About a month ago Microsoft Defender started to protect against a disabled “Protection by local [sic] Security authority”. The developers have corrected this error. Defender has received new protection components for this: “Hardware-supported stack protection in kernel mode” and “Firmware Attack Surface Reduction”.
Microsoft Defender: New protection modules
The Defender update could have gone through many users unnoticed. The taskbar icon for Windows security currently usually shows a yellow exclamation mark – although the error that was responsible for this has now been fixed. Since mid-March, Defender had falsely warned that local security authority protection was disabled. This is no longer the case.
The taskbar icon for Windows security currently often still shows an error.
(Bild: Screenshot / dmk)
Instead, on computers with more recent processors, the warning confusingly indicates that a new protection is active, even though the switch is set to “Off”: “Microsoft’s FASR (Firmware Attack Surface Reduction) protection is activated on your device.” . This appears as a signature for a module that is also new.
Microsoft’s explanation of this is: “For code running in kernel mode, the CPU confirms requested return addresses with a second copy of the address stored on the shadow stack to prevent attackers from substituting an address that runs malicious code instead. Note that not all drivers are compatible with this security feature”. It is a protective mechanism that Microsoft already wanted to include in Windows 10 – called “hardware-enforced stack protection”.
The Windows security icon in the taskbar shows an error again. This time, however, it concerns a new protection mechanism.
(Bild: Screenshot / dmk)
Newer processors from Intel and AMD support a shadow stack mechanism with which they keep a copy of the program stack. If malware attacks a security gap in software that enables manipulation of the stack and changes the return address in the process, the modern CPUs can recognize the change by comparing it with the intact shadow copy and prevent the malicious code from being executed. This helps prevent attacks such as those based on return-oriented programming (ROP), which is a common trick of malware.
Better protected during boot process
After activating the option, next to which Microsoft explains the FASR protection, and the necessary restart, the error message from the Windows Security Center in the taskbar disappears. However, nothing about the firmware protection is displayed on a test device. According to the explanation of the core isolation component of Microsoft’s Defender, apparently a “firmware protection” function should be visible. Microsoft explains the mechanism in detail in an online article. Put simply, FASR should check firmware components on hardware that supports it for changes and thus ensure that no malware sneaks into the boot chain.
Even if it is not entirely clear whether the firmware protection is now active or not, additional protection modules are a welcome development IT managers worry that something might really be wrong on the affected computers.
(dmk)
