CVE-2018-8611 is one of the vulnerabilities fixed in the December 2018 Patch Tuesday. The flaw is a kernel zero-day that has only just been patched, yet it appears to have already been exploited by several threat actors, Kaspersky Lab researchers report.
CVE-2018-8611 Kernel Zero-Day Bug Recently Exploited in Attacks
More specifically, CVE-2018-8611 is a privilege escalation vulnerability caused by the Windows kernel failing to properly handle objects in memory. As explained in Microsoft's advisory, an attacker who successfully exploited the flaw could run arbitrary code in kernel mode. Kaspersky Lab researchers were the first to detect the zero-day; they reported it to Microsoft and identified the active malicious campaigns exploiting the flaw.
"Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat," Kaspersky researchers said. The zero-day was caught in action with the help of a behavioral detection engine and an advanced sandboxing anti-malware engine.
What makes this vulnerability notable is that it successfully bypasses modern process mitigation policies, such as the Win32k System Call Filtering used in the Microsoft Edge sandbox and the Win32k Lockdown Policy used in the Google Chrome sandbox, among others. Combined with a compromised renderer process, for example, this vulnerability can lead to a full remote command execution exploit chain in the latest state-of-the-art web browsers, the researchers noted.
According to Kaspersky, the vulnerability was used in attacks against targets in the Middle East and Africa. The researchers also believe there are connections to a security flaw Microsoft patched a couple of months ago, CVE-2018-8589. That earlier vulnerability was referred to as "Alice" by the malware developers, while CVE-2018-8611 was dubbed "Jasmine."

CVE-2018-8589, classified as an elevation of privilege vulnerability, affects the Windows Win32k component. It is important to note that threat actors must first infect the system before exploiting CVE-2018-8589 to obtain elevated privileges.