Microsoft sent out a patch on Tuesday that sought to fix two actively exploited Windows zero-day vulnerabilities. The first, which targeted Windows 7 users, was brought to public attention last week by Google security engineer Clement Lecigne. He warned that the zero-day vulnerability could be used together with a Chrome exploit to take over Windows systems, and advised people to upgrade to Windows 10.
The second flaw was found by Kaspersky Lab, which said it had detected a new exploited vulnerability in Windows that it believes has been used in targeted attacks by at least two threat actors.
The exploit targets Windows 8 and Windows 10, using a vulnerability in the Microsoft Windows graphics subsystem to achieve local privilege escalation. This gives the attacker full control over the victim's computer.
The exploited vulnerability was detected by Kaspersky Lab’s Automatic Exploit Prevention technology.
Kaspersky Lab products detect the exploit as:
The Kaspersky researchers who discovered the bug, Vasiliy Berdnikov, and Boris Larin, say in a blog post: “In February 2019, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys.”
They add: “CVE-2019-0797 is a race condition that is present in the win32k driver due to a lack of proper synchronization between undocumented syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection.”
This is the fourth consecutive exploited local privilege escalation vulnerability in Windows recently discovered by Kaspersky.
The researchers believe the detected exploit could have been used by several threat actors including FruityArmor and SandCat.
Active since around 2016, FruityArmor is known to have used zero-days in the past on people linked with various government organizations. SandCat is a new threat actor discovered only recently by Kaspersky. In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.
Check for this patch update and install it immediately, and make sure you patch regularly to take advantage of all updates.