase its enterprise take-up. Samsung’s Knox and BlackBerry’s PRIV handset (and later) have proven beyond doubt that Android can be secured.
My advice as a security writer for iTWire is two-fold. Windows 10 is the most secure version of Windows, so use it (and yes, turn off all the snooping features, not dissimilar to what you will find in Apple and Google environments), and use a paid antivirus/malware/email/ID theft/password/web safety solution. While the free versions are all good at spotting viruses and malware, packages like those from ESET, Norton, Trend Micro, Kaspersky and more are very wise investments.