{"id":1347,"date":"2016-12-02T12:30:31","date_gmt":"2016-12-02T12:30:31","guid":{"rendered":"https:\/\/antivirus.comodo.com\/blog\/?p=1347"},"modified":"2020-08-18T23:17:34","modified_gmt":"2020-08-18T17:47:34","slug":"google-discloses-critical-security-flaw-windows","status":"publish","type":"post","link":"https:\/\/antivirus.comodo.com\/blog\/computer-safety\/google-discloses-critical-security-flaw-windows\/","title":{"rendered":"Google Discloses Critical Security Flaw in Windows"},"content":{"rendered":"

Google recently reported on a critical win32k.sys security flaw in Windows. This is a severe vulnerability as it allows cybercriminals to bypass typical security features of all versions of the Windows OS and infect the system with malware.<\/p>\n

This vulnerability is being actively exploited by a group called as STRONTIUM by Microsoft Threat Intelligence<\/a>. Microsoft claims that the attack is quite low in volume. STRONTIUM had initiated a spear-phishing campaign to target specific customers of Microsoft by exploiting two zero-day vulnerabilities in Adobe Flash and also the down-level Windows kernel. This malicious attack had been identified by Google\u2019s Threat Analysis<\/a> Group.<\/p>\n

\"windows<\/p>\n

 <\/p>\n

Windows Kernel Vulnerability<\/strong><\/p>\n

In technical parlance, the vulnerability can be considered to be a \u2018security hole\u2019 in the Windows kernel, which exists in all versions of the Windows OS till now (even Windows 10). According to Google the vulnerability \u201ccan be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.\u201d
\nThrough this “hole”, cyber criminals would gain elevated privileges for their malicious code that would help it escape a web browser’s sandbox, and then install the malware on the system. This would create a backdoor allowing access to the infected computer.<\/p>\n

Microsoft reports: “Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild.” It is also coordinating with Google and Adobe to develop patches to fix the issues.<\/p>\n

STRONTIUM leveraged a “use-after-free issue affecting ActionScript runtime code” vulnerability in Adobe Flash. Adobe has released a patch update<\/a> to address this vulnerability.<\/p>\n

The STRONTIUM group suspected to be behind this attack usually targets high-value targets such as military organizations, defense contractors, government agencies<\/a>, large private sector organizations, and diplomatic institutions. They typically initiate their attack through spearphishing emails. They send emails from an already compromised victim’s computer to the target victim’s email id. They continue these attempts persistently for months together till they are able to infect the victim’s computer. From there on it spreads through the network and settles itself in very deep areas from where it can steal confidential, sensitive and valuable data.<\/p>\n

Steps to protect the system from the win32k.sys vulnerability?<\/strong><\/p>\n