Latest Windows zero-day exploited by DNC hackers

Due to Google’s public release of information about an actively exploited Windows zero-day, Microsoft was forced to offer its own view of things and more information about the attack.

The vulnerability is just one part of the attack chain leveraged by the Strontium (aka Fancy Bear, aka APT28) hacker group, which is widely believed to be behind the DNC and John Podesta email hacks, and backed by the Russian government.

“This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers,” Terry Myerson, Windows and Devices Group EVP, explained in a blog post.

The attackers used the Flash exploit to gain control of the browser process, and then the Windows exploit to elevate privileges in order to escape the browser sandbox, so that they could install a backdoor on the victim’s computer.

The attack took the form of a low-volume spear-phishing campaign directed at specific targets, and not Windows users in general, and that’s one of the reasons Microsoft is disappointed with Google’s decision to disclose the existence of the flaw before Microsoft had the chance to push out a patch.

Another reason is that this specific attack has already been mitigated through the implementation of the latest Flash Player update Adobe pushed out last week (apparently they take it for granted that everybody implements all security updates as soon as they are released).

Finally, the exploit for the Windows zero-day doesn’t work on Windows 10.

“Prior to this attack, Microsoft implemented new exploit mitigations in the Windows 10 Anniversary Update version of the win32k kernel component. These Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit,” Myerson pointed out, and explained how the implementation of strict Code Integrity policies, the use of Windows Device Guard, and Windows Defender ATP would also help detect and block this particular attack.

Still, the majority of Windows users still do not use Windows 10 or any of these defensive mechanisms.

In fact, Duo Security researchers found that 65 percent of all Windows devices are running Windows 7, and tens of thousand of devices are still running Windows XP 15 years after its release. All these computers sport a several hundred vulnerabilities, so this latest one should be the least of their worries.

Myerson has concluded by saying that the fix for the zero-day for all Windows versions will be released on November 8.