Information security bods at Trustwave have found a zero-day exploit affecting all versions of Microsoft’s OS Windows, all the way from Windows 2000 up to a fully patched version of Windows 10 including all server editions.
It estimates that this affects 1.5 billion computers around the world.
The company provides threat intelligence services and regularly monitors several forums, and it is through this it discovered the exploit which was found on a Russian speaking forum and is currently being offered for sale for £62,000 ($
Trustwave cautioned that there is currently no fix for the exploit and has recommended Windows users stay vigilant for phishing emails. In addition, it has also issued a more general warning about the rise of malware-as-a-service (MaaS).
Ziv Mador, VP of security research at Trustwave, told SCMagazineUK.com, “This is a very serious exploit. From what we’ve seen in the past, exploits of this type tend to have somewhere in the region of a 10 percent success rate which spells bad news all around.”
According Trustwave, Microsoft has been notified of the zero day offering and is continuing to monitor the situation.
In a blog post, the company highlighted that, “This specific forum serves as a collaboration platform where one can hire malware coders, lease an exploit kit, buy web shells for compromised websites, or even rent a whole botnet for any purpose. However, finding a zero day listed in between these fairly common offerings is definitely an anomaly. It goes to show that zero days are coming out of the shadows and are fast becoming a commodity for the masses, a worrying trend indeed.”
Trustwave said it did not buy the exploit, so could not offer technical details on how it works. However, Mador explained, “The exploit found circumvents the Local Privilege Escalation security feature of Windows which asks you to enter an admin password to make changes to the computer. This is a crucial part of the malware infection being successful.”
A translation of the original Russian post says, “The vulnerability exists in the incorrect handling of Windows objects, which have certain properties.”
It goes on to explain, “The vulnerability is of ‘write-what-where’ type, and as such allows one to write a certain value to any address [in memory], which is sufficient for a full exploit. The exploit successfully escapes from ILL/appcontainer (LOW), bypassing (more precisely: doesn’t get affected at all [by]) all existing protection mechanisms such as ASLR, DEP, SMEP, etc. [The exploit] relies solely on the KERNEL32 and USER32 libraries [DLLs].”
The seller provided two proof videos for any potential buyers that might be concerned with the validity of the offer. The first video shows a fully updated Windows 10 machine being exploited successfully, by elevating the CMD EXE process to the SYSTEM account. It is interesting to note that the video was actually recorded on “Patch Tuesday” and the author made sure the latest updates were installed.
Trustwave highlighted, “It’s important to mention that despite the indications that the offer is authentic, there’s no way to know this with absolute certainty without taking the risk of purchasing the exploit or waiting for it to appear in the wild.”
Due to all the “unknowns” associated with zero days, it’s hard to provide specific advice for protection. However Trustwave said that if you keep your software up-to-date, take a layered approach to security, and use common sense you should be OK.
This article originally appeared at scmagazineuk.com