As part of a new patch Tuesday, Microsoft has patched a leak that appeared on Twitter at the end of August and that gives an attacker elevated rights to Windows systems. In total, Microsoft closed 61 vulnerabilities, 17 of which were ‘critical’.
The now patched Windows vulnerability is labeled CVE-2018-8440 and is under active attack, according to Microsoft. Security company ESET warned about this last week. According to the company, a group that refers to it as PowerPool used the exploit code posted on GitHub in a malware campaign. The code was adapted by the group. The distribution was done through a spam campaign with malicious attachments.
After an initial infection, if the group determined that a PC might contain sensitive files, the malware installed a backdoor that took advantage of the Windows exploit to gain higher privileges. It is therefore a privilege escalation vulnerability that is present in the so-called ALPC interface of Windows.
Among the other critical vulnerabilities patched is CVE-2018-8475, which allows remote code execution, including on systems running Windows versions from Windows 7. Microsoft reports that the vulnerability is exploitable via an image, which could create a attacker only needs to get a target to view an image. According to security company Talos, it was enough to load a malicious image on a web page. Microsoft says the vulnerability was not actively attacked.