2016 Windows Exploitations

Over the course of 2016, vulnerabilities in Internet Explorer and Edge were fixed after numerous in-the-wild exploitations. According to the statistics, the number of Internet Explorer vulnerabilities exploited in the wild declined, and no vulnerabilities were found to be exploited in the Edge web browser. The most likely reason Edge saw no in-the-wild exploitation is that its security features are enabled by default.

Around 60 security updates were released, the largest number ever delivered to Windows users, fixing vulnerabilities used for attacks such as Remote Code Execution (RCE) and Local Privilege Escalation (LPE). Most of the updates for Win32k.sys (the Windows kernel-mode GUI subsystem driver) and other kernel-mode drivers fixed LPE vulnerabilities. The number of patched vulnerabilities increased in 2016 for every component except Internet Explorer.

Microsoft also introduced a cumulative update model for Windows 7 and 8.1. Unlike the previous model, updates are now offered cumulatively in a monthly package. This new update model simplifies the update process and reduces the number of steps, especially for IT specialists who keep Windows systems patched continuously. The Windows 10 Anniversary Update was also released in 2016. It brought the Windows Subsystem for Linux, so users can now run the bash command interpreter and other Linux tools, as well as their own Linux applications.

The most common exploit types on Windows are RCE and LPE. RCE is used to compromise a system, while LPE is used to acquire maximum privileges on that system. RCE attacks target vulnerabilities in web browsers to download and run malicious executables, as in drive-by downloads. Once the attacker has penetrated the system, he/she needs maximum privileges for the code to gain full control of the system. The LPE vulnerabilities that get exploited are usually in the standard Windows win32k.sys driver.

Once the attacker exploits a vulnerability in win32k.sys, he/she gains SYSTEM privileges and is able to run malicious code in kernel mode. The attacker can also use such vulnerabilities to reach "god mode", which provides the ability to circumvent hypervisor-based security measures and gain full control of a system running a VM.