Microsoft fixes CVE-2019-1458 Windows Zero-Day exploited in NK-Linked attacks

Microsoft’s December 2019 Patch Tuesday updates fix a total of 36 flaws, including CVE-2019-1458 Windows zero-day exploited in North Korea-linked attacks

Microsoft’s December 2019 Patch Tuesday updates address a total of 36 flaws, including a Windows zero-day, tracked as CVE-2019-1458 exploited in attacks linked to North Korea. The vulnerability could be exploited to execute arbitrary code in kernel mode.

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the security advisory published by Microsoft.

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”

The CVE-2019-1458 vulnerability is a privilege escalation issue related to how the Win32k component handles objects in memory.

Microsoft addresses this vulnerability by correcting how Win32k handles objects in memory.

The vulnerability was reported by Kaspersky, experts at the security firm confirmed that the CVE-2019-1458 flaw has been exploited in a campaign called Operation WizardOpium.

“In November 2019, Kaspersky technologies successfully detected a Google Chrome 0-day exploit that was used in Operation WizardOpium attacks. During our investigation, we discovered that yet another 0-day exploit was used in those attacks.” reads the analysis published by Kaspersky. “The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox. The exploit is very similar to those developed by the prolific 0-day developer known as ‘Volodya’.”

The exploit was developed by an individual known as “Volodya,” who has been offering for sale exploit in the cybercrime underground. 

The vulnerability has been exploited alongside the CVE-2019-13720 Chrome zero-day as part of a campaign tracked as Operation WizardOpium at the end of October.

The researchers pointed out that the campaign has very weak code similarities with past Lazarus‘s operations, but the evidence they collected doesn’t allow a certain attribution.

“We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag.” reads a post published by Kaspersky.

At least one of the websites targeted in Operation WizardOpium is in line with earlier attacks of the DarkHotel operation.

Kaspersky experts discovered that the Chrome exploit also embeds an exploit for the CVE-2019-1458 vulnerability that was used by attackers to escalate privileges on the compromised system and escape the Chrome process sandbox.

The privilege escalation exploit works against Windows 7 and some Windows 10 builds, according to the experts it doesn’t affect the latest Windows 10 builds.

“The vulnerability itself is related to windows switching functionality (for example, the one triggered using the Alt-Tab key combination). That’s why the exploit’s code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press operation,” Kaspersky explained.

The experts noticed that the compilation timestamp for the file containing the exploit for CVE-2019-1458 was “Wed Jul 10 00:50:48 2019” that is different from the other binaries, a circumstance that indicates it has been in use for some time.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

[adrotate banner=”5″]

[adrotate banner=”13″]