Microsoft patch zero-day vulnerability discovered by Kaspersky Labs
Microsoft last week released a patch for a Windows zero-day vulnerability that could allow hackers to take full control over a targeted device.
Kaspersky Lab researchers, Vasily Berdnikov and Boris Larin, who discovered the zero-day vulnerability last month reported the vulnerability to Microsoft on March 17, 2019. Microsoft confirmed the vulnerability and designated it CVE-2019-0859. The flaw is a use-after-free issue in the Windows kernel that allows local privilege escalation.
“CVE-2019-0859 is a Use-After-Free vulnerability that is presented in the CreateWindowEx function. During execution CreateWindowEx sends the message WM_NCCREATE to the window when it’s first created. By using the SetWindowsHookEx function, it is possible to set a custom callback that can handle the WM_NCCREATE message right before calling the window procedure,” the researchers explained in a blog post.
“In win32k.sys all windows are presented by the tagWND structure which has an “fnid” field also known as Function ID. The field is used to define the class of a window; all windows are divided into classes such as ScrollBar, Menu, Desktop and many others.”
According to the security researchers, when the Function ID of a window is set to 0, they could “set extra data for the window procedure from inside our hook” and “change the address for the window procedure that was executed immediately after our hook.”
“Because our MENU-class window was not actually initialized, it allows us to gain control over the address of the memory block that is freed,” they said.
The vulnerability that affects multiple 64-bit versions of Windows ranging from Windows 7 to older builds of Windows 10 use HMValidateHandle technique and bypass ASLR (Address Space Layout Randomization).
In simpler words, the Windows Zero-day vulnerability allows hackers to create persistent backdoors on targeted machines and gain the ability to run arbitrary code in kernel mode. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. Also, an attacker (who would need to already be logged into the system) can run a specially crafted application to exploit the vulnerability and take control of an affected system.
“The discovery of a new Windows zero-day being actively exploited in the wild shows that such expensive and rare tools remain of great interest to threat actors, and organizations need security solutions that can protect against such unknown threats,” said Anton Ivanov, a security expert at Kaspersky.
“It also reaffirms the importance of collaboration between the security industry and software developers: bug hunting, responsible disclosure and prompt patching are the best ways of keeping users safe from new and emerging threats.”
Microsoft released a patch for the vulnerability as part of the company’s April 2019 Patch Tuesday on April 10, 2019 crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin.
“The update addresses this vulnerability by correcting how Win32k handles objects in memory,” the researchers added.
This is the fifth consecutive LPE zero-day vulnerability found in Windows in recent months by the Kaspersky Lab researchers. The previously found four vulnerabilities are CVE-2018-8453, CVE-2018-8589, CVE-2018-8611 (a zero-day in the Windows Kernel Transaction Manager) and the CVE-2019-0797 “fourth horseman” vulnerability.