Threat Intelligence Report: Microsoft Zero-Day Bug Under Active Attack

Date: 15/MAY/2019

Summary: Microsoft has released a patch for an elevation-of-privilege vulnerability rated Important that is being exploited in the wild.

An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode, and could then install programs; view, change, or delete data; or create new accounts with administrator privileges for later use without raising suspicion.

To exploit the vulnerability, an attacker must first gain unprivileged execution on a victim system.

The fix is part of Microsoft's May 2019 Patch Tuesday release. The security update addresses the vulnerability by correcting the way WER handles files. The vulnerability (CVE-2019-0863) is one of 79 vulnerabilities patched this month, of which 23 are rated Critical and 56 are rated Important.

Conclusions: An attacker must already be able to run code on the target system, but malware frequently chains a local elevation of privilege like this one to move from user-level to administrator-level (here, kernel-mode) code execution. Intelligence indicates that this vulnerability is being actively exploited in the wild.

More generally, this Patch Tuesday carries an unusually large number of critical security fixes. This reinforces the need for organisations to have a mature patching process that can deploy fixes rapidly, to avoid the kind of widespread disruption caused by recent high-profile campaigns such as NotPetya.

Tactics, techniques and procedures: Details of the attacks are still being withheld to give users time to patch before other threat actors catch on and start abusing the same vulnerability in their own attacks.

Microsoft said it addressed this issue by “correcting the way WER handles files,” and has made fixes available for all supported Windows OS versions.

Vulnerable Software Versions:

  • Windows 7
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10
  • Windows 10 1607
  • Windows 10 1703
  • Windows 10 1709
  • Windows 10 1803
  • Windows 10 1809
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server, version 1803

Recommendations: CVE-2019-0863 is being exploited in the wild, so this patch should be prioritised on all supported versions of Windows, together with the rest of this month's Microsoft security updates.

Some Windows versions that have already dropped out of support also received updates this month; these have to be downloaded and installed manually.

  • Users of Windows XP and Windows Server 2003 can find the corresponding variants of update KB4500331 in the Microsoft Update Catalog for manual download. KB article KB4500331 provides information about these operating system versions. Note that KB4500331 is the out-of-band update Microsoft issued for the Remote Desktop Services vulnerability (CVE-2019-0708) from the same release; it does not contain a fix for CVE-2019-0863, for which no patch exists on Windows XP or Windows Server 2003.
  • Users of Windows Vista can download the Windows Server 2008 updates (Monthly Rollup or Security-only) from the Update Catalog and install them manually, since Vista SP2 and Server 2008 SP2 share the same binaries.

In the Security Advisory, Microsoft also suggests workarounds if the security update cannot be installed on Windows 7, Windows Server 2008, or Windows Server 2008 R2. Those workarounds apply to the Remote Desktop Services issue; Microsoft has not identified any workaround for CVE-2019-0863 itself, so patching is the only mitigation.
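The following PowerShell script is an added example for verifying the recommendation above on a Windows host; it is not part of this report or of Microsoft's guidance. It checks whether one of the KB updates expected to contain the fix is installed and then lists security updates still pending according to the Windows Update Agent. The KB IDs it is called with are placeholders (an assumption): the real KB numbers for CVE-2019-0863 differ per OS version and per update type (Monthly Rollup, Security-only, or cumulative update) and must be taken from the Microsoft Security Update Guide. The pending-update check assumes the host can reach Windows Update or the organisation's WSUS server.

```powershell
<#
Added example, not from the original report. Verify that a host carries one of the
KB updates that ship the fix, then list outstanding security updates.
The KB IDs passed in are PLACEHOLDERS (assumption); look up the real ones for the
host's OS version in the Microsoft Security Update Guide. Run from an elevated prompt.
#>
param(
    # Any one of these present on the host counts as patched, because a Monthly Rollup
    # and the matching Security-only update carry different KB numbers for the same fix.
    [string[]]$AcceptableKBs = @('KB0000001', 'KB0000002')   # placeholders, see above
)

function Get-InstalledKBs {
    # Get-HotFix reads Win32_QuickFixEngineering. On Windows 10 / Server 2016 and later the
    # monthly cumulative update shows up as a single KB entry.
    @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
}

function Test-PatchStatus {
    param(
        [Parameter(Mandatory)][string[]]$Acceptable,
        [string[]]$Installed = (Get-InstalledKBs)
    )
    $present = @($Acceptable | Where-Object { $Installed -contains $_ })
    $missing = @($Acceptable | Where-Object { $Installed -notcontains $_ })
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # UBR (the revision number) only exists on Windows 10 / Server 2016 and later.
    $build = if ($cv.UBR) { "$($cv.CurrentBuildNumber).$($cv.UBR)" } else { $cv.CurrentBuildNumber }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Product  = $cv.ProductName
        Build    = $build
        Present  = $present
        Missing  = $missing
        Patched  = ($present.Count -gt 0)
    }
}

function Get-PendingSecurityUpdates {
    # Ask the Windows Update Agent (COM API) for updates not yet installed on this host.
    # Needs connectivity to Windows Update or WSUS, and an elevated session.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            Title    = $update.Title
            KBs      = @($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
            Severity = $update.MsrcSeverity    # 'Critical', 'Important', ... or empty
        }
    }
}

# Usage: report on this host, then show what is still outstanding.
$status = Test-PatchStatus -Acceptable $AcceptableKBs
$status | Format-List
if (-not $status.Patched) {
    Write-Warning "$($status.Computer) has none of the expected updates: $($status.Missing -join ', ')"
}
Get-PendingSecurityUpdates |
    Where-Object { $_.Severity -in 'Critical', 'Important' } |
    Format-Table -AutoSize
```

Get-HotFix only reports what the servicing stack recorded as a hotfix, so treat a "Patched" result as necessary rather than sufficient: the pending-update list from the Windows Update Agent is the better signal that nothing from this month's release is still outstanding, and it is also the place where a superseding cumulative update will appear instead of the exact KB you searched for.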
