If you’re one of those conscious users, who acquaint themselves before they install anything onto their computers, Microsoft security updates included, then this article is for you. When you pay attention to the small print, and in the case of Windows updates – knowledge base (KB) descriptions, you will definitely come across:
- Elevation of privilege
- Remote code execution
- Security feature bypass
- Information disclosure
Those are the issues that Microsoft security bulletins regularly address on Patch Tuesdays, and accordingly fix. However, elevation of privilege and remote code execution are sensibly preferred by attackers. If your knowledge in the Windows operating system (or any OS) is above average, you are most definitely acquainted with these security terms and their definitions. And you can navigate away from this page (but first you can share it with the lesser-educated).
In case you go through the bulletins on a regular basis but feel like your knowledge is not sufficient enough, continue reading.
What Is Elevation of Privilege?
As explained by Microsoft, elevation of privilege happens whenever an attacker is given authorization permissions beyond those initially granted. For instance, this attack happens when an attacker with a privilege set of read only permissions somehow elevates the set to include read and write.
Elevation of privilege is also known as vertical privilege escalation. This is when a lower privilege user (or application) suddenly has access to functions or content meant for higher privilege users or apps.
In every monthly security bulletin released by Microsoft, there are updates addressing elevation of privilege.
In the language of security experts, how is an elevation of privilege attack described?
This attack is a type of network invasion that takes advantage of programming errors or design flaws (vulnerabilities, or CVEs) to authorize the attacker with elevated access to the network and its associated data and applications.
We mentioned vertical privilege escalation. What about horizontal?
Like we said, vertical privilege escalation happens when the attacker grants himself higher privileges. This type of network intrusion is usually carried out by performing kernel-level operations that enable the attacker to run unauthorized code.
Horizontal privilege escalation, on the other hand, demands the attacker to use the same level of privileges he already has, while undertaking the identity of another user with similar privileges. For instance, horizontal privilege escalation is when an attacker is obtaining access to another person’s online banking account.
What Is Remote Code Execution (RCE)?
Shortly said, the ability to trigger arbitrary code execution from one computer on another (mostly via the Internet) is widely known as remote code execution. Again, what enable attackers to execute malicious code and gain control over the compromised system is (surprise, surprise) vulnerabilities. Once the system is under the attackers’ control, they can elevate their privileges. That being said, the best way to prevent remote code execution attacks is by never allowing vulnerabilities to be exploited. Unfortunately, remote code execution flaws are very often favored by attackers, and that is what makes keeping your operating system up-to-date crucial.
Sadly, there are many cases of vulnerabilities being exploited in the wild before the adequate release of a patch. Because of their severe character, zero-day vulnerabilities are often rated critical. Windows is also prone to zero-day exploits, such as CVE-2015-2545 from 2015, found in Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1. Luckily, Microsoft patched this vulnerability soon after it was disclosed.
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens specially crafted media content that is hosted on a website. This security update is rated Critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10. The security update addresses the vulnerabilities by correcting how Windows handles resources in the media library.
What Is Security Feature Bypass?
This type of attack can happen on a local level. Local attackers can exploit such a flaw to bypass specified security restrictions and perform malicious activities. Such vulnerability in Windows Kernel was disclosed by Microsoft on May 12, 2015. The update that was released to patch it is KB 3050514. In Microsoft’s language, “the vulnerability could allow security feature bypass if an attacker logs on to an affected system and runs a specially crafted application”.
To understand security feature bypass, let’s take another look at the vulnerabilities patched on March 8 2016 – KB 3141780.
This security update for the .NET Framework addressed security feature bypass. The security feature bypass was found in a .NET Framework component that did not correctly validate certain elements of a signed XML document.
What Is Information Disclosure?
Information disclosure is a term used by Microsoft to describe vulnerabilities that intentionally or unintentionally disclose information to an attacker that is not authorized to have access to it. However, a more relevant way to describe such a threat is information exposure.
Even though information disclosure is frequently used in vulnerability databases, the word ‘disclosure’ isn’t always associated with security issues. The disclosed information can be sensitive to the particular software’s functionalities, or can reveal details about the software’s environment. If such information is leaked, it could be useful to an attacker in many attack scenarios.
No matter what you call it – information disclosure or information exposure, such flaws can be both resultant and primary. A resultant information disclosure can happen via a PHP script error that reveals the full path of an application. A primary ID may happen due to timing discrepancies in cryptography (via cwe.mitre.org ).
The severity of an ID flaw depends on the type of information that is made available to attackers.
An example of an ID flaw in Windows is the vulnerability from October 15, 2014. The flaw was found in SSL 3.0 and was patched with the KB 309008 update.
Threat Modeling against Vulnerabilities
According to the Open Web Application Security Project, threat modeling is one way to prevent vulnerability exposure in any application:
Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application. Threat modeling is not an approach to reviewing code, but it does complement the security code review process. The inclusion of threat modeling in the SDL (software development lifecycle) can help to ensure that applications are being developed with security built-in from the very beginning.
Microsoft has developed several tools that ease the SDL process and help prevent security flaws from being exploited:
- Attack Surface Analyzer 1.0
- Microsoft Threat Modeling Tool 2016
- MiniFuzz basic file fuzzing tool
- Regular expression file fuzzing tool
For more information, visit Microsoft.
One question remains, though…
Why Does Windows Have So Many Vulnerabilities?
There is one easy and quite obvious answer: Windows is probably the most widely used operating system. Being popular has its downside. Even the believed-to-be-invincible Mac has become prone to ransomware attacks.
Overall, Microsoft continues to release software that has lots of security flaws, which have not been predicted by the developers. The KB patches are full of security fixes that address the unforeseen vulnerabilities (described in this article). An example of a bad security practice is Windows XP’s autorun feature that would run anything within the autorun.ini file from external drives.
And let’s not forget that attacks happen because there are too many vulnerable (not regularly patched, not supported by MS anymore, or worse, pirated) versions of Windows out in the wild. That, and the fact that many people, including employees in various business sectors, know little about threat prevention and lack sufficient knowledge in the current threat landscape.
So, employ a powerful anti-malware, an external firewall, spam filters, and keep all of your software up-to-date at all times. And pray you don’t become a victim to vulnerability exploits!
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter