Google recently reported a critical security flaw in win32k.sys on Windows. The vulnerability is severe because it allows cybercriminals to bypass the usual security features of every version of the Windows OS and infect the system with malware.
The vulnerability is being actively exploited by a group that Microsoft Threat Intelligence calls STRONTIUM. Microsoft states that the attack is low in volume. STRONTIUM ran a spear-phishing campaign against specific Microsoft customers, exploiting two zero-day vulnerabilities: one in Adobe Flash and one in the down-level Windows kernel. The attack was identified by Google’s Threat Analysis Group.
Windows Kernel Vulnerability
In technical terms, the vulnerability is a ‘security hole’ in the Windows kernel that exists in every version of the Windows OS to date, up to and including Windows 10. According to Google, the vulnerability “can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”
Through this “hole”, cybercriminals gain elevated privileges for their malicious code, which lets it escape the web browser’s sandbox and then install malware on the system. This creates a backdoor that gives the attackers access to the infected computer.
Microsoft reports: “Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild.” Microsoft is also coordinating with Google and Adobe to develop patches for the issues.
STRONTIUM leveraged a “use-after-free issue affecting ActionScript runtime code” in Adobe Flash. Adobe has released a patch to address this vulnerability.
The STRONTIUM group suspected to be behind this attack usually goes after high-value targets such as military organizations, defense contractors, government agencies, large private-sector organizations, and diplomatic institutions. They typically initiate an attack with spear-phishing emails, sent from an already compromised victim’s computer to the target’s email address. They persist with these attempts for months until they manage to infect the target’s computer. From there the malware spreads through the network and settles in deep areas from which it can steal confidential, sensitive and valuable data.
Steps to protect the system from the win32k.sys vulnerability
- Update to the latest version of Flash.
- Upgrade to the latest version of Windows 10. Microsoft recommends upgrading to Windows 10 and using the Edge browser and Windows Defender.
- Update Windows 10 to the Windows 10 Anniversary Update.
- Update the web browser (Edge, Chrome, etc.).
- Users of earlier Windows versions who do not yet want to upgrade to Windows 10 must use a robust Antivirus for Windows 10 and keep it well updated.