More details have surfaced about the two Windows zero-days that Microsoft patched this Tuesday as part of its regular Patch Tuesday batch of security updates.
Proof-of-concept (PoC) code has also been published for one, making the zero-day attractive for even a broader audience of cyber-criminals.
PoC for first Windows zero-day now available
The PoC was published earlier today by Chinese cyber-security vendor Qihoo 360 Core. The PoC is for a Windows 7 zero-day (CVE-2019-0808) that Google discovered at the end of February.
Google’s security team said the zero-day was part of a Windows 7 and Chrome zero-day combo that was being abused in the wild.
Google patched the Chrome zero-day (CVE-2019-5786) two weeks ago, and Microsoft patched the Windows 7 zero-day (CVE-2019-0808) this week.
Microsoft said the zero-day affected the Win32k component in Windows 7 and Windows Server 2008 operating systems to allow attackers to run code with admin rights.
In a report published today, Qihoo 360 researchers broke then the Windows 7 zero-day’s exploitation chain with examples that could be assembled into a working exploit.
The Chinese company also revealed that this zero-day had been used for “APT attacks,” where APT stands for Advanced Persistent Threat, a cyber-security technical term used to describe nation-state cyber-espionage groups.
Second Windows zero-day also abused in APT attacks
The other zero-day that Microsoft patched on Tuesday was also abused for APT attacks, according to a blog post published yesterday by Russian cyber-security firm Kaspersky Lab.
This zero-day (CVE-2019-0797) is almost identical with the one impacting Windows 7 but also has the added benefit of working on all Windows OS versions as well. Just like the windows zero-day discovered by Google, this also affected the Win32k component and was, too, an elevation of privilege that let attackers run code with admin rights.
Kaspersky said this zero-day was being abused by not one, but two APT groups –namely FruityArmor and SandCat.
This is the fourth Windows zero-day that Kaspersky has discovered being abused in the wild by the FruityArmor APT. The group seems to be an expert in finding new Windows elevation of privilege exploits.
The November zero-day (CVE-2018-8589) was also abused by SanndCat, a new group on the APT scene about which Kaspersky has few details –such as its use of the March (CVE-2019-0797) and November (CVE-2018-8589) zero-days, the CHAINSHOT exploit, and the FinFisher/FinSpy hacking framework.
What all this tells experts is that there’s at least some type of connection between these two APTs –FruityArmor and SandCat. They are either managed by the same intelligence service, or they’re buying Windows zero-days from the same exploit vendor.
More vulnerability reports: