Without making too much fuss about it, Microsoft patched a zero-day vulnerability used in live attacks by a cyber-espionage group named Zirconium.
The zero-day, tracked as CVE-2017-0005, affects the Windows Win32k component in the Windows GDI (Graphics Device Interface), included in all Windows OS versions.
According to Microsoft, a successful exploit resulted in memory corruption and elevation of privilege (EoP) for the attacker's code, allowing the attacker to escalate access on the machine and execute code with SYSTEM privileges.
Exploit code didn't target newer Windows versions
Microsoft says the vulnerability was present in all Windows versions, but attackers crafted their zero-day exploit code with great care, making sure the exploit only executed on computers running a Windows version between Windows 2000 and Windows 8.
The OS maker says the attacker intentionally avoided security features introduced in Windows 8.1 and Windows 10, such as ASLR improvements, Supervisor Mode Execution Prevention (SMEP), and virtualization-based security (VBS), which would have blocked the attack and only exposed the zero-day to unwanted attention.
Despite targeting the Win32k component, the zero-day's exploit routine also contained code that targeted 64-bit systems.