
Windows vulnerability: Oh My Kernel!


If you’re part of the 13% using iOS / OS X, then rest assured, this is not the article for you (you can read our dedicated Apple-rant here). If you do, however, find yourself amongst the 12% using Windows OS, then you’re in the right place. That is, if learning about a new Microsoft vulnerability is what you’re looking for. Now, no need to feel uncomfortable. If cyber-incidents didn’t make us a tad uneasy, what would be the point in even discussing them?

This week’s cyber-unsettling topic focuses on a hacking campaign that was originally identified by Google’s Threat Analysis Group on October 31st, only to be acknowledged by Microsoft the next day. Experts state that the infections found made their way inside vulnerable systems by exploiting two weak spots, one in Adobe Flash and one in the Windows kernel. In an emergency update, Adobe patched its Flash Player a little before Google’s announcement, on October 26th. The patch addresses a use-after-free vulnerability (also known as CVE-2016-7855), a type of memory corruption flaw that can be leveraged to execute arbitrary code. Just to be safe, you might want to check that the available update has already been installed on your system. More on why this is absolutely necessary later.

Whereas Adobe rose to the occasion, Microsoft wasn’t so quick in releasing a patch for the CVE-2016-7255 vulnerability. Between the moment Google announced its discovery and the moment an update was published for all OS versions, almost one week went by, with the emphasis on ONE full week. We’re not particularly fans of country music, but there’s something in the Mark Knopfler song that speaks to us in the case of the Microsoft vulnerability: “Sometimes you’re the windshield. Sometimes you’re the bug”. Why is that? Well, let’s just say that a critical vulnerability, known to be currently exploited, roaming patch-less in the wild, is not exactly what Microsoft calls good press. Or anyone else, for that matter.

As a local privilege escalation (EoP) in the Windows kernel, the CVE-2016-7255 vulnerability becomes notably dangerous when paired with the Adobe use-after-free flaw. Knowing that Adobe Reader runs PDF files in a sandbox, if cybercriminals were to take advantage of this memory corruption vulnerability, they could trigger a sandbox escape via the win32k.sys system call NtSetWindowLongPtr(). The result: Oh My Kernel! Whereas the Flash bug provides black hats with a way in, but only with the same rights as a regular user, the Windows bug upgrades those rights all the way to the admin level.
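To make the use-after-free class concrete, here is an added example in C; it is not code from the article, from Flash Player or from Windows, and all names in it (widget_t, pool_alloc, vulnerable_flow, hardened_flow) are constructed. A toy single-slot allocator stands in for the heap so that the freed object is deterministically reused by the next allocation, which is the behaviour a real heap shows only opportunistically. vulnerable_flow keeps a dangling pointer to a released object whose function-pointer field is then overwritten by whatever data reuses the slot, so the stale call runs code of someone else’s choosing; hardened_flow applies the defensive discipline (clear the pointer on release, check before use) under which the same reuse no longer leads anywhere.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Object with a function pointer: the classic field a use-after-free lets
 * an attacker overwrite. Name and layout are constructed for this example. */
typedef int (*handler_fn)(void);
#define SLOT_SIZE 64
typedef struct {
    handler_fn on_event;
    char label[SLOT_SIZE - sizeof(handler_fn)];
} widget_t;

/* Toy single-slot allocator (constructed): the freed slot is handed back to
 * the very next allocation, so the reuse a real heap performs opportunistically
 * happens deterministically here and the example runs the same everywhere. */
static union { unsigned char bytes[SLOT_SIZE]; void *align; } g_slot;
static int g_slot_in_use;

static void *pool_alloc(size_t n) {
    if (n > SLOT_SIZE || g_slot_in_use) return NULL;
    g_slot_in_use = 1;
    return g_slot.bytes;
}
static void pool_free(void *p) {
    if (p == (void *)g_slot.bytes) g_slot_in_use = 0;
}

static int legit_handler(void) { return 1; }
/* Stands in for "arbitrary code": control lands wherever the bytes placed in
 * the reused slot happen to point. */
static int hijacked_handler(void) { return 0xBAD; }

/* Vulnerable flow: the widget is released, but a raw pointer to it is kept
 * and used later. Returns whatever the stale function pointer ran. */
int vulnerable_flow(void) {
    widget_t *w = pool_alloc(sizeof *w);
    if (!w) return -2;
    w->on_event = legit_handler;
    pool_free(w);                              /* w now dangles */

    /* Attacker-influenced data reuses the same memory... */
    unsigned char *buf = pool_alloc(SLOT_SIZE);
    handler_fn planted = hijacked_handler;
    memcpy(buf, &planted, sizeof planted);     /* ...landing on w->on_event */

    int result = w->on_event();                /* use after free: planted code runs */
    pool_free(buf);
    return result;
}

/* Hardened flow: ownership is released through one helper that clears the
 * pointer, and every use checks it first. The same slot reuse happens, but the
 * stale handle can no longer be followed. */
static void widget_release(widget_t **w) {
    if (*w) { pool_free(*w); *w = NULL; }
}
int hardened_flow(void) {
    widget_t *w = pool_alloc(sizeof *w);
    if (!w) return -2;
    w->on_event = legit_handler;
    widget_release(&w);

    unsigned char *buf = pool_alloc(SLOT_SIZE);
    handler_fn planted = hijacked_handler;
    memcpy(buf, &planted, sizeof planted);

    int result = w ? w->on_event() : -1;       /* stale use refused: -1 */
    pool_free(buf);
    return result;
}

int main(void) {
    printf("vulnerable flow: stale handler returned 0x%X\n", vulnerable_flow());
    printf("hardened flow returned %d (stale use refused)\n", hardened_flow());
    return 0;
}
```

The point of the two flows side by side is that the reuse of freed memory is not the bug by itself; the bug is keeping and following a pointer whose lifetime has ended. On a real system that stale call is what turns a memory-safety error into code execution in the process, and on Windows an EoP such as the kernel bug discussed here is what a second stage would need to get from that process to SYSTEM. Compiling the vulnerable flow with a sanitizer against a real allocator instead of this toy pool is the usual way to catch the pattern during testing.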


The Flash vulnerability was present in every supported version of Windows before the patch release. Knowing this, with an update already at hand, was Google’s rushed communication even necessary? The executive vice president of Microsoft’s Windows and Devices group, Terry Myerson, openly criticized the web giant, going as far as calling the decision “disappointing, and puts customers at increased risk”. Then again, what Google did is nothing new, as it only followed its own vulnerability disclosure policy. “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure”, Myerson went on. It’s certain that not everyone agrees with this one-size-fits-all approach.

That being said, what do you think? Should we take the human element out of the equation and systematically communicate flaws as they appear? Or should we keep them under wraps until a patch is released? A controversial debate for another time, perhaps.

Russian APT group strikes again: bugs, bugs everywhere

In the meantime, Microsoft confirmed who is behind the ongoing cyber-attacks targeting Windows: a Russian hacking group that will probably go down in history as the cybercriminal organization with the most nicknames. We counted 5 so far: Strontium, Fancy Bear, Advanced Persistent Threat 28, Sednit and Sofacy. Since it seems like each entity analyzing this hacking campaign gets to baptize it, we would like to mention that, if it were up to us, the name we would have come up with is Bratva (in Russian, “brotherhood”; a nickname for the Russian Mafia). #badass

But, for the purpose of this article and for the sake of our readers’ sanity, we shall settle for Fancy Bear.

Famous for its alleged hacking of the Democratic National Committee, this APT group starts by sending out malicious emails from hacked or fake email accounts on the off-chance that someone, somewhere will finally click on that seemingly harmless link, enabling them to plant a backdoor. Described as a “low-volume spear-phishing campaign”, “its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries”, according to Microsoft. “Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia”.

As we’ve already mentioned, the Russian perpetrators seek out intel using fake emails that rely on the fear factor. Basically, the group continuously pursues its target for several months, harassing it with fake “privacy alerts” supposedly issued by Google or Microsoft. This is exactly what happened to John Podesta, Hillary Clinton’s campaign leader. Last March, Podesta finally gave in to the temptation of clicking on the link provided by a fake alert to change his password. What’s more, the email appears to have been so expertly crafted that it fooled Clinton’s entire campaign staff. “Once inside, [the APT group] moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information”, Myerson added.

Up to this point, it’s your ordinary advanced persistent threat all the way. However, where Fancy Bear is really special (besides being called that) is its way of working. Known since at least 2007, it distinguishes itself today as one of the most potent threats in cyberspace. According to a report issued last year by Microsoft, the hacker group is characterized by its “aggressive, persistent tactics and techniques, and its repeated use of new zero-day exploits to attack its targets”. Myerson did not hesitate to state that “Microsoft has attributed more [zero-day] exploits to Fancy Bear than any other tracked group in 2016”.


There’s no turning your weaknesses into strengths this time

In cybersecurity, a weak spot is just that… a weak spot. So what can you do? Well, you can patch, patch again and then patch some more.

Windows’ latest security Patch Tuesday became available on November 8th. Containing no more, no less than 14 updates (or “bulletins”, as Microsoft prefers to call them), this patch addresses several types of vulnerabilities:

- Six Remote Code Execution (RCE) bugs, deemed critical;
- One Remote Code Execution bug, deemed important, but not critical;
- Six Elevation of Privilege (EoP) bugs, all deemed important except for the CVE-2016-7255 vulnerability explained in this article, which was deemed highly critical;
- One Security Bypass hole, deemed important.

Documented in bulletin MS16-135, or Security Update for Windows Kernel-Mode Drivers (3199135), the EoP vulnerability that Google outed made a lot of noise, even though there were five other different bugs in the kernel. And with good reason! This particular bug earned Microsoft’s highest exploitability score, meaning zero. We should explain that, in this case, the lower the score, the direr the situation. Whereas 4 means “not affected”, 1 implies “exploitation [is] more likely”, so you can safely assume that cybercriminals will probably find out about it soon. When a vulnerability gets a score of 0, however, it means we’ve definitely hit rock bottom, as “exploitation [has already been] detected”. Makes it easy to understand now why this type of bug is called a 0-day, right?

Now that we’ve shed some light on this controversial Windows vulnerability, there’s one more thing we’d like to add (or repeat):

Link:

https://www.reveelium.com/en/windows-vulnerability-oh-my-kernel/