Kaspersky claims credit for finding critical Windows security flaw being actively exploited in the wild

The flaw was patched last week, but Kaspersky says it was already being exploited in the wild, with attackers using it to take full control of targeted PCs

Attackers have been trying to exploit a new vulnerability in the Windows operating system, according to security researchers.

The flaw, which was discovered by Vasily Berdnikov and Boris Larin of Kaspersky Lab last month and patched only last week, is a local privilege escalation bug in the Win32k kernel component: an attacker who can already run code on a machine can use it to execute code in kernel mode and take full control of the PC.

In a blog post, the researchers explained that this is the fifth consecutive local privilege escalation vulnerability in Windows that they have found in recent months.

"CVE-2019-0859 is a Use-After-Free vulnerability that is presented in the CreateWindowEx function. During execution CreateWindowEx sends the message WM_NCCREATE to the window when it's first created," they explained.

"By using the SetWindowsHookEx function, it is possible to set a custom callback that can handle the WM_NCCREATE message right before calling the window procedure."

"In win32k.sys all windows are presented by the tagWND structure which has an 'fnid' field also known as Function ID. The field is used to define the class of a window; all windows are divided into classes such as ScrollBar, Menu, Desktop and many others."

The security specialists explained that when the Function ID of a window is set to 0, they could "set extra data for the window procedure from inside our hook" and "change the address for the window procedure that was executed immediately after our hook".

"Because our MENU-class window was not actually initialized, it allows us to gain control over the address of the memory block that is freed," they said.

After analysing the exploit, the researchers found that it targeted 64-bit versions of Windows from Windows 7 up to older builds of Windows 10, and that it used the well-known HMValidateHandle technique to bypass ASLR.

"The exploit executed PowerShell with a Base64 encoded command. The main aim of this command was to download a second-stage script from https//pastebin.com. The second stage PowerShell executes the final third stage, which is also a PowerShell script," continued the researchers.

Describing this script as "very simple", Berdnikov and Larin said it unpacks shellcode, allocates executable memory, copies the shellcode into that memory and calls CreateThread to execute it.

They concluded: "The main goal of the shellcode is to make a trivial HTTP reverse shell. This helps the attacker gain full control over the victim's system."

Microsoft has since released a patch for the vulnerability. In a statement, it said: "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.

"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

"The update addresses this vulnerability by correcting how Win32k handles objects in memory."
