Windows Security

2024

Microsoft is preparing to tighten protection against popular attack vectors

Microsoft blogs have reported on tightening security tools in various company products that are designed to improve user security. In particular, on August 27^[1] message was published] on the development of a new security tool that will ensure the integrity of records in system logs. And on September 6, information was published^[2] that support for ActiveX components will be disabled by default in the Microsoft Office Office suite.

So at the end of August, an article was published on Microsoft's security blog stating that the Common Log File System (CLFS) was actively used by cybercriminals to attack Windows and raise privileges in the system. To do this, use the method of violating the logic of processing system messages, when a malicious record overwrites the data of another message, which leads to incorrect processing when analyzing the system log.

Errors in processing records in system logs have recently been used especially often, we even released a separate study[3] on this topic, "said Boris Larin, a leading expert at Kaspersky GReAT, Kaspersky Lab. - It's great to see that our work, and the work of other researchers, to uncover attacks using such vulnerabilities prompted Microsoft to retaliate.

According to the company's statistics from 24 vulnerabilities in CLFS, 19 vulnerabilities led to a similar type of attack, and at least three (CVE-2022-37969^[4], CVE-2023-23376^[5] and CVE-2023-28252^[6]hackers were actively exploited. However, for Russia, it seems, the statistics are somewhat different.

Attacks where attackers use errors in the processing of system log records have not been encountered lately, "Gennady Sazonov, engineer of the Solar 4Rays incident investigation group, Solar Group, assured TAdviser readers. - According to our statistics, over the past year and a half, the most popular vector of penetration into the victim's infrastructure is still the exploitation of vulnerabilities in publicly available applications, rather than phishing emails.

Microsoft developers have proposed to enter a checksum of the entry in the system log - the so-called authentications Hash-based Message Authentication Codes (HMAC) - to protect against interference with the processing of system logs. This code will allow system log processing to detect a record integrity violation and not process those in which unauthorized interference will be noticed. Microsoft has announced that the feature is already being tested in Windows Insiders Canary, and after checking its operation, it will be included in the main installations of Windows 11.

However, according to Ilnaz Gataullin, technical head of the MTS Red SOC MTS Red cyber attack monitoring and response center, you can improve the security of the Windows CFLS logging service through existing registry branches by determining other values ​ ​ using the following commands:

Set-ItemProperty -Path `HKLM:\SYSTEM\CurrentControlSet\Services\CLFS\Authentication` -Name Mode -Value 2

Set-ItemProperty -Path `HKLM:\SYSTEM\CurrentControlSet\Services\CLFS\Authentication` -Name EnforcementTransitionPeriod -Value 2592000

The use of third-party executable components built into the document - these include ActiveX controls - is one of the important vectors in a phishing attack. Therefore, disabling them by default can significantly improve the security of the client's information system. Microsoft has planned in the MC884011 update, which will become available in October this year, to enable the mode when the launch of the ActiveX component will be blocked by default.

Since 2007-2008, active exploitation of vulnerabilities in ActiveX components has been recorded, - explained Ilnaz Gataullin. - Now the facts of exploitation are not so stormy, rather everyone has already got used to the fact that ActiveX in itself is a serious vulnerability, and it must be turned off. In my opinion, it has long been necessary to disable ActiveX components by default to reduce attack vectors. I believe that the innovations and cardinal solutions were led not by an increase in the exploitation of attacks using these mechanisms, but by the regular identification of new 0-day vulnerabilities that Microsoft itself was tired of fighting.

Phishing is one of the popular methods of primary penetration of hackers into the system, so any mechanisms for protecting against penetration with "malicious" documents will reduce the surface of the attack.

Phishing emails with attachments in the form of Microsot Office documents are of some popularity today, "Gennady Sazonov confirmed the current situation. - For some groups, this method of entering the victim's infrastructure is preferable. However, emails sent often contain malicious links or other types of files (.pdf,.rar). In some cases, attackers try to disguise an executable malicious file or script by adding a double extension or replacing the file icon with something that inspires the user's trust.

However, any user can independently enable the default ActiveX disable mode now. So Ilnaz Gataullin recommends using the following powershell command for this:

Set-ItemProperty -Path `HKLM:\software\policies\microsoft\office\common\security` -Name disableallactivex -Value 1

It is possible that the developed tools for tightening Microsoft's protection will not be available to Russian users, but this does not mean that Russian information systems will be defenseless against these attacks.

In any case, the measures implemented by Microsoft developers close only a small part of the techniques used by the attackers, - said Gennady Sazonov. - Third-party protections require additional investment, but provide a much more comprehensive approach to protection. For example, Secure Email Gateway solutions provide better protection not only against phishing emails with malicious attachments in the form of MS Office documents, but also any other kind of phishing and spam. Third-party protection requires additional investment, but provides more comprehensive protection. As a rule, they are designed to compensate for the shortcomings of the built-in security mechanisms or significantly expand them.

Therefore, the already installed protection tools of Russian manufacturers may well independently cope with attempts to exploit these types of vulnerabilities. Of course, if it is possible to install updates, then it is better not to neglect such an opportunity, but the superimposed protection tools can cope with the reflection of attacks even for unknown threats.

We have technologies that allow us to detect such attacks, including attacks using unknown vulnerabilities, attacks with so-called zero-day exploits, "said Boris Larin. - Actually, in this way, we discovered several dozen similar vulnerabilities actively used in attacks that were not known before, and reported them to the manufacturers of popular software (Microsoft, Adobe, Apple, Google) in order for them to release fixes. But unfortunately, there is no ideal protection against hacker attacks in the world, so we always recommend installing the latest updates.

Hackers encrypted the industrial company's infrastructure with an unrecoverable Windows flaw

Pro-Ukrainian cybercriminals disabled IT infrastructure the Russian an industrial company using a flaw. Windows We are talking about the well-known since 2022 lack of interaction operating system with digital signatures of drivers. This was announced Solar by "" on August 26, 2024. Investigating this incident in May 2024, experts from the Solar 4RAYS Group Cyber ​ ​ Threat Research Center found Solar out that vulnerability it allowed attackers to upload harmful a driver to the victim's network that disabled it. anti-virus ON Bypassing protection, hackers a number of to encrypt corporate systems were able to and partially destroyed, causing servers virtualizations great damage to the company.

Attackers entered the network of an industrial organization in April 2024 through a hacked contractor account. From the contractor's host using the RDP (Remote Desktop Protocol) protocol, they gained access to a number of systems. But, before committing destructive actions, hackers were able to disable the security software so that their actions could not be detected and blocked.

The lack of work of Microsoft, which was exploited by cybercriminals, has been known for a long time. In 2022, the company introduced a policy of mandatory digital signature of software that can get into the core of the system, including various drivers. This signature can be obtained through a special developer portal. If there is no signature, then Windows 10, starting with version 1607, simply will not start the new driver. This measure was introduced for security: so that attackers have less ability to create malware signed with certificates from legal, but unclean certification centers.

However, to ensure compatibility with older drivers (for example, with hardware drivers that are no longer released), Microsoft left several exceptions to this policy. One of them is that the driver must be signed using the final certificate (that is, a certificate issued to a specific organization) no later than July 29, 2015. It was this exception that the attackers used, using the technique of replacing certificate timestamps. They took a certificate from a Chinese electronics manufacturer and "aged" it to the right extent so as not to "arouse suspicion" from the operating system.

