Today, Microsoft released its monthly security patches, known as the Patch Tuesday updates. This month, the Redmond-based company fixed 38 vulnerabilities across a large set of products.

For the fourth month in a row, Microsoft patched a Windows OS zero-day vulnerability that was being exploited in the wild.

As in the previous two months, making this the third month in a row, the zero-day was being (ab)used in nation-state cyber-espionage operations. And just like last month, two cyber-espionage groups rather than one were abusing this zero-day, which suggests some sort of infrastructure sharing or common leadership.

CVE-2018-8611: the zero-day

This zero-day, which Microsoft is tracking as CVE-2018-8611[1], is an elevation-of-privilege vulnerability in the Windows kernel.

According to Microsoft, "[the] vulnerability exists when the Windows kernel fails to properly handle objects in memory."

"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," the company said today. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Microsoft says an attacker will first need a foothold on an infected computer, but this is not as hard as it sounds, especially when you're being targeted by a nation-state group.

Responsible for discovering this new zero-day are, once again, security researchers from Kaspersky Lab. A Kaspersky Lab spokesperson told ZDNet that the same two cyber-espionage groups who were abusing the Windows zero-day patched in November[2] (CVE-2018-8589) were also behind the attacks with this one.

Kaspersky Lab experts also discovered the zero-day abused a month prior, in October[3]. That zero-day (CVE-2018-8453) was also an elevation of privilege, and was abused by the FruityArmor cyber-espionage group.

A month prior,

Read more from our friends at ZDNet