Windows Zero-Day Vulnerability Allow Hackers To Take Complete Control Over PC

Microsoft patch zero-day vulnerability discovered by Kaspersky Labs

Microsoft last week released a patch for a Windows zero-day vulnerability that could allow hackers to take full control over a targeted device.

Kaspersky Lab researchers Vasily Berdnikov and Boris Larin, who discovered the zero-day vulnerability last month, reported it to Microsoft on March 17, 2019. Microsoft confirmed the vulnerability and designated it CVE-2019-0859. The flaw is a use-after-free issue in the Windows kernel that allows local privilege escalation.

“CVE-2019-0859 is a Use-After-Free vulnerability that is presented in the CreateWindowEx function. During execution CreateWindowEx sends the message WM_NCCREATE to the window when it’s first created. By using the SetWindowsHookEx function, it is possible to set a custom callback that can handle the WM_NCCREATE message right before calling the window procedure,” the researchers explained in a blog post.

“In win32k.sys all windows are presented by the tagWND structure which has an ‘fnid’ field also known as Function ID. The field is used to define the class of a window; all windows are divided into classes such as ScrollBar, Menu, Desktop and many others.”

According to the security researchers, when the Function ID of a window is set to 0, they could “set extra data for the window procedure from inside our hook” and “change the address for the window procedure that was executed immediately after our hook.”

“Because our MENU-class window was not actually initialized, it allows us to gain control over the address of the memory block that is freed,” they said.

The vulnerability affects multiple 64-bit versions of Windows, ranging from Windows 7 to older builds of Windows 10. The exploit uses the HMValidateHandle technique to bypass ASLR (Address Space Layout Randomization).

In simpler words, the Windows Zero-day vulnerability allows hackers to create persistent backdoors on targeted machines and gain the ability to run arbitrary code in kernel mode. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. Also, an attacker (who would need to already be logged into the system) can run a specially crafted application to exploit the vulnerability and take control of an affected system.

“The discovery of a new Windows zero-day being actively exploited in the wild shows that such expensive and rare tools remain of great interest to threat actors, and organizations need security solutions that can protect against such unknown threats,” said Anton Ivanov, a security expert at Kaspersky.

“It also reaffirms the importance of collaboration between the security industry and software developers: bug hunting, responsible disclosure and prompt patching are the best ways of keeping users safe from new and emerging threats.”

Microsoft released a patch for the vulnerability as part of the company’s April 2019 Patch Tuesday on April 10, 2019 crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin.

“The update addresses this vulnerability by correcting how Win32k handles objects in memory,” the researchers added.

This is the fifth consecutive LPE zero-day vulnerability found in Windows in recent months by the Kaspersky Lab researchers. The previously found four vulnerabilities are CVE-2018-8453, CVE-2018-8589, CVE-2018-8611 (a zero-day in the Windows Kernel Transaction Manager) and the CVE-2019-0797 “fourth horseman” vulnerability.

Kaspersky advises Windows users to install Microsoft’s patch for the new vulnerability as early as possible. They also recommend keeping all software up to date on a regular basis.
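As an added example that is not part of the article or of Kaspersky's or Microsoft's own tooling, the PowerShell function below gives an administrator a quick way to act on that advice across a fleet: it records each host's Windows edition, architecture and build, and flags 64-bit hosts whose most recent installed update predates the April 10, 2019 Patch Tuesday that shipped the fix. The cutoff date comes from the article; the article does not give the KB number for the fix, so the script deliberately does not hard-code one and only reports hosts that need review against Microsoft's advisory rather than claiming a definitive verdict. The function name and the hostnames in the usage lines are assumptions.

```powershell
# Added example, not from the article: flag Windows hosts whose most recent
# installed update predates the April 2019 Patch Tuesday (2019-04-10), the
# release that fixed CVE-2019-0859. The exact KB is not hard-coded because the
# article does not state it; map build -> KB from Microsoft's advisory before
# treating NeedsReview as confirmation that the fix is missing.
function Test-PatchedSinceApril2019 {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Cutoff = [datetime]'2019-04-10'
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName

    # Get-HotFix lists installed updates. InstalledOn is empty for some
    # entries, so those are skipped instead of being treated as "old".
    $latest = Get-HotFix -ComputerName $ComputerName |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName   = $ComputerName
        OSCaption      = $os.Caption
        OSArchitecture = $os.OSArchitecture
        BuildNumber    = $os.BuildNumber
        LastHotFix     = if ($latest) { $latest.HotFixID } else { $null }
        LastInstalled  = if ($latest) { $latest.InstalledOn } else { $null }
        # The article names 64-bit editions as affected; 32-bit hosts are
        # still listed for inventory but are not flagged.
        NeedsReview    = ($os.OSArchitecture -like '64*') -and
                         (-not $latest -or $latest.InstalledOn -lt $Cutoff)
    }
}

# Usage (hostnames are placeholders): check the local machine, or a list of hosts.
Test-PatchedSinceApril2019 | Format-List
# 'host1','host2' | ForEach-Object { Test-PatchedSinceApril2019 -ComputerName $_ }
```

Remote queries require WinRM/CIM access to the target hosts and an account permitted to read Win32_OperatingSystem and Win32_QuickFixEngineering. A host flagged NeedsReview may still be patched if it received a cumulative update whose InstalledOn date was not recorded, which is why the output is an audit list rather than a pass/fail result.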

Source: Kaspersky

Kavita Iyer