In the process of investigating the attacked servers of the company, Solar 4RAYS experts found two samples of malware, one of which searched the system for signs of the presence of a security solution, and the other turned it off by the team from kernel mode. As a result of the investigation, all malware was removed from the infrastructure, and the company received recommendations for further actions to close vulnerabilities exploited by hackers.

Such a technique allows cybercriminals to turn off any software (and not just) anti-virus ON and develop freely attack in the target infrastructure. Previously, such attacks were practiced mainly by cybercriminal groups from the Asian region, but now we see its active spread among other attackers. But if Asian hackers mostly assembled without data destroying infrastructure, then Eastern attackers often Europe target destructive ones, which exacerbates the threat. In order to "catch" such an attack in time, you need to regularly check the performance of the security solutions installed in the infrastructure. If telemetry does not come from some software, this is an obvious reason to check it. In addition, it is important to periodically assess the compromise. Such a check increases the chances of identifying an attack before serious consequences occur, "said Ivan Syukhin, head of the Solar Incident Investigation Group 4RAYS Solar Group.

Microsoft blocked Linux boot

Security researchers at the Ars Technica portal found^[7], that the KB5041580 update suite, which the company Microsoft released on August 13, blocks downloads Linux on the same computer. The policy stated that this package will be installed only on devices where there is only Windows, but in fact it turned out that updates are installed on all devices and as a result block the loading of Linux even on dual-boot computers, that is, those where at the time of launch you can choose to start Windows or Linux. Often this configuration is used on home, training or test computers.

The description of the specified service pack says that it fixes the error CVE-2022-2601^[8] in the GRUB2 bootloader, which made it possible to bypass the Secure Boot mechanism developed by Microsoft. The bug was found in 2022, but only now Microsoft has managed to develop a tool to solve it. At the same time, fixes in GRUB2 have long been released by the developers of this bootloader themselves, and in its modern versions it is no longer possible to use this error.

The Microsoft security method was developed in conjunction with Red Hat, creating the so-called UEFI Secure Boot Advanced Targeting (SBAT), the installation of which creates a policy for loading operating systems. In particular, the update KB5041580 established a policy to block the download of even those versions of Linux where the error in the GRUB2 has been fixed - Ubuntu 24.04 and Debian 12.6. After installing this package, the message "Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation».

Russian companies rarely use Windows and Linux on the same device, since it is wrong to install several operating systems both from the point of view of IT and from the point of view of information security, - Sergey Kutsenko, a leading expert in the field of IT infrastructure protection at K2 Cybersecurity, commented on the situation for TAdviser. - I think this can be found only in some test circuits in conditions of limited resources.

This opinion is confirmed by Alexey Khoroshilov, a leading researcher at the ISP RAS, who is the head of the Center for Security Studies of System Software. In a dialogue with TAdviser, he noted that installing Windows and Linux on the same device is not so common, especially with UEFI Secure Boot activated. In addition, FSTEC has developed a special methodology ^[9]] Update Security Assessment, which is recommended for all updates. Actually, FSTEC itself tests updates and publishes their results in a special catalog, but it was not possible to find the results of this assessment for KB5041580 updates there.

As a way to restore work, it is recommended to delete the SBAT data installed in UEFI, "Luka Safonov, a representative of Garda, recommended to TAdviser readers. - To do this, you can disable Secure Boot in the firmware, download a fresh Linux distribution with support for UEFI Secure Boot, for example, Ubuntu, execute the command "mokutil --set-sbat-policy delete" in the console, and then reboot the Linux distribution to set the correct SBAT policy. After that, you can return the Secure Boot mode in the firmware.

Actually, the same recommendations are contained in the original study of Ars Technica, where problems with the Microsoft update were discovered. All security researchers interviewed by TAdviser agreed with the effectiveness of this method, and only Aleksey Khoroshilov added that a more secure bootstrap procedure can be organized if the recommendations^[10] to Configure Trusted Linux Kernel Boot, published by the Center for System Software Security Studies, are implemented.

A hole in the built-in Windows antivirus allows you to infect your PC with minimal effort

At the end of July 2024, it became known that later the Microsoft Defender SmartScreen security vulnerability allowed hackers to easily distribute malware such as ACR Stealer, Lumma and Meduza. Read more here

2023

Fix a vulnerability in the Microsoft WinDbg development tool

The MTS MTS RED RED Advanced Research Team (Advanced Research Team) has identified vulnerability software Microsoft WinDbg in the debugger. MTS RED ART expert Alexander Kalinin discovered a hole in, safety which can be used in the course of developers attacks , including in order to embed bookmarks in the applications they create. Microsoft was notified of the vulnerability as part of a responsible disclosure policy and has already fixed the problem. The company announced this in September 2023.

Microsoft WinDbg is one of the most popular tools for debugging applications running on the base. operating system Windows It allows developers to collect and analyze reports information about incorrect operation of the application from users. Vendors use this information to identify and correct source code flaws that remained unknown earlier. The vulnerability discovered by the MTS RED ART expert was that a problem report automatically sent to developers could be embedded malicious code or linked, since the debugger did not check the security of the contents of such. files

The danger of attacking developers directly is that they usually have local administrator rights on the work machine and access to the source code of the products. The result of such an attack can be a leak of confidential information and even embedding bookmarks in the company's software solutions in order to gain access to the infrastructure of its customers, - said Alexander Kalinin, leading system architect of the center for security of execution environments, expert of the MTS RED ART group of MTS RED.

The vulnerability allows an attacker to remotely run arbitrary malicious code on a workstation with Microsoft WinDbg installed and SMB protocol access to the attacker's server. Due to the insecurity of the process of processing dmp reports about problems, an attacker can run arbitrary code execution on a vulnerable host and implement a library spoofing attack, thereby injecting malicious capabilities into legitimate software.

To protect against these risks, MTS RED ART experts recommend that developers use exclusively versions of Microsoft WinDbg as part of Windows SDK 11 and higher, in which this vulnerability was fixed by the vendor.

Infection of Windows computers with a modular Trojan bootloader Trojan.Fruity.1

Doctor Web has identified an attack on Windows users using a modular Trojan Trojan.Fruity.1 bootloader. With its help, attackers are able to infect computers with various types of malicious applications, depending on their goals. A number of techniques are used to hide the attack and increase the chances of its effectiveness. Among them are a multi-stage process of infecting target systems, the use of harmless programs to launch Trojan components, as well as an attempt to bypass antivirus protection. This was reported on July 27, 2023 by Dr.Web.

Starting in 2022, Doctor Web will register user complaints about Windows computers infected with Remcos RAT (Trojan.Inject4.57973) malware. During the investigation of these incidents, Dr.Web specialists revealed an attack in which the main role is assigned to a multi-component Trojan Trojan.Fruity.1 loader. To spread it, attackers create malicious sites, as well as specially trained installers of various programs. Among them are tools for fine-tuning the operation of processors, video cards and BIOS, utilities for checking the state of computer equipment and a number of others. Such installers serve as bait and contain not only the potential software victim of interest, but also the Trojan itself along with all its components.

When trying to download a particular program from a fake site, the visitor is redirected to the MEGA file-sharing service page, where he is invited to download the zip archive with the Trojan package.

When an unsuspecting victim retrieves an executable file from the archive and runs it, the standard installation process begins. However, along with the sought-after harmless program, which distracts the user's attention, Trojan.Fruity.1 also gets to the computer. Along with other components, it is copied to the same folder as the decoy program.

