Vulnerability exploited in the wild by attackers prior to release of patch by Microsoft
Positive Technologies expert Mikhail Tsvetkov has analyzed a previously unknown security flaw in the Windows operating system and reported the issue to Microsoft. The zero-day vulnerability, which was quickly patched by Microsoft, enabled attackers to remotely obtain maximum system privileges on PCs running Windows 10, 8.1, 7, Server 2008, Server 2012, and Server 2016.
Local Privilege Escalation (LPE) vulnerability CVE-2017-0263 related to incorrect handling by the Win32k driver of context menus, which could be used to run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with system privileges.
“This use-after-free vulnerability arises when the window of a context menu is collapsed. The memory occupied by the menu is freed up, but the pointer to this memory is not zeroed out, meaning that it can be reused,” explained Mikhail Tsvetkov, application analyst at Positive Technologies.
To exploit this issue, an attacker would need to obtain system access such as with vulnerability CVE-2017-0262, which involved incorrect handling of EPS files by Microsoft Office. As reported by the Positive Technologies Expert Security Center (PT ESC), these two vulnerabilities had been packaged in a phishing message sent to potential targets.
To fix these vulnerabilities, users should install the Microsoft monthly security updates issued back on 9 May. Users who have installed Microsoft's April security updates are already protected from vulnerability CVE-2017-0262, since the April release disabled EPS file handling in Microsoft Office.
Verification of these vulnerabilities has already been added to the MaxPatrol knowledge base.