Security Week 03: Attack on Windows and Android in Detail

The Google Project Zero team has published a detailed study of an attack that used zero-day vulnerabilities in Google Chrome and Windows. The main task of this Google department is to find new vulnerabilities, so a study of this kind is unusual for them, but no less useful. Whenever a notice appears that a particular vulnerability has been closed in some piece of software, you always want to understand what threat those bugs actually pose: whether they are being exploited by cybercriminals or will never be used by anyone. The Project Zero publication, albeit many months after the fact, shows how exploitation happens in practice.

In addition to Windows and the Chrome browser, the group under investigation also tried to attack Android smartphones. There, however, the vulnerabilities used were already publicly known (though not necessarily patched on a given device). Besides explaining how the exploits themselves work, those parts of the series examine what happens after a mobile device is compromised: gaining full access to the device, attempts to hide functionality from researchers, communication with the C&C server, and data exfiltration.

The publication is divided into six parts, which in turn cover the key vulnerability in Google Chrome (in the JIT compiler of the V8 JavaScript engine), the exploits for that browser, the exploits for Android, and the exploitation of the Windows vulnerabilities. All of the vulnerabilities in the OS were closed in April last year; the Chrome patch was released in February. Google does not disclose details of the malicious campaign. We only know that the researchers found two exploit servers, one with a set of exploits for PCs and the other for mobile phones, to which users were lured (a watering-hole attack). Start with the Project Zero researchers' introductory post; it links to the other parts.

What else happened:

On Tuesday, January 12, Microsoft released the first set of patches this year. It fixed 10 critical vulnerabilities, including a major issue in the Microsoft Malware Protection Engine.

Adobe, in addition to permanently blocking the Adobe Flash plugin, closed a number of recently reported vulnerabilities in its products, including a serious bug in Photoshop.

Kaspersky Lab experts discovered similarities between the malicious code used in the Sunburst attack and the Kazuar backdoor, known since 2017.

Starting February 9, Microsoft will switch domain controllers into enforcement mode, forcibly rejecting vulnerable Netlogon secure channel connections in order to block Zerologon attacks. We wrote about this vulnerability in detail in August. At that time the radical fix had to be postponed so that administrators had time to prepare.
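The preparation administrators need to do is to find out which machines are still making vulnerable Netlogon connections before enforcement mode refuses them. The following PowerShell script is an added example, not part of the original article or of Microsoft's tooling. It assumes the domain controller already has the August 2020 (or later) cumulative update, which introduced Netlogon event IDs 5827 through 5831 in the System log, that it is run elevated on the DC, and that the 5829 event text contains the field "Machine SamAccountName:" (the message layout is an assumption; adjust the pattern if your build differs).

```powershell
# Added example (not from the original article): on a domain controller, tally
# the Netlogon events logged for Zerologon-related connections so that you know
# what enforcement mode will break before it is switched on.
#
# Assumptions (not stated on the page): the DC has the August 2020 or later
# cumulative update, which introduced event IDs 5827-5831 in the System log,
# and the script runs elevated on the DC (or via Invoke-Command).

# Meaning of each event ID, per Microsoft's Zerologon deployment guidance.
$Meaning = @{
    5827 = 'Denied: vulnerable Netlogon secure channel connection from a machine account (fix that machine)'
    5828 = 'Denied: vulnerable Netlogon secure channel connection from a trust account'
    5829 = 'Allowed (pre-enforcement): vulnerable connection that enforcement mode will reject'
    5830 = 'Allowed by group policy: machine account is on the exception list'
    5831 = 'Allowed by group policy: trust account is on the exception list'
}

# Query only the System log for the five Netlogon IDs we care about.
$Filter = @{ LogName = 'System'; Id = @($Meaning.Keys) }
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

if (-not $Events) {
    Write-Host 'No Netlogon vulnerable-connection events found on this DC.'
    return
}

# Summary table: how many of each event, and what each one means.
$Events |
    Group-Object Id |
    Sort-Object Name |
    ForEach-Object {
        [pscustomobject]@{
            Id      = [int]$_.Name
            Count   = $_.Count
            Meaning = $Meaning[[int]$_.Name]
        }
    } | Format-Table -AutoSize

# Event 5829 is the one to act on before February 9: each entry names an
# account whose connection will be refused once enforcement is on.
# The 'Machine SamAccountName:' field name is assumed from the event text.
$Events |
    Where-Object Id -eq 5829 |
    ForEach-Object { $_.Message } |
    Select-String -Pattern 'Machine SamAccountName:\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique
```

Run it on every domain controller, since each DC only logs the connections it handled. Accounts that show up under 5829 should be patched or replaced; only as a temporary measure should they be added to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, which turns 5829 entries into 5830/5831 entries rather than fixing the underlying machines.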

A critical vulnerability was discovered in the Orbit Fox WordPress plugin. Among other things, this multifunctional plugin generates registration forms, and flaws in that feature can be used to gain full control of the site.
