This month, Microsoft engineers fixed as many as 77 vulnerabilities in the company's products, 14 of which were rated critical and another 62 important. Two of these problems (CVE-2019-0880 and CVE-2019-1132) have already been exploited in the wild. Both bugs allow privilege escalation on the affected system.
The more significant of the two fixed 0-day vulnerabilities is clearly CVE-2019-1132, which allows privilege escalation through the Win32k component. ESET experts discovered the problem when attackers used it in targeted attacks against various organizations in Eastern Europe.
Researchers believe that the well-known Russian-speaking hacking group Buhtrap, first observed back in 2014, was behind these attacks. Interestingly, until recently Buhtrap did not use exploits for zero-day vulnerabilities in Windows and only reused tooling developed by other attackers once the vulnerabilities in question had already been patched.
Now, information security experts are actively building theories about how exactly details of the 0-day problem ended up in the hands of Buhtrap.
The second zero-day vulnerability fixed this month is CVE-2019-0880.
This problem also allows privilege escalation on the system, but through the splwow64.exe component. Researchers have discovered this vulnerability, but there are currently no details about who exploited this bug or how. It is only known that the vulnerability affects Windows 10, 8.1, Server 2012, Server 2016, Server 2019, Server 1803 and 1903.
In addition to the zero-day problems mentioned above, Microsoft fixed six other vulnerabilities whose details became publicly known before the patches were released, so these bugs could theoretically have been used by attackers (although no such attacks have been recorded so far):
- CVE-2018-15664 (escalation of privileges in Docker);
- CVE-2019-0865 (SymCrypt DoS);
- CVE-2019-0887 (RDP RCE);
- CVE-2019-0962 (escalation of privileges in Azure Automation);
- CVE-2019-1068 (Microsoft SQL Server RCE);
- CVE-2019-1129 (privilege escalation in Windows).