One of the "modules" of the Trojan, the attackers made legitimate programs. In this example, the Trojan.Fruity.1 is embedded in one of the language libraries, which programming Python uses the python.exe interpreter with a valid one to run. digitally signed In addition, cases of using VLC media player files and the environment have been identified. virtualizations VMWare

The following is a list of files associated with the Trojan:

• python39.dll - a copy of the library from the Python package with malicious code embedded in it;
• python.exe - the original Python interpreter to run the modified library;
• idea.cfg - configuration with payload location data;
• idea.mp3 - encrypted Trojan modules;
• fruit.png - encrypted payload.

After they are removed from the installer, a multi-stage process of infecting the system begins. The following image shows a general diagram of algorithm the operation of the Trojan.Fruity.1:

1 stage of infection

When you start the python39.dll library, the Trojan.Fruity.1 decrypts the contents of the idea.mp3 file and extracts the dll library and shellcode (code number 1) from it for the second stage. It also reads the contents of the idea.cfg file. It contains a string with information about the location of the payload that the Trojan should start. The payload can be downloaded from the Internet or located locally on the target computer. In this case, the local fruit.png file previously extracted by the Trojan installer is used.

Stage 2 infection

The decrypted shellcode (code# 1) starts the cmd.exe command interpreter in the suspended state. The memory of the created process records information about the location of the payload (fruit.png), the shell code for the third stage (code No. 2), as well as the context for its operation. Then, a patch is entered into the image of the decrypted dll file at the first stage, indicating the address of the context in the process. Then this dll file is injected into the cmd.exe process, after which control passes to the library.

Stage 3 infection

The injected library checks the received string with the location of the encrypted payload. If the string begins with the abbreviation http, the library tries to download the target file from the Internet. Otherwise, it uses a local file. In this case, the library is passed the local path to the fruit.png file. This image is moved to a temporary directory, after which code No. 2 is launched to decrypt it. In the fruit.png file, using steganography, two executable files (dll libraries) are hidden, as well as shellcode for initializing the next stage (code No. 3).

Stage 4 Infection

After performing the previous steps, the Trojan.Fruity.1 starts code# 3. With its help, it tries to bypass detection by antiviruses and interfere with the process of its debugging when analyzed by information security experts. The Troyan is trying to inject msbuild.exe into MSBuild. In case of failure, the attempt is repeated for the cmd.exe (Windows command interpreter) and notepad.exe (Notepad) processes. Using the Process Hollowing method, one of two dll bibliotecks decrypted from the fruit.png image, as well as a shell code for initializing the fifth stage (code No. 4), is injected into the target process.

Then, in the temporary directory of the system, a dll file with a random name is created, into which the contents of the decrypted executable file from the same image are written. This file is also injected into the target process. However, this uses the Process Doppelgänging method, with the help of which the original application process in memory is replaced by malicious. In this case, the library is a Trojan spy program Remcos RAT.

Stage 5 infection

Using shellcode embedded in the library (code No. 4) and dll libraries, Trojan.Fruity.1 installs the python.exe application to startup the operating system. He also creates a task in the system scheduler to launch it. In addition, Trojan.Fruity.1 adds this application to the list of exceptions for scanning with built-in Windows antivirus. Then the shellcode writes random data to the end of the python39.dll file so that it changes the hash sum and thereby differs from the original file from the Trojan installer. In addition, it modifies library metadata by changing the date and time it was created.

As of July 2023, the Trojan.Fruity.1 distributes Remcos RAT spyware, with the help of which attackers are able to infect computers and other malware. At the same time, they can be downloaded from the Internet and distributed along with Trojan.Fruity.1 as part of Trojan software installers. As a result, cybercriminals have more options for implementing various attack scenarios. Dr.Web specialists remind that it is necessary to download software only from trustworthy sources - from official developer sites and from specialized directories. In addition, antivirus must be installed to protect computers. Dr.Web products detect and remove the Trojan.Fruity.1 Trojan and its malicious components, so they do not pose a danger to users.

Microsoft unveils Win32 app isolation - a new security standard for Windows applications

Microsoft has announced a public preview of another Windows security feature - Win32 app isolation. This feature allows you to isolate Win32 applications from unnecessary resources and other applications, creating a barrier to attackers. This became known on June 19, 2023.

Win32 app isolation is based on AppContainers technology, which creates a security boundary for processes, and components that virtualize resources and provide intermediary access to other resources. To isolate their applications, developers need to pack them using tools provided by Microsoft and use Application Capability Profiler to provide applications with access to additional resources.

The goal of Win32 app isolation is to limit damage and protect users' privacy choices in the event of an application compromise. When the Win32 application runs with the same privilege as the user, it can access the user's information without their consent. As a result, there is a risk of unauthorized access to the user's personal data by attackers without his knowledge or consent.

Win32 app isolation is an addition to existing Windows sandbox options such as Windows Sandbox and Microsoft Defender Application Guard. Unlike these options, which are based on security-based virtualization, Win32 app isolation is based on AppContainers and other features.

Win32 app isolation is supported on Windows 11 and will be available for Windows 10 in the future^[11].

With the help of a Trojan in pirated Windows assemblies, attackers stole $19,000 worth of cryptocurrency.

Dr.Web specialists have identified a Trojan styler program in a number of unofficial OCWindows 10 assemblies that attackers distributed through one of the torrent trackers. As representatives of Dr.Web told TAdviser on June 14, 2023, a malicious application named Trojan.Clipper.231 replaces the addresses of crypto wallets in the clipboard with addresses set by scammers. With the help of this Trojan, attackers have already managed to steal cryptocurrency in the amount equivalent to about $19 thousand. Read more here.

UserGate detects a vulnerability in the ICMP implementation for Windows

UserGate On March 29, 2023, the Monitoring and Response Center announced that it had added a signature to the Intrusion Detection System (UserGate IDPS) in NGFW 7.0 to detect operation in the vulnerabilities Internet Control Message Protocol (ICMP) implementation from in Microsoft OS Windows More details. here

2022

Microsoft engineers Microsoft left millions of Windows users vulnerable

A mistake by Microsoft engineers left millions of Windows users vulnerable. This became known on October 17, 2022.

The lack of Windows updates allows a hacker to compromise a computer using a driver.

For almost 2 years, Microsoft specialists have violated key Windows protection, leaving millions of customers vulnerable to infection, malware which has been especially effective in recent months.

Microsoft says Windows Update automatically blacklists new software drivers to prevent a known method of malware infection ON called BYOVD (Bring Your Own Vulnerable Driver).

This method allows an attacker with administrator privileges to easily bypass Windows kernel protection. Instead of writing an exploit from scratch, the cybercriminal simply installs a third-party driver with known vulnerabilities. It then exploits these vulnerabilities to gain instant access to some of Windows' most secure areas.

It turned out that Windows incorrectly downloaded and applied updates to the blacklist of drivers, which made users vulnerable to regular BYOVD attacks.

Moreover, even legitimate drivers sometimes contain vulnerabilities that lead to memory damage or allow hackers to inject their malicious code directly into the kernel. Even after the flaws are fixed, older drivers with errors will remain available for BYOVD attacks, since they are already signed.

Microsoft is aware of the threat of BYOVD and is working on protection. To stop these attacks, the company creates blocking mechanisms that prevent Windows from downloading signed and vulnerable drivers^[12].

