All using PowerShell scripts to avoid detection

Apr 16, 2019 09:40 GMT  ·  By

One of the security vulnerabilities that Microsoft resolved on April 9 as part of this month’s Patch Tuesday is a zero-day discovered by Kaspersky that could let attackers gain full control of a compromised system.

Tracked as CVE-2019-0859, the Win32k elevation-of-privilege flaw was already being exploited in the wild before the fix shipped, and Microsoft confirmed that both older and current Windows versions were affected. The most recent Windows 10 release at the time, the October 2018 Update (version 1809), was impacted as well.

Kaspersky says its exploit-prevention technology caught the attack in March and that the vulnerability was reported to Microsoft on March 17.

In its detailed analysis of the vulnerability, the security vendor explains that the exploit launches a PowerShell command that downloads a second-stage script from Pastebin. That script in turn runs another PowerShell script, which unpacks the shellcode, allocates executable memory, copies the shellcode into that memory, and calls CreateThread to run it. Nothing is written to disk as a conventional executable, which is what makes the chain harder to spot with file-based controls.

“The main goal of the shellcode is to make a trivial HTTP reverse shell. This helps the attacker gain full control over the victim’s system,” the security company says.

Patches already available

Microsoft notes in its advisory that an attacker must first log on to the vulnerable system, so this is a local privilege-escalation bug: attackers need some other way in before they can use the zero-day discovered by Kaspersky to move from an ordinary user account to kernel-level control.

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft says.

While Kaspersky says the zero-day was actively exploited, no specifics were shared on the groups that launched the attacks.

Patches for the vulnerability were published on April 9, and users are advised to install them as soon as possible. Microsoft rates the flaw as Important rather than Critical, which is the usual rating for an elevation-of-privilege bug that requires local access; given that it was already being exploited, the rating is no reason to delay patching.