A just-patched vulnerability in the Windows operating system that was previously unknown up until last week is being actively exploited in the wild; it opens the door for full system takeover.

Discovered by Vasily Berdnikov and Boris Larin of Kaspersky Lab on St. Patrick’s Day this year, the flaw (CVE-2019-0859) is a use-after-free issue in the Windows kernel that allows local privilege escalation (LPE). It’s being used in advanced persistent threat (APT) campaigns, the researchers said, targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10).

The attackers are using the bug to establish persistent backdoors to targeted machines, gaining the ability to run arbitrary code in kernel mode. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.

Fortunately, there’s a patch, which Microsoft pushed out in the most recent Patch Tuesday last week, so users should update their systems as soon as possible.

In the win32k.sys kernel, the Function ID field is used to define the class of a window, such as “ScrollBar,” “Menu,” “Desktop” and others. The bug allows an attacker to manipulate the process of creating a window by sending specially crafted data sets to the Function ID field.

“During execution, CreateWindowEx sends the message WM_NCCREATE to the window when it’s first created,” the researchers said in an analysis on Monday.

During that WM_NCCREATE callback, the Function ID is set to 0, which allows an adversary to set extra data for the window.

“More importantly, we were able to change the address for the window procedure that was executed immediately after our hook,” researchers said. “By using the SetWindowsHookEx function, it is possible to set a custom callback that can handle the WM_NCCREATE message right before calling the window procedure.”