Fix 52 privilege escalation vulnerabilities

Microsoft has fixed 52 patch privilege escalation vulnerabilities. This became known on July 13, 2022.

The company has fixed 1 commonly used zero-day vulnerability and 84 other bugs. 4 of the 84 vulnerabilities are classified as "critical" because they allow remote code execution. The number of errors in each vulnerability category is listed below:

• 52 privilege elevation vulnerabilities;
• 4 security bypass vulnerabilities;
• 12 RCE vulnerabilities;
• 11 disclosure vulnerabilities; information
• 5 Denial of Service (DoS) vulnerabilities.

Tuesday of the July fixes fixed the actively used 0-day privilege escalation vulnerability. This vulnerability was discovered inside the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC).

CVE-2022-22047 - Windows CSRSS vulnerability associated with privilege elevation. With this flaw, a cybercriminal can gain system privileges, Microsoft[13] 52 privilege [14].

Magniber ransomware threatens millions of Windows 11 users

On May 30, 2022, it became known that 360 Security Center analysts discovered another version of Magniber ransomware aimed at systems running Windows 11. According to experts, on May 25, the volume of attacks using Magniber increased significantly.

Extortionate ON distributed through several online platforms, sites with, pirated software fake pornographic sites, etc. When a user visits a fake site, malefactors they try to force the victim to download from harmful file their network drives.

According to the researchers, program extortioner it has practically not changed, but now it can hit several versions. OS Windows For enciphering victim files, the program uses algorithms encryption RSA and AES. The RSA algorithm is 2048 bits long, which makes Magniber hard. to crack After encryption, the file suffix becomes random, and a separate payment page opens for each victim. The redemption cost is 0.09 bitcoin in the first five days. If the ransom is not paid within the specified period, then the payment page will become invalid, and the cost of the ransom will double.

According to security researchers, there is no secure decryptor for this ransomware. In addition, experts do not yet know about the weak points of the malware that can reverse the infection.

Magniber is aimed at ordinary users, not companies, so experts recommend that users remain vigilant, do not download pirated software and use only official sites.

This is the second time in two months that Magniber has attacked Windows users. In April, attackers used fake Windows 10 updates to spread malware.^[15]

Malicious code found in Windows event logs

On May 5, 2022, Kaspersky Lab"" reported that its experts had discovered an unusual harmful campaign. It storages malware uses event logs for. Windows Moreover attacking , a wide range of techniques are used, including SilentBreak and CobaltStrike, legal penetration testing tools. Also, the infection chain includes a whole set of auxiliary modules, including those written in. They Go are used to make it difficult to detect Trojans the last stage.

Previously, the company's experts did not see a technique for hiding malicious code inside Windows event logs. The module from the archive downloaded by the victim is responsible for the initial infection of the system. Some files are signed with a digital certificate to increase trust in them. This chain ends with several Trojans at once to remotely manage infected devices. They differ in the way commands are transmitted (HTTP or named pipes), and even in their set. Some versions of the Trojans have dozens of such teams.

"In addition to using two commercial tools at once and a large number of modules, we were interested in the fact of storing encrypted shellcode in the Windows event log. Such a technique for hiding the presence of malware in the system could be added to the MITRE matrix, "- comments Denis Legezo, lead cyber security Kaspersky Lab expert.

To protect against file-free software and similar threats, the company recommends:

• Install an effective security solution such as Kaspersky Endpoint Security Cloud it has a component that allows you to detect anomalies in file behavior and detect file-free malware;
• use the EDR solution and product to combat complex targeted attacks, as well as provide monitoring center (SOC) employees with access to up-to-date analytics and regularly improve their skills through professional training. These features are available within the Kaspersky Expert Security package;
• Apply endpoint security solutions and specialized services to help protect against the most advanced attacks. The Kaspersky Managed Detection and Response service allows you to recognize and stop an attack in the early stages before attackers achieve their goals.

Scammers distribute infostiler under the guise of Windows 11 update

On April 19, it became known that cybercriminals they distribute fake updates Windows 11 containing, malware which steals from data (browser credentials, -), cookiefiles system files cryptocurrency and wallets. More. here

Windows Defender Application Control blocks vulnerable drivers

On March 29, 2022, it became known that Microsoft provided Windows users with the ability to block drivers with vulnerabilities using Windows Defender Application Control (WDAC) and the "blacklist" of vulnerable drivers.

This option is part of the Core Isolation security feature set for devices that use virtualization-based security. The feature works on devices running Windows 10, Windows 11, Windows Server 2016 and later with Hypervisor-Protected Code Integrity (HVCI) enabled, as well as systems running Windows 10 in S-mode.

The software security layer of WDAC, which blocks vulnerable drivers, protects Windows systems from potentially malicious software, ensuring that only protected drivers and applications run.

The "blacklist" of vulnerable drivers used by the Windows security option presented is updated with the help of independent hardware vendors (IHVs) and original equipment manufacturers (OEMs).

WDAC protects Windows systems from third-party drivers with any of the following attributes:

• Known security vulnerabilities that attackers can exploit to elevate privileges in the Windows kernel.
• Malicious behavior (malware) or certificates used to sign malware .
• Actions that are not malicious, but bypass the Windows security model and can be used by attackers to elevate privileges in the Windows kernel.

You can enable the Microsoft Vulnerable Driver Blacklist option under Windows Security > Device Security > Kernel Isolation. Once enabled, it blocks certain drivers based on their SHA256 hash, file attributes such as file name and version number, or the code signing certificate used to sign the driver.^[16]

2021

FSB IT structure reports dangerous Windows vulnerability

On September 13, 2021, the National Coordination Center for Computer Incidents (NCCC) of the Russian Federation, created by decree of the FSB, announced the existence of a serious vulnerability in Windows operating systems .

We are talking about the so-called "zero-day" vulnerability (0-day). It is associated with incorrect validation of input data in the MSHTML component. The breach ON in allows an attacker to remotely execute arbitrary code on the target system by opening a specially crafted document by the user. Microsoft Office

According to Interfax, citing a statement by NCCCA, the software flaw is relevant for Microsoft Windows versions 7, 8.1, 10 and Microsoft Windows Server versions 2008, 2012, 2016, 2019, 2022.

It is noted that taking into account the lack of official fixes from Microsoft, prerequisites are created for the mass infection of users' computers with various malware. There are facts about the delivery of the malicious Cobalt Strike application in this way, which in 2016 was used in a series of attacks on Russian banks, the NCCCI reported.

In the IT structure, the FSB recommends temporarily disabling the ability to install ActiveX components in the operating system and preview documents in Windows Explorer, update antivirus tools, check them with antivirus when receiving emails with files, and check the network traffic for the presence of compromise indicators presented in the "IOC20210910.csv" file.

According to BleepingComputer, cybercriminals shared about the Windows vulnerability on one of the hacker forums. All information is presented in such a form that it will not be difficult for anyone to use the exploit in their own attacks. BleepingComputer specialists, for example, demonstrated this in 15 minutes.^[17][18]

Windows 10 will start blocking potentially unwanted software by default

Windows 10 will start blocking potentially unwanted software by default. This became known on August 4, 2021.

Protection will only be available to Windows 10 users using Windows Defender, not a third-party security solution.

According to Microsoft experts, potentially unwanted applications "can cause the device to work slowly, show unwanted ads, or, in the worst case, install other software that can be more dangerous or annoying." Such programs are not malicious, but usually this software is not necessary.

