Hackers Exploited Windows 0-day for 6 Months After Microsoft Knew of It

Hackers backed by the North Korean government gained a major win when Microsoft left a Windows zero-day unpatched for six months after learning it was under active exploitation. From a report: Even after Microsoft patched the vulnerability last month, the company made no mention that the North Korean threat group Lazarus had been using the vulnerability since at least August to install a stealthy rootkit on vulnerable computers. The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights to interact with the Windows kernel. Lazarus used the vulnerability for just that. Even so, Microsoft has long said that such admin-to-kernel elevations don't represent the crossing of a security boundary, a possible explanation for the time Microsoft took to fix the vulnerability.

"When it comes to Windows security, there is a thin line between admin and kernel," Jan Vojtesek, a researcher with security firm Avast, explained last week. "Microsoft's security servicing criteria have long asserted that '[a]dministrator-to-kernel is not a security boundary,' meaning that Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion. As a result, the Windows security model does not guarantee that it will prevent an admin-level attacker from directly accessing the kernel." The Microsoft policy proved to be a boon to Lazarus in installing "FudModule," a custom rootkit that Avast said was exceptionally stealthy and advanced. Rootkits are pieces of malware that have the ability to hide their files, processes, and other inner workings from the operating system itself and at the same time control the deepest levels of the operating system. To work, they must first gain administrative privileges -- a major accomplishment for any malware infecting a modern OS. Then, they must clear yet another hurdle: directly interacting with the kernel, the innermost recess of an OS reserved for the most sensitive functions.

Thank goodness

[JustAnotherOldGuy]

Thank goodness no Bad Actors took advantage of this.

What's that you say? Tens of thousands of deployments to unsuspecting users?

Not to worry, friend, I'm sure that Microsoft will do whatever it takes to make it right, such as issuing a press release that downplays the severity and damage of their negiligence.

Re:

[jenningsthecat]

Late Stage capitalism.

With striking similarities to Late Stage cancer...

Re:

[Seven Spirals]

Corporate fascism with significant protections by the state bears little resemblance to anything like free markets or capitalism, but hey keep taking shots. It shows the rest of us how little clue you actually possess. It'd be nice to try capitalism sometime, though.

Re:

[dryeo]

Capitalism is at odds with a free market as a free market negatively affects profits.

Re:

[Seven Spirals]

Capitalism is at odds with a free market

Not as much as Communism, but I take your meaning and I tend to agree for my own reasons. I think capitalism with giant oligarchs turns to fascism pretty quick.

as a free market negatively affects profits.

Well sure. If you cannot stomp out your competition, get the government to "license" any newcomers (thus thinning them out), and dominate the consumers with the MSM, you'll end up losing profits to upstarts and competitors. The consumers win and so do businesses that add real value, but the monoliths who simply use the force of government to keep the

Re:

[dryeo]

Yes, buying government is often one of the cheapest ways to maintain/enhance profits. Without government, they still strive for monopoly and will lie and cheat in pursuit of profit.

Microsoft has a point

[FeelGood314]

If someone already has admin level privileges then the game is pretty much over. There are likely millions of ways to modify the kernel at that point so patching one way is pointless.

Re:Microsoft has a point

[DarkOx]

That attitude might come as a surprise to the Digital Rights Management, we gotta have secure boot crowd.

However I agree is admin->Kernel is NOT a security boundary ordinary users should even want. As a practical mater its probably "anti" security in that it just means its more difficult to actually audit anything that is happening in kernel land.

Re:

[sjames]

Agreed. I'm going to gave to agree with Microsoft's position on this. Now the floor feels chilly...

Re:

[NoWayNoShapeNoForm]

That attitude might come as a surprise to the Digital Rights Management, we gotta have secure boot crowd.

Totally agree.

Re:

[mikeebbbd]

And ... in the non-corporate world nearly everybody with Windows 10 or later probably has admin access. That's how Windows insists on setting up computers. All you get when installing something is a box asking if you want to make changes - yes or no - no special password or other authentication required. With the typical reaction to such a question for most people being "Yes" Bob's Your Uncle for the malware installers.

