Kaspersky finds zero-day exploit in Windows OS used in targeted attack

3 January 2020
Kaspersky automated detection technologies have found a Windows zero-day vulnerability. The exploit based on this vulnerability allowed attackers to gain higher privileges on the attacked machine and avoid protection mechanisms in the Google Chrome browser. The newly discovered exploit was used in the malicious WizardOpium operation.

Zero-day vulnerabilities are previously unknown bugs in software which, if found by criminals first, enable them to operate unnoticed for a long time, inflicting serious and unexpected damage. Regular security solutions neither identify the resulting system infection nor protect users from a threat that has not yet been recognized.

The new Windows vulnerability was found by Kaspersky researchers thanks to yet another zero-day exploit. Back in November 2019, Kaspersky’s Exploit Prevention technology, which is embedded in most of the company’s products, detected a zero-day exploit in Google Chrome. This exploit allowed attackers to execute arbitrary code on a victim’s machine. Upon further research into this operation, which the experts called ‘WizardOpium’, another vulnerability was discovered, this time in Windows OS.

It emerged that the newly discovered Windows zero-day elevation of privileges (EoP) exploit (CVE-2019-1458) was embedded into the previously discovered Google Chrome exploit. It was used to gain higher privileges on the infected machine as well as to escape the Chrome process sandbox – a component built to protect the browser and the victim’s computer from malicious attacks.

Detailed analysis of the EoP exploit showed that the abused vulnerability lies in the win32k.sys driver. The vulnerability could be abused on the latest patched versions of Windows 7 and even on a few builds of Windows 10 (newer builds of Windows 10 are not affected).

Kaspersky products detect this exploit with the following verdict: PDM:Exploit.Win32.Generic.

The vulnerability was reported to Microsoft and patched on December 10, 2019.

To prevent the installation of backdoors through a Windows zero-day vulnerability, Kaspersky recommends taking the following security measures:

  • Install Microsoft’s patch for the new vulnerability as soon as possible. Once the patch is installed, threat actors can no longer abuse the vulnerability;
  • Make sure that all software is updated as soon as a new security patch is released if you are concerned about the safety of your whole organization. Use security products with vulnerability assessment and patch management capabilities to make sure these processes run automatically;
  • Use a proven security solution with behavior-based detection capabilities for protection against unknown threats, such as Kaspersky Endpoint Security;
  • Make sure your security team has access to the most recent cyber threat intelligence. Private reports on the latest developments in the threat landscape are available to customers of Kaspersky Threat Intelligence;
  • Use sandbox technology to analyze suspicious objects. Basic access to Kaspersky Cloud Sandbox is available at https://opentip.kaspersky.com/.

For further details on the new exploit, see the full report on Securelist.

To take a closer look at the technologies that detected this and other zero-days in Microsoft Windows, a recorded Kaspersky webinar is available to view on demand.