Windows 10 patching process may leave enterprises vulnerable to zero-day attacks

2015-03-11

Aryeh Goretsky

ESET, USA
Editor: Martijn Grooten

Abstract

Microsoft recently announced its new patch roll-out strategy for the latest incarnation of the Windows operating system. Aryeh Goretsky considers how the Windows 10 patching process might affect both the enterprise and the home user.


Last year, ESET presented a webinar [1] in which we discussed some of the improvements Windows 10 is bringing to Microsoft’s flagship operating system. At the time of the presentation, not much had been publicly revealed by Microsoft about how the new operating system would be patched, although we did note that Microsoft’s use of fast and slow release channels for updates could mean that some users might be subject to buggy updates, while others could be exploited by zero-day [2] vulnerabilities:

Windows updates reloaded

On 30 January, Microsoft published a new article in its Windows For Your Business blog, aptly titled ‘Windows 10 for Enterprise: More secure and up to date’ [3]. In the article, Microsoft explained its new patch roll-out strategy, which I will attempt to paraphrase below:

  • A new Long Term Servicing (LTS) branch for businesses to use on mission-critical systems will deliver security and critical updates, but no new features. This sounds similar to the LTS [4] plans currently used by Ubuntu [5] and the Mozilla Foundation [6]. One major apparent difference is that Windows 10 will have a much longer support cycle of ten years. This will comprise five years of mainstream support, followed by five years of extended support, as compared to Ubuntu’s five-year support and Mozilla’s one-year support model for their respective LTS branches.

  • A current branch for businesses will provide security updates on a regular basis. Feature updates will be deployed as well, but on a less frequent basis in order to allow businesses to plan for them.

  • Finally, consumers and Windows Insiders (Microsoft’s public beta test program) will receive all updates first – not just security and critical updates, but also new features and non-critical updates. Any bugs or crashes they come across in those updates will, presumably, be fixed before the updates are offered to enterprise users.

While splitting Windows users into different groups in order to test patches makes sense, and is something that many companies already do internally as a means of testing patches before a global roll-out, there are some downsides to this approach:

  • Consumers and anyone else not running enterprise versions of Windows 10 could be receiving less well tested and perhaps even beta-quality code as part of their Windows 10 updates. And while home users and small businesses may not run 24×7 mission-critical systems that require 100% availability, they may be running systems which are critical to them, and running unstable code on their computers may cause crashes, performance problems and other issues preventing them from using their computers for work and play.

  • Enterprises, on the other hand, may have to wait a while longer for Microsoft to signal the ‘all clear’ on patches until they have received enough testing by Microsoft’s consumer ‘guinea pigs’ for them to be marked as ready for enterprise deployment. Attackers, meanwhile, suffer no such delays and can begin creating exploits immediately to target vulnerabilities that have yet to be patched in Windows 10 Enterprise.

It is also important to keep in mind that Microsoft’s assessment of the impact of a vulnerability may be different from the actual impact it has in your organization. Microsoft makes use of both a Security Rating System [7] and an Exploitability Index [8] in order to help determine impact. While these assessments are generally accurate for the majority of Microsoft’s customers, there will be enterprises that are at higher risk due to the way in which the technologies are deployed and used throughout the business. Conversely, there will be some enterprises that are at lower risk for the same reason.

Good patch, bad patch

The question of patch quality is key here. Last year and in early 2015, there were several occasions on which Microsoft released updates for Windows only to receive numerous reports of problems from customers – some of which were so severe that Microsoft had to pull the updates until they themselves could be updated (see Table 1).

