Microsoft’s Patch Tuesday was a particularly big one this week: It included two actively-exploited Windows zero-day vulnerabilities. The first, impacting Windows 7 users, was brought to public attention by Google last week. Google security engineer, Clement Lecigne, warned the zero-day vulnerability could be used together with a Chrome exploit to take over Windows systems and advised people to upgrade to Windows 10.
The second flaw was found by Kaspersky Lab. The security firm says it has detected a new exploited vulnerability in Windows, which it believes has been used in targeted attacks by at least two threat actors.
The exploit targets OS versions Windows 8 to Windows 10, using a vulnerability in Microsoft Windows’ graphic subsystem to achieve local privilege escalation. This provides the attacker with full control over a victim’s computer.
The latest zero-day
The exploited vulnerability was detected by Kaspersky Lab’s Automatic Exploit Prevention technology.
Kaspersky Lab products detect the exploit as:
The Kaspersky researchers who discovered the bug, Vasiliy Berdnikov and Boris Larin, say in a blog: “In February 2019, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys.”
They add: “CVE-2019-0797 is a race condition that is present in the win32k driver due to a lack of proper synchronization between undocumented syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection.”
This is the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows recently discovered by Kaspersky.
Who has used it?
The researchers believe the detected exploit could have be used by several threat actors including FruityArmor and SandCat.
Active since around 2016, FruityArmor is known to have used zero-days in the past on people linked with various government organizations. SandCat is a new threat actor discovered only recently by Kaspersky. In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.
What should you do?
After the security firm reported vulnerability, which is allocated CVE-2019-0797 to Microsoft, it released a patch. Of course, it goes without saying that you should install this ASAP and in future, ensure you regularly patch to take advantage of all updates.
Indeed, software should be updated regularly and always when a new security patch is released. “Security products with vulnerability assessment and patch management capabilities may help to automate these processes,” Kaspersky says.
In addition, it helps if security teams have access to the most recent cyber threat intelligence. David Emm at Kaspersky adds that collaboration between the security industry and software developers is “important”.
It’s also important to continue to be vigilant. Zero-day vulnerabilities can be exploited by attackers to breach a victim’s device and network. Organizations and individuals need to ensure they employ the right tools and practices to ensure they are secure. Basic “security hygiene” such as strong, unique passwords are key.
This article originally appeared on Forbes