How Windows was exploited in 2014
Researchers have published a new report revealing security flaws in Microsoft Windows and Office patched over 2014, and how services were exploited throughout the year.
On Thursday, security firm ESET published findings from an analysis of Microsoft's Windows and exploitation of the operating system throughout 2014. The detailed report (.PDF) lists the vulnerabilities in Microsoft Windows and Office patched over the course of the year, how drive-by download attacks were conducted and the various exploit techniques used to compromise the system.
As shown below, Microsoft issued patches for most of the vulnerabilities discovered in the Internet Explorer browser. Many of the security issues found are related to the Remote Code Execution type, which allows for drive-by download attacks to occur -- in other words, malicious code unintentionally downloaded to a computer due to a vulnerability in a browser. This, however, can also take place if software is out-of-date or lacks the latest security patches.
Such exploitation of the Windows system was a major trend in 2014. ESET says that in comparison to 2013, Microsoft addressed twice as many IE vulnerabilities over the past year. Microsoft's Patch Tuesday addressed these issues continually during the year, but as shown below, security fixes were also issued for other problems, including Local Privilege Escalation or what Microsoft calls Elevation of Privilege (EoP). This allows an attacker to obtain maximum access levels to Windows resources.
The values are not limited to the latest versions of Internet Explorer, however. Microsoft still supports browser version Internet Explorer 6, which ESET deems "completely unsafe." This version is still distributed with Windows Server 2003, although support is due to end this year.
The security firm says that in 2014, fewer vulnerabilities were closed than in 2013 in all components and products, except in the case of IE. Vulnerabilities were also targeted by cyberattackers, such as the zero-day flaw CVE-2014-4114 . This security issue in the Windows OLE package manager allowed the installation of malware on a victim's computer via a malicious Microsoft PowerPoint presentation, which then paved the way for BlackEnergy malware to infect PCs.
Microsoft has attempted to limit exploitation of the Windows operating system beyond patches and monthly fixes. The Redmond giant also uses exploit mitigation techniques including DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). ROP -- Return Oriented Programming -- gadgets have been used by hackers to bypass DEP, allowing attackers to modify the protection of memory pages with shellcode. These types of bypass have been discovered in exploits of Adobe Flash Player in the past.
However, Windows, the .NET framework and Office can contain legacy, non-secure DLL files which have not been compiled with secure options, placing systems at risk from ROP. These executable libraries can prove useful to attackers, especially if they have been compiled without ASLR support.
An IE security feature introduced in October 2014 is called Out-of-date ActiveX control blocking, which blocks old versions of browser plugins such as Oracle Java and Microsoft Silverlight. This blocks a range of exploits which capitalize on out-of-date versions of the software. However, researchers from Google Zero Team have demonstrated this protection is not foolproof, and an be bypassed using an IE sandbox vulnerability.
The most well-known security service Microsoft offers is the security toolkit EMET. In the latest version, 5.1, Microsoft has included additional features such as ASR (Attack Surface Reduction) and EAF+ (Export Address Table Filtering Plus). The former blocks a range of exploits in a similar way to Out-of-date ActiveX control blocking, and the latter protects .dll reading.
Unfortunately, many Windows users are still on old systems such as Windows XP. While it is possible to trick Microsoft into issuing patches for the legacy system, users are still unprotected. This version does not contain modern anti-exploit features and is no longer patched against fresh vulnerabilities, now that Microsoft has discontinued support for the old operating system.
Baranov Artem, malware researcher at ESET Russia said:
"We can predict for next year that drive-by download attacks will remain as the main avenue for exploiting vulnerabilities and delivering malicious code. Due to the significant and increasing complexity of exploit development, we also can predict that such exploits will continue to be developed by specialist engineers for use in targeted attacks."
Read on: In the world of security
- Botnets in 2014: ZeuS surge, lax policies place Web users at risk
- FTC finalizes charges against Snapchat over user privacy
- Bluster, bravado and breaches: Today's 'terrorist' players in cybersecurity
- Hackers infiltrate White House network
- FireEye predictions for cybersecurity in 2015
- Analysis casts doubt on FBI claims over Tor website seizures
- High volume DDoS attacks rise in Q3 2014
- Apple iOS Masque flaw dangers: Communication app infiltration discovered
- UK hires hackers, convicts to defend corporate networks
- ZeuS variant strikes 150 banks worldwide