The company introduced support for PUA blocking in Windows 10 in 2018, but users had to enable this feature using PowerShell. The ability to enable or configure protection in the "Windows Security" section was introduced ​​v the May security update for Windows 10 in 2020.

Protection against potentially unwanted applications is enabled by default from August 2021, but only for Windows 10 users who use Windows Defender, rather than a third-party^[19] security solution^[20].

Vulnerability that damages the hard drive after viewing the file

A vulnerability in Windows 10 damages the hard drive after viewing the file. This became known on January 14, 2021.

The vulnerability appeared in Windows 10 (build 1803) and continues to exist in the latest version.

A vulnerability in Microsoft Windows 10 allows attackers to damage an NTFS-formatted hard drive with a single-line command. A single-line file can be hidden inside a Windows shortcut, ZIP archive, batch files, or various other vectors to cause errors in hard disk operation that instantly damage the file system index.

An information security researcher using the alias Jonas L drew attention to an uncorrected vulnerability in NTFS affecting Windows 10. According to the expert, the vulnerability appeared in the version of Windows 10 (build 1803) and continues to exist in the latest version. In addition, an ordinary user with low privileges on Windows 10 systems can exploit the problem.

The disk can be corrupted even if you simply try to access the NTFS attribute "$ i30" in the folder in a certain way. The Windows NTFS index attribute (string "$ i30") is associated with directories and contains a list of directory files and subfolders. In some cases, the NTFS index may also include deleted files and folders, which is convenient when responding to incidents or forensics.

It remains unknown why access to this attribute damages the disk, but the registry key that would help diagnose the problem does not work.

After running the command at the Windows 10 command prompt and pressing Enter, the user will see an error message "The file or directory is damaged and unreadable." Windows 10 will immediately display notifications prompting the user to restart the computer and repair the damaged disk volume. When you restart, the Windows Disk Checker utility starts and begins restoring the hard drive.

After the disks are corrupted, Windows 10 will generate errors in the event log indicating that the master file table (MFT) for a particular disk contains a corrupted record.

The expert also noted that the created Windows shortcut file (.url) with the icon location set to "C:\: $ i30: $ bitmap" will exploit the vulnerability, even if the user has never opened the file. As soon as this shortcut file is downloaded to a Windows 10 PC and the user views the folder in which it is located, Windows Explorer will try to display the file icon. To do this, Windows Explorer will try to access the created icon path inside the file in the background, thereby damaging the NTFS hard drive in the process^[21]

2020

Increase in the number of vulnerabilities in Microsoft software by 48%, to 1268

In mid-June 2021, the information security company BeyondTrust released a vulnerability report, ON Microsoft according to which the total number of holes in Microsoft products reached a record level (1268) in 2020, which is 48% more than in the previous year. Experts believe 132 problems Windows 10 were critical and 56% of them could have been prevented by removing administrator rights.

The BeyondTrust report says that Microsoft's unidentified vulnerabilities are causing almost one attacks hackers in three worldwide, with about 1.5 billion people using Windows operating systems every day. Microsoft declined to comment.

Experts identified the largest number of critical problems in Windows Server: they account for 138 out of 902 vulnerabilities, and the rest of the problems relate mainly to software, Windows 7 Windows RT ,/ Windows 8 8.1 and Windows 10. Problems were also found in other Microsoft products, including 8, Microsoft Edge 9, Internet Explorer 10 and 11. Collectively, all browsers had 92 vulnerabilities in 2020, and 61 of them (66%) were considered critical.

The BeyondTrust report noted that in 2020, 27 critical vulnerabilities were identified in Internet Explorer 8, 9, 10 and 11 browsers.

Removing administrator rights could mitigate 24 of these issues by eliminating 89% of the risk, the report said.

Experts also note that the number of critical vulnerabilities in Microsoft Edge in 2020 decreased from 86 to 34. However, in this case, removing administrator rights could reduce the danger of 29 and 34 problems (85%).

Microsoft Office has identified 79 vulnerabilities involving Excel, Word, PowerPoint, Visio, Publisher and other Office products. Only five of them were deemed critical, but removing administrator rights would mitigate the effects of hacking in four out of five cases.^[22]

Critical vulnerability of DNS services for 17 years threatened Windows Server users

The company, Check Point Software Technologies Ltd. a provider of solutions in the field, cyber security on July 15, 2020 announced the identification of a vulnerability in -. DNSservers Windows Thanks to this vulnerability hackers , they can create malicious DNS queries to the Windows DNS server and execute arbitrary code, which, in turn, leads to a violation of everything. IT infrastructures The critical vulnerability, called Signed, affects versions of Windows from 2003 to 2019.

DNS is part of the global network infrastructure. Internet This system translates the names of websites familiar to users into the lines of numbers that devices need to search for a site or send an email. Taking advantage of the DNS server vulnerability, the hacker gains administrator rights domain and can manipulate user email, network traffic, restrict access to services, collect user credentials data , and more.

Check Point Research experts informed Microsoft about the vulnerability found on May 19, 2020. The company acknowledged the lack of security and promptly developed a patch (CVE-2020-1350). Microsoft also assigned the vulnerability the maximum risk level (CVSS: 10.0). The danger of the Signed vulnerability is that one exploit can trigger a chain reaction. As a result, one compromised device can become a malware distributor throughout the organization's network within minutes of the first exploit.

Microsoft fixes for this vulnerability are available from July 14, 2020. Check Point recommends that Windows users quickly fix the vulnerability of DNS servers. Check Point experts believe that the likelihood of exploiting the Signed vulnerability is high, since it will not be difficult for hackers to find the necessary ways. 99% of companies around the world are in danger, since everyone uses services in one way or another, Microsoft Active Directory including the necessary DNS, Check servers Point emphasized. If hackers manage to carry out an attack before organizations install patches, then the scale of the damage can be compared to the WannaCry 2017 epidemic. Then 300 thousand computers in 150 countries suffered from the activities of cybercriminals, and the total damage exceeded 1 billion. US dollars

"DNS server malfunction is a very serious problem. Exploiting a server vulnerability allows hackers to gain access to all sensitive company data. There are not many vulnerabilities of this type, but their presence exposes any company using OCWindows Server to a serious risk of compromising the entire corporate network. The Signed vulnerability has existed in Microsoft code for more than 17 years. If we found it, we can assume that someone else also knows about its existence, "said Omri Herscovici, head of the Check Point research group.

Safety measures:

• 1. You must use the Microsoft patch to fix the Signed vulnerability.
• 2. You must use a third-party vendor to secure your corporate IT infrastructure.
• 3. Other ways to block an attack: in the'CMD 'field, enter:
  • reg add
  • "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f net stop DNS && net start DNS

BlueKeep vulnerability that allows you to gain full control over your computer

On March 27, 2020, the company Positive Technologies announced that during the monitoring of current threats (threat intelligence), the company's experts found out that Russia the number of network nodes in available via the Remote Desktop Protocol (RDP) in just three weeks (since the end of February 2020) increased by 9% and amounted to more than 112,000. Already, over 10% of such resources are vulnerable to the BlueKeep security bug (CVE-2019-0708), which allows the attacker to gain full control over the computer database. Windows Vulnerabilities are affected,, and. operating systems Windows 7 Windows Server 2008 Windows Server 2008 R2 More. here

Apple computers infect viruses 2 times more often than Windows systems. Results of the year

In mid-February 2020, Malwarebytes, which develops protection and recovery solutions, software presented an annual report on malware. to software More. here

2019

Windows 10 ranked third in terms of vulnerabilities

In the course of analyzing the statistics of vulnerabilities in various operating systems and software products at the end of 2019, it turned out that Windows 10 was in third place (357 vulnerabilities). Read more here.

