steven36 Posted March 27, 2017

Without making too much fuss about it, Microsoft patched a zero-day vulnerability used in live attacks by a cyber-espionage group named Zirconium.

The zero-day, tracked as CVE-2017-0005, affects the Windows Win32k component in the Windows GDI (Graphics Device Interface), included in all Windows OS versions.

According to Microsoft, a successful exploit would have resulted in a memory corruption and elevation of privileges (EoP) for the attacker's code, allowing him to escalate access to the machine and execute code with SYSTEM privileges.

Exploit code didn't target newer Windows versions

Microsoft says the vulnerability was present in all Windows versions, but attackers crafted their zero-day exploit code with great care, making sure the exploit only executed on computers running a Windows version between Windows 2000 and Windows 8.

The OS maker says the attacker intentionally wanted to avoid security features introduced in Windows 8.1 and Windows 10, such as ASLR improvements, Supervisor Mode Execution Prevention (SMEP), and virtualization-based security (VBS), which would have blocked the attack and only exposed his zero-day to unwanted attention.

Despite targeting the Win32k component, the zero-day's exploit routine also contained code that targeted 64-bit systems.

Microsoft experts say the exploitation technique used in these attacks was also used by the Duqu malware and was previously described in a Virus Bulletin presentation from 2015.

Zero-day patched two weeks ago

The OS maker says a "trusted partner" identified the zero-day attacks, which they've patched in security bulletin MS17-013, released on March 14, during Microsoft's March Patch Tuesday. At the time it was patched, Microsoft didn't tell anyone CVE-2017-0005 was used in live attacks.

Currently, very little public information is available on the Zirconium group, which appears to be a new APT (Advanced Persistent Threat). Microsoft said it's still "actively gathering threat intelligence and indicators attributable to ZIRCONIUM."

A technical analysis of the CVE-2017-0005 zero-day is available here.

The same MS17-013 security bulletin also included a patch for CVE-2017-0038, a vulnerability discovered by the Google Project Zero team, which Google made public in mid-February after Microsoft failed to deliver a Patch Tuesday that month.

By Catalin Cimpanu
https://www.bleepingcomputer.com/news/security/microsoft-quietly-patched-windows-zero-day-used-in-attacks-by-zirconium-group/