Re:Microsoft has a point

[Ed Tice]

What else would you propose? That users not get local admin on their personally-owned machines? I like the Apple walled garden on my phone and even on consoles but for a general-purpose computer, somebody has to be the admin. If a user clicks yes to a permissions prompt, that's social engineering not software exploit.

Re:

[Midnight_Falcon]

If someone already has admin level privileges then the game is pretty much over. There are likely millions of ways to modify the kernel at that point so patching one way is pointless.

As hard as it is to agree with Microsoft in general, you're absolutely right. I see other posters talking about how this is downplaying the severity, and all is woe..but that's just not the case. If the threat actor already has persistent administrator-level access to your server, it's game over. Upgrading to kernel just gives them a little extra wiggle room to do things like defeat kernel-level antivirus and achieve greater persistence. By design, admin-level users need to be able to apply kernel patc

Re:

[Qwertie]

Normally I would think the same way, but the North Koreans going to the trouble of discovering a new vulnerability and exploiting it suggests that their goal could not be accomplished with ordinary admin rights. This implies that administrator-to-kernel is, empirically, a security boundary against rootkits, even if it officially isn't.

Re:

[wildstoo]

Let's say you're right. What's the potential mitigation here? Just never allow admins to install drivers just in case they're vulnerable?

The sole difference in this case is that the driver in question is bundled with the OS, so the vector exists on all copies of Windows. Sure, that's not ideal, but if you find a vulnerability in a ubiquitous, signed, 3rd-party driver the result is exactly the same. Realtek audio? Intel nic? Those drivers are on hundreds of millions of machines already, so no need to install

What's 6 months?

[93 Escort Wagon]

On a geologic scale, that's but an instant - nothing at all!

is that really a "zero-day"?

[v1]

I thought "zero-day" meant it was a new, previously unknown vulnerability? Once it's been discovered and reported to microsoft, doesn't that make it NOT a zero-day anymore?

Sure, it WAS a "zero-day", but so is every other vulnerability - until it's noticed and reported.

Calling a vulnerability that was reported six months ago a "zero-day" seems to fall somewhere between click-bait and outright dishonest reporting.

I don't think we have a tidy name for a vulnerability that's been languishing for months waiting for a patch though - and that's exactly what this is. Just a vendor dragging their feet about patching a reported hole in their system. (and in this case, trying to down-play the severity)

I also think the down-play is pretty disappointing - don't most Windows users run as admins? So for example. this would affect 98% of users that were sent an attachment? I don't buy "this only affects 98% of our users, so its not urgent"?

Re:

[DarkOx]

A 0-Day traditionally referred to the number of days administrators/operators have had to apply a patch or official workaround.

a vulnerability is a 0-day until there is a known fix.

Re: is that really a "zero-day"?

[MobyDisk]

It originally referred to the number of days between public disclosure or active exploitation in the wild, and the patch. If one defined it as defined the number of days between private discovery and the patch, then every vulnerability is a zero-day vulnerability and the term becomes useless.

Re:

[saloomy]

Isnt there a customary 90 day grace period to develop and mass-deploy a patch?

Re:

[sjames]

Zero day is a temporary status. Vulnerability is discovered by a bad actor and exploited. The victims are the victims of a zero day. Vendor releases a patch a week later, the vulnerability loses it's zero day status. Anyone exploited in the mean while was the victim of a zero day. Someone gets hit after the patch came out. They are NOT victims of a zero day.

Re:

[Tony Isaac]

Maybe it's a 180-day exploit in this case.

Re:

[v1]

In my opinion, "zero-day" should be reserved for security holes that the Bad Guys found first and are actively exploiting, that the developers have just been informed about and are rushing to develop, test, and release a patch for, but haven't had enough tiime yet, leaving a *short* window of opportunity for the bad actors to take advantage of the opening before it gets closed on them. The "zero" in "zero-day" was intended to represent the amount of NOTICE a developer has gotten that the hole exits, highli

Re:

[Tony Isaac]

Zero-day sounds way more "cool" than just "vulnerability." It makes it seem somehow more urgent, like the movie scenes with the good hackers trying to type faster than the bad hackers, with screens full of random lists popping up everywhere, in a race to save the entire city from a computer meltdown. Compared to all that urgency, a "vulnerability" is very, very boring!

