Maksim Kabakou - Fotolia
Google's Threat Analysis Group revealed an actively exploited Windows zero-day vulnerability just 10 days after the search giant notified Microsoft, which has simultaneously downplayed the severity of the flaw and claimed the Russian state actors behind the DNC hack are actively exploiting the bug.
Google reported zero-day vulnerabilities to Microsoft and Adobe on Oct. 21, and Adobe responded by pushing a fix out for its flaw in Adobe Flash on Oct. 26. Exploits in the wild were found chaining the Adobe and Windows zero-days where the Flash bug was used to escape the application sandbox and the Windows kernel flaw was then used to escalate to administrator privileges.
Ordinarily, Google's policy is to wait 60 days from the time of disclosure to the software vendor before publicly reporting vulnerabilities, but when the vulnerability is being actively exploited Google may publish as soon as seven days after reporting it to the vendor. In this case, Google waited 10 days.
"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape," wrote Neel Mehta and Billy Leonard of Google's Threat Analysis Group, on the Google Security blog. "It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
Microsoft did not agree with Google's contention that public disclosure of the unpatched vulnerability was in its customers' best interests. "We believe in coordinated vulnerability disclosure, and yesterday's disclosure by Google could put customers at potential risk," a Microsoft spokesperson told SearchSecurity by email.
"We disagree with Google's characterization of a local elevation of privilege as 'critical' and 'particularly serious,' since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week. Additionally, our analysis indicates that this specific attack was never effective in the Windows 10 Anniversary Update due to security enhancements previously implemented."
Microsoft appeared to be calling foul over Google's disclosure because they believe the vulnerability in Windows is fully mitigated by the already-released Adobe Flash update -- and that the attack described by the Google researchers was not possible against a patched version of Flash.
Although users of the Windows 10 Anniversary Update should be protected, Microsoft said it worked with both Google and Adobe to fix the vulnerability in older versions of Windows, and "patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next update, Tuesday, Nov. 8."
John Bambenek, manager of threat systems at Fidelis Cybersecurity in Waltham, Mass., told SearchSecurity by email that the disclosure of an actively exploited vulnerability could indeed be an important step to protect users. "Once attackers start abusing vulnerabilities the risk shifts. The temptation to not discuss weaknesses is to avoid giving attackers ideas," he said. "In this case, they not only have the idea but a fully weaponized exploit. Now we need something to protect our constituencies."
The vulnerability Google reported "is a local privilege escalation, which means that if a user is able to execute compromised code (for instance a Flash game or ad), that code could be used to run commands as the administrator and more deeply embed itself into a system," Bambenek said. "In a typical infection chain, privilege escalation is the second step beyond exploiting something with 'user' permissions. Malware embedded with enhanced permissions is more dangerous as a rule."
The Microsoft spokesperson offered this advice for Windows users: "We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
Risk and attribution
In a blog post, Terry Myerson, executive vice president at Microsoft's Windows and Devices Group, wrote, "We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."
While Microsoft said Adobe patch eliminates the attack scenario, Jerome Segura, lead malware intelligence analyst at Malwarebytes, said there is still risk in the Windows kernel vulnerability.
"Indeed Adobe has patched the zero-day, so this exact delivery mechanism seems to be thwarted now (for those who have applied to fix), but there could be other ways to achieve the same result by exploiting flaws in other pieces of software (Internet Explorer, Reader, Silverlight, Office, etc.)," Segura told SearchSecurity by email. "Since many users and enterprises do not patch, an attacker could leverage the Windows zero-day with -- in theory -- any other browser plug-in or internet-facing application."
Microsoft also updated the blog post to place blame for the Windows zero-day exploits on a Russian state hacker group, which Microsoft calls Strontium but is called APT28, Fancy Bear and other names by other security firms. Fancy Bear is widely considered the group behind the hack of the Democratic National Committee.
"The activity group that Microsoft Threat Intelligence calls Strontium conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild," Myerson wrote. "This attack campaign, originally identified by Google's Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers."
Vishal Gupta, CEO of Seclore, said the involvement of Fancy Bear is "extremely troublesome, especially since a patch won't be available until Election Day."
"Though Microsoft hasn't named the targets of the attacks, the fact that the group previously hit the DNC makes me wonder whether the latest hacks are also politically motivated. I expect that more light will be shed on the incident in the coming week, but this incident currently has the signs of a last ditch effort made by the Russians to seed unrest ahead of the election," Gupta told SearchSecurity. "Whether that turns out to be the case or not, the damage caused by this hack will ultimately depend on if the target had measures in place capable of securing data regardless of where it travels."
Find out more about another vulnerability disclosure for the Badlock bug.
Learn about overcoming some of the challenges of patch management.
Read about Microsoft's support for "coordinated disclosure" of vulnerabilities.