A month ago, we wrote about finding an exploit for a vulnerability in Microsoft Windows. It may sound familiar, but our proactive technologies have detected another zero-day exploit, and again, the exploit targets a previously unknown vulnerability in the operating system. This time, only Windows 7 and Windows Server 2008 are at risk.
That limitation does not make the threat less dangerous, however. Although Microsoft ended mainstream support of Windows Server 2008 in January 2015 and offered a free upgrade at the launch of Windows 10, not everyone upgraded. Microsoft is still providing security updates and support for both systems (and should continue to do so until January 14, 2020) because they still have enough clients to warrant the support.
When we detected the exploit, in late October, our experts immediately reported the vulnerability to Microsoft, along with a proof of concept. Developers promptly patched it on November 13.
What you should know about this vulnerability and corresponding exploit
It is a zero-day elevation of privilege vulnerability in the win32k.sys driver. Using this vulnerability, malefactors can gain the necessary privileges for persistence on a victim’s system.
The exploit was used in several APT attacks, mainly in the Middle East region. It targeted only 32-bit versions of Windows 7. You can find technical data in this Securelist post. Subscribers to our threat intelligence reports can also get more information about the attack by contacting firstname.lastname@example.org.
How to stay safe
Nothing new here — but heed our usual advice for vulnerabilities:
- Install Microsoft’s patch immediately.
- Regularly update all software your company uses to the most recent versions.
- Stop using outdated software before its support ends.
- Use security products with vulnerability assessment and patch management capabilities to automate update processes.
- Use a robust security solution equipped with behavior-based detection capabilities for effective protection against unknown threats including zero-day exploits.
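Of the advice above, the first item is the one you can verify on each host. The following PowerShell is an added example, not code from the original post or from Kaspersky: it reports whether a machine is one of the affected systems named above (Windows 7 or Windows Server 2008, and whether it is 32-bit, the observed exploit's target) and whether a given update is installed. The KB identifier is a placeholder, because the post does not name it; substitute the one from Microsoft's November 13 advisory.

```powershell
# Added example (not from the original post). Checks whether a host is in the
# scope described above and whether the fix is installed.
function Test-Win32kEoPExposure {
    param(
        # Placeholder: replace with the KB id of Microsoft's fix for this vulnerability.
        [string]$PatchKB = 'KB0000000',
        # Host to query; defaults to the local machine. Works for fleet checks
        # wherever CIM/WMI and remote registry access are permitted.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName

    # The post names only Windows 7 and Windows Server 2008 as affected.
    $affectedOs = $os.Caption -match 'Windows 7|Windows Server 2008'

    # The exploit seen in the wild targeted 32-bit Windows 7 only. 64-bit hosts
    # still need the patch, but fall outside the observed exploit's scope.
    $is32Bit = $os.OSArchitecture -like '32*'
    $observedTarget = $affectedOs -and $is32Bit -and ($os.Caption -match 'Windows 7')

    # Get-HotFix only lists updates recorded through Windows Update / WUA;
    # a missing entry is a reason to check update history, not proof the fix is absent.
    $hotfix = Get-HotFix -Id $PatchKB -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $patched = [bool]$hotfix

    [pscustomobject]@{
        ComputerName   = $ComputerName
        OSCaption      = $os.Caption
        Architecture   = $os.OSArchitecture
        AffectedOS     = $affectedOs
        ObservedTarget = $observedTarget
        PatchInstalled = $patched
        ActionRequired = ($affectedOs -and -not $patched)
    }
}

# Run against the local host and show the result.
Test-Win32kEoPExposure | Format-List
```

ActionRequired is true for any affected system without the patch, not only for 32-bit Windows 7, since the vulnerability itself applies to both systems regardless of what the observed exploit targeted.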
Note that once again, credit for detecting this previously unknown threat goes to our proactive technologies: namely, the advanced sandboxing and antimalware engine of the Kaspersky Anti Targeted Attack Platform (a solution made specifically to protect against APT threats) and the automatic exploit prevention technology that forms an integral subsystem of Kaspersky Endpoint Security for Business.