CVE-2019-0797: Zero-day exploits keep coming

Our proactive technologies detected yet another Windows exploit that was used in APT attacks.

At the risk of seeming monotonous, we are compelled by circumstances to report that, three months after the last zero-day vulnerability was found, our proactive technologies have uncovered another Windows exploit. This time the vulnerability affects many more versions of the operating system: 64-bit Windows 8 and Windows 10 (up to build 15063) are squarely in the danger zone. We duly notified Microsoft, and a fix was included in the system update released on March 12, 2019.

Curiously, though, despite the continual release of updates for current versions, many users are in no hurry to install them for fear of disrupting their computers’ operations. This “wait and see what happens to others” approach is not recommended.

What is CVE-2019-0797?

This is no less than the fourth privilege escalation exploit detected by our systems in recent months. As in the case of CVE-2018-8589, it is a race condition in the win32k.sys driver (technical details are available on Securelist). We know of several targeted attacks that used this exploit. As a privilege escalation bug it does not give an attacker a foothold by itself, but once code is already running on the machine it potentially lets the intruder gain complete control over the vulnerable system.

How to avoid problems

Our advice remains the same:

  • Install the corresponding system update (available on the Microsoft website);
  • Always update software (in particular, operating systems) to the latest versions, and where possible replace software whose support period has expired;
  • Use security solutions with behavioral analysis technologies.
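The following PowerShell script is an added example written for this page, not code from Kaspersky or Microsoft. It triages a Windows host against the affected range given above (64-bit Windows 8 and Windows 10 up to build 15063) and reports whether any update has been installed since the March 12, 2019 release. The post does not name the KB article for the fix, so the update check is a date heuristic rather than proof that CVE-2019-0797 is patched; the mapping of "Windows 8" to build 9200 and the function name `Get-Cve20190797Exposure` are assumptions made here. It also reports the version of win32k.sys so that it can be compared against the patched version in Microsoft's advisory for that build.

```powershell
# Added example, not part of the original post. Triage a host against the
# affected range named in the article and check for updates since the fix date.
function Get-Cve20190797Exposure {
    [CmdletBinding()]
    param(
        # Release date of the fix as given in the article; the KB number is not.
        [datetime]$PatchReleaseDate = [datetime]'2019-03-12'
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Assumption: "Windows 8 and 10 (up to build 15063)" covers build 9200
    # (Windows 8) through 15063 (Windows 10 version 1703). Only 64-bit is affected.
    $affectedBuild = ($build -ge 9200) -and ($build -le 15063)
    $is64bit       = $os.OSArchitecture -like '64*'

    # Heuristic: any hotfix installed on or after the release date. Some Get-HotFix
    # entries have no InstalledOn value, so guard against $null before comparing.
    $recentUpdates = @(
        Get-HotFix |
            Where-Object { $_.InstalledOn -and ($_.InstalledOn -ge $PatchReleaseDate) } |
            Sort-Object -Property InstalledOn -Descending
    )

    # The driver that carries the race condition. Compare this version with the
    # one listed in Microsoft's advisory for your build; it is not hard-coded here.
    $win32kPath = Join-Path -Path $env:SystemRoot -ChildPath 'System32\win32k.sys'
    $win32k     = Get-Item -Path $win32kPath -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Caption           = $os.Caption
        Build             = $build
        Is64Bit           = $is64bit
        InAffectedRange   = ($affectedBuild -and $is64bit)
        Win32kVersion     = if ($win32k) { $win32k.VersionInfo.FileVersion } else { $null }
        UpdatesSincePatch = @($recentUpdates | Select-Object -ExpandProperty HotFixID)
        # "Likely exposed" means: in the affected range and nothing installed
        # since the fix shipped. A recent update does not by itself prove the fix
        # is present; confirm the KB from Microsoft's advisory.
        LikelyExposed     = ($affectedBuild -and $is64bit) -and ($recentUpdates.Count -eq 0)
    }
}

# Usage: run in an elevated or standard PowerShell session on the host to check.
Get-Cve20190797Exposure | Format-List
```

Run it across a fleet with `Invoke-Command -ComputerName ... -ScriptBlock ${function:Get-Cve20190797Exposure}` and filter on `LikelyExposed` to find machines that still need the March update; hosts reporting a build above 15063 are outside the range the article names and are not flagged.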

The technologies used to detect the exploit (Advanced Sandboxing, Anti Targeted Attack, Behavioral Detection Engine, Automatic Exploit Prevention) are deployed in the Kaspersky Security for Business solution.