After yesterday's Patch Tuesday, Microsoft's monthly security patch day, on which the company released eight security bulletins fixing dozens of vulnerabilities, security firms have reported two zero-day vulnerabilities that are being exploited in the wild, both of them in the Windows kernel.
According to security firm FireEye, one of the firms that researched both vulnerabilities, the flaws can lead to an elevation of privilege if left unpatched. Both zero-day vulnerabilities are currently being exploited in the wild against major corporations, the firm says.
Attackers exploited the first zero-day (CVE-2014-4148), in Windows' handling of TrueType fonts (TTF), by embedding a malicious TTF in a Microsoft Office file. When the victim opens the file, the font is processed in kernel mode, and the exploit can load an embedded DLL that is actually a remote access tool. Researchers say the kernel-level exploit is sophisticated: it evades analysis, avoids running its shellcode more than once, and is customized for each targeted environment.
“Since TTF exploits target the underlying operating system, the vulnerability can be exploited through multiple attack vectors, including web pages,” Dan Caselden, Matt Graebler and Lindsay Lack, the trio that disclosed this zero-day at FireEye, wrote in the company’s blog post.
The exploit seen in the wild only targets 32-bit systems, but the vulnerability can also affect 64-bit systems, according to FireEye researchers.
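Because the CVE-2014-4148 delivery vehicle described above is an Office file carrying an embedded font, one triage check a defender can run is to flag Office Open XML documents that contain embedded font parts at all. The script below is an added example, not code from the article or from FireEye; it assumes the standard OOXML layout (font parts under `word/fonts/` or `ppt/fonts/`, `.odttf`/`.fntdata` extensions, and `w:embed*` declarations in `word/fontTable.xml`) and builds a constructed sample document in memory to scan.

```python
import io
import zipfile

# Assumed OOXML conventions for embedded font parts (not taken from the article).
EMBEDDED_FONT_DIRS = ("word/fonts/", "ppt/fonts/")
EMBEDDED_FONT_EXTS = (".odttf", ".fntdata", ".ttf", ".otf")
# Raw font magic numbers; real .odttf parts are obfuscated, so this only
# catches fonts that were dropped in unobfuscated.
FONT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def find_embedded_fonts(data: bytes) -> list:
    """Return zip entry names in an OOXML file that look like embedded fonts.

    A non-empty result means the document deserves a closer look; it does
    not by itself mean the font is malicious.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            by_path = name.startswith(EMBEDDED_FONT_DIRS) or name.endswith(EMBEDDED_FONT_EXTS)
            with zf.open(info) as fh:
                by_magic = fh.read(4) in FONT_MAGICS
            if by_path or by_magic:
                hits.append(info.filename)
        # Word also declares embedding explicitly in the font table.
        if "word/fontTable.xml" in zf.namelist():
            if b"w:embed" in zf.read("word/fontTable.xml"):
                hits.append("word/fontTable.xml (declares embedded font)")
    return hits


def build_sample_docx(embed_font: bool) -> bytes:
    """Constructed sample: just enough .docx structure to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if embed_font:
            zf.writestr("word/fontTable.xml",
                        '<w:fonts><w:font w:name="X"><w:embedRegular r:id="rId1"/></w:font></w:fonts>')
            zf.writestr("word/fonts/font1.odttf", b"\x00\x01\x00\x00" + b"\x00" * 60)
        else:
            zf.writestr("word/fontTable.xml", '<w:fonts><w:font w:name="Calibri"/></w:fonts>')
    return buf.getvalue()


if __name__ == "__main__":
    print("clean:", find_embedded_fonts(build_sample_docx(False)))
    print("embedded:", find_embedded_fonts(build_sample_docx(True)))
```

Point the scanner at real files with `find_embedded_fonts(open(path, "rb").read())`; legitimate documents do embed fonts occasionally, so treat a hit as a reason to review, not as a verdict.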
The second zero-day vulnerability (CVE-2014-4113) has, according to FireEye, existed in some form or variation throughout the lifetime of Windows. It relies on a 32-bit exploit that is only useful in combination with another exploit: once an attacker already has access to a system running Windows 7, Vista, XP, Windows 2000, Windows Server 2003/R2, Windows Server 2008/R2, Windows 8.x or Windows Server 2012/R2, they can exploit CVE-2014-4113 to elevate their privileges.
Once the attacker has gained access to a remote system, they are able to execute code within the context of the Windows Kernel.
California-based security firm CrowdStrike also spotted ongoing exploitation of CVE-2014-4113. According to the company, over the past few months its researchers noticed "suspicious activity" on a 64-bit Windows Server 2008 R2 machine.
The activity was attributed to a threat actor CrowdStrike has since dubbed "Hurricane Panda," which allegedly operates out of China and has abused the vulnerability to elevate its privileges to SYSTEM.
The vulnerability has been actively exploited in the wild since February against infrastructure companies, with the CVE-2014-4113 exploit used alongside three other local privilege escalation exploits to gather intelligence, according to researchers.
Once the exploit succeeds, attackers upload a webshell and carry out the rest of their attack from there.
"The actor will typically attempt to escalate privileges and use a variety of password dumping utilities to obtain legitimate credentials for use in accessing their intelligence objectives," the company said on its blog.
FireEye has confirmed that CrowdStrike's research was correct and that the flaw affects all 64-bit Windows variants "up to and including Windows 7 and Windows Server 2008 R2."
Both zero-day vulnerabilities were patched by Microsoft in yesterday's MS14-058 bulletin, one of the three bulletins rated critical because, if left unpatched, the flaws could lead to remote code execution.