Tuesday, April 16, 2019

Zero Day Exploits Patched by Microsoft (CVE-2019-0859 & CVE-2019-0803)

Hi Friends,

You know how much I LOVE patches; actually, they scare the heck out of me...  Here comes the "When I was a <fill in the blank>" moment.  Ready?  Let me get my rocking chair.

When I was a system administrator, patches were the bane of my existence.  Why?  If it isn't broken, DON'T fix it!!  When you work in a production environment, you don't want anything messing up your up-time.  Business people tend to get very fussy when their production applications aren't available, and the last thing I wanted to do was add an unknown into a working system.  Yes, I know that's what test environments are for, but remember, test isn't something you want to break either.  Where do you think these business folks do all their testing?

But alas, being in the security industry has given me a new perspective on patches that I've never had.  Now that I know about some of the creepy crawly code running around the Internet, it scares me even more than patches!

Zero day this, malware that, exploit this, it's enough to make me want to unplug my Ethernet cable and never plug it back in.  But that doesn't even work anymore because of wireless.  ;-)  So what does this paranoid technical guy do?  Patch.  I'm not saying run out and patch your production environment immediately without some sort of test, but we can no longer hide our heads in the sand and hope it goes away.

With that said, let's talk about the latest "Patch Tuesday" Microsoft went through.  Microsoft tends to release patch bundles on the second or fourth Tuesday of each month.  It's a practice they started back in 2003.  Unfortunately Patch Tuesday is now followed by Exploit Wednesday.  Yep, just like the rest of us, Threat Actors get to see what Microsoft patched and it's an opportunity to go after vulnerable systems that haven't been patched yet.

Hold onto your socks for this one.  This latest bundle contained patches for 74 vulnerabilities, with 15 classified as critical.  Let's break it down a bit more.  Within that bundle were also patches for CVE-2019-0859 and CVE-2019-0803.  These two CVEs (Common Vulnerabilities and Exposures entries) fix a problem in win32k.sys.  Win32k.sys is a very important file and is critical in the startup of Windows.  No file, no boot.

These vulnerabilities are what's called a Use-After-Free, which is the incorrect use of dynamic memory during the program's operation.  Basically, the program frees a block of memory when it is done with it but then keeps using that memory anyway.  Because of this situation, Threat Actors have been seen creating a PowerShell "HTTP Reverse Shell", or a backdoor, into a system.

Yep, it's as bad as it sounds.  The attacker is able to run code in kernel mode, and game over man!  They can then install programs, view, change or delete data, or create new accounts with full rights.  And FYI, this isn't for some antiquated OS; this is for Windows 7 and 10.

Believe me, I'm not trying to scare you, just tell you the facts.  But if it does scare you a little, you're starting to understand how I feel.  :-)

There's tons of information about this patch bundle and these two CVEs, but here's a great article from BleepingComputer:
https://www.bleepingcomputer.com/news/security/patched-windows-zero-day-provided-full-control-over-vulnerable-systems/

Be safe out there!
Neil
