Microsoft released its October 2021 Patch Tuesday updates this week. We’ve covered the general release already, including a fix for a zero-day vulnerability in Win32K that is being exploited in the wild. That bug is serious enough to merit further examination, and that’s what Kaspersky did in a blog post published yesterday.
The security company calls the exploit MysterySnail; it was discovered by one of its researchers. Kaspersky had previously informed Microsoft about the flaw, hence the fix in this week’s Patch Tuesday release.
This zero-day exploit in the Microsoft Windows platform lets malicious actors mount privilege-escalation attacks to take control of Windows servers. MysterySnail appears to be an extension of an Advanced Persistent Threat (APT) campaign by Chinese-speaking hackers.
While tracing the exploit, Kaspersky discovered a new type of Remote Access Trojan (RAT). The idea is that the exploit gets into a vulnerable server and helps attackers steal data. Microsoft has already rolled out a patch as part of October’s Patch Tuesday, which means users need to install the update to avoid becoming victims.
Kaspersky’s blog explains the mechanism: “The root cause of this vulnerability is the ability to set user-mode callbacks and perform unexpected API functions while performing those callbacks.” It continues: “CVE-2021-40449 is triggered when the ResetDC function is executed a second time for the same handle while performing its own callback.”
When this happens, a memory reference is left pointing to a Proactive Data Container (PDC) that has already been destroyed. Attackers can use the faulty PDC to call an arbitrary kernel function, and from there read from and write to kernel memory. Using already-known techniques, the next step is to leak kernel addresses.
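As an added illustration that is not from Kaspersky’s write-up or from any Windows source, the following C toy model shows the re-entrancy pattern behind the bug: a ResetDC-like routine keeps using an object after handing control to a user-mode callback that destroyed it, shown beside a guarded variant. All names, the fake DC table and the busy-flag mitigation are assumptions made for the demo, not Microsoft’s actual fix.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed toy model of the CVE-2021-40449 bug pattern. It is not win32k
 * code: a "DC" is a small struct, "free" is a tombstone flag, and the
 * user-mode callback is an ordinary function pointer. */
typedef struct { bool alive; bool in_reset; } dc_t;
typedef void (*handler_fn)(int handle);

static dc_t pool[8];
static int next_obj;
static dc_t *table[4];          /* handle -> kernel-side object */
static handler_fn hook;         /* user-mode callback invoked mid-reset */
static handler_fn current_reset;/* which reset variant the callback re-enters */
static bool nested, stale_access, reentry_rejected;

static dc_t *new_dc(void) {
    dc_t *d = &pool[next_obj++ % 8];
    memset(d, 0, sizeof *d);
    d->alive = true;
    return d;
}

/* Vulnerable pattern: the object is still used after the callback returns,
 * even though the callback may have destroyed it in the meantime. */
static void reset_dc_vulnerable(int h) {
    dc_t *old = table[h];
    if (hook) hook(h);                     /* control passes to user mode here */
    if (!old->alive) stale_access = true;  /* real code would touch freed memory */
    old->alive = false;                    /* destroy the old DC ... */
    table[h] = new_dc();                   /* ... and install a fresh one */
}

/* Hardened pattern (assumed mitigation): mark the object busy so a second
 * reset on the same handle during the callback is refused. */
static void reset_dc_hardened(int h) {
    dc_t *old = table[h];
    if (old->in_reset) { reentry_rejected = true; return; }
    old->in_reset = true;
    if (hook) hook(h);
    if (!old->alive) stale_access = true;
    old->alive = false;
    table[h] = new_dc();
}

/* Callback that re-enters the reset exactly once for the same handle. */
static void reentrant_hook(int h) {
    if (nested) return;
    nested = true;
    current_reset(h);
    nested = false;
}

/* Returns 1 if the scenario touched a destroyed DC, 0 otherwise. */
int run_scenario(handler_fn f) {
    nested = stale_access = reentry_rejected = false;
    next_obj = 0;
    table[0] = new_dc();
    current_reset = f;
    hook = reentrant_hook;
    f(0);
    return stale_access ? 1 : 0;
}
```

The vulnerable variant reports a stale access because the nested reset destroyed the object the outer call was still holding; the guarded variant refuses the nested call and never touches a dead object.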
“The malware itself is not very sophisticated and has functionality similar to many other remote shells,” the researchers noted. “But it still stands out in one way or another, with a relatively large number of controls implemented and additional capabilities such as monitoring inserted disk drives and the ability to act as a proxy.”