[German]In April 2019, Microsoft closed the CVE-2019-0859 vulnerability in Windows with a security update. Kaspersky security researchers have observed multiple attacks attempting to exploit this vulnerability in Windows 7 to 10.
Vulnerability CVE-2019-0859 in Windows
Vulnerability CVE-2019-0859 is located in Win32k.sys and allows attackers to elevate privileges. The vulnerability exists in Windows if the Win32k component does not properly process objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code in kernel mode. He could then install programs, view, modify, or delete data, or create new accounts with full user privileges.
However, to exploit this vulnerability, an attacker must first log on to the system. He could then run a specially developed application that could exploit the vulnerability and take control of an affected system. The CVE-2019-0859 vulnerability exists in all versions of Windows, but cannot be exploited remotely. However, malware delivered to users as downloads or mail attachments could exploit this vulnerability.
Microsoft documented the vulnerability in April 2019 and patched the still supported Windows versions with an update. The problem is that these updates in conjunction with various security products from Avast, Avira and Sophos cause installation problems (see April 2019 updates freezes Windows 7, 8.1, 10 & Server). Some users and administrators have therefore hidden the updates for a while.
Kaspersky discovered exploit in March 2019
Kaspersky security specialists point out that the CVE-2019-0859 vulnerability in win32k.sys is likely to be actively attacked. As early as March 2019, Kaspersky security researchers discovered an attempt to attack Win32k.sys by exploiting the proactive security technologies used in the products. The analysis revealed the zero-day vulnerability CVE-2019-0859 in win32k.sys. Kaspersky then informed Microsoft.
After Microsoft patched this vulnerability last week, Kaspersky reveals some information. The security vendor writes in this document (German, here is an English article) that CVE-2019-0859 is a use after free vulnerability in the system function that handles available dialog boxes, more specifically their complementary styles. According to Kaspersky, the ITW exploit pattern found during attack attempts targeted all 64-bit operating system versions of Windows 7 up to the latest builds of Windows 10.
The exploit of the vulnerability allows the malware to download and execute a script written by the attackers. In the worst case, this can give attackers complete control over the infected device. According to Kaspersky, a previously unidentified criminal APT group could gain sufficient privileges to install a backdoor created with Windows PowerShell using the vulnerability.
Theoretically, this should enable cybercriminals to remain undetected, writes Kaspersky. The backdoor was used to download the payload, which the cybercriminals could use to gain complete control over the infected computer. For more details on how the exploit works, see this report on Securelist.
Kaspersky recommends that you install the relevant security updates and use your own security software to protect against these exploits (they now detect the exploit). However, the installation of security updates is a problem if they cannot be installed due to problems.
Microsoft Office Updates (Patchday April 2, 2019)
Microsoft Security Update Summary (April 9, 2019)
Patchday: Updates for Windows 7/8.1/Server (April 9, 2019)
Patchday Windows 10-Updates (April 9, 2019)
Patchday Microsoft Office Updates (April 9, 2019)