A new zero-day vulnerability (CVE-2019-1458) in Windows, discovered by antivirus company Kaspersky, was used in the cyber attack Operation WizardOpium. With this vulnerability, malicious parties can bypass the security mechanisms of Google Chrome.
Kaspersky’s exploit prevention technology encountered a zero-day exploit in November that made it possible to execute code on a victim’s system. This was the result of a flaw in Google Chrome. During the investigation into this zero-day exploit, Kaspersky found a second exploit, which was used in the same attack as the first one.
The vulnerability lies in the win32k.sys kernel driver and affects the latest versions of Windows 7 and also some versions of Windows 10. Newer editions of Windows 10 are reportedly unaffected.
Kaspersky classifies it as an ‘elevation of privileges’ vulnerability, as it gives an intruder more privileges on the victim’s system.
Notified in December
Microsoft was notified of the zero-day in December. The vulnerability was patched on 10 December. The attackers used the exploit to break into a Korean website, from which malicious code was executed on visitors’ systems.
Kaspersky does not yet have a clear idea of who carried out the attacks.
Earlier this year, Kaspersky found another exploit that took advantage of win32k.sys. This concerned the ‘Use-After-Free’ vulnerability (CVE-2019-0859), which was caused by objects in memory not being handled properly.