Microsoft fixes CVE-2019-1458 Windows Zero-Day exploited in NK-Linked attacks

Microsoft’s December 2019 Patch Tuesday updates fix a total of 36 flaws, including CVE-2019-1458 Windows zero-day exploited in North Korea-linked attacks

Microsoft’s December 2019 Patch Tuesday updates address a total of 36 flaws, including a Windows zero-day, tracked as CVE-2019-1458 exploited in attacks linked to North Korea. The vulnerability could be exploited to execute arbitrary code in kernel mode.

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the security advisory published by Microsoft.

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”

The CVE-2019-1458 vulnerability is a privilege escalation issue related to how the Win32k component handles objects in memory.

Microsoft addresses this vulnerability by correcting how Win32k handles objects in memory.

The vulnerability was reported by Kaspersky, experts at the security firm confirmed that the CVE-2019-1458 flaw has been exploited in a campaign called Operation WizardOpium.

“In November 2019, Kaspersky technologies successfully detected a Google Chrome 0-day exploit that was used in Operation WizardOpium attacks. During our investigation, we discovered that yet another 0-day exploit was used in those attacks.” reads the analysis published by Kaspersky. “The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox. The exploit is very similar to those developed by the prolific 0-day developer known as ‘Volodya’.”

The exploit was developed by an individual known as “Volodya,” who has been offering for sale exploit in the cybercrime underground.

The vulnerability has been exploited alongside the CVE-2019-13720 Chrome zero-day as part of a campaign tracked as Operation WizardOpium at the end of October.

The researchers pointed out that the campaign has very weak code similarities with past Lazarus‘s operations, but the evidence they collected doesn’t allow a certain attribution.

“We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag.” reads a post published by Kaspersky.

At least one of the websites targeted in Operation WizardOpium is in line with earlier attacks of the DarkHotel operation.

Kaspersky experts discovered that the Chrome exploit also embeds an exploit for the CVE-2019-1458 vulnerability that was used by attackers to escalate privileges on the compromised system and escape the Chrome process sandbox.

The privilege escalation exploit works against Windows 7 and some Windows 10 builds, according to the experts it doesn’t affect the latest Windows 10 builds.

“The vulnerability itself is related to windows switching functionality (for example, the one triggered using the Alt-Tab key combination). That’s why the exploit’s code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press operation,” Kaspersky explained.

The experts noticed that the compilation timestamp for the file containing the exploit for CVE-2019-1458 was “Wed Jul 10 00:50:48 2019” that is different from the other binaries, a circumstance that indicates it has been in use for some time.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase