Microsoft Just Made Hackers’ Lives a Lot Harder – but Has Anybody Noticed?

These Windows 10 security updates stop easy desktop pwning

By CBR Staff Writer

A host of Microsoft security updates released as part of the latest Windows 10 (version 1803) significantly reduce vulnerabilities, security professionals say, with the five new attack surface reduction rules making it much harder for attacks like Petya and other lateral movement offensives to take place on a network.

The “really important” updates have so far gone largely overlooked.

The rules block executable files from running unless they meet a prevalence, age, or trusted list criteria; use advanced protection against ransomware; block credential stealing from the Windows local security authority subsystem (lsass.exe); block process creations originating from PSExec and WMI commands and block unverified, unsigned processes that run from USB.
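The five rules above are Microsoft Defender attack surface reduction (ASR) rules, and the practical question for an administrator is how to roll them out without breaking the custom LSASS-loading software Microsoft warns about. The following PowerShell is an added example written for this article, not code from the article or from Microsoft: it enables the five rules in audit mode, verifies the configuration, and reads back the audit events so you can see what would have been blocked before switching to enforcement. The rule GUIDs are the ones Microsoft documents for these rules (verify against the current ASR rule reference before deploying); the event data field names `ID`, `Path` and `Process Name` are assumptions about the 1121/1122 event payload and may need adjusting for your build.

```powershell
# Added example (not from the article or Microsoft): stage the five ASR rules
# discussed above in audit mode, confirm them, then review what they would have
# blocked. Run in an elevated session on Windows 10 1803+ with Defender AV active.

# Rule GUIDs as documented by Microsoft for these rules (verify before rollout).
$asrRules = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
}

# Step 1: audit mode. Nothing is blocked yet; Defender only logs what would have been.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Step 2: confirm the configuration. Get-MpPreference reports actions as integers:
# 0 = Disabled, 1 = Block, 2 = Audit.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    $action = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } default { 'Unknown' }
    }
    '{0,-8} {1}  {2}' -f $action, $id, $asrRules[$id]
}

# Step 3: after a soak period, pull ASR events from the Defender operational log.
# Event 1122 = audited (would have been blocked), 1121 = blocked in enforcement.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Flatten the EventData payload into a name -> value table.
    # Field names below ('ID', 'Path', 'Process Name') are assumed; check one event's XML.
    $xml = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Mode    = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
        Rule    = $asrRules[$data['ID']]
        Process = $data['Process Name']
        Path    = $data['Path']
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize

# Step 4: once the audit log shows only expected hits (for example a custom
# smartcard driver that legitimately loads into LSASS), switch to enforcement.
# Paths that must stay exempt go in -AttackSurfaceReductionOnlyExclusions.
# foreach ($id in $asrRules.Keys) {
#     Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
# }
```

Audit-first matters most for the LSASS rule: the same compatibility problems that keep Credential Guard off a machine (smartcard drivers, LSA plug-ins) show up as 1122 events here, and those are the cases to exclude or fix before flipping the rule to block.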

Mimikatz Woe?

The update’s ability to block credential stealing from LSASS particularly stands out.

“Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS,” Microsoft said.

“However, some organizations can’t enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority. In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS”, Microsoft said.

[Image caption: No more Mimikatz-powered pwning?]

“Slightly disappointing!”

Etienne Greef, CTO of SecureData, told Computer Business Review: “Frankly these should have happened ages ago; they’re obvious patches to make, but with desktops becoming a much bigger target – as well as features, Microsoft has finally done something. If properly used this will block attacks like Petya and other lateral movement attacks, as well as stopping very common DDE exploits that are used in the wild.”

He added: “It might make Red Team life a little harder – I’m almost a bit disappointed! – but it’s good they’ve finally done it…”

One of the other main changes highlighted by information security professionals is a rule that allows admins to prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards.

No More “Cottonmouth” Ripoffs?

It comes as many security professionals drew lessons from Edward Snowden’s leak of the NSA’s “ANT Catalogue”, a 50-page classified document listing technology available to the agency’s Advanced Network Technology (ANT) Division to aid in cyber surveillance.

This included tools like “Cottonmouth-I”, a USB hardware implant that provides a wireless bridge into a target network via a “covert channel”, something more than a few hackers rapidly emulated.

Chris Wallis, founder of penetration testing specialists Intruder, told Computer Business Review: “Microsoft are definitely raising the bar with this update, and taking away some firm favourites from the attacker’s bag of tricks. While some of the rules may inconvenience in edge cases, most companies will be able to apply them without much fuss, and genuinely level up their cyber security. Attackers will find new ways around, as always, but it’s definitely one small step closer to Bill Gates’ vision of Trustworthy Computing.”
