Cyber researchers from the Trustwave SpiderLabs Internet Security uncovered zero-day vulnerability from a discussion on Russian underground malware forum Exploit.in.
It impacts all versions of Windows OS starting right from Win2000 up to the latest fully patched Win10.
Guess the price you’d have to pay for this exploit on the online black market?
User BuggiCorp was looking to sell it for $95,000. At least it was at the time the offer was spotted by internet security researchers, which then dropped down to $90,000 or £62,000; the sum that can cost Microsoft Windows upon putting its alleged 1.5 billion global user base at risk of a malware attack.
Zero-Day Vulnerabilities
In a hacking circle, zero-day vulnerability pertains to an internet security hole in software.
It is a much sought after code previously unknown to anyone that can be exploited, only to become a victim of infiltration or computer attack.
By itself, it won’t be able to compromise a system for primarily requiring admin access, but can be regarded as a critical puzzle piece in the entire infection process.
Hackers exploit the hole before the vendor is made aware and scrambles to fix it.
Reportedly, the vulnerability is an LPE or Local Privilege Escalation Windows bug.
The zero-day internet security flaw sits in the win32k.sys kernel driver, with its existence traced with the way Windows handles objects that have certain properties incorrectly.
BuggiCorp said that the zero-day internet security exploit escapes successfully from (LOW) ILL/appcontainer, bypasses or does not get affected at all by every existing protection mechanism including DEP, ASLR, SMEP, etc. and that it solely relies on KERNEL32 and USER32 DLL libraries.
The forum post stated his offering of a rare product of an exploit that’s implemented for OS x86 and x64 architectures from Windows XP and inclusive of Windows Server Versions and said to have been tested on at least 20 variants of the Windows OS.
He thereby proves his claim’s authenticity with the release of two exploit videos showing the bug in action that’s even working on the current Windows 10 build.
Internet security researchers comprised of a team of ethical hackers and penetration testers analyzed the flaw.
The internet security exploit up for grabs would allow attackers to upgrade any user level account on any Windows version to an administrator account.
Hence, they are granted access and thus empowered to run a malicious code to ultimately gain access to other machines and make changes on user settings.
Trustwave tells of other zero-day exploit capabilities such as a rootkit installation, utilization on POS systems and stealing credit card information, limited web server control, and system malware installation.
Microsoft Recommendation
SpiderLabs Internet Security stated that the forum post made on the 11th of May is frequently used by Russian-speaking cybercriminals to hire malware coders, buy or lease exploit kits or for acquiring access to compromised sites or renting botnets.
Failing to shift the exploit on the first go, the vendor updated it on May 23rd to a price slashed off by $5,000 along with the YouTube videos.
Microsoft has been alerted of the potential exploit throughout their Windows OS being traded online upon discovery of this post and defends its internet security measures.
The multinational tech company commented that Windows is the sole platform with customer commitment on investigating security issues that have been reported, and likewise proactively update affected devices in the soonest possible time.
Customers are recommended to use Windows 10 as well as the Microsoft Edge browser for their best protection.
Microsoft continues to abide by their company standard policy of providing solutions and updating software through their existing regular schedule.
The truth is, defending against this exploit is hard considering the accuracy of the exploit seller’s claims, and with the exploit bypassing all of Microsoft’s EMET enforced protections as seen in the demo videos.
With this in mind, users must observe typical precautions of ensuring up-to-date software and running a reliable internet security product.
By doing so can aid in breaking a link within an attack chain like an exploit that needs system access in the first place to prior to successfully performing a remote code execution.