When WannaCry hit last month, Microsoft took the unusual step of patching all of its older operating systems to guard against the systemic threat the ransomware posed to infrastructure and critical facilities, like hospitals. The one OS that didn’t require any patching was Windows 10. Now, Microsoft has released a report on how Windows 10 is designed to prevent ransomware attacks. While such techniques are always a race between black hats on one side and white hats on the other, it’s an interesting look at how OS design has evolved over the years, and what an OS developer can do to help prevent such attacks.
While security updates are automatically applied on most computers, some users and enterprises may delay deployment of patches. On older Windows versions like Windows 7 and Windows Server 2008 that didn’t take the fix in security bulletin MS17-010, but had cloud protection turned on (in Microsoft Security Essentials or Windows Defender AV), WannaCrypt was prevented from executing. However, these older versions do not have the level of exploit hardening and platform features (e.g., Device Guard, instant cloud protection, etc.) available in Windows 10 to effectively protect against the threat.
Unsurprisingly, Microsoft recommends upgrading to the latest version of Windows to solve the problem (you knew that was coming). But the company does make a good point in its whitepaper. Bing, Windows Defender, Windows 10, and Office 365 are all Microsoft products, which means the company has a very good window into the overall shape and scope of threats, even emerging ones. This is one area where big data and extensive analytics can be genuinely useful, and using a cloud-based antivirus system allows Microsoft to update its heuristics and detection algorithms in real time.
Microsoft also used the malware as an opportunity to plug Microsoft Edge, its semifunctional non-browser that’s good for maximizing battery life and not much else. While it’s true that Edge defaults to a “clean” HTML5 experience, the browser’s lack of extensions and plugins has done nothing to help it gain market share. Chances are you don’t use it (at least, not as a primary driver). It’s true that Edge has a better record on blocking socially engineered malware compared to Firefox or Chrome, at least according to tests conducted by NSS Labs, but every time I use Edge I wind up restarting it several times a day to recover webpages that have stopped responding. This even happens on MSN.com, where you’d think the browser would have a maximum chance of being properly compatible.
The Creators Update also added the ability to enable Antimalware Scan Interface (AMSI) support “during strategic execution points in JS or VBS script runtime.” The goal is to block malicious code from executing even when the code has deployed its own obfuscation methods to evade other detection schemes.
Finally (and inevitably), MS is pushing the idea of Windows 10 S as the most secure version of its operating system available. This is undoubtedly true, yet simultaneously worthless for the vast majority of users. Right now, the Windows 10 Store is simply lacking too much software to be a credible method of locking down a system. For now, it’s interesting to see how Windows 10 is secured against certain malware attacks in ways that previous versions of Windows weren’t — and it’ll be very interesting to see how well these protections hold up over the longer term.