Research Shows Zero-Days Much Less Likely to Compromise Latest Windows OS Version
The biannual schedule for Windows 10 feature updates hasn’t been popular with enterprises or consumers but Microsoft maintains that it is the best way to provide a secure computing environment for its customers. With the threat landscape changing so rapidly, Windows needs to be updated more frequently than in the past.
Matt Miller, a Microsoft Security Response Center security engineer, recently tweeted new research that shows only about 40% of Windows zero-day vulnerabilities were used to successfully compromise the latest versions of Windows between 2015 and 2019. So, hackers were more likely to effectively use zero-days against older versions of the OS.
Additionally, in about 66% of incidents, zero-days failed to compromise Windows because of exploit mitigations added to the latest OS version. If you remember, Microsoft integrated features that are part of the Enhanced Mitigation Experience Toolkit (EMET) into Windows 10. EMET is a free tool for Windows 7 and Windows 8.1 that can optionally be used to bolster security. Microsoft adds and updates exploit mitigations with each new Windows 10 feature update. In Miller’s own words:
This highlights that staying current with the latest version of Windows has remained a good defense for many of the zero-day exploits observed in the wild that target Windows CVEs due in large part to the mitigations being added each release.
Miller recently presented at BlueHat Israel where he shared figures showing that Windows is most often compromised using zero-days before Microsoft develops a patch or because companies fail to patch their systems. And it’s no surprise that 70% of all vulnerabilities in Windows are memory-management bugs.
Need for a Safe Systems Programming Language
Ryan Levick, Principal Cloud Developer Advocate, recently announced that Microsoft is exploring memory-safe programming languages, starting with Rust, to move developers away from C and C++. Rust is designed with built-in protections against problems like memory corruption vulnerabilities, buffer overflows, use-after-free flaws, and more. As Levick points out, memory-safe languages like C# and Python are already widely used at Microsoft. But for building systems like OS kernels there is a need for a systems programming language that can replace C and C++ while offering the same speed and predictable performance. That’s where Rust comes in.
Rust is already quite popular in the developer community. Mozilla has been using it for Firefox since July 2016, which would make sense as Rust started as a Mozilla research project. Cloudflare and Dropbox both make some use of Rust. Memory-safe languages allow developers to get on with coding new features without worrying about memory flaws that could let hackers compromise the app.
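To make the memory-safety point above concrete, here is a small added example (written for this article, not code from Microsoft or the Rust project) showing what happens in Rust to two of the classic C bugs mentioned: an out-of-bounds write is stopped by a bounds check instead of silently corrupting adjacent memory, and a use-after-free is rejected at compile time. The buffer size of 8 bytes and the function names are assumptions chosen for the example.

```rust
// Added example, not from the article: how Rust handles two classic C memory
// bugs (out-of-bounds writes and use-after-free). Buffer size and names are
// chosen for the example.

/// Copy `src` into a fixed-size buffer the way a naive C copy loop would.
/// In C, a `src` longer than the buffer overwrites whatever sits after it on
/// the stack. In Rust every index is bounds-checked, so the same mistake stops
/// with a panic and never writes past the end of `buf`.
fn unchecked_copy(src: &[u8]) -> [u8; 8] {
    let mut buf = [0u8; 8];
    for (i, b) in src.iter().enumerate() {
        buf[i] = *b; // panics if i >= 8 instead of corrupting memory
    }
    buf
}

/// The idiomatic version: make the size mismatch part of the API so callers
/// must handle it. Returns None instead of panicking when `src` does not fit.
fn checked_copy(src: &[u8]) -> Option<[u8; 8]> {
    let mut buf = [0u8; 8];
    let dst = buf.get_mut(..src.len())?; // None if src.len() > 8
    dst.copy_from_slice(src);
    Some(buf)
}

/// Run the unchecked copy and report whether the bounds check stopped it.
/// This is how a Rust program observes an "overflow": as a contained panic,
/// not as a smashed return address or a corrupted neighbouring variable.
fn overflow_is_contained(src: &[u8]) -> bool {
    std::panic::catch_unwind(|| unchecked_copy(src)).is_err()
}

// A use-after-free cannot be expressed in safe Rust at all. The following
// would not compile, which is the point: the borrow checker rejects it.
//
//     let dangling: &String;
//     {
//         let s = String::from("secret");
//         dangling = &s;          // borrow of `s` ...
//     }                           // ... which is dropped (freed) here
//     println!("{}", dangling);   // error[E0597]: `s` does not live long enough
//
// In C the equivalent pointer to freed stack or heap memory compiles cleanly
// and becomes a use-after-free bug of the kind the article describes.

fn main() {
    println!("checked_copy(3 bytes)  = {:?}", checked_copy(b"abc"));
    println!("checked_copy(9 bytes)  = {:?}", checked_copy(b"123456789"));
    println!("8-byte copy contained? {}", overflow_is_contained(b"12345678"));
    println!("9-byte copy contained? {}", overflow_is_contained(b"123456789"));
}
```

The `unchecked_copy` function is deliberately written in C style to show that even careless Rust fails safely; `checked_copy` is what a reviewer would ask for, because the oversized input becomes an ordinary `None` the caller has to deal with rather than a crash or a silent overwrite.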
Windows 10 Servicing and Security
According to this research, it appears that Microsoft’s promise of a more secure Windows rings true for organizations that are keeping up-to-date with the latest Windows 10 feature updates. But it’s no easy task to test and deploy major feature releases twice yearly. To help organizations stay current, Microsoft is testing a new strategy for the 2019 fall release of Windows 10, 19H2. For the first time, the feature update will be delivered via servicing as a Cumulative Update (CU) for users running Windows 10 1903. Users upgrading from older versions will receive the update in the form of a full OS upgrade instead.
Microsoft hasn’t committed to this plan for versions of Windows beyond 19H2, but I believe anything that helps users stay current is likely to be adopted in the long term. It’s likely we’ll see a tick/tock release schedule going forward, where the second yearly feature update is released as a CU. And if you want to keep your systems secure, the data backs up the claim that keeping Windows current with the latest feature releases significantly reduces the chance of compromise.