Microsoft’s December 2019 Patch Tuesday updates fix a total of 36 flaws, including a Windows zero-day exploited in Chrome zero-day attacks.
The Windows zero-day patch is CVE-2019-1458, a privilege escalation flaw caused by the Win32k component improperly handling objects in memory. Microsoft said an attacker who exploits the security hole can execute arbitrary code in kernel mode.
Microsoft credited Kaspersky with reporting the bug and acknowledged that the vulnerability has been exploited in the wild against older Windows versions.
According to Kaspersky, the zero-day was used in Operation WizardOpium. The security company first publicly mentioned the operation on November 1, shortly after Google revealed it had fixed a Chrome flaw exploited in attacks.
Kaspersky says the Chrome exploit also embeds an exploit for the Windows bug patched by Microsoft this week. This allows the attackers to elevate privileges on the affected machine and escape the Chrome sandbox process.
The company believes the exploit was created by an individual known as “Volodya,” who has sold exploits to both cybercrime organizations and advanced persistent threat groups.
Kaspersky found that the privilege escalation exploit targets Windows 7 and some Windows 10 builds, but the latest Windows 10 versions are not affected.
“Windows switching functions (for example, the one activated using the Alt-Tab key combination) are linked to the vulnerability itself. This is why the exploit code uses a couple of WinAPI calls (GetKeyState / SetKeyState) to mimic a key press action,” explained Kaspersky.
According to Kaspersky’s report, the CVE-2019-1458 exploit was compiled on 10 July.
Kaspersky noted in November that it had found some code similarities suggesting a possible connection to the North Korea-linked threat actor known as Lazarus. The company’s researchers cautioned that this could be a false flag intended to make attribution more difficult.
We had also noticed parallels with the attacks of DarkHotel, which is known to target individuals with an interest in North Korea and which some claim is backed by South Korea. DarkHotel has previously used false flags like the ones found in Operation WizardOpium.
None of the vulnerabilities Microsoft patched this month were publicly disclosed before the fixes. Seven of the remaining bugs were rated critical; they affect Git for Visual Studio, Windows and Hyper-V, and allow remote code execution.