CVE-2018-8611 is one of the vulnerabilities addressed in December 2018’s Patch Tuesday. The flaw is a kernel zero-day that has only just been patched but, according to Kaspersky Lab researchers, was already being exploited by several threat actors.
CVE-2018-8611 Kernel Zero-Day Bug Recently Exploited in Attacks
More specifically, CVE-2018-8611 is a privilege escalation vulnerability caused by the Windows kernel failing to properly handle objects in memory. As explained in Microsoft’s advisory, an attacker who successfully exploited the flaw could run arbitrary code in kernel mode. Kaspersky Lab researchers were the first to detect the zero-day; they reported it to Microsoft and identified the active malicious campaigns exploiting it.
“Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat”, Kaspersky researchers said. The zero-day was caught in action with the help of a behavioral detection engine and an advanced sandboxing anti-malware engine.
What makes this vulnerability notable is that it bypasses modern process mitigation policies, such as the Win32k System Call Filtering used in the Microsoft Edge sandbox and the Win32k Lockdown Policy used in the Google Chrome sandbox, among others. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web browsers, the researchers noted.
According to Kaspersky, the vulnerability was used in attacks against targets in the Middle East and Africa. The researchers also believe there are connections to a security flaw Microsoft patched a couple of months ago, CVE-2018-8589. Among malware developers, CVE-2018-8589 became known as “Alice”, while CVE-2018-8611 was dubbed “Jasmine.”

The CVE-2018-8589 vulnerability, classified as an elevation of privilege issue, affects the Windows Win32k component. It is crucial to note that threat actors first need to infect the system before exploiting CVE-2018-8589 to gain elevated privileges.