In its monthly security update release for August, Microsoft patched 31 separate vulnerabilities, two of which the company says are under active exploitation.
The more serious of the two vulnerabilities is a memory corruption flaw in the scripting engine in Internet Explorer 11. The bug can lead to remote code execution and allow an attacker to take complete control of a target system. This flaw (CVE-2020-1380) is of particular concern because it has been used in active attacks in conjunction with other Windows vulnerabilities. Researchers at Kaspersky discovered the vulnerability after intercepting and blocking an attack against a company in South Korea in May.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Microsoft advisory says.
This vulnerability is in a different class than a handful of other recent zero days exploited in IE, as it’s in a newer scripting engine that was introduced in IE 9. The exploit attempts that Kaspersky observed used a full chain that targeted the most recent Windows 10 builds. Although the company did not attribute the exploitation attempts to any specific group, it said there are similarities to previously discovered exploits used by the DarkHotel group, which is associated with North Korea. DarkHotel has been known to use a variety of zero days in the past and historically targets South Korean organizations quite often.
Kaspersky researcher Boris Larin reported the vulnerability, along with a separate elevation of privilege flaw used in the same exploit chain, to Microsoft in June. Microsoft patched the EoP vulnerability (CVE-2020-0986) that month, but the fix for the IE memory corruption bug was not ready yet, so in the advisory for CVE-2020-0986 the company said that the vulnerability had not been exploited in the wild. Larin said Wednesday that this was a conscious effort to avoid alerting the attackers using the exploits that they had been burned.
“At the time of our original report this was a tactical move. Patch for the RCE exploit was still not ready and disclosing about the attack would have warned the attackers. If attackers knew that their exploit has been exposed then they would start to use it while they can,” Larin said on Twitter.
"If attackers knew that their exploit has been exposed then they would start to use it while they can."
In the attack that Kaspersky observed, the attackers exploited the IE 11 flaw and then created a folder and inserted an executable file in the folder. That executable contains the exploit code for the EoP vulnerability.
“The vulnerability makes it possible to read and write the arbitrary memory of the splwow64.exe process using interprocess communication, and use it to achieve code execution in the splwow64.exe process, bypassing the CFG and EncodePointerprotection. The exploit comes with two executables embedded in its resources. The first executable is written to disk as CreateDC.exe and is used to create a device context (DC), which is required for exploitation. The second executable has the name PoPc.dll and if the exploitation is successful, it is executed by splwow64.exe with a medium integrity level,” Larin’s blog post on the attack says.
The second actively exploited vulnerability that Microsoft patched on Tuesday could allow an attacker to bypass some of the security features in Windows.
“A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded,” the advisory says.