Re:

[v1]

that's why I said it smells like "click-bait"

could not pick a better name

[jmccue]

Everytime M/S says the new Windows will be the most secure, like Lazarus, a new zero day comes back. Glad to see M/S is very consistent.

Re:

[NoWayNoShapeNoForm]

Everytime M/S says the new Windows will be the most secure, like Lazarus, a new zero day comes back. Glad to see M/S is very consistent.

Using the words "microsoft" and "security" in the same breath much less sentence just makes me laugh.

The details

[laughingskeptic]

This article gives an excellent breakdown of how the exploit works: https://decoded.avast.io/janvo... [avast.io]

Summary: a kernel ioctl takes a call back function allowing, under the right constraints, execution of an arbitrary kernel function. A second callback provides control of data to the first. So it is a Bring Your Own Vulnerable Device (BYOVD) situation where one feeds crafted data to a vulnerable kernel function.

This is one of Window's biggest security problems: all the ancient cruft it ships with, much written by third parties for devices most people have never heard of but are sitting on the hard drive "just in case".

I Wonder

[RitchCraft]

I wonder who at MS will be held accountable by the government for the treasonous act? Bwahaha LOL

Is M$ serious?

[mendax]

Microsoft has long said that such admin-to-kernel elevations don't represent the crossing of a security boundary

How can anyone at Microsoft actually say that and keep a straight face? Can we say "negligence", children? Can we say "laziness", children? Can we say "incompetence", children? Good, I knew you could.

Re:Is M$ serious?

[Ed Tice]

They say it because it's accurate. If an adversary has gained administrative access to a machine, the ability to execute kernel functions doesn't really give them much more. They used this vulnerability to install a rootkit. But there are other ways to get a rootkit installed if you already have admin access to the machine. Hence why this weakness shouldn't be the focus but rather how those machines got compromised in the first place.

Re:

[gweihir]

It is accurate. Anybody that is admin already has everything, including the crown jewels. The problem is not that anybody with admin access has won. The problem is that it is far too easy to get admin access on Windows. Toy-level security.

The Lazarus Group

[jd]

This lot were the subject of a coue of series of BBC podcasts, due to the mayhem they were wrecking.

They were linked to a massive Sony hack, a billion dollar bank heist, a scam involving a vast number of people using fake ATM cards, the Heartbleed attack, amongst others.

They're also apparently linked to a quasi-legal casino in China.

They're a particularly nasty lot, and giving them any kind of assistance is a Bad Thing.

Windows is used heavily by the US government. Not a group you want the North Koreans pwni

Re:

[Ed Tice]

I would recommend that you spell out British Broadcasting Corporation. Anything on the internet can be used to train AIs. And the likely result of your above post will be for the AIs to conclude that you have certain NSFW interests..

Re:

[jd]

Good point.

Microshit 2024

[gweihir]

They still do not get it. The never will. Anybody using their crap for anything critical is asking to get hacked.

Re:

[Seven Spirals]

The government, who you seem to adore, loves M$. You guys should work that out.

Re:

[gweihir]

You seem to have me confused with somebody else. Or maybe you are just stupid. Or both?

Re:

[Seven Spirals]

You're constantly arguing for Socialism or Communism. Just a word to the wise, these are government-heavy systems. You don't get to talk about freedom out of both sides of your mouth, fuck face.

Re:

[gweihir]

I have never once argued for Socialism or Communism. You are deeply confused. Maybe the difference is that I actually know what "Socialism" and "Communism" means. I also know that both systems are deeply flawed, same as unregulated capitalism.

Re:

[Seven Spirals]

You are deeply confused.

Nope, you are deeply gaslighting, badly.

Remove Windows Now

[sizzlinkitty]

Things like this is why no organization should use Windows in their environment.