Microsoft recently fixed an admin-to-kernel vulnerability in Windows, six months after security experts from Avast brought the problem to the attention of the company.
Hackers from the Lazarus Group, which is affiliated with the North Korean government, actively exploited the bug as a zero-day. The flaw sits in appid.sys, the kernel driver behind AppLocker, the application allow-listing feature built into Windows.
Although Avast reported the vulnerability to Microsoft six months earlier, the company only fixed it in February’s Patch Tuesday update. The vulnerability is tracked as CVE-2024-21338. Microsoft’s advisory initially made no mention of in-the-wild exploitation; that note was added after Avast published its analysis of the exploit.
According to Avast, Lazarus Group exploited the admin-to-kernel vulnerability to obtain a read/write primitive over kernel memory and used it to install its FudModule rootkit. With that foothold the rootkit hides files and processes from the operating system while giving the attackers a high degree of control over the machine, which can mean blinding security software and sabotaging critical processes without Windows noticing.
‘Holy grail’ among exploits
Lazarus’ exploit interacts with the kernel, the part of the OS that manages the most sensitive operations, without being detected. For such malware to work, the attackers must first obtain administrator privileges on the infected PC. In recent years, Lazarus and other groups have repeatedly cleared that hurdle.
What is new about this exploit is that the attackers did not load a vulnerable driver of their own (BYOVD, or ‘bring your own vulnerable driver’) but exploited a flaw in a driver that already ships with Windows. Avast calls this the “holy grail” among such vulnerabilities because security tooling is much less likely to notice it: there is no extra driver to drop, sign or load, so vulnerable-driver blocklists and driver-load monitoring have nothing to flag.
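The difference between the two approaches is easy to see from the defender’s side. The script below is an added example written for this article, not code from Avast or Microsoft: it lists the kernel drivers currently loaded on a Windows host and flags the ones a BYOVD hunt would normally catch, namely drivers loaded from outside the Windows drivers directory or not carrying a valid Microsoft signature. The `AppID` service name for appid.sys and the signer-subject pattern are assumptions based on standard Windows builds; the thresholds are triage heuristics, not indicators of compromise.

```powershell
# Added example (not from the article, Avast or Microsoft): enumerate loaded
# kernel drivers and flag those that would stand out as "brought" (BYOVD)
# drivers. A Microsoft-signed in-box driver like appid.sys passes every one
# of these checks, which is the article's point about CVE-2024-21338.

$systemDrivers = Join-Path $env:SystemRoot 'System32\drivers'

# Only drivers that are actually running in the kernel matter for a rootkit.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$findings = foreach ($drv in $loaded) {
    # PathName may carry \??\ or \SystemRoot\ prefixes; normalise to a plain file path.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Get-AuthenticodeSignature also resolves catalog signatures, which most
    # in-box Windows drivers rely on instead of an embedded signature.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    [pscustomobject]@{
        Name      = $drv.Name
        Path      = $path
        SigStatus = $sig.Status
        Signer    = $signer
        InBoxDir  = $path.StartsWith($systemDrivers, [System.StringComparison]::OrdinalIgnoreCase)
        MsSigned  = $signer -match 'O=Microsoft Corporation'   # assumed signer pattern
    }
}

# BYOVD heuristic: loaded from outside the Windows drivers directory, not
# Microsoft-signed, or with a broken signature. Legitimate third-party
# drivers will show up here too; treat the list as triage input.
$suspicious = $findings | Where-Object {
    -not $_.InBoxDir -or -not $_.MsSigned -or $_.SigStatus -ne 'Valid'
}
$suspicious | Format-Table Name, SigStatus, Signer, Path -AutoSize

# appid.sys (AppLocker, service name assumed to be 'AppID') lives in
# System32\drivers and is Microsoft-signed, so it never appears in the list
# above even while its kernel interface is being abused from an admin process.
$findings | Where-Object { $_.Name -eq 'AppID' } | Format-List Name, Path, SigStatus, Signer
```

Run it from an elevated PowerShell session so every driver’s binary is readable. The takeaway is the last line of output: the only durable defence against an in-box driver bug like this one is installing the patch, because signature and path checks cannot distinguish a legitimately loaded appid.sys from one being exploited.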
Microsoft does not treat such admin-to-kernel vulnerabilities as crossing a security boundary. Its Security Servicing Criteria for Windows state that administrators are part of the Trusted Computing Base (TCB), so code already running as administrator is considered trusted by the platform. In other words, Microsoft does not commit to fixing admin-to-kernel bugs through a security update, which is why such issues can remain unpatched for a long time. Nevertheless, Microsoft did eventually patch this one itself.