Patch issued for critical Windows bug

Microsoft has warned users to patch their Windows systems after researchers found that a flaw is being actively exploited in the wild.

The Windows exploit, tagged CVE-2019-1458, has been patched by Microsoft as part of a round of 36 updates across a range of services, and could give attackers higher privileges on compromised machines. Cyber criminals taking advantage of this exploit, moreover, can avoid protection mechanisms in the Google Chrome browser.

The bug has also been connected with a separate Google Chrome exploit that was used in active Operation WizardOpium attacks, as identified by Kaspersky’s SecureList researchers in November. The two-phased attack involved a small portable executable (PE) loader, and then the actual privilege escalation exploit. 

“This type of attack requires vast resources; however, it gives significant advantages to the attackers and as we can see, they are happy to exploit it,” said Kaspersky security expert Anton Ivanov.

“The number of zero-days in the wild continues to grow and this trend is unlikely to go away. Organizations need to rely on the latest threat intelligence available at hand and have protective technologies that can proactively find unknown threats such as zero-day exploits.”

Detailed analysis shows the vulnerability used belongs to the win32.sys driver, and primarily affected Windows 7 machines and a few builds of Windows 10. Not all Windows 10 devices are affected because new OS builds use certain additional protective implement measures.

The exploit, specifically, relates to the window-switching features, for instance, use of Alt-Tab combination. This is why the exploit’s code uses a few WinAPI calls to emulate a key-press.

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory,” the Microsoft Security Research Team said. 

“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.”

While the flaw is potentially devastating, to be affected, users’ machines must also have been previously compromised by the Google Chrome vulnerability. This flaw was recently addressed, although hackers are still targeting users with unpatched versions of Chrome.