Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Windows IT

Hackers Exploited Windows 0-day for 6 Months After Microsoft Knew of It (arstechnica.com) 46

Hackers backed by the North Korean government gained a major win when Microsoft left a Windows zero-day unpatched for six months after learning it was under active exploitation. From a report: Even after Microsoft patched the vulnerability last month, the company made no mention that the North Korean threat group Lazarus had been using the vulnerability since at least August to install a stealthy rootkit on vulnerable computers. The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights to interact with the Windows kernel. Lazarus used the vulnerability for just that. Even so, Microsoft has long said that such admin-to-kernel elevations don't represent the crossing of a security boundary, a possible explanation for the time Microsoft took to fix the vulnerability.

"When it comes to Windows security, there is a thin line between admin and kernel," Jan Vojtesek, a researcher with security firm Avast, explained last week. "Microsoft's security servicing criteria have long asserted that '[a]dministrator-to-kernel is not a security boundary,' meaning that Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion. As a result, the Windows security model does not guarantee that it will prevent an admin-level attacker from directly accessing the kernel." The Microsoft policy proved to be a boon to Lazarus in installing "FudModule," a custom rootkit that Avast said was exceptionally stealthy and advanced. Rootkits are pieces of malware that have the ability to hide their files, processes, and other inner workings from the operating system itself and at the same time control the deepest levels of the operating system. To work, they must first gain administrative privileges -- a major accomplishment for any malware infecting a modern OS. Then, they must clear yet another hurdle: directly interacting with the kernel, the innermost recess of an OS reserved for the most sensitive functions.

This discussion has been archived. No new comments can be posted.

Hackers Exploited Windows 0-day for 6 Months After Microsoft Knew of It

Comments Filter:
  • Thank goodness no Bad Actors took advantage of this.

    What's that you say? Tens of thousands of deployments to unsuspecting users?

    Not to worry, friend, I'm sure that Microsoft will do whatever it takes to make it right, such as issuing a press release that downplays the severity and damage of their negiligence.

  • by FeelGood314 ( 2516288 ) on Tuesday March 05, 2024 @10:06AM (#64291114)
    If someone already has admin level privileges then the game is pretty much over. There are likely millions of ways to modify the kernel at that point so patching one way is pointless.
    • by DarkOx ( 621550 ) on Tuesday March 05, 2024 @10:35AM (#64291198) Journal

      That attitude might come as a surprise to the Digital Rights Management, we gotta have secure boot crowd.

      However I agree is admin->Kernel is NOT a security boundary ordinary users should even want. As a practical mater its probably "anti" security in that it just means its more difficult to actually audit anything that is happening in kernel land.

      • by sjames ( 1099 )

        Agreed. I'm going to gave to agree with Microsoft's position on this. Now the floor feels chilly...

      • That attitude might come as a surprise to the Digital Rights Management, we gotta have secure boot crowd.

        Totally agree.

    • And ... in the non-corporate world nearly everybody with Windows 10 or later probably has admin access. That's how Windows insists on setting up computers. All you get when installing something is a box asking if you want to make changes - yes or no - no special password or other authentication required. With the typical reaction to such a question for most people being "Yes" Bob's Your Uncle for the malware installers.

      • by Ed Tice ( 3732157 ) on Tuesday March 05, 2024 @12:38PM (#64291692)
        What else would you propose? That users not get local admin on their personally-owned machines? I like the Apple walled garden on my phone and even on consoles but for a general-purpose computer, somebody has to be the admin. If a user clicks yes to a permissions prompt, that's social engineering not software exploit.
    • If someone already has admin level privileges then the game is pretty much over. There are likely millions of ways to modify the kernel at that point so patching one way is pointless.

      As hard as it is to agree with Microsoft in general, you're absolutely right. I see other posters talking about how this is downplaying the severity, and all is woe..but that's just not the case. If the threat actor already has persistent administrator-level access to your server, it's game over. Upgrading to kernel just gives them a little extra wiggle room to do things like defeat kernel-level antivirus and achieve greater persistence. By design, admin-level users need to be able to apply kernel patc

    • by Qwertie ( 797303 )
      Normally I would think the same way, but the North Koreans going to the trouble of discovering a new vulnerability and exploiting it suggests that their goal could not be accomplished with ordinary admin rights. This implies that administrator-to-kernel is, empirically, a security boundary against rootkits, even if it officially isn't.
      • Let's say you're right. What's the potential mitigation here? Just never allow admins to install drivers just in case they're vulnerable?

        The sole difference in this case is that the driver in question is bundled with the OS, so the vector exists on all copies of Windows. Sure, that's not ideal, but if you find a vulnerability in a ubiquitous, signed, 3rd-party driver the result is exactly the same. Realtek audio? Intel nic? Those drivers are on hundreds of millions of machines already, so no need to install

  • On a geologic scale, that's but an instant - nothing at all!

  • by v1 ( 525388 ) on Tuesday March 05, 2024 @10:16AM (#64291148) Homepage Journal

    I thought "zero-day" meant it was a new, previously unknown vulnerability? Once it's been discovered and reported to microsoft, doesn't that make it NOT a zero-day anymore?

    Sure, it WAS a "zero-day", but so is every other vulnerability - until it's noticed and reported.

    Calling a vulnerability that was reported six months ago a "zero-day" seems to fall somewhere between click-bait and outright dishonest reporting.

