In the latest Cumulative Update, Microsoft has patched a vulnerability in Windows 10 discovered and reported by Kaspersky in August 2018, which was being used in very targeted attacks in the Middle East.
CVE-2018-8453 | Win32k Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Kaspersky believes the exploit was being used by the hacker group FruityArmor and notes that the “code of the exploit is of high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4.”
Kaspersky Lab says they detected the exploit proactively through the following technologies:
- Behavioral detection engine and Automatic Exploit Prevention for endpoints
- Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)
With only a few known victims in the Middle East and a high-quality exploit, it seems likely that the attacks are state-sponsored, but Kaspersky notes that the number of victims is too small to know for sure what the common pattern is.
Read all the details at Kaspersky here.