Trending CVEs for the Week of April 15th, 2019
- Apr 17, 2019
- Michael Tucker
This week’s trending vulnerability may sound eerily familiar. CVE-2019-0859 is an elevation of privilege vulnerability in Win32k component of Microsoft Windows operating system. Just like CVE-2019-0797, another elevation of privilege vulnerability in Win32k that we talked about a month ago, the vulnerability was detected by Kaspersky Lab researchers and is being actively exploited in the wild. In fact, this is the fifth local privilege escalation zero-day vulnerability that has affected Microsoft Windows since October of 2018.
The vulnerability can be used to establish persistent backdoors to targeted machines. An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.
The vulnerability affects a range of Windows OS versions, from Windows 7 to Windows 10. For a full list, refer to the Security Focus advisory for this vulnerability.
Technical details about the vulnerability and how the exploit works are available in a detailed post by Kaspersky researchers. According to them, Kaspersky Lab discovered this vulnerability when their automatic exploit prevention systems detected an attempt to abuse it. The vulnerability was being used in advanced persistent threat campaigns targeting 64-bit versions of Windows OS from Windows 7 to the latest builds of Windows 10.
In the observed attacks, a malicious executable makes use of the legitimate PowerShell framework with a Base64-encoded command, which then fetches a second-stage PowerShell script from Pastebin. That in turn executes a third and final stage, also a PowerShell script, which unpacks lightweight shellcode. The main goal of the shellcode is to make a trivial HTTP reverse shell, which then helps the attacker gain full control over the victim’s system.
A patch for this vulnerability was pushed out by Microsoft in the most recent Patch Tuesday last week (along with patches for more than 70 unique vulnerabilities). Users should update their systems as soon as possible.
Share your thoughts in our community!