Researchers have discovered a zero-day vulnerability (CVE-2018-8589) within win32k.sys affecting 32-bit versions of Windows 7. The vulnerability was reported to Microsoft on October 17th and is a privilege escalation vulnerability. It exists due to “improper locking of messages sent synchronously between threads.” If exploited successfully, it could allow an attacker to view or alter data, install programs, or create new user accounts by “running arbitrary code in the context of the local system.” At the time of writing this article, the delivery method remains unknown, however according to researchers, “the exploit was executed by the first stage of a malware installer, in order to gain the necessary privileges for persistence on the victim’s system.” The zero-day is currently being used by at least one APT actor but if an attacker attempts to exploit the zero-day on machines that are up to date with security updates, the system will crash.
Analyst Notes
The zero-day is currently being used to target 32-bit versions of Windows 7. If users are running Windows 7 with the prior security updates, the exploit will cause the system to crash entirely. Users are advised to patch their systems with the most recent patch that was released on November 13th to prevent from being vulnerable to the zero-day.
