Microsoft patched two zero-day vulnerabilities in Windows that were being exploited by Korean hackers, according to Moscow-based cybersecurity firm Kaspersky.
A post to the company's SecureList security blog said that Kaspersky stopped an attack against a South Korean company in May. The attackers used two zero-day exploits leveraging previously unknown software flaws: "a remote-code-execution exploit for Internet Explorer 11" and "an elevation-of-privileges (EoP) exploit for Windows."
Kaspersky reported the new vulnerabilities to Microsoft, which patched the elevation-of-privilege bug on June 9 and the Internet Explorer flaw yesterday (Aug. 11).
The first, assigned the catalog number CVE-2020-0986, could have given extra powers to an attacker who had already logged into a Windows system. Using those elevated privileges, the attacker could have installed, deleted or altered existing software or system settings. That's bad but not terrible, and Microsoft labeled it as "important."
The second, catalogued as CVE-2020-1380, would let an attacker controlling a malicious website gain user privileges on a system that opened a page on the website in Internet Explorer.
With the second zero-day, the attacker's privileges would match only those of the user whose browser opened the web page. If the user was running as a limited user without administrator privileges, then the attacker wouldn't be able to do much.
However, if the user was running as an administrator, then the impact would be much worse, and the attacker could do pretty much anything on the victim's computer. That, combined with the fact that the attack happens over the internet, earned it a severity ranking of "critical."
(Such attacks are why we advise everyone to do their day-to-day computing business in a limited account. Staying logged in as an administrator is too risky.)
If the two flaws were combined, the impact could be devastating. The attacker could use the Internet Explorer flaw to gain a foothold on the system, however limited. The elevation-of-privileges flaw would give the attacker administrative powers to escape the boundaries of a limited account.
Kaspersky said the company wasn't yet able to definitively link these attacks to known threat actors, but added that there were indications that a Korean group named DarkHotel may be involved.
DarkHotel has been active for more than a decade and got its name when Kaspersky researchers spotted it tracking hotel guests around East Asia in 2014. The group has also broken into defense-industry targets in the U.S.
Interestingly, while most highly sophisticated cyberattacks on the Korean peninsula come from North Korean state-sponsored hackers, DarkHotel is thought to be a South Korean group, possibly backed by the South Korean government itself.
Microsoft also patched another zero-day vulnerability yesterday. Catalog number CVE-2020-1464 is described as a spoofing issue that could cause Windows to improperly authenticate file signatures.
This vulnerability, too, is being exploited, but Microsoft didn't say how or by whom. It has a severity ranking of "important."
To make sure you're protected against all these flaws, run this month's Patch Tuesday updates in Windows Update.
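As an added example (not from the original article or from Kaspersky or Microsoft), the following PowerShell script checks the two things the article recommends: whether the current session is running with administrator rights, and whether any Windows updates have been installed since the Aug. 11, 2020 Patch Tuesday. It assumes that, because the article gives no KB numbers for these fixes, selecting updates by install date is an acceptable stand-in, and that `Get-HotFix` reflects the updates installed on the machine.

```powershell
# Added example: reports whether this session has administrator rights
# (the article advises day-to-day use of a limited account) and which
# Windows updates were installed on or after the Aug. 11, 2020 Patch Tuesday.
# Assumption: the KB numbers for these fixes are not given in the article,
# so updates are selected by install date rather than by KB id.

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UpdatesSince {
    param([datetime]$Since)
    # Get-HotFix lists installed updates via Win32_QuickFixEngineering;
    # InstalledOn can be empty for some entries, so those are skipped.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn |
        Select-Object HotFixID, Description, InstalledOn
}

$patchTuesday = [datetime]'2020-08-11'

if (Test-IsAdministrator) {
    Write-Warning "This session has administrator rights; use a limited account for day-to-day work."
} else {
    Write-Output "Running as a limited user."
}

$recent = Get-UpdatesSince -Since $patchTuesday
if ($recent) {
    Write-Output "Updates installed since $($patchTuesday.ToShortDateString()):"
    $recent | Format-Table -AutoSize
} else {
    Write-Warning "No updates installed since $($patchTuesday.ToShortDateString()); run Windows Update."
}
```

An empty result does not by itself prove the machine is unpatched, since `Get-HotFix` does not list every kind of update; it is a prompt to open Windows Update and confirm.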
Hefty Patch Tuesday
In total, Microsoft released security patches for 120 different flaws yesterday, affecting Windows, Edge, Microsoft Scripting Engine, the .NET Framework, SQL Server, Dynamics, Office and many other products.
Of these, 17 were categorized as “critical”. This is the most severe rating that a security flaw can be given, putting users at immediate risk of attack.
Don't be a privacy procrastinator
“When updates are rated, the super-security-conscious patch them all instantly, but the procrastinators among us may skip the less important ones," Jake Moore, a security specialist at ESET, told Tom’s Guide. "It can be very dangerous to think you are not at risk to certain attacks but some people and even businesses keep their heads firmly in the sand."
He added: “However, whether the rating is critical or not, it is always worth patching at the earliest convenience to help protect where you can. Rating such vulnerabilities could even cause damage to not only the organisation patching but also Microsoft too.
“There is the potential that you could see companies argue with Microsoft that a notably 'important' patch may have actually been more critical to them over a particular threat so autonomous updates are the best way of staying protected.”