25 December 20, 09:11
Quote: A high-severity Windows zero-day that could lead to complete desktop takeover remains dangerous after a “fix” from Microsoft failed to adequately patch it.
The local privilege-escalation bug in Windows 8.1 and Windows 10 (CVE-2020-0986) exists in the Print Spooler API. It could allow a local attacker to elevate privileges and execute code in the context of the current user, according to Microsoft’s advisory issued in June. An attacker would first have to log on to the system, but could then run a specially crafted application to take control of an affected system.
“The issue arises because the Windows kernel fails to properly handle objects in memory,” the firm said. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” The bug rates 8.3 out of 10 on the CVSS vulnerability-severity scale.
From a more technical perspective, “the specific flaw exists within the user-mode printer driver host process splwow64.exe,” according to an advisory from Trend Micro’s Zero Day Initiative (ZDI), which reported the bug to Microsoft last December. “The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer.”
The issue remained unpatched for six months. In the meantime, Kaspersky observed it being exploited in the wild in May against a South Korean company, as part of an exploit chain that also used a remote code-execution zero-day bug in Internet Explorer. That campaign, dubbed Operation Powerfall, was believed to be initiated by the advanced persistent threat (APT) known as Darkhotel.
Read more: https://threatpost.com/windows-zero-day-...ix/162610/
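The ZDI description quoted above ("lack of proper validation of a user-supplied value prior to dereferencing it as a pointer") names a bug class rather than just one bug. The C below is an added illustration of that class, written for this post; it is not splwow64 code, not Microsoft's or ZDI's, and says nothing about how the real bug is triggered. It models a privileged host process that receives a request from a low-privilege client, where the request carries an address the client claims points into a section shared by both processes. The type and function names (request_t, host_state_t, handle_request_unsafe, handle_request_safe, range_in_shared, run_scenarios) and the sample data are all constructed for the example. The unsafe handler dereferences the client's value as-is, so the client can read host-only memory; the hardened handler snapshots the request, then bounds-checks the range against the host's own mapping of the shared section before touching it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not splwow64 code): a privileged host process handles a
 * request from a low-privilege client. The request carries an address the
 * client claims points into a section mapped into both processes. */

#define SHARED_SIZE 256u

typedef struct {
    uint64_t src;   /* client-supplied value the host treats as a pointer */
    uint32_t len;   /* client-supplied byte count */
} request_t;

typedef struct {
    uint8_t shared[SHARED_SIZE]; /* mapped into both client and host */
    uint8_t secret[32];          /* host-only data sitting right after it */
} host_state_t;

/* Vulnerable pattern: the value from the request is dereferenced as-is, so
 * the client chooses which host address gets read (in a write path, which
 * address gets written). */
size_t handle_request_unsafe(const request_t *req, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = (const uint8_t *)(uintptr_t)req->src;
    size_t n = req->len < out_cap ? req->len : out_cap;
    memcpy(out, p, n);
    return n;
}

/* True only if [addr, addr + len) lies entirely inside the shared section.
 * Comparing len against the remaining space avoids the addr + len overflow
 * a naive "addr + len <= end" check is open to. */
bool range_in_shared(const host_state_t *h, uint64_t addr, uint32_t len)
{
    uint64_t base = (uint64_t)(uintptr_t)h->shared;
    uint64_t end  = base + SHARED_SIZE;
    if (addr < base || addr >= end) return false;
    return len <= end - addr;
}

/* Hardened pattern: copy the request into host-private memory first (if the
 * request lives in shared memory the client could alter it between check and
 * use), then validate the snapshot before dereferencing anything. */
size_t handle_request_safe(const host_state_t *h, const request_t *req,
                           uint8_t *out, size_t out_cap)
{
    request_t local;
    memcpy(&local, req, sizeof local);          /* single fetch of the request */
    if (!range_in_shared(h, local.src, local.len)) return 0;   /* reject */
    size_t n = local.len < out_cap ? local.len : out_cap;
    memcpy(out, (const uint8_t *)(uintptr_t)local.src, n);
    return n;
}

/* Scenarios used by main() and the test. Bit 1: the unsafe handler leaks the
 * host-only secret; bit 2: the safe handler refuses that request; bit 4: the
 * safe handler still serves an honest in-bounds request; bit 8: it refuses a
 * request whose length runs past the end of the section. Expect 15. */
int run_scenarios(void)
{
    static host_state_t h;                       /* constructed host state */
    memset(h.shared, 0x11, sizeof h.shared);
    memset(h.secret, 0xAA, sizeof h.secret);
    uint8_t out[64];
    int result = 0;

    request_t evil = { (uint64_t)(uintptr_t)h.secret, 16 };
    if (handle_request_unsafe(&evil, out, sizeof out) == 16 && out[0] == 0xAA)
        result |= 1;
    if (handle_request_safe(&h, &evil, out, sizeof out) == 0)
        result |= 2;

    request_t honest = { (uint64_t)(uintptr_t)(h.shared + 10), 8 };
    memset(out, 0, sizeof out);
    if (handle_request_safe(&h, &honest, out, sizeof out) == 8 && out[0] == 0x11)
        result |= 4;

    request_t overrun = { (uint64_t)(uintptr_t)(h.shared + 250), 100 };
    if (handle_request_safe(&h, &overrun, out, sizeof out) == 0)
        result |= 8;

    return result;
}

int main(void)
{
    printf("scenario mask: %d (15 means all checks behaved as expected)\n",
           run_scenarios());
    return 0;
}
```

Two design points worth noting. The snapshot in handle_request_safe matters as much as the range check: validating a field the client can still rewrite is a double-fetch bug, not a fix. And the bounds are taken from the host's own mapping (h->shared), never from anything the client sent; a cleaner interface would accept an offset into the section rather than an address at all, which removes the pointer from the trust boundary entirely.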