Online muggers make serious moves on unpatched Microsoft bugs
Win32k and Visual Studio flaws are under attack
Two flaws in Microsoft software are under attack on systems that haven't been patched by admins.
Redmond issued fixes for the vulnerabilities – one affecting Visual Studio and the other the Win32k subsystem – in April and May, but in separate reports this week, security researchers with Varonis Threat Labs and Numen Cyber warned that unpatched systems are already being exploited.
Numen analysts noted that the privilege escalation Win32k.sys flaw – tracked as CVE-2023-29336 with a CVS severity rating of 7.8 out of 10 – has been exploited by miscreants, adding that while it does not affect Windows 11, older versions of Windows 10, Windows 8, and Windows Server are at risk.
"It poses a significant risk to earlier systems," the researchers wrote. "Exploitation of such vulnerabilities has a notorious track record."
Win32k.sys is a kernel-mode driver that is responsible for management, acting as the GUI for Windows. Miscreants exploiting the vulnerability can gain system privileges and greater control over a compromised system. Avast Systems first wrote about the flaw in May, when Microsoft issued the fix during that month's Patch Tuesday, but neither company elaborated on the details of the problem.
That same month, the Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its list of vulnerabilities that were being exploited. It seems many didn't listen.
Starting with the patch and working back
The Numen analysts analyzed the vulnerability by deconstructing the patch and created a proof-of-concept (PCO) exploit on Windows Server 2016. They said the problem was that while Win32k locks a window object, it doesn't do the same for the menu object nested within it.
Attackers could exploit the vulnerability by taking control of the menu object to escalate their access privileges and link to other vulnerabilities. In creating its POC, Numen developed a method for reaching the system privilege level, noting that there were no significant challenges.
- Two Microsoft Windows bugs under attack, one in Secure Boot with a manual fix
- April Patch Tuesday: Ransomware gangs already exploiting this Windows bug
- Clop ransomware crew sets June extortion deadline for MOVEit victims
- Five Eyes and Microsoft accuse China of attacking US infrastructure again
"Apart from diligently exploring different methods to gain control over the first write operation using the reoccupied data from freed memory, there is typically no need for novel exploitation techniques," the researchers wrote. "This type of vulnerability heavily relies on leaked desktop heap handle addresses."
There were some modifications, but they wrote that "if this issue is not thoroughly addressed, it remains a security risk for older systems."
Microsoft in the most recent Windows 11 preview version used the Rust language to address the specific portion of the kernel code that Numen researchers took advantage of, which could eliminate such vulnerabilities going forward.
And then there's Visual Studio
The other report deals with a user interface bug in Microsoft's Visual Studio installer that can cause an application developer to inadvertently apply malicious extensions to their work.
"A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis security researcher Dolev Taler wrote. "Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system."
Taler discovered the flaw, with Microsoft issuing a patch in April. Redmond rated the bug, tracked as CVE-2023-28299, as important rather than critical.
However, Taler wrote that it isn't difficult to exploit the flaw, and that combined with the high risks that come if a system is compromised and the popularity of Visual Studio makes it important for organizations to apply the patch. He noted that Visual Studio is the second most popular IDE, with a 26 percent market share and more than 30,000 customers.
In addition, Taler wrote that there are hundreds of Visual Studio extensions "that allow users to do anything from integrating GitHub and SQL servers to simple productivity tools like spell checks and code snipping. The most popular extensions routinely have millions of downloads."
Visual Studio keeps newline control characters – which represent the end of a line of text and the start of a new line – from the name of an extension by not allowing users to add information into the "product name" extension, property, he wrote.
The problem is a miscreant can bypass the restriction by opening a VSIX package as a ZIP file and the miscreant can then manually add newline characters to the <displayname> tag under the "extension.vsixmanifest" file.</displayname>
If enough newline characters are added to the "name,all" extension, other text in Visual Studio installation prompt is pushed down, which essentially hides the "Digital Signature: None" warning to developers, he opined.
The miscreant can then send a phishing email dressed up as a legitimate software update with the fake VSIX extension that apes a real one. A victim who doesn't see that the malicious extension isn't a true signed on, they may install it, deploying a payload within the extension and enabling the attacker to gain initial access.
From there it's all about lateral movement through the organization's network, with the miscreant being able to steal confidential data and corporate IP. ®