MonthPatch
July 2014

MS14-037: Cumulative security update for Internet Explorer: July 8, 2014 [9]

(Broke Flexera InstallShield [10] and Dell Encryption software [11])

August 2014

MS14-045: Description of the security update for kernel-mode drivers: August 12, 2014 [12]

Update to support the new currency symbol for the Russian ruble in Windows [13]

August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 [14]

August 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012 [15]

(0x50 STOP error; issues with managing fonts; issues with displaying fonts; issues with displaying application windows)

September 2014

Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928) [16]

(Update failed to install correctly and had to be replaced, twice)

October 2014

Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 [17]

(Prevented Windows from booting)

December 2014

Update Rollup 8 for Exchange Server 2010 Service Pack 3 (KB2986475) [18]

(Broke Outlook’s connection to a specific version of Exchange)

February 2015

PowerPoint 2013 Update (KB2920732) – February 2015 [19]

(Prevented PowerPoint 2013 from running on Windows RT devices)

Table 1. Microsoft released several updates for Windows only to receive numerous reports of problems from customers.

Microsoft has certainly indicated that Windows 10 will receive updates and new features more quickly, but it is still an open question as to what this means for Windows 10’s quality, let alone its reliability and resiliency.

Windows 10 Enterprise Technical Preview Build 9926 showing ‘fast’ and ‘slow’ release channels.

Figure 1. Windows 10 Enterprise Technical Preview Build 9926 showing ‘fast’ and ‘slow’ release channels.

Recommendations

Until we have evidence of how Windows 10’s new patching strategy works in the real world, it is recommended that the following steps be taken:

  • Continue testing and evaluating Windows 10 in your environment. Regardless of whether you decide to deploy it immediately or wait, continuing to familiarize yourself with its new features will help ensure that your rollout goes more smoothly.

  • Since the effect of Microsoft’s new patching schema won’t be known until sometime after Windows 10 has become generally available, hold off with deployment until you can determine whether this makes Windows 10 more secure or less secure than the operating system(s) it is replacing.

    If the delay in enterprise updates results in the attack surface increasing, you may be better off staying on an older enterprise version of Windows that receives updates sooner than Windows 10’s enterprise version.

  • Another approach worth considering would be to change how update rollouts are staged in your organization: in many organizations, it is common to test Windows updates across a small percentage of users (often 10%) before rolling out across the entire enterprise.

    Consider increasing the initial rollout to a slightly higher number, such as 15% of users, followed by a second phase of rollouts to another 25–33% before globally deploying updates to all users. Adding a second wave of testers can help detect issues not discovered during the first wave of deployment, as well as helping to pinpoint issues discovered in that first wave.

    All too often, the initial phases of a rollout involve a company’s most technical users (IT, R&D engineering and so forth), not taking into account users from other departments who often have specialized use cases. Make sure your test waves include users from all departments and at all computing skill levels. Broadening your testing to include additional categories of users will increase the chances of identifying problems before the global rollout.

  • While each new version of Windows brings enhanced security mechanisms, determined adversaries will up their game as well. Deploy anti-malware software that uses a variety of techniques beyond simple signature-based detection, including heuristics, emulation, HIPS [20], exploit-blocking and SIGINT in order to protect endpoints.

  • If an attacker should breach your network’s perimeter, there are still steps you can take to slow their movement through the network as well as limit their access to useful intelligence:

    • implement multi-factor authentication for access to sensitive data

    • encrypt sensitive data stored on endpoints.

  • Finally, and this is more of a general rule than one specific to Windows 10, implement a backup methodology that works for your organization, and verify periodically that it works.

Conclusion

Over the past years, we have seen attacks increase against all platforms, not just Microsoft’s. As a matter of fact, one might even argue that such attacks are a sign of success: it means the platform is now large enough for attackers to see value in targeting it. We cannot say for certain what the overall impact of Windows 10’s new patching strategy will be on the security of businesses that adopt it, and we won’t be able to assess the situation until some time after Windows 10 has established itself in the enterprise. And, of course, there’s no guarantee that simply being a more secure version of Windows [21] (as Windows 8 was in comparison with Windows 7, or even Windows 8.1 was in comparison with Windows 8.0 [22]) will mean widespread adoption, either.

