Kaspersky automated detection technologies have found a Windows zero-day vulnerability. The exploit based on this vulnerability allowed attackers to gain higher privileges on the attacked machine and avoid protection mechanisms in the Google Chrome browser. The newly discovered exploit was used in the malicious WizardOpium operation.
Zero-day vulnerabilities are previously unknown bugs in software which, if found by criminals first, enable them to operate unnoticed for an extended period of time, inflicting serious and unexpected damage. Regular security solutions can neither identify the resulting system infection nor protect users from a threat that has not yet been recognized.
The new Windows vulnerability was found by Kaspersky researchers as a result of a separate zero-day exploit. In November 2019, Kaspersky's Exploit Prevention technology, which is embedded in most of the company's products, detected a zero-day exploit in Google Chrome. This exploit allowed attackers to execute arbitrary code on a victim's machine. Upon further research into this operation, which the experts called 'WizardOpium', another vulnerability was discovered, this time in the Windows OS.
It emerged that the newly discovered Windows zero-day elevation of privileges (EoP) exploit, CVE-2019-1458, was embedded into the previously discovered Google Chrome exploit. It was used to gain higher privileges on the infected machine as well as to escape the Chrome process sandbox - a component built to protect the browser and the victim's computer from malicious attacks.
Detailed analysis of the EoP exploit showed that the abused vulnerability belongs to the win32k.sys driver. The vulnerability could be abused on the latest patched versions of Windows 7 and even on a few builds of Windows 10 (newer versions of Windows 10 are not affected).
"This type of attack requires vast resources. However, it gives significant advantages to the attackers and, as we can see, they are happy to exploit it," said Anton Ivanov, security expert at Kaspersky. "The number of zero-days in the wild continues to grow and this trend is unlikely to go away. Organizations need to rely on the latest threat intelligence available at hand and have protective technologies that can proactively find unknown threats such as zero-day exploits."
Kaspersky products detect this exploit with the following verdict: PDM:Exploit.Win32.Generic.
The vulnerability was reported to Microsoft and patched on December 10, 2019.
To prevent the installation of backdoors through the Windows zero-day vulnerability, Kaspersky recommends taking the following security measures:
- Install Microsoft's patch for the new vulnerability as soon as possible. Once the patch is installed, threat actors can no longer abuse the vulnerability.
- Make sure that all software is updated as soon as a new security patch is released if you are concerned about the safety of your whole organization. Use security products with vulnerability assessment and patch management capabilities to make sure these processes run automatically.
- Use a proven security solution with behavior-based detection capabilities for protection against unknown threats, such as Kaspersky Endpoint Security.
- Make sure your security team has access to the most recent cyber threat intelligence. Private reports on the latest developments in the threat landscape are available to customers of Kaspersky Intelligence Reporting. For further details, contact: intelreports@kaspersky.com.
- Use sandbox technology to analyze suspicious objects. Basic access to Kaspersky Cloud Sandbox is available at https://opentip.kaspersky.com/.
For further details on the new exploit, see the full report on Securelist.
To take a closer look at the technologies that detected this and other zero-days in Microsoft Windows, a recorded Kaspersky webinar is available to view on demand.