PureLocker ransomware attacks enterprise servers running Windows and Linux

On November 18, 2019, it became known that experts from Intzer and IBM X-Force IRIS team published an analysis of the PureLocker ransomware, characterized by a number of atypical features for programs of this kind. The ransomware attacks primarily corporate servers running Windows and Linux. Read more here.

CTF protocol allows you to capture any PC

On August 14, 2019, it became known that the little-known CTF protocol used in all versions operating system Microsoft Windows starting with is XP unsafe and can be used by an attacker to conduct a target. attacks This was reported by a resource with ZDNet reference to a security researcher from the Google Project Zero team Tavis Ormandy, who discovered the problem.

According to the expert, the vulnerable protocol allows hackers to seize any application, including one launched with administrator authority or even the entire OS.

How exactly the abbreviation CTF stands for is unknown - Ormandy could not find information about this in the Microsoft documentation. However, it is known that CTF is part of the Windows Text Services Framework (TSF) - a system that is responsible for displaying text in Windows and applications for it.

When a user launches an application, Windows also starts the CTF client for that application. The CTF client subsequently receives information about the OS system language and keyboard input method. The CTF server continuously monitors these parameters, and if they change, instructs the CTF client to "adjust" to them in real time.

Ormandy found out that the process of interaction between a CTF client and its server is not protected in any way, that is, any application, user or even an isolated process can simply connect to a CTF session.

{{quote 'Although the CTF server requires stream, process and window identifiers (HWND) from its client, however, due to the lack of any authentication mechanism, nothing prevents the transfer of fake data, the expert notes. }}

Thus, having established control over the CTF session of the application, an attacker can send commands to these applications, masquerading as a CTF server. With this technique, hackers are able to steal or manage data from running programs. If the program is running with elevated privileges, nothing will prevent the attacker from taking full control of the victim's computer.

According to Ormandy, any Windows application or process that displays text in the user interface can be captured. In support of his words, the expert recorded a video in which he successfully captured the CTF session of the Windows 10 login screen.

ZDNet reports that Microsoft has released a fix (CVE-2019-1162) that solves the problem Ormandy described in terms of privilege escalation. However, as the journalists of the publication note, the CTF protocol itself needs to be modernized, since it is vulnerable due to its architecture.

Ormandy posted a tool on GitHub that will allow researchers to independently test the protocol for other security problems, and also published a more detailed description of the problem on the Google Project Zero blog^[23].

Microsoft: 40% of zero-day attacks on Windows are successful

Almost 40% of hacker attacks that exploit zero-day vulnerabilities in the most current versions of Windows have been successful compared to less recent operating systems. This was announced on July 24, 2019 by Microsoft Security Response Center specialist Matt Miller, citing statistics collected since 2015.

According to him, in two out of three cases, zero-day vulnerabilities did not work against the latest versions of Windows due to security measures that Microsoft is adding to new operating systems.

As noted by ZDNet, Matt Miller wants to say that the vast majority of zero-day vulnerabilities exploited by attackers in real attacks only work against older versions of Windows. If you regularly update the OS, it will be protected from some such attacks, the publication reports.

Speaking at the February BlueHat IL 2019 information security conference, Matt Miller said that vulnerabilities in Windows are exploited before the patch is released or when the update becomes irrelevant months after release.

Microsoft claims that due to the presence of a set of protection technologies in Windows 10, such as Control Flow Guard and Device Guard, users of the operating system can feel safe to some extent with regular updates.

At the end of July 2019, Matt Miller also cited data that 70% of all security issues fixed by Microsoft over the past 12 years were related to memory management.

Microsoft Security Response Center is working to reduce the number of such errors, so they consider the Rust programming language as an alternative to C and C++.

Windows security talk Matt Miller is set to present at Usenix WOOT 19 in August.^[24]

Ban in German schools for security reasons

In mid-July 2019, it became known about the ban on Microsoft 365 (formerly Office 365) and Windows 10 in German schools. Authorities fear that the personal data of students and teachers may be available to the US government. Read more here.

Critical vulnerability in Windows could cause WannaCry and Petya outbreak

On May 15, 2019, Rostelecom-Solar announced a critical vulnerability that threatens another wave of massive viral infections. Vulnerabilities are CVE-2019-0708 affected by Windows operating systems. It allows an unauthenticated attacker to remotely execute arbitrary code on the attacked workstation or server.

According to information provided by the company, Microsoft for a successful attacks attacker, you just need to have network access to the computer to or a server with a vulnerable version of operating system Windows. To exploit the vulnerability, an attacker only needs to send a specially crafted request to the Remote Desktop service of target systems using the RDP protocol. Thus, if the system service is published on the perimeter, the vulnerability can be exploited directly from the network, without Internet using a specialized one. harmful ON

author '= Vladimir Dryukov, Director of the Solar JSOC Cyber Attack Monitoring and Response Center of Rostelecom-Solar In the event that malware is created that exploits this vulnerability, it can spread from one vulnerable computer to another in a similar way that to the encoder WannaCry damaged organizations around the world in 2017. In May 2019, the vulnerability is relevant for a direct attack from the Internet, as was the case with WannaCry, for several dozen organizations Russia in and more than 2 million organizations in the world. The risks of a more complex attack are relevant for almost all companies, and the potential damage from delay in prompt response and taking protective measures will be comparable to the damage caused by the EternalBlue vulnerability.

If there is a previously published RDP service for a vulnerable operating system on the external perimeter of the organization, we recommend closing this access immediately. Regardless of its presence, it is necessary to quickly install patches released by Microsoft, and before that, if possible, limit the use of the protocol within the organization. It is necessary to take this situation with all seriousness, since the vulnerability can be exposed to the organization of any industry.

Windows 10 closes two dangerous vulnerabilities that open access to the victim's computer

On March 22, 2019, Positive Technologies announced that its expert Mikhail Tsvetkov had identified two critically dangerous vulnerabilities in MicrosoftWindows 10. They allowed an attacker to gain access to a computer based on this operating system and intercept confidential information. In the March security update package from Microsoft, both vulnerabilities were fixed.

Vulnerabilities were found in a DHCP client built into the Windows 10 operating system.

Such vulnerabilities are exploited as follows. An attacker configures DHCP on his computer, server which will respond to network configuration requests with deliberately corrupted packets. In some networks, you can attack mobile phone with or. tablet Next, the attacker needs to wait until the vulnerable Windows 10 computer requests an update to the lease IP address (which usually happens every couple of hours), and send an illegitimate response that allows you to obtain the rights of an anonymous user on the victim's computer.

However, when developing an attack using this vulnerability, an attacker could face a number of difficulties. Anonymous user rights have restrictions: with such privileges, access to user and system processes, folders and registry branches and a number of other folders is prohibited. And other existing vulnerabilities can be used to elevate privileges and continue the attack. According to Positive Technologies statistics, workstations in organizations as a whole are unsatisfactory: in 100% of cases, an internal attacker can seize full control of the network. For example, in 2017, after the WannaCry attack, experts discovered a vulnerability that this ransomware virus used in more than half of the systems. At the same time, the patch for her was released a few months before the epidemic.

