Microsoft has released a patch for a Windows vulnerability that at least one attack group has already used as part of an exploit chain in some targeted attacks.
The Windows bug is a local elevation-of-privilege vulnerability and it affects many current versions of the OS, including Windows 10 and Windows 7. Researchers at Kaspersky Lab discovered the vulnerability while investigating some recent attacks that also involved a bug in Google Chrome. The Chrome vulnerability was a zero day at the time that the attacks were discovered in October, and after Kaspersky disclosed it to Google, the company patched it in Chrome 78.
While investigating the attacks that exploited the Chrome flaw, the Kaspersky researchers found that the attackers were chaining it with a previously unknown Windows bug.
“The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox. The exploit is very similar to those developed by the prolific 0-day developer known as ‘Volodya’,” the researchers said in their analysis of the flaw.
“The EoP exploit consists of two stages: a tiny PE loader and the actual exploit. After achieving a read/write primitive in the renderer process of the browser through vulnerable JS code, the PE exploit corrupts some pointers in memory to redirect code execution to the PE loader. This is done to bypass sandbox restrictions because the PE exploit cannot simply start a new process using native WinAPI functions.”
The vulnerability itself lies in the win32k.sys driver in Windows, and an attacker able to exploit it could run arbitrary code in kernel mode. To exploit the flaw, though, the attacker would already need some access to the target machine, which is why it is paired with a browser exploit in the observed chain.
“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft’s advisory says.
The Windows vulnerability was patched as part of Microsoft’s December updates this week.