Attackers use 0day vulnerabilities in cyber attacks on users

    Microsoft has released information about the high-profile vulnerabilities that Google had previously pointed out in a post. Attackers used a chain of two vulnerabilities (RCE + LPE) to remotely execute code via Flash Player and then bypass the browser sandbox through win32k.sys. The Flash Player vulnerability, CVE-2016-7855, was fixed by Adobe update APSB16-36. An update for win32k.sys has not yet been released, although the vulnerability affects all supported versions of Windows.

    Earlier, we wrote several times about the mechanisms for blocking exploit actions in the Google Chrome and Microsoft Edge web browsers (Windows 10). Both of these web browsers, in addition to using a sandbox based on AppContainer isolation, restrict the use of system services of the win32k.sys driver. Chrome and Edge therefore also block the attempt to exploit the LPE vulnerability in this driver, but only on Windows 10.

    Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google's Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.

    Source

    Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.

    Source

    Edge uses a special method for blocking Win32k.sys in the context of sandboxed processes called Win32k syscall filtering. It allows the kernel to block the execution of specific Win32k.sys system calls that were specified by the application (only on Windows 10). Unlike Edge, Chrome uses full blocking of Win32k.sys calls based on the built-in mitigation mechanism of Windows 8+, SetProcessMitigationPolicy with the ProcessSystemCallDisablePolicy parameter. Thus, on Windows 7 and Windows Vista, neither of the two web browsers can completely block the exploit. The well-known Microsoft EMET tool also cannot block the action of such an LPE exploit.
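    The practical question for an administrator is whether the browser processes on a given machine actually run with the Win32k lockdown described above. The following PowerShell script is an added example, not code from the original post or from Microsoft or Google; it assumes the ProcessMitigations module (Get-ProcessMitigation, shipped with Windows 10 1709 and later), an elevated prompt so that other users' processes are visible, and that the returned object exposes the lockdown state under a SystemCall.DisableWin32kSystemCalls property; the process names in $ProcessNames are assumptions for illustration.

```powershell
# Added example: report whether running browser processes have the
# Win32k system call lockdown (ProcessSystemCallDisablePolicy) in effect.
# Assumes the ProcessMitigations module (Windows 10 1709+) and an elevated prompt.
param(
    # Assumed process names: Chrome, Chromium-based Edge, and the 2016-era Edge content process.
    [string[]]$ProcessNames = @('chrome', 'msedge', 'MicrosoftEdgeCP')
)

# The lockdown only protects on Windows 10; on Windows 7 / Vista neither browser can block the exploit.
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
if ($osVersion.Major -lt 10) {
    Write-Warning "Windows $osVersion: the Win32k lockdown is unavailable here, the browsers cannot block the sandbox escape."
    return
}

$report = foreach ($name in $ProcessNames) {
    if (-not (Get-Process -Name $name -ErrorAction SilentlyContinue)) { continue }

    # -RunningProcesses reports the mitigations effective on live processes,
    # not the registry policy; one object is returned per process instance.
    $mitigations = Get-ProcessMitigation -Name $name -RunningProcesses
    foreach ($m in $mitigations) {
        [pscustomobject]@{
            Process            = $name
            Win32kLockdown     = $m.SystemCall.DisableWin32kSystemCalls   # ON / OFF / NOTSET (assumed property path)
        }
    }
}

if (-not $report) {
    Write-Warning "None of the expected browser processes are running."
    return
}

$report | Sort-Object Process | Format-Table -AutoSize

# Summarise: any sandboxed browser process without the lockdown is worth investigating
# (e.g. a policy or extension that turned the mitigation off).
$unprotected = $report | Where-Object { "$($_.Win32kLockdown)" -ne 'ON' }
if ($unprotected) {
    Write-Warning ("{0} browser process(es) lack the Win32k lockdown." -f @($unprotected).Count)
} else {
    Write-Host "All observed browser processes run with the Win32k lockdown enabled."
}
```

    Note that a browser's main (broker) process legitimately keeps Win32k access, since it draws the UI; only the sandboxed renderer or content processes are expected to show ON, so a mixed result across instances of the same executable is normal rather than a sign of tampering.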

    We recommend that users wait for the appropriate Windows update to be released and install it.
