Flaw found by Microsoft with help from ESET

Jul 5, 2018 08:27 GMT

Microsoft has recently addressed a vulnerability in Windows 7 that was found with help from ESET, and the company says that no attacks took place thanks to the rapid discovery and the fast response to it.

In a technical analysis of the flaw, Matt Oh of Windows Defender ATP Research says the team at Microsoft worked together with ESET researchers and Adobe to patch two different zero-day exploits found in a single PDF sample that was originally believed to target an unknown Windows kernel vulnerability.

“During my investigation in parallel with ESET researchers, I was surprised to discover two new zero-day exploits in the same PDF. One exploit affected Adobe Acrobat and Reader, while the other exploit affected older platforms, Windows 7 and Windows Server 2008,” Oh explains.

While the first exploit targeted the Adobe JavaScript engine, the other was specifically aimed at Windows, allowing the shellcode to escape the Adobe Reader sandbox and run with elevated privileges in Windows kernel memory. Windows 10 users weren’t exposed, as that operating system includes security mitigations that block the exploit.

Install updates as soon as possible

The Microsoft security researcher says no attacks were recorded and the exploit was only in an early development stage, which means that users were protected before a malicious actor could take advantage of the flaws.

“Finding and neutralizing a double zero-day exploit before an attacker had a chance to use it was an amazing result of the great collaboration between ESET, Microsoft, and Adobe security researchers,” he posted.

The two exploits were patched as CVE-2018-4990 (Security updates available for Adobe Acrobat and Reader, APSB18-09) and CVE-2018-8120 (Win32k Elevation of Privilege Vulnerability), and users are recommended to deploy the security updates as soon as possible.

If patching must be delayed, IT admins should disable JavaScript in Adobe Acrobat and Acrobat Reader until the updates are installed. Additionally, PDF attachments should be double-checked for spear-phishing and other attacks, to make sure no exploits are targeting systems in the network until the patching is complete.
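As an added triage example, not code from Microsoft, ESET or Adobe, the following Python check flags PDF attachments that carry JavaScript or an auto-run trigger, the kind of screening the advice above calls for while patches are pending. The indicator names are standard PDF name tokens; the sample document is constructed for the demonstration.

```python
import re

# PDF name tokens that indicate active content: JavaScript itself and the
# triggers (open action, additional actions, launch) that can run it.
SUSPICIOUS_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}

# PDF name objects may hex-escape any byte as #xx (e.g. /J#61vaScript),
# a common trick to dodge naive string matching, so tokens are normalised.
_NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalise_name(raw: bytes) -> str:
    """Decode #xx escapes in a PDF name token and return it as text."""
    decoded = _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")

def pdf_indicators(data: bytes) -> dict:
    """Count suspicious name tokens in raw PDF bytes.

    This is a byte-level triage, not a full PDF parser: objects hidden in
    compressed object streams are not inspected, so an empty result is not
    proof of a clean file, while any hit warrants manual review.
    """
    counts = {}
    for match in _NAME_RE.finditer(data):
        name = normalise_name(match.group(0))
        if name in SUSPICIOUS_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts

def should_quarantine(data: bytes) -> bool:
    """True when the PDF carries JavaScript or an automatic trigger."""
    return bool(pdf_indicators(data))

# Constructed sample: a minimal PDF whose catalog runs hex-obfuscated
# JavaScript as soon as the document is opened.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    # prints {'/OpenAction': 1, '/JavaScript': 1, '/JS': 1}
    print(pdf_indicators(SAMPLE_PDF))
```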