Today is the Microsoft June Patch Tuesday. In particular, the patch includes two kernel exploitable vulnerabilities that enSilo researchers had reported to Microsoft just less than two weeks ago. Both vulnerabilities were filed together under CVE-2015-2360, ranked as IMPORTANT. These two vulnerabilities date back to the old – yet already unsupported – Windows XP, and up to Windows 8.1 (including).
According to market research, the May 2015 market share of Windows XP and Windows 7 together is more than 72%. With this market share, we find it important to share details on these vulnerabilities and understand their severity and implications.
A threat actor exploiting any one of these two vulnerabilities can:
- Receive root privileges, cause a system-level compromise or escape sandbox defense measures.
- Run kernel code on the victim’s machines.
To put it bluntly, a threat actor can take complete control of the victim’s machine.
The Exploitability Factor
This vulnerability is an exploitable one. This means that we know that there isn’t just a hole in the Windows Operating System. Our researchers were able to demonstrate how a threat actor can actually take advantage of the vulnerability to run a piece of malware as if it were seemingly part of the operating system
Threat actors will require access to the victim’s Windows machine in order to run their exploitable code.
- Microsoft Windows XP professional 32 bit (All Service Packs)
- Microsoft Windows Vista
- Microsoft Windows 7
- Windows 8 and Windows 8.1
- Microsoft Windows Server 2003
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 R2
- Windows Server 2012 and Windows Server 2012 R2
- Windows RT and Windows RT 8.1
Vulnerability in a Nutshell: Use-After-Free
These two vulnerabilities are of type Use-After-Free. What this means is that the program uses a section of kernel memory that was already potentially reset and used by a different program. Threat actors typically exploit this type of vulnerability by tinkering with the memory of a running program so that it runs malicious code.
Unfortunately, uncovering vulnerabilities should not surprise us researchers any longer. Code was written by humans, and to err is human. Systems will continue to include holes, and threat actors will continue to find ways to exploit them.
On this ending note, I’d like to call out that it is time that we learn to deal with vulnerabilities by admitting to their existence and focusing on finding ways to defend our systems once they are already exploited.