Microsoft Issues Emergency Patch for Recently Found Kernel Vulnerability

Microsoft has released an out-of-band patch for Windows 7 and Server 2008 systems to fix a recently identified vulnerability that allows attackers or malware to take full control of computers.

The flaw (CVE-2018-1038) was introduced in January along with the patches for the Meltdown CPU flaw and was spotted this month by a security researcher named Ulf Frisk. The researcher noticed that the permission bit for the system’s topmost page table, which is used for memory management and separation between user-space and kernel, was set to User instead of Supervisor. This meant that any user-mode program with limited permissions could read and write protected kernel memory, achieving privilege escalation.

“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode,” Microsoft said in an advisory Thursday. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The flaw cannot be used to remotely compromise systems so, to exploit it, attackers need to already have limited code execution rights on affected computers. This means the vulnerability is useful for the second stage of an attack, to gain complete control over the target.

Frisk went public with information about the flaw earlier this week because he was told by Microsoft’s security team that the issue had already been fixed by the monthly security updates released on March 13. However, it turns out that those patches were incomplete, so the company decided to push out a new update for affected systems outside of its regular patch cycle, which is something the company rarely does and is only reserved for very serious issues.

“Please apply this patch if you are running an affected OS,” Jessica Payne, a member of Microsoft’s Windows Defender security research team, said on Twitter. “It is likely to be exploited in the wild soon and should be patched immediately.”

Frisk was impressed with Microsoft’s quick response. “Huge Thank You to every hero at Microsoft scrambling to keep everyone still on Win7/2008R2 out there safe and secure!” he said.

The availability of a standalone fix for this issue is also important because some companies might have held back from deploying Microsoft’s patch bundle this month after it caused networking issues on certain system configurations. This gives those companies a way to now protect their systems from this vulnerability while they wait for Microsoft to address the networking issues.

Android Cryptomining Malware Can Kill Devices

The number of attacks that install cryptocurrency mining malware on computers and servers has surged over the past several months, but mobile devices aren’t free from such threats.

Security researchers from antivirus vendor Trend Micro have recently come across a malicious app for Android that hides and mines Monero in the background. In fact, the mining is so aggressive that it could damage devices.

“HiddenMiner uses the device’s CPU power to mine Monero,” the researchers said in a blog post. “There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted. Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail.”

A very similar Monero-mining Android malware app called Loapi was found in December and researchers reported that it caused the batteries to bloat on some devices due to the heat generated by the CPU while mining over extensive periods of time.

So far, HiddenMiner has been found in third-party app marketplaces and not on the official Google Play store, but the attack campaign is still active so it’s possible the malware’s creators will expand their methods of distribution.

During installation, HiddenMiner poses as Google Play update app and asks users to enable it as a device administrator, a special privilege that allows apps to lock the device screen, among other things. Once installed, it hides itself by using a transparent icon and an empty application label, which makes it invisible in the applications drawer.

Apps with administrator permissions cannot be uninstalled until their privilege is revoked first. HiddenMiner blocks users from doing this by locking the device’s screen if they attempt to remove it from the administrator list.

“HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave,” the Trend Micro researchers said. “For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.”

Sponsored Content
Upcoming Webinar
Security at the Speed of Software Development

Security at the Speed of Software Development

There are a lot of DevSecOps offerings that are just DevOps lipstick on a traditional security-as-a-gate pig. Also, security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy an order of magnitude or ... Read More
May 8, 2018

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 131 posts and counting.See all posts by lucian-constantin