0-day in Windows Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/0-day-in-windows/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Unofficial fixes released for 0-day issue in Windows Mobile Device Management Service
https://gridinsoft.com/blogs/unofficial-fixes-released-for-0-day-issue-in-windows/
Tue, 30 Nov 2021 21:42:50 +0000

Unofficial fixes have been released for a 0-day issue in the Windows Mobile Device Management Service (the Access to Work or School feature). The problem is present on devices running Windows 10, version 1809 and later.

The bug is a bypass of the information disclosure patch (CVE-2021-24084) that Microsoft engineers released in February this year. This month, cybersecurity researcher Abdelhamid Naceri, who originally discovered the problem, noticed that the vulnerability was not fully fixed and can be used to gain administrator rights.

“As we learned from HiveNightmare and SeriousSAM, an arbitrary file disclosure can be upgraded to a local privilege escalation if you know which files to take and what to do with them,” explains 0patch co-founder Mitja Kolsek.

0patch confirms that by combining the method described in researcher Raj Chandel's blog with the bug discovered by Abdelhamid Naceri, it is possible to run code as a local administrator.

While Microsoft has most likely already taken notice of the researchers’ reports, the company has yet to fix the bug, meaning that systems running Windows 10, even with the latest security updates from November 2021, are still vulnerable to attacks.

Fortunately, two specific conditions must be met for the vulnerability to be exploited. First, system protection must be enabled on drive C and at least one restore point must exist. Second, at least one local administrator account must be enabled on the computer, or the credentials of at least one member of the Administrators group must be cached.

While Microsoft prepares patches, 0patch has already released free unofficial updates for all vulnerable versions of Windows 10 (0patch also supports Windows 10 21H2). Let me remind you that 0patch is a platform designed for exactly such situations: it delivers fixes for zero-days and other unpatched vulnerabilities, and supports products that are no longer maintained by their manufacturers, custom software, and so on.

The fixes are already available and apply to the following Windows versions:

  • Windows 10 v21H1 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v20H2 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v2004 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v1909 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v1903 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v1809 (32-bit and 64-bit) with May 2021 updates.

Experts point out that the bug does not affect Windows Server, since the problematic functionality simply is not present there (there is no Access to Work or School on Windows Server), nor does it affect Windows 10 version 1803 and earlier, where Access to Work or School works in a different way.

Google: 11 0-day vulnerabilities identified in the first half of 2020
https://gridinsoft.com/blogs/google-11-0-day-vulnerabilities-identified-in-the-first-half-of-2020/
Tue, 04 Aug 2020 16:38:05 +0000

Google Project Zero experts estimate that 11 0-day vulnerabilities, actively exploited by hackers, were identified in the first half of 2020.

The current count of 0-day problems suggests that, most likely, the same number of zero-day vulnerabilities will be identified over the whole of this year as in 2019 (20).

The link above leads to the company’s internal statistics, which Google specialists have collected and tracked since 2014. For the first half of 2020, the experts included the following problems in their list.

1. Firefox (CVE-2019-17026)

The bug that received the identifier CVE-2019-17026 was discovered by experts from the Chinese company Qihoo 360. It lies in IonMonkey, the JIT compiler of SpiderMonkey, the JavaScript engine at the core of Firefox that is responsible for executing JavaScript. The vulnerability has been classified as a type confusion.

The patches are included with Firefox 72.0.1 and are available here.

2. Internet Explorer (CVE-2020-0674)

The problem was exploited by the North Korean hacker group DarkHotel, in conjunction with the aforementioned 0-day bug in the Firefox browser. Both issues were used to track targets in China and Japan, and were discovered by Qihoo 360 and JPCERT experts. Victims of this campaign were redirected to a site where either the Firefox or the IE vulnerability was exploited; the victims were then infected with the Gh0st RAT.

The patches are included in the February “Patch Tuesday” and are available here.

3. Chrome (CVE-2020-6418)

The vulnerability was identified by experts from the Google Threat Analysis Group, but there are no details about the attacks that exploited the problem.

The bug was fixed with the release of Chrome version 80.0.3987.122, patches are available here.

4 and 5. Trend Micro OfficeScan (CVE-2020-8467 and CVE-2020-8468)

Trend Micro employees spotted both zero-days. The bugs were supposedly discovered while Trend Micro was investigating a different, older zero-day issue in the same product, which had been used in the hack of Mitsubishi Electric.

The patches can be found here.

6 and 7. Firefox (CVE-2020-6819 and CVE-2020-6820)

Detailed information about the attacks that used these 0-days has not yet been published, although cybersecurity researchers speculate that these problems could be part of a chain of exploits.

The vulnerabilities are fixed in Firefox 74.0.1; patches are available here.

8, 9, and 10. Microsoft (CVE-2020-0938, CVE-2020-1020, and CVE-2020-1027)

Google experts found and reported all three bugs to Microsoft engineers. As with most other Google Threat Analysis Group “discoveries”, the details of these issues are kept secret and nothing is known about the attacks. The vulnerabilities were fixed as part of the April “Update Tuesday”; patches are available here.

11. Sophos XG Firewall (CVE-2020-12271)

Earlier in 2020, an unknown group of hackers discovered and exploited this vulnerability. Sophos experts later said that the hackers used the bug to try to deploy the Ragnarok ransomware on infected hosts, but the company blocked most of the attempts.

Patches are available here.

Let me remind you that in 2019, Google specialists discovered 20 zero-day vulnerabilities, 11 of which were found in Microsoft products.


At the same time, the experts explain that Microsoft products account for the most bugs because more security tools are designed to detect bugs in Windows.

ZDI experts described five 0-day vulnerabilities in Windows
https://gridinsoft.com/blogs/zdi-experts-described-five-0-day-vulnerabilities-in-windows/
Wed, 20 May 2020 16:56:51 +0000


Researchers from the Trend Micro Zero Day Initiative (ZDI) team published information on five unpatched 0-day vulnerabilities in Windows, four of which are rated high risk.

Three zero-day vulnerabilities, which received identifiers CVE-2020-0916, CVE-2020-0986 and CVE-2020-0915, scored 7 points out of 10 possible on the CVSS vulnerability rating scale.

“Essentially, these three problems can allow an attacker to increase their privileges in a vulnerable system to the level of the current user. Fortunately, attackers who decide to exploit these bugs will first have to gain low-privileged access to the target system,” ZDI experts report.

The root of these problems lies in splwow64.exe, the user-mode printer driver host process: user-supplied input is not validated before a pointer is dereferenced.

The same process, splwow64.exe, is subject to another, less serious problem, tracked as CVE-2020-0915. That vulnerability scored only 2.5 points on the CVSS scale and likewise stems from a lack of proper validation of user-provided data.

The experts write that they notified Microsoft about these problems in December 2019, and the company intended to include patches for them in the May “Update Tuesday.” However, the company’s engineers failed to meet this deadline; so far, only beta versions of the patches have been provided to the ZDI researchers for testing, and end users have not received fixes.

ZDI experts also discovered another vulnerability that has no CVE identifier. This bug allows attackers to escalate their privileges and is related to how the system processes WLAN connection profiles. The researchers estimate this bug at about 7 points on the CVSS scale. In this case too, the attacker must first gain access to the target system, and only then can the problem be exploited.

“By creating a malicious profile, an attacker can receive credentials for a computer account. An attacker can use this vulnerability to increase their privileges and execute code with administrator rights,” the experts say.

Interestingly, Microsoft engineers do not intend to fix this problem at all, at least not in the near future.

We have already written about one such protracted 0-day fix in Internet Explorer, which was eliminated only when cybercriminals were already actively exploiting the vulnerability.
