How Microsoft helped neuter ‘double zero-day exploit’ before anyone was infected
- 04 July, 2018 04:29
Microsoft has provided more details about a recently patched critical zero-day flaw in Adobe’s Acrobat Reader that was exploited in combination with a less severe zero-day in the Windows kernel to compromise Windows 7 machines.
The pair of related exploits was also the source of conflicting advisories from Microsoft and Adobe in May, after both companies investigated a malicious PDF document that had been uploaded to Alphabet-owned VirusTotal in March.
Adobe initially said the Acrobat flaws it patched in May had not been exploited in the wild, but revised its advisory shortly afterwards when Microsoft’s advisory stated that an exploit existed for the related flaw in the Windows kernel.
The flaws in the Adobe and Microsoft software were discovered by ESET researcher Anton Cherepanov, who described a “rare case” in which an attacker combined a Reader exploit with a Windows exploit to escape the Adobe Reader sandbox. Escaping the Reader sandbox normally requires a second exploit against the operating system; what made this sample unusual was that both halves of the chain, the remote code execution flaw in Reader and the privilege escalation in Windows, were previously unknown zero-days found together in a single document.
Windows 7 and Windows Server 2008 systems that have not applied the patch remain vulnerable, and Microsoft is keen to point out that machines already upgraded to Windows 10 were never affected, patch or no patch.
The consequences for those still on the older systems are serious, it says: an attacker who exploits the flaw can run their own code in kernel mode, and from there take control of the machine by installing programs, modifying data, or creating new accounts with full user rights.
“The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape the Adobe Reader sandbox and run with elevated privileges from Windows kernel memory,” wrote Microsoft’s Windows Defender Research team.
Microsoft also revealed a few more details about the Windows elevation-of-privilege exploit, which works against Windows 7 machines that have not been patched against CVE-2018-8120.
The attack used so-called “reflective” Dynamic-Link Library (DLL) loading, in which the attacker’s own code maps the DLL into process memory instead of going through the Windows loader. The DLL therefore never has to be written to disk and does not show up in the process’s list of loaded modules, which helps it avoid detection. The technique takes effort because the attacker has to write that custom loader themselves.
That effort means it is most likely the preserve of nation-state groups or others with significant resources. Microsoft added detection for the technique on Windows 10 through Windows Defender ATP. As Microsoft explained in late 2017: “Reflective DLL loading isn’t trivial—it requires writing the DLL into memory and then resolving its imports and/or relocating it. To reflectively load DLLs, one needs to author one’s own custom loader.”
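As an added illustration of what that custom loader has to do (example code written for this article, not Microsoft’s, ESET’s or the attacker’s), the C below performs the two steps the quote names on a PE image that already sits in memory: it walks the .reloc table and shifts every absolute 64-bit address by the difference between the base the image was linked for and the base it actually landed at, then walks the import descriptors and fills in the import address table. Everything in it is assumed or constructed: the PE structures are declared inline so it builds outside Windows, make_image() fabricates a tiny image with one relocation and two kernel32.dll imports, and resolve_symbol() stands in for LoadLibrary/GetProcAddress with made-up addresses. Mapping sections, setting page protections and calling DllMain, which a real loader also does, are left out.

```c
/* Added example for this article, not code from Microsoft, ESET or the sample:
 * the relocation and import-resolution steps a reflective loader must do by hand
 * because it bypasses LoadLibrary.  Image, structures and addresses are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE     0x400
#define PREFERRED_BASE 0x10000000ULL     /* base the toy image was "linked" for */
#define RELOC_RVA      0x000             /* table offsets chosen by make_image() */
#define RELOC_SIZE     12
#define IMPORT_RVA     0x200
#define IMAGE_REL_BASED_ABSOLUTE 0       /* padding entry, skipped */
#define IMAGE_REL_BASED_DIR64    10      /* 64-bit absolute address fix-up */

typedef struct { uint32_t VirtualAddress, SizeOfBlock; } IMAGE_BASE_RELOCATION;
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } IMAGE_IMPORT_DESCRIPTOR;

static uint64_t read_u64(const uint8_t *p, uint32_t rva) { uint64_t v; memcpy(&v, p + rva, 8); return v; }
static void write_u64(uint8_t *p, uint32_t rva, uint64_t v) { memcpy(p + rva, &v, 8); }
static void write_u32(uint8_t *p, uint32_t rva, uint32_t v) { memcpy(p + rva, &v, 4); }
static void write_u16(uint8_t *p, uint32_t rva, uint16_t v) { memcpy(p + rva, &v, 2); }

/* Step 1: the image landed at actual_base rather than PREFERRED_BASE, so every
 * absolute address listed in .reloc is shifted by the difference.
 * Returns slots patched, or -1 on a malformed block or unsupported entry type. */
int apply_relocations(uint8_t *img, uint64_t preferred_base, uint64_t actual_base,
                      uint32_t reloc_rva, uint32_t reloc_size) {
    uint64_t delta = actual_base - preferred_base;    /* wraps correctly if negative */
    int patched = 0;
    for (uint32_t off = 0; off + sizeof(IMAGE_BASE_RELOCATION) <= reloc_size;) {
        IMAGE_BASE_RELOCATION blk; memcpy(&blk, img + reloc_rva + off, sizeof blk);
        if (blk.SizeOfBlock < sizeof blk || off + blk.SizeOfBlock > reloc_size) return -1;
        uint32_t n = (blk.SizeOfBlock - sizeof blk) / 2;         /* 16-bit entries */
        for (uint32_t i = 0; i < n; i++) {
            uint16_t e; memcpy(&e, img + reloc_rva + off + sizeof blk + 2 * i, 2);
            uint16_t type = e >> 12, page_off = e & 0xFFF;       /* type:4 | offset:12 */
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type != IMAGE_REL_BASED_DIR64) return -1;        /* x64 only in this toy */
            uint32_t rva = blk.VirtualAddress + page_off;
            write_u64(img, rva, read_u64(img, rva) + delta);
            patched++;
        }
        off += blk.SizeOfBlock;
    }
    return patched;
}

/* Stand-in for GetProcAddress: constructed addresses, no real DLL is touched. */
static uint64_t resolve_symbol(const char *dll, const char *name) {
    static const struct { const char *dll, *name; uint64_t addr; } table[] = {
        { "kernel32.dll", "VirtualAlloc", 0x7FF800001000ULL },
        { "kernel32.dll", "CreateThread", 0x7FF800002000ULL } };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (!strcmp(table[i].dll, dll) && !strcmp(table[i].name, name)) return table[i].addr;
    return 0;
}

/* Step 2: walk the import descriptors and write each resolved address into the
 * IAT slot the DLL's code will call through.  Returns imports resolved, or -1 on
 * an ordinal import (not handled in this toy) or an unknown symbol. */
int resolve_imports(uint8_t *img, uint32_t import_rva) {
    int resolved = 0;
    for (uint32_t d = import_rva;; d += sizeof(IMAGE_IMPORT_DESCRIPTOR)) {
        IMAGE_IMPORT_DESCRIPTOR desc; memcpy(&desc, img + d, sizeof desc);
        if (desc.Name == 0) break;                                /* null terminator */
        const char *dll = (const char *)(img + desc.Name);
        uint32_t lookup = desc.OriginalFirstThunk ? desc.OriginalFirstThunk : desc.FirstThunk;
        for (uint32_t i = 0;; i++) {
            uint64_t thunk = read_u64(img, lookup + 8 * i);
            if (thunk == 0) break;
            if (thunk >> 63) return -1;                           /* IMAGE_ORDINAL_FLAG64 */
            uint64_t addr = resolve_symbol(dll, (const char *)(img + (uint32_t)thunk + 2)); /* skip Hint */
            if (addr == 0) return -1;
            write_u64(img, desc.FirstThunk + 8 * i, addr);        /* patch the IAT */
            resolved++;
        }
    }
    return resolved;
}

/* Constructed image: one DIR64 fix-up for a pointer at RVA 0x100, one kernel32.dll
 * import descriptor with two by-name entries (2-byte Hint, then the name). */
void make_image(uint8_t *img) {
    memset(img, 0, IMAGE_SIZE);
    write_u32(img, RELOC_RVA, 0x100);                             /* block for page 0x100 */
    write_u32(img, RELOC_RVA + 4, RELOC_SIZE);                    /* header + 2 entries */
    write_u16(img, RELOC_RVA + 8, (IMAGE_REL_BASED_DIR64 << 12) | 0x000);
    write_u16(img, RELOC_RVA + 10, (IMAGE_REL_BASED_ABSOLUTE << 12) | 0);
    write_u64(img, 0x100, PREFERRED_BASE + 0x200);                /* pointer into the image */
    write_u32(img, IMPORT_RVA, 0x240);                            /* OriginalFirstThunk */
    write_u32(img, IMPORT_RVA + 12, 0x300);                       /* Name */
    write_u32(img, IMPORT_RVA + 16, 0x260);                       /* FirstThunk (IAT) */
    write_u64(img, 0x240, 0x310); write_u64(img, 0x248, 0x320);   /* lookup entries, then 0 */
    strcpy((char *)img + 0x300, "kernel32.dll");
    strcpy((char *)img + 0x312, "VirtualAlloc");
    strcpy((char *)img + 0x322, "CreateThread");
}

int main(void) {
    uint8_t img[IMAGE_SIZE];
    make_image(img);
    int patched = apply_relocations(img, PREFERRED_BASE, 0x7FFE0000ULL, RELOC_RVA, RELOC_SIZE);
    int resolved = resolve_imports(img, IMPORT_RVA);
    printf("patched %d relocation(s), resolved %d import(s), pointer at 0x100 is now 0x%llx\n",
           patched, resolved, (unsigned long long)read_u64(img, 0x100));
    return (patched == 1 && resolved == 2) ? 0 : 1;
}
```

It builds with any C99 compiler and needs no Windows headers. Note that nothing here opens a file or calls the system loader: the image is patched entirely in memory, which is why file-based defences never see a reflectively loaded DLL and why Microsoft quotes the loader-writing effort as the main barrier to the technique.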
Microsoft also offered details about how the attack would gain persistence on vulnerable Windows 7 machines.
The message Microsoft is conveying is that everyone should upgrade to Windows 10. Extended support for Windows 7 Service Pack 1, under which it receives security updates only, ends on January 14, 2020.