    I don't think we have a tidy name for a vulnerability that's been languishing for months waiting for a patch though - and that's exactly what this is. Just a vendor dragging their feet about patching a reported hole in their system. (and in this case, trying to down-play the severity)

    I also think the down-play is pretty disappointing - don't most Windows users run as admins? So for example. this would affect 98% of users that were sent an attachment? I don't buy "this only affects 98% of our users, so its not urgent"?

    • by DarkOx ( 621550 )

      A 0-Day traditionally referred to the number of days administrators/operators have had to apply a patch or official workaround.

      a vulnerability is a 0-day until there is a known fix.

      • It originally referred to the number of days between public disclosure or active exploitation in the wild, and the patch. If one defined it as defined the number of days between private discovery and the patch, then every vulnerability is a zero-day vulnerability and the term becomes useless.

        • Isnt there a customary 90 day grace period to develop and mass-deploy a patch?
        • by sjames ( 1099 )

          Zero day is a temporary status. Vulnerability is discovered by a bad actor and exploited. The victims are the victims of a zero day. Vendor releases a patch a week later, the vulnerability loses it's zero day status. Anyone exploited in the mean while was the victim of a zero day. Someone gets hit after the patch came out. They are NOT victims of a zero day.

    • Maybe it's a 180-day exploit in this case.

      • by v1 ( 525388 )

        In my opinion, "zero-day" should be reserved for security holes that the Bad Guys found first and are actively exploiting, that the developers have just been informed about and are rushing to develop, test, and release a patch for, but haven't had enough tiime yet, leaving a *short* window of opportunity for the bad actors to take advantage of the opening before it gets closed on them. The "zero" in "zero-day" was intended to represent the amount of NOTICE a developer has gotten that the hole exits, highli

    • Zero-day sounds way more "cool" than just "vulnerability." It makes it seem somehow more urgent, like the movie scenes with the good hackers trying to type faster than the bad hackers, with screens full of random lists popping up everywhere, in a race to save the entire city from a computer meltdown. Compared to all that urgency, a "vulnerability" is very, very boring!

  • Everytime M/S says the new Windows will be the most secure, like Lazarus, a new zero day comes back. Glad to see M/S is very consistent.
    • Everytime M/S says the new Windows will be the most secure, like Lazarus, a new zero day comes back. Glad to see M/S is very consistent.

      Using the words "microsoft" and "security" in the same breath much less sentence just makes me laugh.

  • The details (Score:5, Informative)

    by laughingskeptic ( 1004414 ) on Tuesday March 05, 2024 @11:35AM (#64291474)
    This article gives an excellent breakdown of how the exploit works: https://decoded.avast.io/janvo... [avast.io]

    Summary: a kernel ioctl takes a call back function allowing, under the right constraints, execution of an arbitrary kernel function. A second callback provides control of data to the first. So it is a Bring Your Own Vulnerable Device (BYOVD) situation where one feeds crafted data to a vulnerable kernel function.

    This is one of Window's biggest security problems: all the ancient cruft it ships with, much written by third parties for devices most people have never heard of but are sitting on the hard drive "just in case".
  • I wonder who at MS will be held accountable by the government for the treasonous act? Bwahaha LOL

  • Microsoft has long said that such admin-to-kernel elevations don't represent the crossing of a security boundary

    How can anyone at Microsoft actually say that and keep a straight face? Can we say "negligence", children? Can we say "laziness", children? Can we say "incompetence", children? Good, I knew you could.

    • Re:Is M$ serious? (Score:4, Insightful)

      by Ed Tice ( 3732157 ) on Tuesday March 05, 2024 @12:41PM (#64291710)
      They say it because it's accurate. If an adversary has gained administrative access to a machine, the ability to execute kernel functions doesn't really give them much more. They used this vulnerability to install a rootkit. But there are other ways to get a rootkit installed if you already have admin access to the machine. Hence why this weakness shouldn't be the focus but rather how those machines got compromised in the first place.
    • by gweihir ( 88907 )

      It is accurate. Anybody that is admin already has everything, including the crown jewels. The problem is not that anybody with admin access has won. The problem is that it is far too easy to get admin access on Windows. Toy-level security.

  • This lot were the subject of a coue of series of BBC podcasts, due to the mayhem they were wrecking.

    They were linked to a massive Sony hack, a billion dollar bank heist, a scam involving a vast number of people using fake ATM cards, the Heartbleed attack, amongst others.

    They're also apparently linked to a quasi-legal casino in China.

    They're a particularly nasty lot, and giving them any kind of assistance is a Bad Thing.

    Windows is used heavily by the US government. Not a group you want the North Koreans pwni

    • I would recommend that you spell out British Broadcasting Corporation. Anything on the internet can be used to train AIs. And the likely result of your above post will be for the AIs to conclude that you have certain NSFW interests..
  • They still do not get it. The never will. Anybody using their crap for anything critical is asking to get hacked.

    • The government, who you seem to adore, loves M$. You guys should work that out.
      • by gweihir ( 88907 )

        You seem to have me confused with somebody else. Or maybe you are just stupid. Or both?

        • You're constantly arguing for Socialism or Communism. Just a word to the wise, these are government-heavy systems. You don't get to talk about freedom out of both sides of your mouth, fuck face.
          • by gweihir ( 88907 )

            I have never once argued for Socialism or Communism. You are deeply confused. Maybe the difference is that I actually know what "Socialism" and "Communism" means. I also know that both systems are deeply flawed, same as unregulated capitalism.

  • Things like this is why no organization should use Windows in their environment.

FORTUNE'S FUN FACTS TO KNOW AND TELL: A guinea pig is not from Guinea but a rodent from South America.

Working...