SCSPBP4: Windows System Startup Process Protection
The out-of-the-box CSP policies provide significant protection against these vulnerabilities, as they do against any type of injected code. No policy updates are necessary. As soon as the injected code attempts behavior that is not normal for the program it was injected into, CSP blocks that behavior. Since the goal of most attacks is to use the program's privileges in unauthorized ways, most attacks will be blocked. Some specific examples:
- All CSP policies block incoming network connections by default, thus preventing access to this vulnerability from remote systems. If inbound network connections are required, the customer must configure the policy to allow specific remote networks to connect. Unknown (and potentially malicious) remote systems would still be blocked.
- All CSP policies prevent LSASS and CSRSS from launching any unexpected programs. The policies have a very specific list of programs LSASS and CSRSS normally launch. If the attack code tries to download and run a Trojan program, it won't be able to launch the Trojan. This is true whether the attack is made via this vulnerability or any other method and whether it is injected from a remote system or a malicious local program.
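The launch restriction in the last item can be modelled as a default-deny lookup keyed on the parent process. The following is an added example, not CSP policy syntax or code from the product; the allowlist entries, the function names and the sample events are constructed assumptions for illustration.

```python
import ntpath

# Constructed sample policy: parent image -> child images it may launch.
# These entries are illustrative assumptions, not CSP's shipped program list.
ALLOWED_CHILDREN = {
    r"c:\windows\system32\lsass.exe": {r"c:\windows\system32\efsui.exe"},
    r"c:\windows\system32\csrss.exe": {r"c:\windows\system32\conhost.exe"},
}


def norm(path):
    """Canonicalise a Windows path: strip quotes, resolve '..', fold case."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def evaluate(parent, child):
    """Return 'allow', 'deny' or 'not-covered' for one process launch."""
    allowed = ALLOWED_CHILDREN.get(norm(parent))
    if allowed is None:
        return "not-covered"  # parent is not one of the protected processes
    # Match on the full normalised path, so a look-alike file name in
    # another directory does not satisfy the policy.
    return "allow" if norm(child) in allowed else "deny"


# Constructed process-creation events as (parent image, child image).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\conhost.exe"),
    (r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\cmd.exe"),
    (r"C:\Windows\System32\lsass.exe", r"C:\Users\Public\efsui.exe"),
    (r"C:\WINDOWS\system32\csrss.exe", r"C:\Windows\System32\..\Temp\conhost.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
]


def decisions(events):
    """Evaluate every event and return the list of verdicts in order."""
    return [evaluate(parent, child) for parent, child in events]


if __name__ == "__main__":
    for (parent, child), verdict in zip(SAMPLE_EVENTS, decisions(SAMPLE_EVENTS)):
        print(f"{verdict:<12} {ntpath.basename(parent)} -> {child}")
```

The same comparison can be run over exported process-creation logs to find launches that such a policy would have denied.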