Microsoft waited 6 months to patch actively exploited admin-to-kernel vulnerability

PLUS: NSA shares cloud security tips; Infosec training for Jordanian women; Critical vulnerabilities

Infosec in brief Cybersecurity researchers informed Microsoft that Notorious North Korean hackers Lazarus Group discovered the "holy grail" of rootkit vulnerabilities in Windows last year, but Redmond still took six months to patch the problem.

Researchers at Avast said they informed Microsoft of a serious admin-to-kernel exploit in a driver associated with AppLocker, the app for whitelisting software built into Windows, in August of last year.

The vulnerability, found in the input/output control dispatcher of appid.sys, meant it was accessible from userspace while communicating with the Windows kernel.

"A user-space attacker could abuse it to essentially trick the kernel into calling an arbitrary pointer," Avast said. "This presented an ideal exploitation scenario, allowing the attacker to call an arbitrary kernel function with a high degree of control over the first argument."

Avast claims Lazarus Group used the vulnerability to obtain read/write primitive on the Windows kernel and install their FudModule rootkit, but Microsoft's opinion on the severity of admin-to-kernel exploits meant it didn't prioritize the matter, waiting until February's patch Tuesday to fix the issue, which it tagged as CVE-2024-21338, with a CVSS score of 8/10.

"Some Windows components and configurations are explicitly not intended to provide a robust security boundary," Microsoft states on its Security Servicing criteria page. What that means, Avast said, is that "Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion."

Of admin-to-kernel issues, Microsoft said administrative processes and users are part of Trusted Computing Base for Windows, and thus "not strong [sic] isolated from the kernel boundary."

Unfortunately in this case, that meant Lazarus Group was able to play in victims’ kernels for months without Microsoft doing a thing.

Even when it patched the vulnerability, Microsoft reportedly didn't disclose that the matter was under active exploitation when it issued a patch. That disclosure came when Avast published its report on the matter recently, which prompted Microsoft to update its patch bulletin.

We've asked Microsoft for an explanation, and will let you know if we get one.

Critical vulnerabilities of the week: Better update iOS

The leading critical vulnerabilities this week can be found in a long list of Apple security updates released for iOS and iPadOS versions 17.4 and 16.7.6, the former being the most recent version, and the latter being an older OS still used on some older devices.

Not all of the vulnerabilities in the list are critical, but several are – such as CVE-2024-23277, which would allow an attacker to spoof a keyboard and inject keystrokes, CVE-2024-23288, a privilege escalation bug and CVE-2024-23243, which we covered previously.

Note that two of the issues Apple patched this week - CVE-2024-23225 and CVE-2024-23296 - are under active exploitation, per CISA.

Apple also released security updates for all its other various OSes, and Safari, today, so get patching.

Elsewhere:

  • CVSS 10.0 - Multiple CVEs: Linear eMerge E3 series access control devices contain a number of flaws that could see a remote attacker gain full system access.
  • CVSS 9.1 - CVE-2024-2197: Chirp, also an access management product, is improperly storing credentials in its Chirp Access app.
  • CVSS 8.2 - CVE-2024-20337: Cisco Secure Client is insufficiently validating user input during the SAML authentication process, allowing an attacker to execute arbitrary code.

NSA shares its cloud security mitigation tips

Cloud computing can be great … or create serious security risks, which is why the US National Security Agency and the Cybersecurity and Infrastructure Security Agency have teamed to share ten tips on how to mitigate risks.

Among the tips are some you'd expect, like following proper identity and access management practices, managing logs, properly managing access keys, and the like. Others are … well, still pretty obvious, but might need to be pointed out.

Those include segmenting your networks and applying encryption in cloud environments, properly defending CI/CD environments, and remembering to account for complexities introduced by hybrid and multi-cloud environments.

"Using the cloud can make IT more efficient and more secure, but only if it is implemented right," said NSA cybersecurity director Rob Joyce. "This series provides foundational advice every cloud customer should follow to ensure they don't become a victim."

You can find the whole list of tips, each one pointing to a separate report and implementation tips, here.

White House, OSS groups offer cybersecurity training to Jordanian women

In honor of Women's History Month, the White House National Security Council, Linux Foundation Training and Certification, the Open Source Security Foundation (OpenSSF) and Cloud Native Computing Foundation (CNCF) have teamed up to help Jordanian women get trained up to join the cybersecurity workforce with a new pilot program.

The initiative will provide 250 Jordanian women access to more than 100 free security courses and around 25 certifications, including ones related to Kubernetes and cloud native security, the Linux Foundation told The Register.

"As cybersecurity continues to experience challenges in finding enough skilled workers, this program will help build capacity in the workforce," OpenSSF said.

According to USAID, fewer than one-fifth of Jordanian women are part of the workforce, and social norms in the country generally discourage women from working outside the home.

"By providing complementary security certifications, we aim to break down barriers and create opportunities for women in Jordan, fostering a more inclusive and diverse workforce," OpenSSF said.

The announcement comes as the US and Jordan held their second digital dialogue conference, which included discussion on upskilling Jordan's workforce, specifically women, to pursue cybersecurity careers.

Omkhar Arasaratnam, general manager at OpenSSF, told us that if the program is successful, similar initiatives may follow in other nations. ®

More about

TIP US OFF

Send us news


Other stories you might like