This vulnerability, tracked as CVE-2019-0895, is a use-after-free bug. The flaw sits in win32k.sys and gives an attacker local privilege escalation: the ability to access resources that ordinary users cannot.
How does the vulnerability work?
- It locates a region of memory
- It loads the program into that memory
- It creates a pointer to that memory
When the process is complete, the link between the pointer and the memory is supposed to end, and the program held in that memory is deleted.
The anomaly occurs when the pointer becomes a dangling pointer, one that continues to point at that specific memory even after the job is finished. Attackers take advantage of such pointers by placing their own program in the freed memory, so that the original content is replaced with malicious code.
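To make the dangling-pointer problem and its defence concrete, here is an added example (not code from the page, from Microsoft or from win32k) of the handle-validation idea: callers hold handles that carry a per-slot generation number, and freeing an object bumps that number, so a handle kept after the free is refused instead of reaching freed or reused memory. The table layout, the 16-bit split of the handle and the `stale_handle_is_rejected` scenario are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not win32k code: handles carry a per-slot generation
 * number; freeing bumps it, so a handle kept after the free fails validation. */
#define TABLE_SIZE 8
#define INVALID_HANDLE 0xFFFFFFFFu
typedef struct { char name[16]; } object_t;
typedef struct { object_t *obj; uint16_t generation; } slot_t;
static slot_t table[TABLE_SIZE];   /* obj == NULL means the slot is free */

/* Handle layout: high 16 bits = generation, low 16 bits = slot index. */
static uint32_t make_handle(uint16_t idx, uint16_t gen) { return ((uint32_t)gen << 16) | idx; }

uint32_t obj_create(const char *name) {
    for (uint16_t i = 0; i < TABLE_SIZE; i++) {
        if (table[i].obj != NULL) continue;
        table[i].obj = calloc(1, sizeof(object_t));
        if (table[i].obj == NULL) return INVALID_HANDLE;
        strncpy(table[i].obj->name, name, sizeof(table[i].obj->name) - 1);
        return make_handle(i, table[i].generation);
    }
    return INVALID_HANDLE;   /* table full */
}

/* Resolve a handle only if its slot is in use and the generation matches. */
object_t *obj_validate(uint32_t h) {
    uint16_t idx = (uint16_t)(h & 0xFFFF), gen = (uint16_t)(h >> 16);
    if (idx >= TABLE_SIZE || table[idx].obj == NULL) return NULL;
    return table[idx].generation == gen ? table[idx].obj : NULL;
}

int obj_destroy(uint32_t h) {
    object_t *o = obj_validate(h);
    if (o == NULL) return 0;
    free(o);
    table[h & 0xFFFF].obj = NULL;
    table[h & 0xFFFF].generation++;   /* every outstanding copy of h is now stale */
    return 1;
}

/* The article's scenario: keep a handle, free its object, let the slot be reused,
 * then present the old handle. Returns 1 if the stale handle is refused. */
int stale_handle_is_rejected(void) {
    uint32_t old = obj_create("window");
    if (old == INVALID_HANDLE || !obj_destroy(old)) return 0;
    uint32_t reused = obj_create("replacement");   /* lands in the same slot */
    int ok = obj_validate(old) == NULL && obj_validate(reused) != NULL &&
             (old & 0xFFFF) == (reused & 0xFFFF) && old != reused;
    obj_destroy(reused);
    return ok;
}
```

Without the generation check, `old` would resolve to the slot now holding the replacement object, which is exactly the situation the article describes.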
Who is affected?
A use-after-free attack is a type of buffer overflow attack, and operating systems ship defences against such issues; Windows uses Address Space Layout Randomization (ASLR) for this purpose.
However, the exploit targeted 64-bit systems running Windows 7, Windows 8 and earlier versions of Windows 10, using the HMValidateHandle technique to bypass ASLR.
In a nutshell, this Windows zero-day vulnerability allows attackers to run code in the kernel, giving them greater access.
Since it was reported by Kaspersky Labs, Microsoft has addressed the vulnerability and released an update.