
CVE-2018-8589 Zero-Day Affected Windows Win32k Component

Microsoft’s November 2018 Patch Tuesday has rolled out, and it contains one zero-day vulnerability that needs special attention. CVE-2018-8589 was reported to Microsoft by Kaspersky Lab in October, and was quickly confirmed and assigned a CVE number.

The CVE-2018-8589 flaw was discovered by two Kaspersky Lab researchers – Igor Soumenkov and Boris Larin. The sad part is that the zero-day has been exploited by some cyber-espionage groups in the wild. The attacks are described as “limited”, with victims being located in the Middle East.

CVE-2018-8589 Technical Summary

The vulnerability, which has been classified as an elevation of privilege, affects the Windows Win32k component. It is crucial to note that threat actors first need to infect the system before they can exploit CVE-2018-8589 to gain elevated privileges.

How was the zero-day discovered? Apparently, Kaspersky Lab AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in Microsoft’s Windows operating system. After analyzing this attempt, the researchers came to the conclusion that a zero-day resides in win32k.sys.

As explained by the researchers, the exploit was executed by the first stage of a malware installer in order to gain the necessary privileges for persistence on the victim’s system. More specifically:

CVE-2018-8589 is a race condition present in win32k!xxxMoveWindow due to improper locking of messages sent synchronously between threads. The exploit uses the vulnerability by creating two threads with a class and associated window and moves the window of the opposite thread inside the callback of a WM_NCCALCSIZE message in a window procedure that is common to both threads.

Evidently, CVE-2018-8589 had been used to elevate privileges on 32-bit Windows 7 versions. Microsoft recently patched another elevation of privilege zero-day flaw which was also reported to them by Kaspersky Lab.

Related: PowerPool Hackers Exploit Newly Identified Windows Zero-Day Vulnerability (https://sensorstechforum.com/powerpool-hackers-exploit-newly-identified-windows-zero-day-vulnerability/)

This zero-day was quickly patched by Microsoft but another one was not. The unpatched zero-day (https://sensorstechforum.com/windows-zero-day-vulnerability-twitter/) was made public via Twitter last month.

Information about the bug was posted on Twitter, where it became known that the Microsoft Data Sharing service was affected. This is an important part of the operating system as it allows data sharing between the applications.

An in-depth look at the issue showed that hackers can use it to gain elevated privileges when running malicious code. The proof-of-concept code posted was devised to remove files whose deletion normally requires elevated privileges; these are usually system files or protected data.

It seems that, because of the way the zero-day was disclosed, Microsoft didn’t have enough time to patch the flaw in this month’s Patch Tuesday, so a patch is expected in the near future.

Milena Dimitrova