The intruder also had to be on the same network as the system under attack. But it could be a cracker who gained access to an insufficiently protected workstation through phishing. At the same time, the ultimate goal could be a critical system - for example, an automated banking system. In addition, in some organizations, an attack could be possible directly from external networks.

Both discovered vulnerabilities made it possible to carry out an attack, replacing the response of the legitimate DHCP server with an intruder message. To attack, the attacker had to send a special list of DNS suffixes (CVE-2019-0726) or report an abnormally large number of options in the DHCP response (CVE-2019-0697).

2018

Windows 10 sent user activity data to Microsoft

After the release of Windows 10, Microsoft was hit by a flurry of indignation caused by the fact that the OS "spied" on users. This became known on December 13, 2018. Although the company ended up making changes (in the form of countless options that still need to be remembered), additional switches actually do little to help.

In updated versions of Windows 10, there is an "Activity History" feature that allows you to return to actions on devices and view the history of these actions in the timeline, provided that the function is enabled ("The Activity History is enabled by default, but can be disabled).

The timeline works if the options are enabled:

• "Save my activity log on this device" on the Activity Log Settings page;
• "Send my activity log to Microsoft";
• "Show actions on specific accounts."

It is clear that the first parameter allows you to track user actions, and the second sends this data to Microsoft. However, even if you disable all three options, the corresponding data will still be displayed on the page account.microsoft.com. Even if you disable Action Log through the Group Policy Editor, information will still be collected and displayed. You can disable downloading and publishing user actions, but this will not help^[25].

Windows found a file that collects passwords and e-mail messages

In September 2018, it became known about the existence of a secret file in Windows, which stores passwords and email correspondence. The problem is relevant for users of devices with touch displays.

According to ZDNet, citing cybersecurity expert from Digital Forensics and Incident Response (DFIR) Barnaby Skeggs, a file called WaitList.dat is used in Windows to improve handwriting recognition when a user draws a touchscreen with a finger or stylus. When typing in this way, the function offers a replacement in the event of an error, as well as the words that the computer owner uses most often.

According to Skeggs, as soon as the user starts writing something on the screen, text from each document and email that is indexed by the Windows Search Indexer service is saved in the WaitList.dat file. Data from all text files found on the computer, such as e-mail letters or Office documents (not only metadata, but also content), flock to WaitList.dat, even without opening these documents and correspondence or even if they were deleted, the expert warns.

The file itself is located at the following address:

C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat

Barnaby Skeggs believes that such a file is a real gift for hackers who managed to penetrate the computer. They do not need to search for passwords in browsers or somewhere else - just copy WaitList.dat for themselves. You can find passwords in this file using simple PowerShell commands.

For users who store passwords in text documents or e-mails, the expert recommended deleting the WaitList.dat file.^[26]

Microsoft will allow Windows 10 users to view telemetry

Along with the release of a major update to Windows 10, scheduled for release in April-May 2018, Microsoft will release^[27] the Windows Diagnostic Data Viewer^[28] application, which will allow users to view which telemetry data is sent from their devices to the manufacturer's servers. The app is already available to Windows Insider members.

According to Microsoft representative Marisa Rogers, the tool will allow users to search, view and filter diagnostic data collected from devices (information about the name, version and build of the OS, user ID, diagnostic level, settings, various data about the device and browser, installed and used applications, passwords, updates, content consumption (movies, photos, etc.), licenses and date of their purchase, etc.).

With the application, users can only view data, but not delete it. Thus, computer owners and system administrators will be able to get an idea of ​ ​ what data is collected, and take measures to prevent the collection of some information for reasons of confidentiality or compliance with the established requirements.

2017

Recommended Security Standards for Windows 10 Devices

In early November 2017, Microsoft published a list of recommended security standards for Windows 10 devices. The standards include a number of hardware and software requirements that guarantee the protection of the device.^[29]

Hardware requirements are divided into 6 categories: processor generation, processor architecture, virtualization, Trusted Platform Module (TPM) cryptographic specifications, bootloader verification and RAM.

• Microsoft recommends using 7th generation Intel and AMD processors, which include Mode based execution control (MBEC) mode, which provides additional kernel security.
• Processor architecture requirements include a 64-bit processor because only Virtualization-based Security (VBS) is available.
• Windows 10 devices must support Intel VT-d, AMD-Vi, or SMMU ARM64 for Input-Output Memory Management Unit (IOMMU) virtualization capabilities. To use the Second Layer Address Translation (SLAT) feature, processors must support Intel Vt-x with Extended Page Tables (EPT) or AMD-v with Rapid Virtualization Indexing (RVI).
• The recommended component is the Trusted Platform Module cryptographic specification - a hardware module integrated into a computer chipset, or purchased as a separate module for supported motherboards, which is responsible for the secure generation of cryptographic keys, their storage, secure generation of random numbers and hardware authentication.
• The platform loader verification function does not allow downloading firmware developed by anyone other than the system manufacturer.
• The optimal amount of RAM is at least 8 GB.

At the same time, Microsoft puts forward the following requirements for the device software:

• The system must have firmware that implements the Unified Extension Firmware Interface (UEFI) version 2.4 or higher.
• The system must have firmware that implements UEFI Class 2 or UEFI Class 3.
• All drivers must be compatible with the Hypervisor-based Code Integrity (HVCI) tool.
• System firmware shall support UEFI Secure Boot. This function must be enabled by default.
• The Secure MOR revision 2 tool must be implemented in the system firmware.
• The system shall support the Windows UEFI Firmware Capsule Update specification.

Dutch accusation of violation of privacy of citizens' data

In October 2017 , the Dutch Data Protection Authority (DPA) accused Microsoft of violating local privacy laws for information owned by people who use computers running Windows 10.

The regulator concluded that Microsoft does not inform users that the company constantly collects data on applications used and visits to Internet pages when browser Edge it starts with default settings.

Criticism of the DPA also stems from Microsoft's failure to tell customers about the type of data being collected and the purpose of these actions. In addition, the practice of an American company does not imply that people can give real consent to the processing of their personal data.

It turns out that Microsoft's operating system monitors every step you take on your computer. This leads to an intrusive intrusion into your account, "says DPA Vice Chairman Wilbert Tomesen. —what does it mean? Do people know about it, do they want it? Microsoft should provide users with a fair opportunity to solve this themselves.

If the company does not address all these violations, it may be sanctioned, including a fine, the DPA adds.

Microsoft has been criticized more than once for its treatment of privacy issues. The Creators Update for Windows 10 introduced a new privacy configuration structure, but DPA claims that this update does not eliminate violations identified during the investigation.

According to the Dutch Department of Personal Data Protection, by October 2017, there are more than 4 million active devices based on Windows 10 Home and Pro in the Netherlands.^[30]

What data does Windows 10 collect: official list

On April 7, 2017, Microsoft published the official list of user data collected by Windows 10.

Along with this statement, the corporation made changes to the privacy settings of Windows 10. Now each user has the right to choose from two packages of information that his system will collect about him - basic or advanced. These changes are part of the Creators Update OS update scheduled for April 11, 2017^[31].

Information collected:

• all applications installed on the PC, including remote ones,
• monitoring the operation of the connection network,
• accounting for connected peripherals:
  • keyboards,
  • mice,
  • printers,
  • drives
  • , etc.

• system failures,
• updates,
• date of license acquisition,
• computer performance,
• browsers
  • history of visits,
  • search queries.

For analysis in the USA, the system sends data about the selected interface language, name and version.

