14 DAY TRIAL // The latest batch of updates for Windows operating system addresses several kernel-level vulnerabilities, one of them being exploited in targeted attacks.
Microsoft released on Tuesday eight security bulletins, two of them being rated “critical” (MS15-056 and MS15-057), while the severity level of the rest was set as “important.”
Memory corruption leads to privilege elevation
The bulletin containing details on the kernel-level flaws (MS15-061) is not critical, but out of the eight problems described, one of them (CVE-2015-2360) was reported as being leveraged by threat actors.
The flaw touches on the Windows kernel-mode driver Win32k.sys, which does not free memory properly after use, allowing the possibility to elevate privileges and execute arbitrary code on the affected machine within the context of another user.
“To exploit this vulnerability, an attacker would first have to log on to the system,” Microsoft says in its advisory, which is probably the reason it was not rated with critical severity. “An attacker could then run a specially crafted application designed to increase privileges,” the company added.
Vulnerability is important but patching is critical
Applying the patch provided by Microsoft is the only way to mitigate the risks because there is no workaround available. The update is designed to correct how the Windows kernel-mode driver handles the objects in the memory of the system.
Kurt Baumgartner, principal security researcher at Kaspersky, says that users should not delay installing the fix (computer restart is required) on account that the problem received an “important” severity mark because “defending against its deployment as a part of targeted attack activity is most certainly critical.”
Credited for the discovery of CVE-2015-2360 is Maxim Golovkin, part of Kaspersky’s threat research team (GReAT, Global Research and Analysis Team).
The two critical bulletins include security patches for Internet Explorer and Windows Media Player, exploiting some of them allowing the possibility of remote code execution by accessing a specially crafted web page in the browser or malicious media content in the player.
Users with administrative rights on the system are the most impacted and the damage on accounts with lower privileges is less severe.