30 Jul

Microsoft enhances security with xFG, KDP, and buried Win10 Update deferral options

This month, I’ll be writing a reaction blog post to Aaron and Brad’s discussion on the Enterprise Dish podcast. This is not intended as a recap of what they discussed, and I may even contradict them some of the time (don’t tell Aaron!), so I would encourage you to check out their discussion as well, embedded below.

WFH isn’t temporary

And what a mess they start off with. The world is still in a pandemic, our country is a particular standout on that point, and everyone who is able to do so is working remotely (with the thousand interruptions per day that this often entails). We have more SmartDeploy customers experimenting with cloud deployment and remote device management than ever before, and even here at Prowess and SmartDeploy, we have multiple new hires that we’ve never met in person (which is itself an interesting security challenge!). And of course, security updates to Windows are coming faster and harder than ever before.

Microsoft introduces xFG and KDP

Two new features came to Windows last month – Extreme Flow Guard (xFG) and Kernel Data Protection (KDP). Broadly speaking, these two features aim at conceptually similar goals – preventing malware from exploiting deliberately crafted breakdowns in the normal execution of application code to inject arbitrary code (either into process memory or into the OS kernel) that then runs with administrative privileges without anyone having authorized the application to do so. It’s a form of OS hardening – rather than playing whack-a-mole with individual memory or kernel corruption vulnerabilities (many of which may not be discovered until they are exploited in the wild), Microsoft (in parallel with Intel’s CPU development) seems to be trying to harden the OS against whole classes of such vulnerabilities. Which is good. Running a line of evil code without having the requisite privileges is, and should be, difficult. But an attacker only needs to succeed once the hard way – it’s the proverbial “wishing for more wishes” after that point. Once you’ve taken administrative control of a computer (or a domain), everything else you want to do becomes easier. The organization defending against such an attack must then rely on various post hoc methods of detection, which the attacker may now have the requisite permissions to compromise as well. We’ve seen the results of this in many data breaches, where it is later revealed that the number of compromised computers, user accounts, and records was greater than the affected organization initially believed – or disclosed publicly, in many cases.

As Brad’s colleague Russell Smith notes in his blog post explaining the two new features, xFG is Microsoft’s second attempt to systemically mitigate memory corruption vulnerabilities, because their first crack at the problem broke a lot of applications. And isn’t this always the battle? The answers, individually, sound easy and a little dismissive of reality. Update your apps! Fix your stuff! And you, Director of IT, should silo and test every one of your updates on a test bench (with personnel who presumably spend a lot of their time on other tasks). Withhold them with WSUS, test them exhaustively, and only roll them out when they are proven not to break a single application for a single user. And meanwhile, a potential vulnerability is out in the world and your company remains at risk. It’s a hard and high-stakes choice, and we trivialize it at our peril, because users and admins alike may eventually just throw up their hands and give up.

A bit harder to defer Windows 10 Updates

Microsoft rolled out another change with this update: it made manually deferring Windows 10 Feature Updates a little harder to find for end users, removing the option from the Windows Update UI and forcing a user who wants (and has been granted by their IT admin) such granular control over their update experience to dig a little deeper and create a local GPO instead. As Aria Carley notes on the Windows IT Pro blog, Microsoft already defaults users on Version 1903 or later to remain on their current Windows 10 version until it is nearing its end of life, 18-30 months after that OS version’s release date. By the time the longest possible end-of-life date arrives, as many as five new versions of Windows 10 will have been released (and would previously have pestered the user on the Windows Update screen). By hiding these options until they present a relevant security choice for the user to make, Microsoft may annoy a few users who crave granularity, but it also strikes me as a fine, secure-by-default usability choice. I’ve spoken to a great many users (and IT directors!) operating under the mistaken impression that they have to install the latest version of Windows 10 every 6 months to remain fully security-patched (which – if they review the Windows lifecycle factsheet – is not at all true), and anything the UI can do to disabuse them of that notion, while also encouraging them to install regular updates to their current version of Windows 10, strikes a fine balance in my view.
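As an added example (not code from the original post or from Microsoft), the PowerShell below inspects and sets the registry-backed Windows Update for Business policy that the "Select the target Feature Update version" Group Policy writes, which is what pins a device to its current Windows 10 version now that the UI option is gone. It assumes Windows 10 1903 or later and an elevated session; the function names and the version string are my own choices.

```powershell
# Added example: pin a device to a Windows 10 feature-update version via local policy.
# Assumes Windows 10 1903+ and an elevated PowerShell session. Quality (security)
# updates for the pinned version continue to install as normal.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$VersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-FeatureUpdatePin {
    # Report the running version and whether a target version policy is in effect.
    $running = (Get-ItemProperty -Path $VersionKey).ReleaseId
    $policy  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunningVersion = $running
        PinEnabled     = [bool]$policy.TargetReleaseVersion
        PinnedVersion  = $policy.TargetReleaseVersionInfo
    }
}

function Set-FeatureUpdatePin {
    param(
        # Version to stay on, e.g. '1909'. Defaults to the version already installed.
        [string]$Version = (Get-ItemProperty -Path $VersionKey).ReleaseId
    )
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # TargetReleaseVersion = 1 enables the pin; TargetReleaseVersionInfo names the version.
    Set-ItemProperty -Path $PolicyKey -Name 'TargetReleaseVersion'     -Value 1        -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'TargetReleaseVersionInfo' -Value $Version -Type String
}

function Clear-FeatureUpdatePin {
    # Remove the pin so the device follows Microsoft's default rollout cadence again.
    Remove-ItemProperty -Path $PolicyKey `
        -Name 'TargetReleaseVersion', 'TargetReleaseVersionInfo' -ErrorAction SilentlyContinue
}

# Example usage: show the current state, then pin to whatever version is running.
Get-FeatureUpdatePin
Set-FeatureUpdatePin
Get-FeatureUpdatePin
```

Run `gpupdate /force` afterwards or wait for the next policy refresh before the Windows Update client honours the new setting.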

That’s all for July! Stay patched, stay frosty, and stay safe.

About the Author

Glenn Bristol
Glenn Bristol has been an integral part of the SmartDeploy Support team since 2014. He enjoys helping customers work through technical challenges. When Glenn isn't working you can find him spending time with his family or reviewing movies on his podcast.