Windows is still one of the world’s most popular operating systems. It powers billions of computers across the globe. Windows has become a byword for computing. Microsoft’s and Windows’ dominance makes them a constant target. And while Windows 10 is their most secure operating system yet, it still has numerous vulnerabilities.
The vulnerabilities are not small, either. The DoubleAgent attack can hijack each Windows version, disabling antivirus programs in the process. Furthermore, Microsoft Edge is a massive target for hackers. Not quite at the same level as Internet Explorer — that would be outrageous — but at worrying levels, nonetheless.
Microsoft products are still regularly exploited. Despite ramping up the security for Windows 10, it remains a major target. Let’s consider what’s been happening and why.
March 2017 saw security researchers from Cybellum announce the discovery of a new Windows zero-day exploit. The Israeli research team confirmed that the attack, named DoubleAgent, can “directly assault and hijack control over the antivirus.” DoubleAgent exploits a relatively unknown feature found on all versions of Windows from XP to Windows 10.
DoubleAgent exploits the Microsoft Application Verifier, a runtime verification tool used to discover and fix bugs in applications. Researchers discovered an undocumented ability that allows an attacker to replace the standard verifier with a custom verifier. Once the custom verifier is in place, the attacker can “inject any DLL into any process.” This takes place extremely early during the “victim’s process boot, giving the attacker full control over the process and no way for the process to protect itself.”
The Application Verifier is designed to strengthen application security by checking and fixing bugs. Ironically, it does the opposite here, earning the DoubleAgent name in the process.
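To make the mechanism above concrete from the defender’s side, here is an added example (it is not from the article, from Cybellum or from Microsoft): a small Python audit that parses a `reg export` of the Image File Execution Options (IFEO) key, where Application Verifier keeps its per-executable settings, and flags any executable whose verifier DLL list names something outside an allowlist. `GlobalFlag` (bit 0x100 enables the verifier) and `VerifierDlls` are the documented Application Verifier value names; the allowlist contents, the names `avscanner.exe` and `rogue_verifier.dll`, and the sample export embedded at the bottom are constructed for this example.

```python
"""Audit an exported Image File Execution Options (IFEO) hive for
Application Verifier provider registrations.

Added example, not from the article or from Cybellum: it parses the text
that `reg export` writes and flags every executable whose verifier DLL list
names something outside an allowlist. GlobalFlag and VerifierDlls are the
documented Application Verifier settings; the allowlist contents and the
sample export at the bottom are constructed for this example.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

# FLG_APPLICATION_VERIFIER: the GlobalFlag bit that turns the verifier on.
FLG_APPLICATION_VERIFIER = 0x100

# Assumed allowlist: provider DLLs shipped with Microsoft Application Verifier.
# Extend it with whatever your developers legitimately register.
KNOWN_PROVIDERS = {"vrfcore.dll", "vfbasics.dll"}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(.+)$')


@dataclass
class IfeoEntry:
    image: str
    global_flag: int = 0
    verifier_dlls: list[str] = field(default_factory=list)

    @property
    def verifier_enabled(self) -> bool:
        return bool(self.global_flag & FLG_APPLICATION_VERIFIER)


def _decode_value(raw: str):
    """Decode the two .reg encodings this audit cares about: dword and string."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # hex(...) blobs and other types are left untouched


def parse_ifeo_export(text: str) -> list[IfeoEntry]:
    """Collect GlobalFlag/VerifierDlls for each per-executable IFEO subkey."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        sec = _SECTION.match(line)
        if sec:
            leaf = sec.group(1).rsplit("\\", 1)[-1]
            # Only subkeys named after an image matter; the IFEO root and
            # other helper subkeys carry no verifier settings.
            if leaf.lower().endswith(".exe"):
                current = entries.setdefault(leaf.lower(), IfeoEntry(leaf))
            else:
                current = None
            continue
        val = _VALUE.match(line)
        if not (val and current):
            continue
        name, value = val.group(1).lower(), _decode_value(val.group(2))
        if name == "globalflag" and isinstance(value, int):
            current.global_flag = value
        elif name == "verifierdlls" and isinstance(value, str):
            current.verifier_dlls = value.split()
    return list(entries.values())


def suspicious_verifier_entries(entries, allowlist=KNOWN_PROVIDERS):
    """(image, non-allowlisted DLLs) for every image that would load a custom verifier."""
    findings = []
    for e in entries:
        if not (e.verifier_enabled or e.verifier_dlls):
            continue
        rogue = [d for d in e.verifier_dlls if d.lower() not in allowlist]
        if rogue:
            findings.append((e.image, rogue))
    return findings


# Constructed sample export (not from a real host): notepad.exe shows a
# legitimate developer registration, avscanner.exe the DoubleAgent-style pattern.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll vfbasics.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscanner.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="rogue_verifier.dll"
'''


def audit(text: str):
    """Parse an export and return the findings in one call."""
    return suspicious_verifier_entries(parse_ifeo_export(text))


if __name__ == "__main__":
    # reg export writes UTF-16 with a BOM; with no argument, audit the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            data = fh.read()
    else:
        data = SAMPLE_EXPORT
    for image, dlls in audit(data):
        print(f"{image}: non-allowlisted verifier DLL(s) {', '.join(dlls)}")
```

On a host, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and pass the file to the script; on 64-bit Windows, export the `Wow6432Node` copy of the key as well, since 32-bit images read their settings there. A developer who has enabled Application Verifier through `appverif.exe` will appear with Microsoft’s own provider DLLs, which is why the check works from an allowlist rather than flagging every registration; anything else, and especially a registration against a security product’s executable, is worth an incident ticket.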
Antivirus Used Against You
An attack that can take control of your antivirus is significant. Attacks that disable antivirus and antimalware software are common, but having the tables completely turned is an eye-opener. By using DoubleAgent, a malicious actor can:
- Turn antivirus into malware — Antivirus software operates from a privileged position on your computer. As it is a highly trusted process, antivirus can see everything and do anything. Therefore, any malicious activity is considered legitimate, and the attacker can bypass any security.
- Modify the antivirus behavior — The attacker has free rein to change whitelists, blacklists, open ports, alter firewalls, and much more. By disabling the antivirus, backdoors could easily be installed.
- Destruction — The malicious actor can simply destroy the system, depending on the reason for the attack. Without any antivirus to stop certain actions, local storage could be encrypted, or formatted.
Furthermore, unfettered access across the entire system through the antivirus could see private and/or sensitive data stolen.
Cybellum contends that the only antivirus product able to defend against DoubleAgent is Windows Defender. Windows Defender is the only antivirus product using the Windows Protected Processes mechanism, a kernel-level protection technique specifically designed to mitigate attacks of this type.
Conversely, Avast CTO Ondrej Vlcek said Cybellum alerted his firm to the vulnerability last year. As such, the vulnerability is no longer an issue. Norton Security told ZDNet a similar story: after investigating the issue, they found no vulnerability caused by the proof-of-concept attack (despite the video created by Cybellum attacking their product).
Nonetheless, they have implemented additional detection and blocking techniques.
Microsoft Edge at Pwn2Own
Pwn2Own is an annual hacking contest held at the CanSecWest security conference. The 2017 edition marked the 10th anniversary of the competition and a massive $1,000,000 prize fund. The targets change every year, but are usually a mix of browsers and other common software.
Microsoft introduced an entirely new browser with Windows 10. Edge was largely created from scratch so as to avoid building on the vulnerabilities of yesteryear, found in old Internet Explorer versions. Microsoft needed a browser to directly compete with Chrome and Firefox. In some parts, it has succeeded. In others, it is still lagging behind…
The 2017 Pwn2Own saw Microsoft Edge hacked “no less than five times.” You want the good news? These hacks were completed by highly skilled, professional hackers. One hack, completed by a team from “360 Security,” exploited a heap overflow bug in Microsoft Edge, a type confusion in the actual Windows kernel, and an uninitialized buffer in VMware Workstation, escaping a virtual machine.
In other words, they completed three separate advanced hacks to gain access to the host operating system. Their efforts earned them $105,000.
Other Hacks Are Available
There were four other successful hacks against or utilizing Microsoft Edge. The Pwn2Own focus on Microsoft Edge is eye-opening and worrying. Microsoft built a new browser from scratch to eliminate many of the old insecurities that saw IE ridiculed. Unfortunately, it seems Microsoft Edge is similarly susceptible.
As an aside, Google Chrome was unhackable.
Why Microsoft? Why Windows?
Do Microsoft take more flak than they truly deserve?
In my opinion, Microsoft is running at about even. The computing world love to pile onto Microsoft for each and every vulnerability found. And rightly so. As the company with the largest market share, Microsoft has a massive responsibility to protect users, be they home, business, or enterprise, from the expansive world of hacking and cybercrime.
Earthquakes, hurricanes… Haiti is definitely more vulnerable than Windows 10.
— Jimmy Five (@JimmyFive71) October 4, 2016
However, as robust as we would like Windows to be, hackers gon’ hack. And as Cybellum’s DoubleAgent zero-day discovery illustrates, there are always unexpected attack vectors waiting to be found. Windows is closed-source. Microsoft keeps their source code under wraps — understandably. There are inherent issues with any proprietary software. The litany of bugs, vulnerabilities, and zero-day exploits is a direct symptom of that.
Microsoft Windows remains extremely popular. It is accessible, familiar to many, and comes pre-installed on millions of computers. Microsoft clearly understand the need for security. Windows 10 is vastly more secure than previous Windows versions. Microsoft Edge is moving in the right direction, albeit slowly. But newsworthy vulnerabilities, such as the year-old zero-day only just patched, will continue to cause understandable alarm throughout the cyber security world.
Despite Windows 10’s improved security, you should still be running a competent antivirus application or full online security suite.
Do you feel safe using Windows? How would you improve Windows security? Does Microsoft do enough to protect users? Let us know your thoughts below!
Image Credit: a-image via Shutterstock.com