ESET researchers have discovered a security flaw within Windows. The vulnerability is located in the Windows Win32 kernel, part of the subsystem that allows applications to communicate with the operating system and hardware.
The flaw "can be used to escalate privileges on an already compromised machine and allow attackers to execute malicious code with the highest privileges," explained Benoit Grunemwald, cybersecurity expert at Eset France, to 01net. In short, a hacker could take complete control of a computer, install viruses or exfiltrate sensitive data. Exploiting the flaw does not require the victim to click on a link, open a file, or perform any other action.
This is a Use-After-Free (UAF) vulnerability, "related to improper use of memory during software operation", the expert explains. This type of flaw occurs when a program continues to use a memory region after it has been freed. It "can lead to software crashes, malicious code execution (including remote execution), privilege escalation, or data corruption."
A flaw combined with malware
According to research conducted by Eset, the vulnerability has been exploited in cyberattacks since 2023. To exploit the flaw, hackers first use a virus called PipeMagic. This malware is "capable of exfiltrating data and allowing remote access to the machine," opening the door to exploiting the Windows Win32 kernel flaw. Discovered by Kaspersky in 2022, the malware has been implicated in ransomware attacks.
Numerous versions of Windows are vulnerable, including still-supported iterations, "prior to Windows 10 build 1809, including Windows Server 2016." Benoit Grunemwald specifies that older versions of Windows, which are no longer supported by Microsoft, are also affected, namely Windows 8.1 and Server 2012 R2. Millions of computers are vulnerable and "at risk of being compromised."
Microsoft deploys a patch
Alerted by Eset, Microsoft has fixed the flaw as part of its latest Patch Tuesday. According to the software publisher, exploiting the flaw requires a certain amount of expertise. In a response to 01Net, Tenable confirms Microsoft's analysis and believes that its "exploitation appears more complex than usual." Indeed, exploiting the vulnerability requires winning a race condition: the flaw can only be triggered when multiple kernel processes attempt to access the already freed memory resource, and whether the vulnerability manifests depends on the order in which these processes access that memory.
At the same time, Microsoft has also fixed six other vulnerabilities in the operating system. Eset strongly recommends that users of affected Windows systems follow Microsoft's advice and apply the necessary patches. Additionally, users of computers running outdated versions of Windows are encouraged to upgrade to newer versions. As reported by our colleagues at Bleeping Computer, the Eset alert has been forwarded to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Believing that "these types of vulnerabilities are attack vectors commonly exploited by cybercriminals and represent major risks," the agency is asking all US federal agencies to install the patches before April 1, 2025.