The ESET report says that by comparison, the ageing Internet Explorer — that Microsoft says it does not want people to use — had 109 vulnerabilities, three of which were exploited in the wild. Though Edge had 111 vulnerabilities, none were exploited in the wild. "From our point of view this situation with Edge was predictable, because, unlike IE11, Edge keeps modern security features turned on by default, including the AppContainer full process for sandbox and 64-bit processes for tabs," the report says.
Windows 10 was written for the conditions of today, recognising the use of the Internet and email as prime attack vectors, and has completely removed vulnerabilities that plagued its earlier versions due to code written from the mid 90s when the Internet was in its infancy.
For example, the Windows 10 Enhanced Mitigation Experience Toolkit (EMET) that Microsoft introduced features Attack Surface Reduction (ASR). According to the ESET report, ASR stops the use of specific, known-vulnerable components in a system, removing a range of interrelated vulnerabilities found in earlier versions of Windows.
The report says: "The two most common types of exploit attacks in the Windows world are Remote Code Execution (RCE) and Local Privilege Escalation (LPE). The first is used by attackers to penetrate a system and the second to obtain maximum privileges on that system. In fact, RCE exploits are commonly used to target vulnerabilities in web browsers with the intention of downloading and running malicious executables – such attacks are called drive-by downloads."
Because Windows 10 is so much more secure and not so much affected by zero-day or unpatched vulnerabilities of previous Windows versions, hackers have turned their attention to gaining access via other methods – Adobe’s Flash Player, other third party programs and drivers, poisoned firmware — not just on the computer but on peripherals including printers and routers — and more.
Drivers remain a way into most systems – they are written by a hardware vendor and pushed to a system (either automatically or via notification). Microsoft has again set Windows 10 apart from earlier versions by stating that there are to be no multi-version drivers. All Windows 10 drivers must be digitally signed by Microsoft, submitted to and approved by the Windows Hardware Developer Centre, and distributed via this mechanism. This measure raises the security bar and increases stability. On the other hand, older peripherals may only run on older Windows systems.
Firmware poisoning is no longer a Windows 10 issue. On older hardware, malicious code independent of the OS can be installed on a machine that can run multiple operating systems. In other words, it can survive not only Windows reinstallation but also low-level formatting on hard drives, because the firmware is stored on a special SPI flash chip on the motherboard (NVRAM, NVS). Windows 10 includes Secure Boot as part of its UEFI boot system and manufacturers now understand how access to the SPI chip can compromise the system – measures are in place from most hardware manufacturers to prevent this.
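As a defender's check on the two controls just described, Secure Boot and Microsoft-signed drivers, here is an added PowerShell audit (example code, not the report's or the article's). It assumes an elevated session on a UEFI-capable Windows 8 or later host and uses only the built-in Confirm-SecureBootUEFI cmdlet and the Win32_PnPSignedDriver WMI class.

```powershell
# Added example (not from the ESET report or the article): audit Secure Boot
# state and driver signing on the local Windows host. Run elevated.

function Get-BootAndDriverPosture {
    # Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS systems
    # (no UEFI variables), which we report rather than treat as an error.
    $secureBoot = 'Unknown'
    try {
        $secureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        $secureBoot = 'Not available (legacy BIOS or insufficient privileges)'
    }

    # Installed PnP drivers with the signing status Windows recorded for them.
    $drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DriverProviderName } |
        Select-Object DeviceName, DriverProviderName, DriverVersion, IsSigned, Signer

    # Flag drivers that are unsigned (IsSigned false or unset) and list the
    # non-Microsoft signers. A third-party signer is not itself a problem, but
    # it is where a reviewer looks first on a host that should only carry
    # Microsoft-attested drivers.
    $unsigned   = $drivers | Where-Object { -not $_.IsSigned }
    $thirdParty = $drivers | Where-Object { $_.IsSigned -and $_.Signer -notmatch 'Microsoft' }

    [pscustomobject]@{
        SecureBoot        = $secureBoot
        DriverCount       = @($drivers).Count
        UnsignedDrivers   = @($unsigned)
        ThirdPartySigners = @($thirdParty | Select-Object -ExpandProperty Signer -Unique)
    }
}

$posture = Get-BootAndDriverPosture
"Secure Boot: $($posture.SecureBoot)"
"Drivers inventoried: $($posture.DriverCount)"
"Unsigned drivers: $(@($posture.UnsignedDrivers).Count)"
$posture.UnsignedDrivers | Format-Table DeviceName, DriverProviderName, DriverVersion -AutoSize
"Non-Microsoft signers present:"
$posture.ThirdPartySigners
```

A host reporting Secure Boot disabled, or any unsigned driver, is one where the firmware and driver protections the article credits Windows 10 with are not actually in force.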
Network devices and IoT are targets and more have been hijacked over the past year including some very high-profile devices from enterprise suppliers like Cisco, Fortinet, Juniper and more. Again, this is proof that as Microsoft tightens Windows 10 security hackers will go for other targets.
ESET sums up by saying: "Obviously, the use of a modern up-to-date Windows version, e.g. Windows 10 with the latest updates, is the best approach to being protected from cyber attacks exploiting vulnerabilities. As we have shown above and in previous versions of this report, its components contain useful security features for mitigating RCE and LPE exploits. We can say that actions taken by Microsoft to make modern versions of Internet Explorer more secure were insufficient because so-called advanced security settings that are built into Edge are still optional in IE."
Windows bashers have long cited its vulnerability, and they would have been right – 64% of the installed base uses Windows 8.1 or earlier, all of which are based on the original NT code of the late 90s. For reference, Windows 7 has 641 vulnerabilities, Windows XP has 726, and since its inception 4664 have been found. Unpatched Windows 8.1 or earlier, as seen on too many consumer devices, is not secure.
Windows 10 now has 24.36% market share and these machines are too hard to crack. That is not to say that enterprising hackers will not find ways, but of the 225 CVE vulnerabilities discovered to date none have been exploited in the wild.
For comparison, Apple’s macOS has a total of 3493 vulnerabilities, peaking with the discovery of 708 in 2015 and a further 324 in 2016. Apple’s iOS has had 984 vulnerabilities, again peaking with 387 in 2015 and 161 in 2016. That’s not to say macOS or iOS is any less secure – it simply shows that cyber criminals have made Apple a target and its long OS heritage is ripe for exploit.
Android has 691 vulnerabilities (all versions); 125 were discovered in 2015 and 523 in 2016. It is the prime target as it runs about 90% of the world’s smartphones. Google is taking drastic steps with Android 7 Nougat to take control of security updates and increase its enterprise take-up. Samsung’s Knox and BlackBerry’s PRIV handset (and later) have proven beyond doubt that Android can be secured.
My advice is two-fold. Windows 10 is the most secure version of Windows, so use it (and yes, turn off all the snooping features not dissimilar to what are found in Apple and Google environments) and use a paid anti-virus/malware/email/ID theft/password/Web safety solution. While the free versions are all good at spotting virus and malware, packages like those from ESET, Norton, Trend Micro, Kaspersky and others are very wise investments.