What is the threat?
A new zero-day exploit was discovered targeting several victims in the Middle East and Asia. The vulnerabilities affect Microsoft Windows and Windows Server. The Microsoft Windows Kernel Transaction Manager (KTM) is vulnerable to a race condition because it fails to properly handle objects in memory, which can result in local privilege escalation. Microsoft Windows DNS servers are vulnerable to a heap overflow that unauthenticated attackers can trigger by sending malicious requests to affected servers.
Why is this noteworthy?
According to Microsoft, the Windows kernel fails “to properly handle objects in memory”. A successful attacker could run arbitrary code in kernel mode and then “install programs; view, change, or delete data; or create new accounts with full user rights.” Microsoft Windows Domain Name System (DNS) servers are vulnerable to heap overflow attacks, and a successful exploit allows the attacker to run arbitrary code.
What is the exposure or risk?
A carefully crafted malicious application could exploit the race condition to elevate its local privileges, create user accounts, install new programs, or change, view, or delete data. According to security researchers, “the exploit can also be used to escape the sandbox in modern Web browsers, including Chrome and Edge.” Windows servers configured as DNS servers are vulnerable, and a successful attack could allow the execution of arbitrary code; an unsuccessful attack results in a denial of service.
What are the recommendations?
SKOUT recommends installing the latest Microsoft security update and ensuring that all software and applications are up to date. We recommend ensuring that an anti-malware solution is installed and up to date with the latest signatures. We also recommend behavior-based detection capabilities, such as Cylance, for effective protection against future unknown threats, including zero-day exploits.
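The following PowerShell triage script is an added example, not part of the SKOUT advisory: run elevated on a Windows host, it reports whether the host runs the DNS Server role (and is therefore exposed to the heap overflow), whether the Microsoft fix is installed, and whether the DNS service has crashed recently, which the advisory notes is the result of unsuccessful exploitation attempts. The KB number of the fix is not given on this page, so $RequiredKb is a placeholder to fill in from Microsoft's security update.

```powershell
# Added example (not from the SKOUT advisory). Assumes it runs elevated on the
# host being checked and that $RequiredKb is replaced with the KB number of
# Microsoft's fix, which this advisory does not list (placeholder below).
param(
    [string]$RequiredKb   = 'KB0000000',   # placeholder: real KB from Microsoft
    [int]$LookbackDays    = 7
)

# 1. Exposure: only hosts running the DNS Server service are affected by the
#    DNS heap overflow. Checking the service works on Server and client SKUs.
$dnsService       = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
$dnsRoleInstalled = $null -ne $dnsService

# 2. Mitigation: Get-HotFix lists installed updates by KB id.
$patchInstalled = [bool](Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)

# 3. Detection: an unsuccessful attack crashes the service (denial of service).
#    Service Control Manager logs unexpected terminations as event 7034 in the
#    System log; repeated DNS Server crashes warrant investigation.
$crashFilter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7034
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}
$dnsCrashes = @()
if ($dnsRoleInstalled) {
    $dnsCrashes = @(Get-WinEvent -FilterHashtable $crashFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'DNS Server' })
}

# Summary object; Exposed is true when the role is present but the fix is not.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    DnsRoleInstalled = $dnsRoleInstalled
    DnsServiceStatus = if ($dnsService) { $dnsService.Status } else { 'n/a' }
    PatchInstalled   = $patchInstalled
    DnsCrashes       = $dnsCrashes.Count
    LookbackDays     = $LookbackDays
    Exposed          = ($dnsRoleInstalled -and -not $patchInstalled)
}
```

Pipe the output to Export-Csv across a fleet (for example via Invoke-Command) to produce a list of unpatched DNS servers to prioritise for the update.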
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.