Bibliography

[1] Goretsky, A. Make 2015 More Secure: Lessons from 2014. BrightTALK. https://www.brighttalk.com/webcast/1718/125051.

[2] Zero day. Virus Radar. http://virusradar.com/en/glossary/zero-day.

[3] Alkove, J. Windows 10 for Enterprise: More secure and up to date. Windows for your Business. http://blogs.windows.com/business/2015/01/30/windows-10-for-enterprise-more-secure-and-up-to-date/.

[4] Long-term support. Wikipedia. http://en.wikipedia.org/wiki/Long-term_support.

[5] LTS. Ubuntu wiki. https://wiki.ubuntu.com/LTS.

[7] Security Bulletin Severity Rating System. Security TechCenter. https://technet.microsoft.com/en-us/security/gg309177.aspx.

[8] Microsoft Exploitability Index. Security TechCenter. https://technet.microsoft.com/en-us/security/cc998259.

[9] MS14-037: Cumulative security update for Internet Explorer: July 8, 2014. https://support.microsoft.com/kb/2975687.

[10] Microsoft’s Security Update – Impact on InstallShield and InstallShield for AdminStudio (KB2962872). http://www.flexerasoftware.com/landing/Microsoft-Security-Update-IS-AR-KB2962872.html.

[11] Paoli, C. InstallShield and Dell Encryption Crashes Connected to July Security Patch. Redmond Magazine. http://redmondmag.com/articles/2014/07/15/july-security-patch-issues.aspx.

[12] MS14-045: Description of the security update for kernel-mode drivers: August 12, 2014. http://support.microsoft.com/kb/2982791.

[13] Update to support the new currency symbol for the Russian ruble in Windows. http://support.microsoft.com/kb/2970228.

[14] August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2. http://support.microsoft.com/kb/2975719.

[15] August 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012. http://support.microsoft.com/kb/2975331.

[16] August 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012. https://technet.microsoft.com/en-us/library/security/ms14-055.aspx.

[17] Microsoft Security Bulletin MS14-055 – Important. Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928). https://technet.microsoft.com/en-us/library/security/2949927.

[18] Update Rollup 8 for Exchange Server 2010 Service Pack 3. http://support.microsoft.com/kb/2986475.

[21] Goretsky, A. A white paper: Windows 8’s Security Features. We Live Security. http://www.welivesecurity.com/2012/10/09/windows-8s-security-features/.

[22] Goretsky, A. Windows 8.1 – security improvements. We Live Security. http://www.welivesecurity.com/2013/11/17/windows-8-1-security-improvements/.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

VB2018 paper: Office bugs on the rise

It has never been easier to attack Office vulnerabilities than it is nowadays. In this paper Gabor Szappanos looks more deeply into the dramatic changes that have happened in the past 12 months in the Office exploit scene.

VB2018 paper: Tracking Mirai variants

Mirai, the infamous DDoS botnet family known for its great destructive power, was made open source soon after being found by MalwareMustDie in August 2016, which led to a proliferation of Mirai variant botnets. This paper presents a set of Mirai…

VB2018 paper: Hide’n’Seek: an adaptive peer-to-peer IoT botnet

This paper presents a thorough analysis of the inner workings of Hide’n’Seek, a peer-to-peer IoT botnet discovered in January 2018. With an exploit table that can be updated in memory and modular in its approach, Hide’n’Seek gives us a glimpse of…

Botception: botnet distributes script with bot capabilities

Researchers Jan Sirmer and Adolf Streda describe the branch of the Necurs botnet that they have been monitoring, the changes it has undergone in the course of a year, and present an analysis of the next stage of the attack: Flawed Ammy.

VB2018 paper: Since the hacking of Sony Pictures

Minseok (Jacky) Cha describes various attacks in Korea which occurred after the Sony Pictures hacking incident and which are suspected to be the work of the same group, the Lazarus Group.


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.