Microsoft Patch Actively Exploited Admin-to-Kernel Vulnerability


Cybersecurity researchers have disclosed that the Lazarus Group, a North Korean hacking group, discovered a significant rootkit vulnerability in Windows last year. The vulnerability, described as the "holy grail" of rootkit vulnerabilities, was brought to Microsoft's attention by Avast in August of last year. It involved an admin-to-kernel exploit in a driver associated with AppLocker, a built-in app whitelisting software in Windows.

Avast's researchers found that the vulnerability is located in the input/output control dispatcher applied.sys, allowed user-space attackers to trick the kernel into calling an arbitrary pointer. This flaw enabled the Lazarus Group to obtain read/write primitive on the Windows kernel and install their FudModule rootkit. However, Microsoft delayed patching the vulnerability until February's patch Tuesday, despite being informed six months prior.

Microsoft's stance on the severity of admin-to-kernel exploits may have influenced its decision not to prioritize the patch. The company states that some Windows components and configurations are not intended to provide a robust security boundary, leaving it to its discretion to patch such vulnerabilities. Unfortunately, this delay allowed the Lazarus Group to exploit victims' kernels for months without intervention.

Even after patching the vulnerability, Microsoft reportedly did not disclose that it was under active exploitation until Avast published its report. This disclosure prompted Microsoft to update its patch bulletin.

Meanwhile, the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have shared ten tips to mitigate security risks in cloud computing. These tips include proper identity and access management, network segmentation, encryption, and defence of CI/CD environments.

In a separate initiative, the White House National Security Council, Linux Foundation Training and Certification, Open Source Security Foundation (OpenSSF), and Cloud Native Computing Foundation (CNCF) have joined forces to offer cybersecurity training to Jordanian women. This pilot program aims to provide access to free security courses and certifications to help women in Jordan enter the cybersecurity workforce, addressing challenges in workforce diversity and inclusion.