2015 Microsoft Windows vulnerability report

Source: Internet
Author: User


This article mainly analyzes the new security protection mechanisms and features introduced by Microsoft, Google, and other companies in 2015.

In fact, in last year's report, Windows exploitation in 2014, we already pointed out a major trend in current network attacks, 0-day attacks, and comprehensively analyzed the intrusion techniques used by attackers, such as drive-by download attacks (also known as concealed forced download attacks) and local privilege escalation (LPE) attacks.

In this new edition of the report, we will not repeat the earlier descriptions. Instead, we will focus on the new security protection technologies of 2015, such as the new security features of Google Chrome and Microsoft Edge, information about the Hacking Team exploits, and the new security features of Microsoft's Enhanced Mitigation Experience Toolkit (EMET).

Statistics

From the following table, we can see the number of vulnerabilities fixed in the IE and Edge browsers over the past 12 months. The vulnerabilities marked in red are known vulnerabilities for which exploits are circulating on the black market.


Microsoft has now stopped supporting IE6, IE7, IE8, IE9, and IE10, which will prompt users to switch to the more secure IE11. Of course, Microsoft still supports earlier IE versions on certain Windows systems (such as IE9 on Windows Vista SP2 or IE10 on Windows Server 2012).


In the chart, we can see that Microsoft fixed many vulnerabilities in Windows user mode components (Windows UMC) in 2015. Attackers can exploit these vulnerabilities to execute malicious code remotely (RCE) or to escalate local privileges (LPE) and obtain the highest system privileges. The second type of vulnerability is generally used in combination with a remote code execution vulnerability to obtain full access to the system.

For Windows UMC, we can see that the number of Windows UMC vulnerabilities fixed in 2015 is about four times that of 2014. Orange represents the 2015 data and blue represents the 2014 data.


We have looked at vulnerabilities in user mode. What is the situation in kernel mode? Kernel mode (KM) drivers and win32k (the Windows GUI kernel component) are often exploited by attackers to obtain the privileges of the system account. If these components allow remote code execution, it is very dangerous, because attackers can run malicious code directly in kernel mode. From there, attackers can gain control of all resources on the computer, including memory that is normally reserved for the system. The following also covers vulnerabilities in the kernel and the .NET Framework.


From the following table, we can see that in 2015 the Windows components that received the most patches were IE and UMC.


To analyze the weak points of Windows products, we can look further at the specific vulnerabilities in UMC. In the following table, we can see that, among the RCE and LPE vulnerability patches for each component, Windows UMC has the most.


Vulnerabilities

In 2014, we mainly focused on two types of attacks: drive-by download attacks (also known as concealed forced download attacks) and local privilege escalation (LPE). As mentioned at the beginning of this article, the second type of attack can embed malicious code to achieve elevation of privilege on the system. It is also used together with remote code execution exploits to bypass the browser sandbox and run the payload, or to run malicious code directly in kernel mode.

The following table shows the exploits that ESET detected circulating on the black market.


One of the notable LPE vulnerabilities of 2015 was CVE-2015-1769, an elevation of privilege vulnerability in the Mount Manager subsystem. It was fixed by Microsoft's patch MS15-085. The detailed description shows a privilege escalation vulnerability in the Windows Mount Manager subsystem that affects both client and server systems. It allows attackers to run arbitrary code with SYSTEM privileges by using a specially crafted symbolic link file in the root folder of a removable USB drive. This vulnerability has also been called Stuxnet-like, but it is actually less dangerous than the original one; the vulnerability used by the original worm was fixed in patch MS10-046. Because CVE-2015-1769 does not exist in the Windows Shell, it is triggered only when the USB device is inserted into the computer. In other words, attackers must have physical access to the PC to launch the attack. The MS15-085 patch fixes the mountmgr.sys driver and two kernel files (ntdll.dll and ntoskrnl.exe).

Another vulnerability is CVE-2015-1635. This vulnerability exists in the system driver file HTTP.sys in Windows 7 and later versions. It allows attackers to remotely execute malicious code with Local System privileges, and it can be used to launch DoS attacks that crash the target machine with a blue screen. This vulnerability mainly concerns Windows Server. During an HTTP session, it can easily be triggered by setting a specific value for an HTTP header to cause an integer overflow. The exploit request is as follows:


GET /%7Bwelcome.png HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: [server-ip]
Connection: Keep-Alive
Range: bytes=18-18446744073709551615
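As an added example (not code from the original report), the following Python detector parses raw HTTP requests such as the one above and flags Range headers that are unsatisfiable or whose exclusive end wraps around in 64-bit unsigned arithmetic, the arithmetic error class behind CVE-2015-1635; it generalizes to suffix and open-ended ranges. The sample requests, host name and content length are constructed, and the check illustrates the overflow class rather than reproducing HTTP.sys internals.

```python
import re
UINT64_MAX = (1 << 64) - 1
RANGE_RE = re.compile(r"^bytes\s*=\s*(\d*)\s*-\s*(\d*)\s*$", re.I)

# Constructed samples: the probe request quoted above and a benign ranged request.
REQUESTS = {
    "probe": ("GET /%7Bwelcome.png HTTP/1.1\r\n"
              "User-Agent: Wget/1.13.4 (linux-gnu)\r\nAccept: */*\r\n"
              "Host: example.invalid\r\n"
              "Connection: Keep-Alive\r\n"
              "Range: bytes=18-18446744073709551615\r\n\r\n"),
    "benign": ("GET /welcome.png HTTP/1.1\r\n"
               "Host: example.invalid\r\n"
               "Range: bytes=0-1023\r\n\r\n"),
}

def parse_headers(raw):
    """Return the request headers as a dict keyed by lowercase header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def wrapped_exclusive_end(end):
    """end + 1 in 64-bit unsigned arithmetic; wraps to 0 when end == 2**64 - 1."""
    return (end + 1) & UINT64_MAX

def suspicious_range(value, content_length):
    """True for a malformed, unsatisfiable, or 64-bit-overflowing byte range."""
    m = RANGE_RE.match(value)
    if not m or (m.group(1) == "" and m.group(2) == ""):
        return True                                # not a single well-formed range
    if m.group(1) == "":                           # suffix range: last N bytes
        start, end = max(content_length - int(m.group(2)), 0), content_length - 1
    else:
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else content_length - 1
    if wrapped_exclusive_end(end) <= start:        # the exclusive end wrapped around
        return True
    return start > end or end >= content_length    # unsatisfiable for this resource

def scan(requests, content_length=4096):
    """Map each request name to whether its Range header looks hostile."""
    result = {}
    for name, raw in requests.items():
        headers = parse_headers(raw)
        result[name] = "range" in headers and suspicious_range(headers["range"], content_length)
    return result
```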

Hacking Team

A large amount of Hacking Team code and tools was leaked last year, which has had a significant impact on the security situation since. In fact, Hacking Team's intrusion activities started several years ago (or even earlier). From a legal and ethical point of view, Hacking Team's sale of cyberattack tools to other countries actually violates the requirements of the Wassenaar Arrangement. According to the leaked documents, the countries to which HT sold its products include countries prohibited by the Wassenaar Arrangement.

FreeBuf encyclopedia

The Wassenaar Arrangement, formally the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, currently has 40 member states, including the United States, Japan, Britain, and Russia. The Arrangement requires member states to decide on their own whether to issue export licenses for sensitive products and technologies, and to notify the other member states on a voluntary basis. Its fundamental purpose is to improve transparency in transfers of conventional weapons and dual-use goods and technologies through information exchange among member states, in order to monitor and control the transfer of conventional weapons, dual-use items, and related technologies.

The leaked 0-day exploits for Windows, Flash Player, and Internet Explorer have also spread.

Hacking Team's customers could use the tools it provided to launch various attacks against their targets, for example drive-by downloads. Exploits for drive-by download vulnerabilities were found in the leaked source code. The Flash Player exploits can attack multiple browsers, including IE, Edge, Chrome, Firefox, and Opera. In addition, some exploits work not only on Windows but also on Linux and Apple OS X. The following lists the vulnerability statistics for the leaked Hacking Team tools.


Hacking Team provides support for all major desktop and mobile platforms, including the capability to deploy system monitoring tools (backdoors) on Windows, Linux, Android, OS X, and iOS. We have compiled statistics on the HT backdoor programs that we monitored; the details are as follows.


Google Chrome

Over the past year, Google has also released several useful vulnerability mitigations. First, consider the LPE exploit protection based on disabling use of the win32k.sys driver; we know that win32k.sys, like other Windows kernel components, has many vulnerabilities. This protective restriction is called the "win32k process lockdown", is applied to the sandboxed tab processes, and is also known as a process mitigation. The feature uses SetProcessMitigationPolicy, which is available in Windows 8 and later. The main purpose of this security rule is to reduce the probability that attackers bypass the Chrome sandbox and run malicious code with the highest privileges.

Regarding the Chrome sandbox, we know from previous research that it relies mainly on Windows security mechanisms such as the low integrity level, deny-only SIDs (security identifiers), job object restrictions, and the removal of privileges from the tokens of processes running in the sandbox. However, these rules apply to RCE vulnerabilities and the exploitation of user mode code. Attackers often combine an RCE exploit with an LPE exploit to achieve a full compromise (usually through win32k), running their code in kernel mode to obtain the highest system privileges.

FreeBuf encyclopedia

Here, we can look a little more closely at the low integrity level security mechanism. For example, when code tries to access a kernel object, the system compares the integrity level of the calling process with the integrity level of the kernel object. If the latter is higher than the former, modification and deletion operations are rejected. This comparison is completed before the ACL is checked. Therefore, even if a process has permission to access a resource, access is denied if the integrity level it runs at is lower than the integrity level required by the resource. This design is especially important when an application needs to run code or scripts downloaded from the Internet. Internet Explorer 7 on Windows Vista uses this mechanism to run at a "low" integrity level, so downloaded code cannot change the state of any other application, because the processes of those applications run at the medium integrity level by default.

In fact, starting with Chrome 47, all users can enable a feature called "PPAPI win32k lockdown", which can be found in chrome://flags; the win32k lockdown mode can also be enabled to protect all renderer processes or the Flash and PDF plug-in processes.

Another Chrome exploit mitigation (mainly for Flash Player) is called "Vector exploit hardening" (hardening of Flash's Vector objects against exploitation). This mechanism introduces special checks and a new heap allocation method to protect Flash Player processes and reduce the risk of exploiting vulnerabilities such as buffer overflows.

In Chrome M48 beta, Google developers introduced the AppContainer sandbox for the renderer process. This mechanism is somewhat similar to the Enhanced Protected Mode of the IE11 sandbox. The feature is disabled by default in Chrome M48 beta; to enable it, you need to turn on the AppContainer lockdown in chrome://flags.


Edge

Edge is the browser Microsoft developed for Windows 10. Compared with IE11, it includes a wider range of security options, and these options are enabled by default. By default, Edge tabs run as 64-bit processes inside AppContainers. In terms of its architecture, Edge is a brand new browser that is not compatible with old add-ons and plug-ins. Moreover, it does not support the legacy technologies of previous browser versions, such as ActiveX, BHOs, and VBScript. These technologies (for example, vulnerabilities in the vbscript.dll file of the VBScript engine) are often exploited by malware and exploit kits to penetrate the local system through the browser.

With the first major update of Windows 10, Microsoft added a new security mechanism to Edge, a mechanism that protects the browser from binary injection. For example, a library file must be signed by Microsoft, or must carry a Windows Hardware Quality Labs (WHQL) digital signature, before it can be loaded into the Edge browser. Under this mechanism, other library files attempting to load into the browser process are blocked. However, to provide 3D acceleration, video drivers are still allowed to load, which may become a path for attackers into the system in the future.

EMET

The important role of EMET is to prevent various unknown zero-day exploits. Microsoft also regards it as the last line of defense for Windows 7, Windows 8, and Windows 8.1 systems. EMET is used to protect the most important security areas of Windows; you can define your own security rules or use the default EMET rules to harden the current system. It should be said that Microsoft is improving the Enhanced Mitigation Experience Toolkit (EMET) year by year. The tool covers a wide range of RCE exploitation techniques. The latest EMET 5.5 beta introduces a new security mechanism that provides protection mainly against LPE exploits, chiefly those that exploit win32k.sys vulnerabilities through specially crafted font files. This function is called Block Untrusted Fonts, and it is currently available to Windows 10 users.


EMET 5.5 beta allows users to enable a special mitigation option. This option is mainly aimed at LPE exploits triggered through font vulnerabilities (almost all of which are in win32k.sys). The fonts Microsoft defines as trusted are those installed in the %windir%\Fonts directory. With the Block Untrusted Fonts function enabled, for example,
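As an added example, not code from the original report or from Microsoft, the following Python script applies the three per-process mitigations discussed on this page (Chrome's win32k lockdown, Edge's Microsoft-signed-only DLL loading, and EMET 5.5's Block Untrusted Fonts) to its own process through the documented SetProcessMitigationPolicy API and reads them back with GetProcessMitigationPolicy. The enum values and bit positions are assumed from the Windows SDK headers; the API calls only run on Windows (Windows 8 or later for the win32k policy, Windows 10 for the other two), while the flag-decoding helper works anywhere.

```python
import ctypes
import sys

# PROCESS_MITIGATION_POLICY enum values (assumed from the Windows SDK winnt.h).
SYSTEM_CALL_DISABLE_POLICY = 4   # win32k lockdown, as used by the Chrome sandbox
SIGNATURE_POLICY = 8             # signed-only DLL loading, as used by Edge
FONT_DISABLE_POLICY = 9          # Block Untrusted Fonts, as in EMET 5.5 on Windows 10

# Each policy is one DWORD bitfield; bit 0 is the enable flag, the font policy's bit 1 audits.
FLAG_NAMES = {
    SYSTEM_CALL_DISABLE_POLICY: {1 << 0: "DisallowWin32kSystemCalls"},
    SIGNATURE_POLICY: {1 << 0: "MicrosoftSignedOnly"},
    FONT_DISABLE_POLICY: {1 << 0: "DisableNonSystemFonts", 1 << 1: "AuditNonSystemFontLoading"},
}

def enabled_flags(policy, flags):
    """Decode a policy DWORD back into the flag names that are set, in bit order."""
    return [label for bit, label in FLAG_NAMES[policy].items() if flags & bit]

def _kernel32():
    k32 = ctypes.windll.kernel32                      # only reachable on Windows
    k32.GetCurrentProcess.restype = ctypes.c_void_p   # HANDLE is pointer-sized on x64
    k32.SetProcessMitigationPolicy.argtypes = [ctypes.c_int, ctypes.c_void_p, ctypes.c_size_t]
    k32.GetProcessMitigationPolicy.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_size_t]
    return k32

def set_policy(policy, flags):
    """Apply a policy to the current process; False off Windows or if the call fails."""
    if sys.platform != "win32":
        return False
    dword = ctypes.c_uint32(flags)                    # the policy struct is a single DWORD
    return bool(_kernel32().SetProcessMitigationPolicy(policy, ctypes.byref(dword), 4))

def get_policy(policy):
    """Read a policy back from the current process; None off Windows or on failure."""
    if sys.platform != "win32":
        return None
    k32, dword = _kernel32(), ctypes.c_uint32(0)
    ok = k32.GetProcessMitigationPolicy(k32.GetCurrentProcess(), policy, ctypes.byref(dword), 4)
    return dword.value if ok else None

if __name__ == "__main__":
    # Win32k lockdown goes last (no GUI calls afterwards); after the signature policy no
    # non-Microsoft DLL, Python extension modules included, can load into this process.
    for policy, flags in [(FONT_DISABLE_POLICY, 1 << 1),           # audit mode only
                          (SIGNATURE_POLICY, 1 << 0),
                          (SYSTEM_CALL_DISABLE_POLICY, 1 << 0)]:
        print(policy, enabled_flags(policy, flags), set_policy(policy, flags),
              enabled_flags(policy, get_policy(policy) or 0))
```

Running this on Windows shows each policy's flags before and after the call; a policy that the running Windows version does not support simply fails to apply.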


Conclusion

In this report, we have also looked at the various security mechanisms of web browsers, including the use of Microsoft EMET, and compiled statistics on Microsoft product vulnerability fixes. For users, Windows user mode components currently present the highest level of vulnerability threat. We will continue to follow specific Windows vulnerabilities in the future. Windows users should use the existing security mechanisms to improve the security of their local environment.
