Microsoft patched a zero-day vulnerability that enabled attackers to escalate privileges on targeted systems, which include Windows 7, Server 2008 and Server 2008 R2 systems. The vulnerability, rated important, was part of Microsoft’s Patch Tuesday November security bulletin, which included 62 unique vulnerabilities, 12 of which are rated critical.
The zero-day bug (CVE-2018-8589) is traced to a Windows device driver “Win32k.sys,” and could allow an attacker to escalate privileges and run arbitrary code in the context of the local system.
Kaspersky Lab is credited for discovering the zero-day. According to Kaspersky Lab, the zero-day has been identified in use by a number of APTs. Researchers there are scheduled to release more information on the use of the vulnerability by cyber-espionage groups on Wednesday.
“The CVE is rated as important and the attacker would need to log on to the system to exploit the vulnerability, but when exploited the attacker would gain full control of the affected system,” according to Chris Goettl, director of product management, security, Ivanti.
Glen Pendley, deputy CTO at Tenable, said the flaw is being actively exploited in the wild by threat actors and poses a real-world risk to organizations.
Of the 12 critical vulnerabilities reported Tuesday, Microsoft’s Chakra JavaScript engine, used by Microsoft Edge, was behind eight of them.
“[Five of the] memory corruption vulnerabilities (CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, and CVE-2018-8588) would give attackers the ability to execute code remotely if a user on a vulnerable system were to access a malicious website or malicious content hosted on a website (e.g., advertisements),” said David Carver, threat intelligence analyst at Recorded Future.
“Browser and scripting engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users,” wrote Jimmy Graham, director of product and vulnerability management at Qualys.
Microsoft also fixed a vulnerability (CVE-2018-8566) impacting its BitLocker tool for encrypting hard drives with 128 bit or 256 bit encryption. The bug is a Public Disclosure vulnerability in Windows 10, Server 2016 and Server 2019. “The Security Feature Bypass vulnerability exists in BitLocker and could allow an attacker to bypass protection to gain access to encrypted data. To exploit the vulnerability the attacker must gain physical access to the target system,” Goettl noted.
Goettl said that patching for CVE-2018-8566 is especially important for laptops that can easily be physically accessed.
In related news, Adobe on Tuesday released three patches – including a fix for a flaw in Adobe Acrobat and Reader that exposes hashed passwords and that already has publicly available proof-of-concept (PoC) exploit code.