Experts question Microsoft's Windows zero-day response

A Windows zero-day disclosed by Google caught Microsoft between patch cycles, and experts questioned whether Microsoft downplayed the severity of the vulnerability.

Microsoft has come under fire for its response to a Windows zero-day vulnerability, which has yet to be patched and is currently being exploited.

Google earlier this week disclosed a Windows kernel zero-day vulnerability that was actively being exploited as part of an attack chain, along with an Adobe Flash zero-day, which Adobe patched on Oct. 26. Microsoft hasn't issued a patch for the Windows kernel flaw, and experts think the company's response downplayed the severity of the issue.

Jerome Segura, lead malware intelligence analyst at Malwarebytes, based in Santa Clara, Calif., described the Windows zero-day as a privilege escalation flaw.

"The Flash and Windows zero-days are two separate exploits, but they can indeed be chained to successfully infect a user," Segura told SearchSecurity. "The attacker would start by targeting the browser, escaping out of the sandbox, thanks to the Flash exploit, before proceeding with the Windows exploit that enables privilege escalation."

Microsoft criticized Google for publicly disclosing the flaw just 10 days after reporting it to Microsoft and Adobe. Microsoft claimed "the attack scenario [Google described] is fully mitigated by the deployment of the Adobe Flash update released last week," and noted this specific exploit was "never effective" on the Windows 10 Anniversary Update.

Willis McDonald, senior threat researcher at Core Security, based in Roswell, Ga., said the fact that Adobe patched its flaw "has nothing to do with mitigating the privilege escalation vulnerability in Windows."

"Microsoft was attempting to divert attention to this fact by pointing out that Chrome and Microsoft Edge browsers are not vulnerable," McDonald told SearchSecurity. "This is because both browsers take advantage of Win32k syscall mitigation available in Windows 10. However, any user-mode application that does not take advantage of the Win32k syscall mitigation is able to make calls to win32k.sys and possibly exploit the vulnerability."
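The following PowerShell snippet is an added example, not code from the article or from Microsoft: it audits whether the Win32k syscall mitigation McDonald refers to is enabled for a set of executables and turns it on where it is not, using the ProcessMitigations module that ships with Windows 10 1709 and later. The executable names are placeholders, and the `.SystemCall.DisableWin32kSystemCalls` property path is assumed from that module's output format.

```powershell
# Added example (not from the article): audit and enable the Win32k
# system-call lockdown for a list of executables. Needs the ProcessMitigations
# module (Windows 10 1709+) and an elevated prompt to change settings.
# The executable names below are hypothetical placeholders.

$Targets = @('worker.exe', 'renderer.exe')   # assumed non-GUI helper processes

function Get-Win32kMitigationState {
    param([string]$ExeName)
    $m = Get-ProcessMitigation -Name $ExeName -ErrorAction Stop
    # The SystemCall group holds the win32k.sys lockdown switch (assumed path).
    return [string]$m.SystemCall.DisableWin32kSystemCalls   # ON, OFF or NOTSET
}

foreach ($exe in $Targets) {
    $state = Get-Win32kMitigationState -ExeName $exe
    Write-Host ("{0,-14} DisableWin32kSystemCalls = {1}" -f $exe, $state)
    if ($state -ne 'ON') {
        # Only enable this for processes that never call into GDI/USER (no
        # windows, fonts or clipboard); a GUI process will fail to start with it.
        Set-ProcessMitigation -Name $exe -Enable DisableWin32kSystemCalls
    }
}

# To inspect a live process rather than the per-executable policy:
# (Get-ProcessMitigation -Id <pid>).SystemCall.DisableWin32kSystemCalls
```

A process that reports OFF or NOTSET can still reach win32k.sys, which is the exposure McDonald describes for applications that do not opt in.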

Brian Laing, vice president of products and business development at Lastline Inc., based in Redwood City, Calif., agreed with McDonald.

"The attack is not fully mitigated simply by applying the Adobe Flash update. Attackers could very likely have other zero-day vulnerabilities that would allow them to exploit the Windows vulnerability," Laing told SearchSecurity. "From my experience, any vulnerability that allows privilege escalation is a high priority, as attackers will keep looking for new ways to exploit that vulnerability."

Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., had stronger words, telling SearchSecurity by direct message: "It's a kernel mode zero-day accessible from user-mode applications. Basically, a worst-case scenario for Microsoft."

Paul Calatayud, CTO at FireMon, based in Overland Park, Kan., said it can be dangerous to assess the risk of a vulnerability based on mitigating factors.

"Microsoft states this exploit is mitigated with updates to Flash. This assumes the computer in question has properly updated Flash," Calatayud told SearchSecurity. "Focusing on the attack scenario is important, but it's dangerous, as you have to make assumptions across the threat modeling being conducted. Is the system fully patched? Are third-party applications fully patched, etc.?"

Unnecessary attribution?

Microsoft's response also included a claim that a Russian state-sponsored advanced persistent threat group -- known alternatively as STRONTIUM, FANCY BEAR, APT28 and Sofacy, among others -- was responsible for "a low-volume spear-phishing campaign" in the wild, taking advantage of the Flash and Windows zero-days "to target a specific set of customers."

Calatayud said, for most people, there is very little value in this type of attribution and "probably confuses the situation."

"Microsoft should focus on the kernel in this situation," Calatayud said. "This information has little bearing; if there is a known exploit, the threat actors will only increase over a rapid period of time. Soon enough, it's found in an update on tools used by script kiddies and it's mainstream."

McDonald said by attributing responsibility to the Sofacy group, "Microsoft may be trying to give the appearance that they have been on top of the situation and monitoring exploitation."

"Sofacy has a reputation for taking advantage of zero-day exploits in Adobe Flash and Microsoft Windows to target specific individuals and organizations. So, by attributing Sofacy to the exploitation of CVE-2016-7855, they are essentially minimizing the exploitation footprint to just this group and only the specific targets that they were after," McDonald said. "However, this is no solace to the enterprises anxiously awaiting a patch for the privilege escalation vulnerability now that other attackers essentially have a roadmap to discover how to take advantage of the flaw."
