Translated 2019/05/15 16:53:21

Security of Windows

Security of the Windows operating system developed by Microsoft.



A critical vulnerability in Windows could cause an epidemic on the scale of WannaCry and Petya

On May 15, 2019, Rostelecom-Solar announced a critical vulnerability that threatens a new wave of mass malware infections. CVE-2019-0708 affects operating systems of the Windows family. It allows an attacker who has not passed authentication to execute arbitrary code remotely on the targeted workstation or server.

According to Microsoft, for a successful attack the attacker needs only network access to a computer or server running a vulnerable version of Windows. To exploit the vulnerability, it is enough to send a specially crafted request to the Remote Desktop Services of the target system over the RDP protocol. Thus, if the service is published on the network perimeter, the vulnerability can be exploited directly from the Internet, without any specialized malware.

If malware exploiting this vulnerability is created, it will be able to spread from one vulnerable computer to another, similarly to the WannaCry ransomware that caused damage to organizations worldwide in 2017. As of May 2019, the vulnerability is exploitable by direct attack from the Internet, as was the case with WannaCry, for several dozen organizations in Russia and more than 2 million organizations worldwide. The risk of a more complex attack is relevant for almost all companies, and the potential damage from a delay in rapid response and protective measures will be comparable to the damage caused by the EternalBlue vulnerability.
Vladimir Dryukov, director of the Solar JSOC cyberattack monitoring and response center at Rostelecom-Solar

If an RDP service for a vulnerable operating system is published on the organization's external perimeter, it is recommended to close this access immediately. Regardless of whether such a service exists, the patches released by Microsoft should be installed quickly, and until then the use of the protocol within the organization should be limited wherever possible. The situation must be taken seriously, since organizations in any industry can be affected by the vulnerability.
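
The two recommendations above (close perimeter RDP, limit the protocol until patched) as a defender's audit-and-harden script. This is an added example, not code from the article or from Rostelecom-Solar; the management subnet 10.0.50.0/24 is an assumed value.

```powershell
# Added example (not from the article or from Rostelecom-Solar): audit whether this
# Windows host accepts RDP and from which networks, then narrow the built-in
# "Remote Desktop" firewall rules to a management subnet, matching the advice to
# close perimeter RDP and limit the protocol until Microsoft's patch is installed.
# The subnet 10.0.50.0/24 is an assumed example value. Run in an elevated shell.

function Get-RdpExposure {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # fDenyTSConnections = 0 means Remote Desktop connections are accepted
    $denied = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)
    # A RemoteAddress of 'Any' means every network, including the Internet, may reach the rule
    $scopes = @($rules | Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress })
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        RdpEnabled      = ($denied -eq 0)
        Listening       = [bool]$listener
        EnabledRules    = $rules.Count
        RemoteAddresses = (($scopes | Sort-Object -Unique) -join ', ')
        ExposedToAny    = ($scopes -contains 'Any')
    }
}

function Set-RdpRemoteScope {
    # Keep RDP for administrators, but only from the management subnet
    param([Parameter(Mandatory)][string]$ManagementSubnet)
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
        Set-NetFirewallRule -RemoteAddress $ManagementSubnet
}

function Disable-Rdp {
    # Where RDP is not needed at all, turn the service off and block its rules
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

$before = Get-RdpExposure
$before | Format-List
if ($before.RdpEnabled -and $before.ExposedToAny) {
    Set-RdpRemoteScope -ManagementSubnet '10.0.50.0/24'
    Get-RdpExposure | Format-List
}
```

Run Get-RdpExposure across the estate first; a host that is Listening with ExposedToAny set is the case the article's first recommendation targets.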

Two dangerous vulnerabilities opening access to the victim's computer are closed in Windows 10

On March 22, 2019, Positive Technologies reported that its expert Mikhail Tsvetkov had discovered two critically dangerous vulnerabilities in Microsoft Windows 10. They allowed an attacker to gain access to a computer running this operating system and to intercept confidential information. Both vulnerabilities were fixed in Microsoft's March security update.

The vulnerabilities were found in the DHCP client built into the Windows 10 operating system.

Such vulnerabilities are exploited as follows. The attacker configures a DHCP server that responds to the computer's network configuration requests with intentionally malformed packets. In some networks the attack can be carried out from a mobile phone or tablet. The attacker then has to wait for the moment when the vulnerable Windows 10 computer requests renewal of its IP address lease (which usually happens once every couple of hours) and send an illegitimate response, which grants the rights of an anonymous user on the victim's computer.
Mikhail Tsvetkov, expert at Positive Technologies

However, when developing an attack using this vulnerability, the attacker could face a number of difficulties. The rights of the anonymous user are restricted: with such privileges, access to user and system processes, folders, registry branches and some other folders is prohibited. Other existing vulnerabilities could be used to escalate privileges and continue the attack. According to Positive Technologies statistics, workstations in organizations are in general poorly protected: in 100% of cases an internal attacker can take full control of the network. For example, in 2017, after the WannaCry attack, experts found the vulnerability used by this ransomware in more than half of the systems examined, even though the patch for it had been released several months before the epidemic.

The attacker would also have to be on the same network as the targeted system. But this could be a hacker who had gained access to an insufficiently protected workstation through phishing. A critical system, for example an automated banking system, could be the ultimate target. Moreover, in some organizations the attack could be possible directly from external networks.

Both vulnerabilities made it possible to carry out the attack by substituting the attacker's message for the response of the legitimate DHCP server. To do so, the attacker had to send a special list of DNS suffixes (CVE-2019-0726) or an abnormally large number of options (CVE-2019-0697) in the DHCP response.
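
The two failure classes named above, an oversized option count and a malformed DNS suffix list, are exactly the limits a DHCP client's parser must enforce. The following is an added example, not code from the article or from Positive Technologies: a bounded parser for the DHCP options field, with the option cap and the sample packets constructed for illustration.

```powershell
# Added example (not from the article or from Positive Technologies): a bounded
# parser for the DHCP options field that enforces the two limits a client must
# hold against a rogue server: a cap on the number of options (the CVE-2019-0697
# class) and strict validation of the domain search list, option 119, encoded as
# DNS wire-format names (the CVE-2019-0726 class). Caps and packets are constructed.

function Parse-DhcpOptions {
    param([byte[]]$Data, [int]$MaxOptions = 64)
    $options = @{}; $count = 0; $i = 0
    while ($i -lt $Data.Length) {
        $code = [int]$Data[$i]                          # int key so $options[119] resolves
        if ($code -eq 255) { return $options }          # END marker
        if ($code -eq 0) { $i++; continue }             # PAD has no length byte
        if ($i + 1 -ge $Data.Length) { throw "option $code has no length byte" }
        $len = [int]$Data[$i + 1]
        if ($i + 2 + $len -gt $Data.Length) { throw "option $code length $len overruns buffer" }
        $count++
        if ($count -gt $MaxOptions) { throw "more than $MaxOptions options, rejecting reply" }
        $value = [byte[]]::new($len)
        if ($len -gt 0) { [Array]::Copy($Data, $i + 2, $value, 0, $len) }
        # RFC 3396: a long option may be split into several TLVs, so concatenate them
        $options[$code] = if ($options.ContainsKey($code)) { [byte[]]($options[$code] + $value) } else { $value }
        $i += 2 + $len
    }
    throw "options field ended without END (255)"
}

function Parse-DomainSearchList {
    # RFC 3397 option 119: <len><label> sequences, 0 terminator, RFC 1035 compression pointers
    param([byte[]]$Data, [int]$MaxHops = 8)
    $names = @(); $pos = 0
    while ($pos -lt $Data.Length) {
        $labels = @(); $p = $pos; $next = -1; $hops = 0
        while ($true) {
            if ($p -ge $Data.Length) { throw "name runs past end of option 119" }
            $len = [int]$Data[$p]
            if ($len -eq 0) { if ($next -lt 0) { $next = $p + 1 }; break }
            if (($len -band 0xC0) -eq 0xC0) {           # compression pointer
                if ($p + 1 -ge $Data.Length) { throw "truncated pointer" }
                $hops++
                if ($hops -gt $MaxHops) { throw "pointer loop in option 119" }
                $target = (($len -band 0x3F) -shl 8) -bor [int]$Data[$p + 1]
                if ($target -ge $p) { throw "forward pointer $target not allowed" }
                if ($next -lt 0) { $next = $p + 2 }
                $p = $target; continue
            }
            if ($len -gt 63) { throw "label length $len exceeds 63" }
            if ($p + 1 + $len -gt $Data.Length) { throw "label overruns option 119" }
            $labels += [System.Text.Encoding]::ASCII.GetString($Data, $p + 1, $len)
            $p += 1 + $len
        }
        $name = $labels -join '.'
        if ($name.Length -gt 253) { throw "domain name longer than 253 characters" }
        $names += $name; $pos = $next
    }
    return $names
}

# Constructed sample: message type ACK plus search list "corp.example", "lab.example",
# where "example" in the second name is a pointer (0xC0 0x05) back to offset 5.
$ascii = [System.Text.Encoding]::ASCII
$search = [byte[]](@(4) + $ascii.GetBytes('corp') + @(7) + $ascii.GetBytes('example') + @(0, 3) + $ascii.GetBytes('lab') + @(0xC0, 0x05))
$good = [byte[]](@(53, 1, 5, 119, $search.Length) + $search + @(255))
Parse-DomainSearchList (Parse-DhcpOptions $good)[119]           # corp.example, lab.example

# Constructed sample: a reply padded with 100 copies of option 12 trips the option cap
$flood = [byte[]]((1..100 | ForEach-Object { 12, 1, 65 }) + @(255))
try { Parse-DhcpOptions $flood } catch { "rejected: $_" }
```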


Windows 10 sent data on user actions to Microsoft

After the release of Windows 10, Microsoft faced a storm of indignation over the fact that the OS "spied" on users. This became known on December 13, 2018. Although the company eventually made changes (in the form of countless options that still have to be remembered), in practice the additional switches do little to help.

Recent versions of Windows 10 have an Activity History function that allows the user to return to actions performed on their devices and to browse the history of these actions on a timeline, provided the function is enabled (Activity History is enabled by default, but it can be turned off).

The timeline works if the following settings are enabled:

  • "Store my activity history on this device" on the Activity History settings page;
  • "Send my activity history to Microsoft";
  • "Show activities from accounts".

Clearly, the first setting allows user actions to be tracked, and the second sends this data to Microsoft. Nevertheless, even if all three options are disabled, the relevant data is still displayed on the page. Even if Activity History is disabled through the Group Policy Editor, information is still collected and displayed. It is possible to turn off the uploading and publishing of user activities, but that does not help either[1].

A file collecting passwords and e-mail messages found in Windows

In September 2018 it became known that Windows contains a hidden file in which passwords and e-mail correspondence are stored. The problem is relevant for users of devices with touch displays.


Recommended security standards for devices running Windows 10

At the beginning of November 2017, Microsoft published a list of recommended security standards for devices running Windows 10. The standards include a number of hardware and software requirements intended to guarantee the protection of the device.[2]

The hardware requirements are divided into 6 categories: processor generation, processor architecture, virtualization, the cryptographic Trusted Platform Module (TPM) specification, boot loader verification and RAM.

  • Microsoft recommends 7th-generation Intel and AMD processors, which include Mode Based Execution Control (MBEC), providing additional protection for the kernel.
  • The processor architecture requirement is a 64-bit processor, since Virtualization-based Security (VBS) is available only on 64-bit processors.
  • Devices running Windows 10 should support Intel VT-d, AMD-Vi or ARM64 SMMU for Input-Output Memory Management Unit (IOMMU) virtualization of I/O devices. For Second Level Address Translation (SLAT), processors should support Intel VT-x with Extended Page Tables (EPT) or AMD-V with Rapid Virtualization Indexing (RVI).
  • The recommended component is a module meeting the cryptographic Trusted Platform Module specification: a hardware module integrated into the computer's chipset, or purchased as a separate module for supported motherboards, which is responsible for secure generation of cryptographic keys, their storage, secure random number generation and hardware authentication.
  • Platform boot loader verification prevents loading firmware developed by anyone other than the system manufacturer.
  • The optimal amount of RAM is at least 8 GB.

Microsoft also imposes the following software requirements on the device:

  • The system should have firmware implementing the Unified Extensible Firmware Interface (UEFI) version 2.4 or higher.
  • The system should have firmware implementing UEFI Class 2 or UEFI Class 3.
  • All drivers should be compatible with Hypervisor-based Code Integrity (HVCI).
  • The firmware should support UEFI Secure Boot, and this function should be enabled by default.
  • The system firmware should implement Secure MOR revision 2.
  • The system should support the Windows UEFI Firmware Capsule Update specification.
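
The hardware and software baseline above can be checked from a running device with what Windows already exposes through CIM, Get-Tpm and Confirm-SecureBootUEFI. The script below is an added example, not Microsoft's own tooling; the value meanings it relies on for Win32_DeviceGuard follow Microsoft's documented enumeration, and items that Windows does not reliably expose (UEFI version and class, capsule update support) are left unchecked.

```powershell
# Added example (not Microsoft's own tooling): a report comparing a Windows 10
# device with the hardware baseline listed above, using what the OS exposes via
# CIM, Get-Tpm and Confirm-SecureBootUEFI. Value meanings for Win32_DeviceGuard
# follow Microsoft's documented enumeration. UEFI version, UEFI class and capsule
# update support are not reliably queryable from Windows and are not checked.

function Get-SecurityBaselineReport {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmSpec = (Get-CimInstance -Namespace root\CIMV2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }    # throws on legacy BIOS firmware

    # AvailableSecurityProperties: 1 hypervisor, 2 Secure Boot, 3 DMA protection (IOMMU),
    # 4 Secure Memory Overwrite (MOR), 5 NX, 6 SMM mitigations, 7 MBEC
    $props = @($dg.AvailableSecurityProperties)

    $checks = [ordered]@{
        'Processor is 64-bit (needed for VBS)'    = ($cpu.AddressWidth -eq 64)
        'Virtualization enabled in firmware'      = [bool]$cpu.VirtualizationFirmwareEnabled
        'SLAT (EPT / RVI) supported'              = [bool]$cpu.SecondLevelAddressTranslationExtensions
        'IOMMU / DMA protection available'        = ($props -contains 3)
        'Mode Based Execution Control available'  = ($props -contains 7)
        'Secure MOR available'                    = ($props -contains 4)
        # VirtualizationBasedSecurityStatus: 0 off, 1 enabled but not running, 2 running
        'VBS running'                             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning contains 2 when HVCI is active (1 is Credential Guard)
        'HVCI running'                            = (@($dg.SecurityServicesRunning) -contains 2)
        'TPM present and ready'                   = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        'TPM spec version 2.0'                    = ("$tpmSpec" -like '2.0*')
        'UEFI firmware'                           = ($env:firmware_type -eq 'UEFI')
        'Secure Boot enabled'                     = [bool]$secureBoot
        # TotalPhysicalMemory is the byte count usable by the OS, slightly under the nominal size
        'RAM at least 8 GB'                       = ($cs.TotalPhysicalMemory -ge 7.5GB)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

Get-SecurityBaselineReport | Format-Table -AutoSize
```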

Holland accuses Microsoft of violating the privacy of its citizens

In October 2017 the Dutch Data Protection Authority (DPA) accused Microsoft of violating local privacy laws with respect to people who use computers running the Windows 10 operating system.

The regulator concluded that Microsoft does not inform users that the company constantly collects data on the applications used and the web pages visited in the Edge browser when it is run with default settings.

The Dutch authorities accused Microsoft of violating the data protection law in Windows 10

The DPA's criticism also concerns the fact that Microsoft does not tell customers what type of data is collected and for what purposes. Moreover, the American company's practice does not allow people to give genuine consent to the processing of their personal data.

"It turns out that the Microsoft operating system monitors every step you take on the computer. This leads to an intrusive invasion of your account," says DPA vice-chairman Wilbert Tomesen. "What does it mean? Do people know about it, and do they want it? Microsoft should give users a fair opportunity to decide this."

If the company does not eliminate all these violations, sanctions including a fine may be imposed on it, the DPA adds.

Microsoft has been criticized for its attitude to privacy more than once. The Creators Update for Windows 10 introduced a new structure of privacy settings, but the DPA says this update does not eliminate the violations revealed during the investigation.

According to the Dutch Data Protection Authority, as of October 2017 there were more than 4 million active devices running Windows 10 Home and Pro in the Netherlands.[3]

2016: Windows Subsystem for Linux is capable of hiding viruses

On September 13, 2017 it became known that the Windows Subsystem for Linux has the potential to conceal malware.

In March 2016 Microsoft announced support for the bash command interpreter in Windows 10. For this purpose the company, together with Canonical, created a Linux subsystem, the Windows Subsystem for Linux (WSL). It runs Linux applications without containers, virtualization, separate rebuilding of utilities or a Linux kernel: native Linux executables are started by means of a special layer that translates Linux system calls into Windows system calls on the fly[4].

WSL was designed as a project independent of any specific Linux distribution. However, the first version was already optimized for Ubuntu. Support for openSUSE Leap later appeared in Windows 10, and after WSL had proven itself in the consumer version of Windows, Microsoft decided to add it to the server edition of the operating system. Several months after WSL appeared in Windows 10, analysts voiced the opinion that the subsystem could hinder virus detection.

According to Check Point experts, WSL on a PC can be used to run a number of known malware samples while making them invisible to the most widespread antivirus tools. The problem, the experts noted, lies not in WSL itself but in the carelessness of antivirus and security software developers.

The method developed by the specialists allows any malware to be run unnoticed in Windows 10. Attackers have an opening until an effective protection mechanism for PCs with Windows 10 and WSL is created. The method was named Bashware because it uses the bash command shell, through which the Linux application is started.

According to Check Point engineers, antivirus developers paid little attention to WSL because they believed the subsystem had to be enabled manually. Since the ability to run Linux applications in Windows is mainly of use to developers, relatively few users enable it. As Microsoft reported, doing so requires enabling developer mode, installing a component, rebooting the device and deploying WSL.

Bashware automates these steps and enables the function automatically. Enabling developer mode only requires changing a few registry keys, which can be done in the background, unnoticed by the user. As for the reboot, the hacker can either wait until the victim turns off the computer or trigger a critical error that causes the OS to restart. After that, Bashware loads the required Ubuntu-based environment and runs the malware in it. The WSL drivers can also be loaded onto the computer manually, without a reboot.

Windows treats the launch of a Linux application as a pico process, a process type structurally different from those created when native programs start. The researchers found that no antivirus monitors these processes, despite the fact that Microsoft provided antivirus developers with the Pico API. Bashware does not require writing special Linux viruses to be run in the attacked Windows system via WSL. Thanks to the Wine program, ordinary Windows malware, including long-known samples, can be used, and it will be hidden from antivirus products.
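
Since Bashware depends on WSL being enabled quietly on a machine where nobody needs it, the first defensive control is knowing which hosts have the subsystem at all. The following is an added example, not from Check Point or the article, that reports the WSL footprint of a host for comparison against an asset inventory.

```powershell
# Added example (not from Check Point or the article): a defender's check for
# WSL being present on hosts where no developer needs it, since Bashware relies
# on silently enabling the subsystem. It reports the optional feature state, the
# LxssManager service and any running WSL launcher processes. Run elevated.

function Get-WslFootprint {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -ErrorAction SilentlyContinue
    $svc = Get-Service -Name LxssManager -ErrorAction SilentlyContinue
    # wsl.exe and bash.exe are the launchers that hand off to pico processes
    $procs = @(Get-Process -Name wsl, bash -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        FeatureState  = if ($feature) { "$($feature.State)" } else { 'NotAvailable' }
        ServiceStatus = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        LauncherProcs = (@($procs | ForEach-Object { "$($_.Name) (pid $($_.Id))" }) -join ', ')
        # Enabled is only expected on hosts an inventory marks as developer workstations
        WslEnabled    = [bool]($feature -and $feature.State -eq 'Enabled')
    }
}

Get-WslFootprint | Format-List
```

A WslEnabled value of $true on a host that the inventory does not mark as a developer workstation is the condition worth alerting on.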


Five Windows 10 security bulletins in 2 weeks

On August 11, 2015 Microsoft released five security bulletins affecting Windows 10, and one more concerns the Microsoft Edge browser; in total, 14 bulletins have been issued since the release of this version of the OS. The new release also contains the updates for other Microsoft products traditional for the second Tuesday of the month[5].

Three of them are rated critical, and it is recommended to install these updates as soon as possible. Among them are MS15-079, MS15-080 and MS15-081, which close vulnerabilities in Windows, Internet Explorer and Microsoft Office. According to analyst Wolfgang Kandek, 40% of the updates released this month by Microsoft are intended for Windows 10. For comparison, in the first two months after the release of Windows 8, updates for it made up 60% of the total number of updates for Microsoft products.

Critical updates for Office are released rarely. This release closes a vulnerability through which an attacker can gain control of a user's system by tricking the user into opening a specially crafted Word document. According to Microsoft, this vulnerability is already being exploited by attackers.

Bulletin MS15-085 concerns a vulnerability in which a USB flash drive containing code that is activated when it is connected to the device is used to gain access to the system. Examples of this already exist. Users of Windows Vista and Windows 2008 who work with file sharing services over the SMB protocol (Server Message Block) should pay attention to bulletin MS15-083.

Overview of cybersecurity innovations in Windows 10

In 2015, before the official start of Windows 10 sales, observers analyzed which security features useful to enterprises had been added to the new product.

Microsoft advertises improvements in areas such as personal data protection and access control, data protection, and resistance to threats. For example, in the area of access control, Windows 10 will have native two-factor authentication, as Microsoft tries to move users beyond the single-password method, which has proved too vulnerable. With two-factor authentication, attackers would need to obtain two pieces of information to break into a system, such as a password and a code sent to the user's device, for example a smartphone.

In terms of data protection, Windows 10 is equipped with data loss prevention (DLP) technology, which separates personal and corporate data and protects the latter using "control". Corporate applications, data, e-mail, web content and other confidential information will be encrypted automatically in Windows 10, on both desktop PCs and mobile devices.

IT specialists will be able to develop control policies defining which applications may access corporate data. Windows 10 extends VPN management capabilities to protect corporate data on employee-owned devices.

In the area of resistance to threats and malware, Windows 10 will have device lockdown functions that allow users to run only applications signed using Microsoft's signing service.

IT administrators will be able to define which applications they consider trustworthy: those they sign themselves, those signed by independent software vendors, those available in the Microsoft Store (formerly Windows Store), or all of them.

2014: Natalya Kasperskaya: Windows OS contains dangerous "backdoors"

Speaking about state information security as one of the goals of import substitution, Natalya Kasperskaya, CEO of the InfoWatch group, expressed confidence at a round table in the State Duma in July 2014 that Windows OS contains "backdoors" that could cause damage to the country.

"I have no doubt that they are there and that at some point activating them will present no difficulty, including in computers that are considered a protected environment, simply because the technical capability exists. Capabilities matter," Kasperskaya said.

She added that there is no way to check "all the millions of lines of Windows code written by developers, since this would require a staff of developers equal to the one Microsoft has".

InfoWatch CEO Natalya Kasperskaya believes that in case of war the "backdoors" in Windows could be activated

Developing the topic, Natalya Kasperskaya noted that everyone understands "what could happen if, for example, Microsoft were asked to deliver some malicious updates across the territory of an entire country, and practically all the computers across the whole country were suddenly switched off".

The capabilities of the "backdoors" have not yet been used in practice, since Russia is not in a state of open military operations: "if we assume for a second that the country is in such a state, then they can be activated," the CEO of InfoWatch believes.

Vladimir Mamykin, Chief Information Security Officer of Microsoft in Russia, told TAdviser that one of the key factors ensuring the creation of secure systems based on the corporation's products is its cooperation with the state and compliance with national software certification requirements.

"Microsoft products regularly undergo certification for compliance with the information security requirements of the Russian Federation. Microsoft gives the state the opportunity to verify the absence of 'secret doors' in Microsoft products. To date, more than 40 products, including Windows 8, have already been certified. Our customers, including government customers, can be sure that their information systems are protected in accordance with Russian requirements," Mamykin says.

Sergey Grudanov, CEO of Certified Information Systems, notes that the basis of information system security is verifying that the software used in them complies with the Russian security requirements set by FSTEC and the FSB. Microsoft has given the Russian intelligence agencies the opportunity to analyze its source code, including for the absence of backdoors, for more than 10 years, and the company has received the largest number of certificates issued to foreign software makers, Grudanov says.