Windows Zero-Day Vulnerability

Microsoft patches zero-day vulnerability discovered by Kaspersky Lab in 2019

Last week, Microsoft published a patch for a zero-day vulnerability in Windows that could allow attackers to take complete control of a targeted machine.

The vulnerability was reported to Microsoft on March 17, 2019 by Kaspersky Lab researchers Vasily Berdnikov and Boris Larin, who also found last month’s zero-day vulnerability. Microsoft confirmed the vulnerability and assigned it CVE-2019-0859. The flaw in the Windows kernel is a use-after-free bug that enables local privilege escalation.

“CVE-2019-0859 is a Use-After-Free vulnerability found in the CreateWindowEx feature. CreateWindowEx sends the WM_NCCREATE signal to the window when it is first formed during execution. It is feasible to set a custom callback by using the SetWindowsHookEx feature that can manage the WM_NCCREATE signal right before calling the window procedure,” the researchers clarified in a blog post.

“All windows are displayed in win32k.sys by the tagWND structure, which has a ‘fnid’ field, also known as the Function ID. The field is used to define a window class; all windows are divided into classes such as ScrollBar, Menu, Desktop and many more.”

According to security researchers, when a window’s Function ID is set to 0, they could “set extra data from inside our hook for the window procedure” and “change the address for the window procedure immediately after our hook.”

“Because our MENU-class window was not effectively initialized, it enables us to achieve control over the address of the freed memory block,” they said.

The exploit, which affects various 64-bit Windows versions ranging from Windows 7 to older Windows 10 builds, uses the HMValidateHandle technique to bypass ASLR (Address Space Layout Randomization).

The Windows zero-day enables attackers to establish persistent backdoors on targeted computers and to gain the ability to execute arbitrary code in kernel mode.

An attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. To exploit the vulnerability, an attacker would first have to log on to the system and then run a specially crafted application to take control of the affected system.

“Discovering a fresh Windows zero-day being actively exploited in the wild shows that such costly and rare instruments stay of excellent concern to threatening actors, and organisations need safety alternatives that can safeguard against such unidentified threats,” Kaspersky security expert Anton Ivanov said.

“It also reaffirms the significance of cooperation between the safety industry and software developers: bug hunting, responsible disclosure and timely patching are the best methods to keep consumers secure from fresh and emerging threats.”

Microsoft published a patch for the vulnerability as part of the company’s April 2019 Patch Tuesday release on April 10, 2019, crediting Vasiliy Berdnikov of Kaspersky Lab.

“The update addresses this vulnerability by correcting how Win32k handles objects in memory,” the researchers added.

This is the fifth consecutive LPE zero-day vulnerability found in Windows in recent months by Kaspersky Lab researchers. The four previously found vulnerabilities are CVE-2018-8453, CVE-2018-8589, CVE-2018-8611 (a zero-day in the Windows Kernel Transaction Manager) and CVE-2019-0797, the “fourth horseman” vulnerability.

Kaspersky recommends that Windows users install the Microsoft patch for this vulnerability as soon as possible, and that they keep all their software regularly updated.

Source: Kaspersky
