Microsoft’s November 2018 Patch Tuesday has rolled out, and it contains one particular zero-day vulnerability that needs special attention. CVE-2018-8589 was reported to Microsoft by Kaspersky Lab in October, and was quickly confirmed and assigned a CVE number.
The CVE-2018-8589 flaw was discovered by two Kaspersky Lab researchers – Igor Soumenkov and Boris Larin. The sad part is that the zero-day has been exploited by some cyber-espionage groups in the wild. The attacks are described as “limited”, with victims being located in the Middle East.
CVE-2018-8589 Technical Summary
The vulnerability, which has been classified as an elevation of privilege, affects the Windows Win32k component. It is crucial to note that threat actors first need to infect the system prior to exploiting CVE-2018-8589 to gain elevated privileges.
How was the zero-day discovered? Apparently, Kaspersky Lab AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in Microsoft’s Windows operating system. After analyzing this attempt, the researchers came to the conclusion that a zero-day resides in win32k.sys.
As explained by the researchers, the exploit was executed by the first stage of a malware installer in order to gain the necessary privileges for persistence on the victim’s system. More specifically:
CVE-2018-8589 is a race condition present in win32k!xxxMoveWindow due to improper locking of messages sent synchronously between threads. The exploit uses the vulnerability by creating two threads with a class and associated window and moves the window of the opposite thread inside the callback of a WM_NCCALCSIZE message in a window procedure that is common to both threads.
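As an added illustration, not code from the article or from the Kaspersky write-up and not a model of the real win32k internals, the C program below shows the class of bug the paragraph describes in a deterministic, single-threaded simulation: a routine validates an object, drops its lock to run a synchronous callback (the stand-in for a WM_NCCALCSIZE handler), and then touches the object again without re-validating it. The racing thread is simulated by a callback that destroys the window mid-move, so the interleaving is reproducible. The names window_t, move_window_vulnerable, move_window_hardened and the generation counter are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: a tiny window registry; handles are array indices. */
#define MAX_WINDOWS 4

typedef struct {
    bool valid;      /* false once the window has been destroyed */
    int  x, y;       /* position; the field a move updates */
    int  generation; /* bumped on every destroy, used by the hardened path */
} window_t;

static window_t g_windows[MAX_WINDOWS];
static bool g_lock_held; /* stand-in for the global lock in this single-threaded model */

/* Callback run synchronously while the lock is dropped (user-controlled code). */
typedef void (*nccalc_cb)(int handle);

static void lock(void)   { g_lock_held = true; }
static void unlock(void) { g_lock_held = false; }

int create_window(int handle, int x, int y) {
    if (handle < 0 || handle >= MAX_WINDOWS) return -1;
    g_windows[handle].valid = true;
    g_windows[handle].x = x;
    g_windows[handle].y = y;
    return 0;
}

/* What the "opposite thread" does inside the callback: tear the window down. */
void destroy_window(int handle) {
    g_windows[handle].valid = false;
    g_windows[handle].generation++;
}

/* Vulnerable pattern: validate, drop the lock for the callback, then write to the
   object without checking that it still exists. Returns 0 as if all went well. */
int move_window_vulnerable(int handle, int nx, int ny, nccalc_cb cb) {
    lock();
    window_t *w = &g_windows[handle];
    if (!w->valid) { unlock(); return -1; }
    unlock();         /* lock released while user code runs */
    cb(handle);       /* callback may destroy the window */
    lock();
    w->x = nx;        /* stale-state write: the race window */
    w->y = ny;
    unlock();
    return 0;
}

/* Hardened pattern: remember the generation, re-validate after the callback,
   and refuse to proceed if the object changed underneath us. */
int move_window_hardened(int handle, int nx, int ny, nccalc_cb cb) {
    lock();
    window_t *w = &g_windows[handle];
    if (!w->valid) { unlock(); return -1; }
    int gen = w->generation;
    unlock();
    cb(handle);
    lock();
    if (!w->valid || w->generation != gen) { unlock(); return -2; } /* state changed */
    w->x = nx;
    w->y = ny;
    unlock();
    return 0;
}

/* Simulated racing thread and a well-behaved handler, for comparison. */
static void racing_callback(int handle) { destroy_window(handle); }
static void benign_callback(int handle) { (void)handle; }

/* Returns 1 if the vulnerable path wrote into a destroyed window and still
   reported success, which is the condition the hardened path must prevent. */
int demo_vulnerable(void) {
    create_window(0, 10, 10);
    int rc = move_window_vulnerable(0, 99, 99, racing_callback);
    return (rc == 0 && !g_windows[0].valid && g_windows[0].x == 99) ? 1 : 0;
}

/* Returns the hardened path's result under the same interleaving (-2 expected). */
int demo_hardened(void) {
    create_window(1, 10, 10);
    return move_window_hardened(1, 99, 99, racing_callback);
}

/* Returns the hardened path's result when nothing races (0 expected). */
int demo_hardened_benign(void) {
    create_window(2, 10, 10);
    return move_window_hardened(2, 99, 99, benign_callback);
}

int main(void) {
    printf("vulnerable wrote to destroyed window: %d\n", demo_vulnerable());
    printf("hardened result under race: %d\n", demo_hardened());
    printf("hardened result without race: %d\n", demo_hardened_benign());
    return 0;
}
```

The point of the generation counter is that "still valid" is not enough after a lock has been released: the object may have been destroyed and recreated, so the hardened path compares the full state it observed before the callback with what it finds afterwards and rejects the operation on any change.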
Evidently, CVE-2018-8589 had been used to elevate privileges on 32-bit Windows 7 versions. Microsoft recently patched another elevation of privilege zero-day flaw which was also reported to them by Kaspersky Lab.
This zero-day was quickly patched by Microsoft, but another one was not. The unpatched zero-day was made public via Twitter last month.
Information about the bug was posted on Twitter, where it became known that the Microsoft Data Sharing service was affected. This is an important part of the operating system as it allows data sharing between the applications.
An in-depth look at the issue showed that hackers can use it to gain elevated privileges when running malicious code. The proof-of-concept code that was posted was devised to remove files from the machine, which normally requires elevated privileges; these are usually system files or protected data.
It seems that, because of the way the zero-day was disclosed, Microsoft didn’t have enough time to patch the flaw in this month’s Patch Tuesday, so a patch is expected in the near future.