Yesterday Microsoft released 17 security bulletins, finally fixing the last 0day flaw exploited by the Stuxnet malware, which had been left open until now. In all, 7 of the 38 flaws fixed were already publicly disclosed, and they allowed both remote code execution and elevation of privilege.
Microsoft also patched some of its own software that was vulnerable to the insecure DLL loading (DLL preloading) issue disclosed last August. We discussed this vulnerability in a dedicated blog post in August, where we said it should not be considered a vulnerability of the operating system itself but a coding error by the developers of the affected applications: loading a library by bare file name lets the loader keep searching and fall back to attacker-controlled locations such as the current working directory.
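To make that point concrete, here is an added example, not code from the original post or from Prevx, showing the coding error beside its hardened form. The DLL name "dwmapi.dll" and the paths are illustrative assumptions; the pattern applies to any library a program requests by bare name that is not present in the system directories. The Windows API calls are compiled only under _WIN32, so the path-building and name-validation helpers can be built and checked on any platform.

```c
/*
 * Added example (not from the original post or from Prevx): the
 * "insecure DLL loading" coding error, beside the hardened pattern.
 *
 * "dwmapi.dll" is an assumed example name. Any DLL requested by bare name
 * that is absent from the system directories (an optional or
 * platform-specific library) is the classic hijack target, because the
 * loader keeps searching and reaches the current working directory.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Reject names that could redirect the load: a bare module name must not
 * contain path separators, drive/stream syntax or "..", and must end in .dll. */
int is_bare_dll_name(const char *name)
{
    size_t len;
    if (name == NULL || (len = strlen(name)) < 5) return 0;   /* shortest: "x.dll" */
    if (strchr(name, '\\') || strchr(name, '/') || strchr(name, ':')) return 0;
    if (strstr(name, "..")) return 0;
    const char *ext = name + len - 4;                         /* case-insensitive ".dll" */
    return (ext[0] == '.' &&
            (ext[1] == 'd' || ext[1] == 'D') &&
            (ext[2] == 'l' || ext[2] == 'L') &&
            (ext[3] == 'l' || ext[3] == 'L'));
}

/* Build "<sysdir>\<name>" with bounds checking. Returns 1 on success,
 * 0 if the name is unsafe or the buffer is too small. */
int build_system_dll_path(const char *sysdir, const char *name,
                          char *out, size_t out_len)
{
    if (!is_bare_dll_name(name) || sysdir == NULL || out == NULL) return 0;
    size_t dlen = strlen(sysdir);
    int needs_sep = (dlen > 0 && sysdir[dlen - 1] != '\\');
    size_t total = dlen + (needs_sep ? 1 : 0) + strlen(name);
    if (total + 1 > out_len) return 0;
    memcpy(out, sysdir, dlen);
    if (needs_sep) out[dlen++] = '\\';
    strcpy(out + dlen, name);
    return 1;
}

#ifdef _WIN32
/* VULNERABLE: a bare name makes the loader walk the search path, which on
 * an unhardened system includes the current working directory. If the DLL
 * is absent from the system directories, a planted copy in the CWD (e.g. the
 * folder a document was opened from) is loaded instead. */
HMODULE load_dll_insecure(const char *name)
{
    return LoadLibraryA(name);
}

/* HARDENED: remove the CWD from the process search path once at start-up,
 * then load system DLLs by fully qualified path. */
void harden_dll_search(void)
{
    SetDllDirectoryA("");   /* an empty string removes the CWD from the search order */
}

HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir) return NULL;
    if (!build_system_dll_path(sysdir, name, full, sizeof full)) return NULL;
    return LoadLibraryA(full);   /* no fallback to the CWD or PATH */
}
#endif

int main(void)
{
    char full[260];
    if (build_system_dll_path("C:\\Windows\\system32", "dwmapi.dll", full, sizeof full))
        printf("hardened load target: %s\n", full);
    printf("'..\\evil.dll' accepted as bare name: %d\n", is_bare_dll_name("..\\evil.dll"));
#ifdef _WIN32
    harden_dll_search();
    HMODULE h = load_system_dll("dwmapi.dll");
    printf("load_system_dll: %s\n", h ? "loaded" : "not found (no fallback to CWD)");
    if (h) FreeLibrary(h);
#endif
    return 0;
}
```

The fix is entirely on the application side: qualify the path, or at least call SetDllDirectory("") so the CWD drops out of the search order. Administrators who cannot recompile affected software can apply the system-wide mitigation Microsoft shipped in August (the CWDIllegalInDllSearch registry setting from KB2264107), which removes the CWD from the search path for every process.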
Finally, Microsoft patched the long-discussed and well-known Windows Task Scheduler flaw used by the Stuxnet malware to gain administrative privileges. With this update, all of the 0day exploits used by Stuxnet have now been fixed.
The Task Scheduler flaw had been known since September, and a working proof-of-concept exploit was released publicly in November, allowing malware writers to build it into their code and bypass both limited-account and UAC restrictions.
In a Microsoft blog post written on 9th December 2010, Mike Reavey of the Microsoft Security Response Center wrote that the 0day exploit affecting the Windows Task Scheduler had not been seen in use anywhere other than in the Stuxnet malware. Contrary to this, we have had reports of the infamous TDL4 rootkit exploiting the same flaw since the first days of December 2010, and we covered this in a previous blog post. Anyway, the exploit is now fixed, and TDL4 will need to find other ways to elevate its privileges when dropped on a victim's PC.
With this massive security update Microsoft patched a lot of flaws that could be exploited by malware. Is that all? Actually, no. This update still leaves open a privilege escalation flaw, the one we discussed in a blog post written here, relating to the win32k.sys stack overflow.
This is bad, and it is made more dangerous by the fact that exploit code for this vulnerability has already been disclosed publicly; we should expect malware to start using it for malicious purposes very soon. Now that the Windows Task Scheduler flaw has been closed, this exploit will probably be in the spotlight until Microsoft releases a patch for it.
Looking at malware like the TDL4 rootkit, its development trend suggests that its authors will adopt this exploit very soon, once again giving the rootkit the ability to automatically elevate its privileges and infect both x86 and x64 versions of Microsoft Windows.
Prevx customers are already protected against this Windows 0day exploit, as are users of the free version of Prevx. So, while waiting for the Microsoft patch, why not give Prevx a try and stay protected from this exploit?