Internet Explorer and Windows zero-day exploits used in Operation PowerFall

guest · Aug 12, 2020

Operation PowerFall: Two zero-day vulnerabilities
August 12, 2020
https://www.kaspersky.com/blog/cve-2020-1380-vulnerability/36698/

They found the first in Internet Explorer 11’s JavaScript engine. That one enabled the attackers to remotely execute arbitrary code. The second, detected in an operating system service, let the attackers escalate privileges and perform unauthorized actions.

The exploits for these vulnerabilities operated in tandem. First, the victim was slipped a malicious script that a hole in Internet Explorer 11 allowed to run; and then a flaw in the system service further escalated the malicious process’s privileges.
Our experts have dubbed this malicious campaign Operation PowerFall.

However, judging by the similarity of the exploits, they haven’t ruled out involvement by DarkHotel.
Click to expand...

How is CVE-2020-1380 dangerous?
The first vulnerability is in the library jscript9.dll, which all versions of Internet Explorer since IE9 use by default. In other words, the exploit for this vulnerability is dangerous for modern versions of the browser.
Even if you don’t willingly use IE, and it is not your default browser, that doesn’t mean your system cannot be infected through an IE exploit — some applications do use it from time to time.
Click to expand...

Microsoft released a patch for CVE-2020-0986 (in the Windows kernel) on June 9, 2020. The second vulnerability, CVE-2020-1380, was patched on August 11. If you update your operating systems regularly, they should already be protected against Operation PowerFall–type attacks.
Click to expand...

Kaspersky: Internet Explorer and Windows zero-day exploits used in Operation PowerFall

guest · Sep 2, 2020

mood said: ↑

Kaspersky: Internet Explorer and Windows zero-day exploits used in Operation PowerFall
Click to expand...

Operation PowerFall: CVE-2020-0986 and variants
September 2, 2020
https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/

In August 2020, we published a blog post about Operation PowerFall. This targeted attack consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer 11 and an elevation of privilege exploit targeting the latest builds of Windows 10.
While we already described the exploit for Internet Explorer in the original blog post, we also promised to share more details about the elevation of privilege exploit in a follow-up post.

Let’s take a look at vulnerability CVE-2020-0986, how it was exploited by attackers, how it was fixed and what additional mitigations were implemented to complicate exploitation of many other similar vulnerabilities.
Click to expand...

CVE-2019-0880
Analysis of CVE-2020-0986 reveals that this vulnerability is the twin brother of the previously discovered CVE-2019-0880.
The write-up for CVE-2019-0880 is available here. It’s another vulnerability that was exploited as an in-the-wild zero-day.

It seems hard to believe that the developers didn’t notice the existence of a variant for this vulnerability, so why was CVE-2020-0986 not patched back then and why did it take so long to fix it?
Click to expand...

Microsoft fixed CVE-2020-0986, but also implemented a mitigation aimed to make exploitation of OutputBuf vulnerabilities as hard as possible. [...]
So, it’s safe to assume that this bug class was properly mitigated.
Click to expand...

guest · Dec 23, 2020

Windows zero-day with bad patch gets new public exploit code
December 23, 2020
https://www.bleepingcomputer.com/ne...-with-bad-patch-gets-new-public-exploit-code/

Back in June, Microsoft released a fix for a vulnerability in the Windows operating system that enabled attackers to increase their permissions to kernel level on a compromised machine. The patch did not stick.

The issue, which advanced hackers exploited as a zero-day in May, is still exploitable but by a different method as security researchers demonstrate with publicly available proof-of-concept code.
Old new vulnerability
Google Project Zero security researcher Maddie Stone discovered that Microsoft’s patch in June did not fix the original vulnerability (CVE-2020-0986) and it can still be leveraged with some adjustments.
Click to expand...

In a short, technical report today, she explains how to trigger the vulnerability, now identified as CVE-2020-17008: [...]
To show that exploitation is still possible after Microsoft’s patch, Stone published proof-of-concept (PoC) code adapted from the original one from Kaspersky, along with instructions on how to run it properly.

Microsoft received a report on September 24 and confirmed the issue a day later, assigning it the tracking number CVE-2020-17008. The company planned a patch for November 2020, but problems identified during the testing stage pushed the release to the next Patch Tuesday, on January 12, 2021.
Click to expand...

Furthermore, as Stone says, attackers have exploited the bug in the past, are familiar with it, and could leverage it again when an incorrect fix is available.
Click to expand...

Log in or Sign up

Internet Explorer and Windows zero-day exploits used in Operation PowerFall

guest Guest

guest Guest

guest Guest

Log in or Sign up

Internet Explorer and Windows zero-day exploits used in Operation PowerFall

guest Guest

guest Guest

guest Guest

Useful Searches