Microsoft has patched CVE-2019-0797, a Windows elevation-of-privilege vulnerability that two Advanced Persistent Threat groups, SandCat and FruityArmor, were already exploiting as a zero-day before a fix was available. Many of their victims were unaware of the attacks. That is not surprising: detecting a kernel exploit of this kind in progress generally requires endpoint protection with behavioural (heuristic) detection rather than signatures alone, and even then the damage can only be contained if the host isolates applications from one another in sandboxes.
“SandCat is a relatively new APT group; we first observed them in 2018, although it would appear they have been around for some time. They use both FinFisher/FinSpy [spyware] and the CHAINSHOT framework in attacks, coupled with various zero-days. Targets of SandCat have been mostly observed in the Middle East, including but not limited to Saudi Arabia,” explained Costin Raiu, Kaspersky Lab’s Director of Global Research.
Meanwhile, FruityArmor is known for espionage campaigns against Middle Eastern nations. The exploit seen in the wild targets 64-bit builds of Windows 8 through Windows 10; it does not work against 32-bit Windows systems.
“The earliest publication from our side on them is from 2016, when we identified another zero day (CVE-2016-3393) being used by this group. Victims of FruityArmor are generally located in the Middle East, but they are known to target journalists and activists in other regions as well. We observed very few attempts to exploit this vulnerability, in targeted attacks. This is generally the case with high-profile zero-days, which are used only for high-value targets in what can be considered surgical campaigns,” added Raiu.
CVE-2019-0797 is a race condition in win32k.sys, the kernel-mode driver that implements the Windows GUI subsystem (windowing, GDI and, in this case, DirectComposition) and manages the kernel objects behind it. Two undocumented system calls in that driver, NtDCompositionDestroyConnection and NtDCompositionDiscardFrame, are not properly synchronized against each other: when an unprivileged local process triggers both at the same time from separate threads, one call can free an object the other is still working on, corrupting kernel memory. An attacker who wins the race can turn that corruption into arbitrary code execution in kernel mode, i.e. a full elevation of privilege.
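The race described above, modelled in user-mode C as an added example that is neither win32k code nor Kaspersky's analysis: `discard_frame` and `destroy_connection` stand in for the two DirectComposition syscalls, the connection and frame structures and the tracked pool are hypothetical, and a hook forces the worst-case interleaving so the use-after-free is reproduced deterministically rather than by luck. The buggy variant reads the frame pointer and then uses it with no lock held; the fixed variant holds a single connection-level lock across both operations, which is the shape of fix such a race needs.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy "pool" standing in for kernel memory: each frame records whether it is
 * live, so a write into a freed frame is reported instead of being silent
 * undefined behaviour. Hypothetical layout, not the win32k structures. */
#define NSLOTS 4
struct frame { bool live; bool discarded; };
static struct frame pool[NSLOTS];

static struct frame *frame_alloc(void) {
    for (int i = 0; i < NSLOTS; i++) {
        if (!pool[i].live) {
            pool[i].live = true;
            pool[i].discarded = false;
            return &pool[i];
        }
    }
    abort();                         /* pool exhausted: not expected here */
}

static void frame_free(struct frame *f) { f->live = false; }

/* A composition connection owns one frame. The frame pointer is the shared
 * state that the two operations below race on. */
struct connection {
    struct frame *frame;
    pthread_mutex_t lock;
    bool use_lock;                   /* false = unsynchronized (buggy) variant */
    pthread_t destroyer;             /* thread playing the second syscall */
};

typedef void (*interleave_fn)(struct connection *);

/* Stand-in for DiscardFrame. Returns true if it wrote into a freed frame. */
static bool discard_frame(struct connection *c, interleave_fn interleave) {
    bool uaf = false;
    if (c->use_lock) pthread_mutex_lock(&c->lock);
    struct frame *f = c->frame;      /* check: fetch the frame ... */
    if (f != NULL) {
        if (interleave) interleave(c);  /* ... other syscall scheduled here ... */
        uaf = !f->live;              /* ... use: f dangles if freed meanwhile */
        f->discarded = true;         /* this write lands on freed memory */
    }
    if (c->use_lock) pthread_mutex_unlock(&c->lock);
    return uaf;
}

/* Stand-in for DestroyConnection: frees the frame and drops the pointer. */
static void destroy_connection(struct connection *c) {
    if (c->use_lock) pthread_mutex_lock(&c->lock);
    if (c->frame != NULL) {
        frame_free(c->frame);
        c->frame = NULL;
    }
    if (c->use_lock) pthread_mutex_unlock(&c->lock);
}

static void *destroyer_main(void *arg) {
    destroy_connection((struct connection *)arg);
    return NULL;
}

/* Worst-case schedule for the victim: destroy runs between check and use. */
static void schedule_destroy(struct connection *c) {
    if (pthread_create(&c->destroyer, NULL, destroyer_main, c) != 0) abort();
    /* Unsynchronized: the destroyer runs to completion right here. With the
     * lock it blocks on c->lock until discard_frame releases it, so in that
     * case the caller joins it after discard_frame has returned. */
    if (!c->use_lock) pthread_join(c->destroyer, NULL);
}

/* Runs one discard/destroy race; returns true if discard touched freed memory. */
static bool run_race(bool use_lock) {
    struct connection c = { .frame = frame_alloc(), .use_lock = use_lock };
    pthread_mutex_init(&c.lock, NULL);
    bool uaf = discard_frame(&c, schedule_destroy);
    if (use_lock) pthread_join(c.destroyer, NULL);
    destroy_connection(&c);          /* no-op by now: frame already released */
    pthread_mutex_destroy(&c.lock);
    return uaf;
}

int main(void) {
    printf("unsynchronized:   use-after-free = %s\n", run_race(false) ? "yes" : "no");
    printf("with shared lock: use-after-free = %s\n", run_race(true) ? "yes" : "no");
    return 0;
}
```

Build with `cc race.c -o race` (add `-lpthread` on older glibc). The unsynchronized run reports a use-after-free because the frame is released after `discard_frame` has fetched the pointer but before it uses it; with the lock held across check and use, the destroyer cannot run in that window and the write never touches freed memory.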
“The exploitation process for all those operating systems does not differ greatly and is performed using heap spraying palettes and accelerator tables with the use of GdiSharedHandleTable and gSharedInfo to leak their kernel addresses. In exploitation of Windows 10 build 14393 and higher, windows are used instead of palettes. Besides that, the exploit performs a check on whether it’s running from Google Chrome and stops execution if it is because vulnerability CVE-2019-0797 can’t be exploited within a sandbox,” said Vasily Berdnikov, Kaspersky Lab researcher.
A patch only helps once it is installed, and the recurring problem with every fix Microsoft ships for a CVE is delay. Many users dislike forced updates and switch automatic updates off in the Windows Settings page; every day an update is postponed is a day the machine stays exposed to a vulnerability that is now public and, in this case, already being exploited. Microsoft treats updating as a critical function of a Windows PC, and Windows 10 Home accordingly offers no way to disable updates. Only the Professional and Enterprise editions let users defer updates in a more granular fashion, on the assumption that those editions are managed by an IT team that schedules patching for the organization.