Microsoft patches 0-day Windows flaw under attack

  • Liam Tung (CSO Online)
  • 10 October, 2018 05:48

Microsoft has released a patch for a Windows elevation of privilege flaw that it says is being exploited.

The flaw, tracked as CVE-2018-8543, is in the Win32k component of Windows and could be used to run malicious code in kernel mode, allowing an attacker to install programs, modify data, and create new accounts with full user rights. 

Microsoft notes that an attacker would need to log on to a vulnerable system before exploiting the flaw, and then run malware that exploits the vulnerability in order to take control of an affected system. 

Security updates are available for all supported versions of Windows 10 through to Windows 7 and Windows Server.

Microsoft hasn’t shared details about the attacks but credited Kaspersky Lab for reporting the flaw, which is likely being used in targeted attacks. 

The patch is part of Microsoft’s scheduled October Patch Tuesday update, which addresses 49 security flaws in total, 12 of which are critical, and 35 of which are rated as important. It also has fixes for one moderate and one low severity issue. 

As noted by Trend Micro’s Zero Day Initiative (ZDI), three of the flaws are publicly known, including a remote code execution flaw in the Microsoft JET database, a Windows kernel elevation of privilege flaw, and an Azure IoT device client SDK memory corruption bug.

The critical flaws were found in Internet Explorer, Microsoft Edge, Windows Hyper-V, and Microsoft's Chakra scripting engine. 

ZDI’s Dustin Childs also spotted an update to an old bug, CVE-2010-3190, that was first addressed in 2010. The issue stemmed from insecure programming practices that allowed "binary planting" or "DLL preloading attacks", according to Microsoft’s writeup on the issue.

Between 2010 and 2014, Microsoft released fixes for the same issue affecting Office, Windows, the Windows address book, Windows backup manager, Windows Media, and other products.

The latest product Microsoft has found to be affected by this class of flaw is Exchange Server. All versions prior to Exchange Server 2016 Cumulative Update 11 need to be patched, according to Microsoft’s advisory.

Microsoft also warned customers with Windows 7 and Windows Server 2008 R2 machines that they’ll need to install Servicing Stack Update (SSU) 3177467 before installing the October 2018 security updates. Without that SSU, which dates from 2016, the update could fail to install.

Microsoft recently explained the importance of installing SSUs, which were previously not labelled as security updates and so were missed by some customers. In turn, this caused problems installing this year's August and September security-only updates and Monthly Rollups. Affected customers were advised to install the October 2016 Windows 7 SP1 SSU (KB 3177467), and then install the newer updates to avoid the problem.
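A pre-flight check for the prerequisite described above, written as an added example for this article (it is not Microsoft's code or guidance): it confirms the host is Windows 7 / Server 2008 R2 and that KB3177467 is already present before the October 2018 updates are applied. It assumes the SSU shows up in the installed-updates list that Get-HotFix reads, and the function name is made up here.

```powershell
# Added example, not from the article or from Microsoft.
# Checks whether the October 2016 servicing stack update (KB3177467) is
# installed on a Windows 7 SP1 / Windows Server 2008 R2 host before the
# October 2018 security updates are applied.
# Assumption: the SSU is listed by Get-HotFix (Win32_QuickFixEngineering).
function Test-OctoberSsuPrerequisite {
    # Get-WmiObject is used so this also runs on the PowerShell 2.0 that
    # ships with Windows 7 SP1.
    $os = Get-WmiObject Win32_OperatingSystem

    # Windows 7 and Server 2008 R2 both report kernel version 6.1.x.
    if (-not $os.Version.StartsWith('6.1')) {
        return New-Object PSObject -Property @{
            Applies      = $false
            SsuInstalled = $null
            Message      = "Not Windows 7 / Server 2008 R2 ($($os.Caption)); the KB3177467 prerequisite does not apply."
        }
    }

    $ssu = Get-HotFix -Id 'KB3177467' -ErrorAction SilentlyContinue
    if ($ssu) {
        return New-Object PSObject -Property @{
            Applies      = $true
            SsuInstalled = $true
            Message      = "KB3177467 installed on $($ssu.InstalledOn); the October 2018 updates can be applied."
        }
    }

    return New-Object PSObject -Property @{
        Applies      = $true
        SsuInstalled = $false
        Message      = "KB3177467 is missing; install the SSU first or the October 2018 update may fail to install."
    }
}

Test-OctoberSsuPrerequisite | Format-List Applies, SsuInstalled, Message
```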