Security Experts:

Details of Actively Exploited Windows Flaw Made Public

Researchers from Chinese cybersecurity firm Qihoo 360 have made public technical details that can be used to construct a proof-of-concept (PoC) exploit for CVE-2019-0808, a recently patched Windows vulnerability that has been involved in targeted attacks.

The existence of CVE-2019-0808 was brought to light a week ago when Google’s Threat Analysis Group revealed that it had been exploited alongside CVE-2019-5786, a Chrome vulnerability that the browser’s developers patched on March 1.

Google released limited technical information about the Windows vulnerability before Microsoft managed to release a patch. A fix was made available to users on March 12, when Microsoft released its Patch Tuesday updates.

The security hole affects the Win32k component in Windows and allows an authenticated attacker to elevate privileges and execute arbitrary code in kernel mode. It can also be used to escape sandboxes if combined with a web browser vulnerability.

The flaw only appears to affect Windows 7 and Windows Server 2008 as Windows 10 includes some additional mitigations that prevent exploitation.

A blog post published on Thursday by the Chengdu Security Response Center of 360 Core Security discloses not only the root cause of the vulnerability, but also explains how it can be triggered and how Microsoft has addressed it.

The Chinese researchers say they have created a PoC exploit, but they have not made it public in its entirety. Instead, they have published several images showing the relevant code and step-by-step instructions on how the flaw can be triggered.

No information has been shared on the targeted attacks involving CVE-2019-0808, but now that more technical details are available it will likely be used in more attacks.

“Considering that some users are still using Windows 7 and this vulnerability combined with Chrome RCE (CVE-2019-5786) has been used for real APT attacks, this 0day is very likely to be exploited to perform large-scale attacks and pose a real threat,” the researchers said.

Another Windows zero-day patched by Microsoft this week has been exploited in targeted attacks by at least two threat actors. The flaw was spotted by Kaspersky Lab after it had been leveraged in attacks by groups tracked by the security firm as SandCat and FruityArmor.

Related: Exploit Published for Windows Task Scheduler Zero-Day

Related: Exploit for New Windows Zero-Day Published on Twitter

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.