This applies to the version of the system in force on April 7, 2017. After the Creators Update is installed, each user will be able to select a basic sent data package, the number of which is halved. This set includes OS quality data, computer component information, and application compatibility information. The full package does not differ from the current one.

Microsoft did not say - which will require the user in exchange for activating the basic telemetry package, since if it is completely free, no one will choose the full package. You should not expect the option of completely disabling tracking.

2016: Windows Subsystem for Linux is able to hide viruses

On September 13, 2017, it became known that the Windows Subsystem for Linux subsystem had the potential for concealment. harmful ON

In March 2016 Microsoft , she announced support for the bash command interpreter in. Windows 10 For this, the company together Canonical with created a subsystem - Linux Windows Subsystem for Linux, WSL. It supports the launch of Linux applications without using, containers virtualizations a separate rebuild of utilities and without using the Linux kernel - native executable files OS are launched through a special layer that translates Linux system calls to system calls on the fly Windows^[32]

WSL was created as a project independent of specific Linux distributions. However, in the first version it is already optimized for working with Ubuntu. Windows 10 introduced support for openSUSE Leap, and after running WSL in the user version of Windows, Microsoft decided to add it to the server edition of the operating system. After several months since the appearance of WSL in the top ten, the opinions of analysts have been voiced - the subsystem can serve as an obstacle to virus detection.

According to Check Point experts, using WSL on a PC, you can run a number of well-known malware, making them invisible to the most common virus protection tools. The problem is not in WSL, experts noted, but in the carelessness of developers of antivirus software and security systems.

The method developed by experts allows you to quietly run any malware in Windows 10. Attackers have prospects until an effective mechanism for protecting PCs with Windows 10 and WSL is created. This method is called bashware because it uses the bash command shell through which Linux applications are launched.

According to Check Point engineers, the creators of the antivirus software did not pay much attention to WSL because they believed that this subsystem needed to be activated manually. Since the ability to run Linux applications on Windows is mainly needed by developers, it includes a relatively small number of users. According to Microsoft, to do this, you need to activate developer mode, install the component, reboot the device and deploy WSL.

Bashware automates these steps and runs the function automatically. To activate developer mode, it is enough to change several sections in the registry. This can be done in the background, unnoticed by the user. As for the reboot, the hacker can either wait for the victim to turn off the computer, or initiate a critical error that will cause the OS to restart. After that, bashware loads the necessary environment created on the Ubuntu platform and launches malware in it. You can download WSL drivers to your computer manually and without restarting.

Windows regards the launch of a Linux application as a pico-process - a type of process that is structurally different from those that occur when native programs are launched. The researchers found out that no antivirus tracks these processes, despite the fact that Microsoft provided the Pico API to antivirus developers. To work with bashware, you do not need to write special viruses for Linux, which will then be launched in the attacked Windows using WSL. Thanks to the Wine program, you can use regular malware for Windows, including the long-known one - it will be hidden from antiviruses.

2015

Five Windows 10 security bulletins in 2 weeks

On August 11, 2015, Microsoft presented five security bulletins affecting Windows 10, another applies to the Microsoft Edge browser, in total, 14 bulletins have been released since the release of this version of the OS. The new release includes updates to other Microsoft products traditional for the second Tuesday of the month. ^[33].

Three of them are critical, these updates are recommended to be installed as soon as possible. Among them are MS15-079, MS15-80 and MS15-81 that close vulnerabilities in Windows, Internet Explorer (browser) and Microsoft Office. According to analyst Wolfgang Kandek, 40% of updates released this month by Microsoft are for Windows 10. For comparison, in the first two months after the release of Windows 8, 60% of the total number of updates for Microsoft products were released for it.

Critical updates are rarely released for Office. This release closes a vulnerability through which attackers can gain control over the user's system, forcing him to open a specially created Word document. According to Microsoft, this vulnerability is already being exploited by cybercriminals.

Bulletin MS15-085 refers to a vulnerability in which USB flash drives containing code that is activated when it is connected to a device are used to gain access to the system. Examples of this are already available. The bulletin is MS15-083 worth paying attention to users of Windows Vista and Windows 2008 working with file-sharing services with the SMB (Small Message Block) protocol.

Overview of information security innovations in Windows 10

In 2015, before the official start of sales of Windows 10, reviewers analyzed what useful security features for enterprises were added to the new product.

Microsoft touts improvements in areas such as identity protection and access control, information protection, and threat resilience. For example, in the area of ​ ​ access control, Windows 10 will have native two-factor authentication, as Microsoft is trying to force users to go beyond the method of using a single password, which turned out to be too vulnerable. With two-factor authentication, attackers must obtain two pieces of information to hack the system, such as a password and code sent to a user's device, such as a smartphone.

In terms of information protection, Windows 10 is equipped with data loss prevention (DLP) technology, which is to separate personal and corporate data, and also protects the latter with "containment." Enterprise applications, data, email, web content and other sensitive information will be automatically encrypted in Windows 10 - both desktop and mobile.

IT professionals will have the opportunity to develop control policies - which applications can access enterprise data. Windows 10 extends VPN management capabilities to protect corporate data in employee-owned devices.

In the area of threat and malware resistance, Windows 10 will have device blocking features, allowing users to launch only applications signed using Microsoft's signature service.

IT administrators will be able to determine which applications they consider trustworthy: those they sign themselves, which are signed by independent software vendors, or those that are available in the Microsoft Store (formerly the Windows Store), or all of them.

2014: Natalia Kasperskaya: Windows has dangerous bookmarks

Speaking about ensuring information security states as one of the goals of import substitution, the general director of the group InfoWatch Natalia Kasperskaya at a round table To the State Duma in July 2014 expressed confidence that Windows has "bookmarks" that could damage the country.

"I have no doubt that they are there, and that at some point it is not difficult to activate them, including in those computers that are considered a protected environment: just because there is such a technical possibility. It is opportunities that are important, "Kasperskaya

said.

She added that there is no way to check "all the multimillion-dollar lines of Windows code that the developers wrote, since this requires a developer staff equal to what Microsoft has."

Developing the topic, Natalya Kasperskaya noted that everyone understands "what can happen if, for example, Microsoft is ordered to install any malicious updates throughout the country and when all computers throughout the country turn off almost overnight."

The possibilities of "bookmarks" have not yet been implemented in practice, since Russia is not in a state of open hostilities: "if we assume for a second that the country is in such a state, then they can be activated," the CEO of InfoWatch believes.

Microsoft Information Security Director in Russia Vladimir Mamykin on this occasion told TAdviser that one of the key factors ensuring the creation of secure systems based on the corporation's products is its cooperation with the state and compliance with national software certification requirements .

Microsoft products are regularly certified for compliance with information security requirements of the Russian Federation. Microsoft makes it possible for the state to make sure that there are no "secret doors" in Microsoft products. Today, more than 40 products have been certified, including Windows 8. Our clients, including state customers, can be sure that their information systems are protected in accordance with Russian requirements, "says Mamykin.

Sergey Grudanov, general director of Certified Information Systems, notes that the basis for the security of information systems is to check the software used in them for compliance with the Russian security requirements imposed by the FSTEC and the FSB. The ability to analyze the source codes, including for the absence of bookmarks in them, has been provided by Microsoft to the Russian special services for more than 10 years, and the company itself has received the largest number of certificates issued to foreign software manufacturers, Grudanov says.

Notes