CVE-2019-0859
Published: 2019-04-09
Priority: P1 (84, high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 4.15% (89.6th percentile)
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0685, CVE-2019-0803.
Affected
63 ranges · showing 25 (the version-range and fixed-in columns were not captured in this extract; the 25 rows shown collapse to two products)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
Detection & IOCs (extracted from sources)
The indicators below come from reporting on the DarkPulsar backdoor and characterise that implant, not the Win32k bug itself, which the vendor description further down says is triggered locally by a crafted application run by an already logged-on user.
- Look for DarkPulsar injecting into lsass.exe via Secur32.AddSecurityPackage, registering itself as a Security Support Provider (SSP/AP) by calling SpLsaModeInitialize.
- Monitor hooks placed on SpAcceptLsaModeContext within msv1_0.dll, kerberos.dll, schannel.dll, wdigest.dll, and lsasrv.dll inside lsass.exe; DarkPulsar hooks these to bypass authentication.
- Detect a pair of bound sockets appearing in lsass.exe on port 445 as an indicator of EDFStagedUpload execution and an active DarkPulsar C2 connection.
- DarkPulsar encapsulates its malicious network traffic in standard system protocols (NTLM/Kerberos/TLS/Digest/Negotiate); the network activity is attributed to the System process rather than to a suspicious process.
- DarkPulsar supports SMB, NBT, SSL, and RDP as delivery protocols; the port number is configurable per deployment, so port 445 is not the only possible C2 channel.
- Both 32-bit and 64-bit versions of the DarkPulsar backdoor exist; detection and forensic tooling must cover both architectures.
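The two host-side indicators above (lsass.exe owning sockets on a delivery port, and a foreign module loaded into lsass.exe) can be checked mechanically against process and image-load telemetry. The following is an added example written for this page, not code from the DarkPulsar reporting or from any vendor. It assumes records shaped like a `netstat -ano` socket table with the owning image name attached, and image-load events with a signer field (the Sysmon event 7 shape); the `Socket`/`ImageLoad` record types, the `TRUSTED_SIGNER` string, the port set and every path in the sample data are assumptions constructed for the demo.

```python
"""Hunt for DarkPulsar-style tampering with lsass.exe in host telemetry (added example)."""
from dataclasses import dataclass

LSASS = "lsass.exe"
# Default delivery ports named in the indicators above (SMB 445, NetBIOS 139, RDP 3389).
# The port is configurable per deployment, so pass the set you expect for your estate.
DEFAULT_SUSPECT_PORTS = frozenset({445, 139, 3389})
# Assumption: a clean lsass.exe loads only Microsoft-signed modules from System32.
TRUSTED_SIGNER = "Microsoft Windows"
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class Socket:            # one row of a socket table: owning PID/image, protocol, local port, state
    pid: int
    image: str
    proto: str
    local_port: int
    state: str


@dataclass(frozen=True)
class ImageLoad:         # one image-load event: which module was mapped into which process
    pid: int
    image: str
    loaded: str
    signed: bool
    signer: str


def suspicious_sockets(sockets, ports=DEFAULT_SUSPECT_PORTS):
    """lsass.exe never serves SMB/NBT/RDP itself; those ports belong to System (PID 4)."""
    return [s for s in sockets if s.image.lower() == LSASS and s.local_port in ports]


def suspicious_loads(loads):
    """A module in lsass.exe that is unsigned, not Microsoft-signed, or outside System32."""
    def odd(load):
        path = load.loaded.lower()
        return (not load.signed) or load.signer != TRUSTED_SIGNER or not path.startswith(SYSTEM32)
    return [load for load in loads if load.image.lower() == LSASS and odd(load)]


def triage(sockets, loads, ports=DEFAULT_SUSPECT_PORTS):
    """Per-PID findings; an lsass PID showing both indicators is the strongest signal."""
    findings = {}
    for s in suspicious_sockets(sockets, ports):
        findings.setdefault(s.pid, {"sockets": [], "loads": []})["sockets"].append(
            (s.proto, s.local_port, s.state))
    for load in suspicious_loads(loads):
        findings.setdefault(load.pid, {"sockets": [], "loads": []})["loads"].append(load.loaded)
    for f in findings.values():
        f["both_indicators"] = bool(f["sockets"]) and bool(f["loads"])
    return findings


# Constructed sample telemetry. System (PID 4) owning 445 is normal; lsass (PID 688)
# owning a pair of 445 sockets, and loading a DLL from a made-up path, are the anomalies.
SAMPLE_SOCKETS = [
    Socket(4, "System", "TCP", 445, "LISTENING"),
    Socket(688, LSASS, "TCP", 49667, "LISTENING"),   # RPC endpoint, normal for lsass
    Socket(688, LSASS, "TCP", 445, "LISTENING"),
    Socket(688, LSASS, "TCP", 445, "ESTABLISHED"),
]
SAMPLE_LOADS = [
    ImageLoad(688, LSASS, "C:\\Windows\\System32\\msv1_0.dll", True, "Microsoft Windows"),
    ImageLoad(688, LSASS, "C:\\Windows\\System32\\kerberos.dll", True, "Microsoft Windows"),
    ImageLoad(688, LSASS, "C:\\ProgramData\\Example\\sspmod.dll", False, ""),  # hypothetical path
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_SOCKETS, SAMPLE_LOADS).items():
        print(pid, finding)
```

Two limits follow from the indicators themselves: lsass legitimately listens on RPC dynamic ports, so only the delivery ports are flagged, and an operator who changed the configurable port will not trip the socket check. The in-memory hooks on SpAcceptLsaModeContext are not visible in this kind of log at all; confirming them needs a memory image of lsass.exe.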
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
CISA
Microsoft Win32k Privilege Escalation Vulnerability
cisa·2021-11-03·CVSS 7.8
CVE-2019-0859 [HIGH] Microsoft Win32k Privilege Escalation Vulnerability
Vulnerability: Microsoft Win32k Privilege Escalation Vulnerability
Affected: Microsoft Win32k
Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel mode.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-0859
Remediation Due Date: 2022-05-03
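The CISA record above is one entry of the KEV catalog feed linked later on this page (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), and the useful questions for a vulnerability manager are whether a given CVE is listed, whether its due date has already passed, and whether ransomware use is recorded. The block below is an added example, not code from CISA or from this page: it reads the catalog's JSON shape (the field names are the catalog's own) and answers those questions for a list of CVEs as of a chosen date. `SAMPLE_FEED` is a constructed excerpt holding only the CVE-2019-0859 record with the values shown above; the second query CVE is there to exercise the "not in this export" path.

```python
"""Triage CVEs against a CISA KEV catalog export (added example)."""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed; only the single record is real data.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "count": 1,
    "vulnerabilities": [
        {
            "cveID": "CVE-2019-0859",
            "vendorProject": "Microsoft",
            "product": "Win32k",
            "vulnerabilityName": "Microsoft Win32k Privilege Escalation Vulnerability",
            "dateAdded": "2021-11-03",
            "shortDescription": "Microsoft Win32k fails to properly handle objects in memory "
                                "causing privilege escalation. Successful exploitation allows "
                                "an attacker to run code in kernel mode.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-05-03",
            "knownRansomwareCampaignUse": "Known",
            "notes": "https://nvd.nist.gov/vuln/detail/CVE-2019-0859",
        }
    ],
})


def load_catalog(text):
    """Index a KEV export by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def triage(catalog, cve_ids, as_of):
    """One row per CVE, most urgent first. as_of is a date or an ISO yyyy-mm-dd string."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    rows = []
    for cve in cve_ids:
        entry = catalog.get(cve)
        if entry is None:
            rows.append({"cveID": cve, "listed": False})
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cveID": cve,
            "listed": True,
            "dueDate": entry["dueDate"],
            "daysPastDue": (as_of - due).days,
            "overdue": as_of > due,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "requiredAction": entry["requiredAction"],
        })
    # Ordering: listed before unlisted, overdue before not, ransomware before not, longest past due first.
    rows.sort(key=lambda r: (not r["listed"], not r.get("overdue", False),
                             not r.get("ransomware", False), -r.get("daysPastDue", 0)))
    return rows


if __name__ == "__main__":
    for row in triage(load_catalog(SAMPLE_FEED), ["CVE-2019-0803", "CVE-2019-0859"], date.today()):
        print(row)
```

Run against the live feed, the same function turns the catalog into a ranked remediation list; the due date is the BOD 22-01 deadline for federal agencies, and the "overdue" flag is the point at which a practitioner would want the item escalated.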
Microsoft
Win32k Elevation of Privilege Vulnerability
vendor_msrc·2019-04-09·CVSS 7.8
CVE-2019-0859 [HIGH] Win32k Elevation of Privilege Vulnerability
Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Component: Windows Kernel
Impact: Elevation of Privilege
Exploit Status: Publ
GHSA
GHSA-vgp9-2hhf-fp9r: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation
ghsa_unreviewed·2022-05-13·CVSS 7.8
CVE-2019-0859 [HIGH] GHSA-vgp9-2hhf-fp9r: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0685, CVE-2019-0803.
GHSA
GHSA-6h99-5j8v-7r3p: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation
ghsa_unreviewed·2022-05-13·CVSS 7.8
CVE-2019-0803 [HIGH] GHSA-6h99-5j8v-7r3p: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0685, CVE-2019-0859.
GHSA
GHSA-95q5-9858-rcxm: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation
ghsa_unreviewed·2022-05-13·CVSS 7.8
CVE-2019-0685 [HIGH] GHSA-95q5-9858-rcxm: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0803, CVE-2019-0859.
Project0
Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019 - Project Zero
project_zero·2020-07-01
CVE-2016-5195 Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019 - Project Zero
Posted by Maddie Stone, Project Zero
In May 2019, Project Zero released our tracking spreadsheet for 0-days used “in the wild” and we started a more focused effort on analyzing and learning from these exploits. This is another way Project Zero is trying to make zero-day hard. This blog post synthesizes many of our efforts and what we’ve seen over the last year. We provide a review of what we can learn from 0-day exploits detected as used in the wild in 2019. In conjunction with this blog post, we are also publishing another blog post today about our root cause analysis work that informed the conclusions in this Year in Review. We are also releasing 8 root cause analyses that we have done for in-the-wild 0-days from 2019.
When I had the idea for this “Year in Review” blog post, I immedi
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck·2019·CVSS 7.8
CVE-2019-0859 [HIGH] Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel mode.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2019-Apr; https://blog.sonicwall.com/en-us/2019/12/top-cves-exploited-in-the-wild-in-the-year-2019/; https://cdn.pathfactory.com/assets/10753/contents/298161/03f15d14-01bb-462b-a8d4-d8c6149f5604.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: htt
No detection rules found.
No public exploits indexed.
Securelist
Lazarus APT updates its toolset in watering hole attacks
blogs_securelist·2025-04-24
Lazarus APT updates its toolset in watering hole attacks
Table of Contents
- Background
- Initial vector
- Execution flow
- First-phase malware
- Second phase malware
- The evolution of Lazarus malware
- Discoveries
- Infrastructure
- Attribution
- Victims
- Conclusion
- Indicators of Compromise
Authors
- Sojun Ryu
- Vasily Berdnikov
We have been tracking the latest attack campaign by the Lazarus group since last November, as it targeted organizations in South Korea with a sophisticated combination of a watering hole strategy and vulnerability exploitation within South Korean software. The campaign, dubbed “Operation SyncHole”, has impacted at least six organizations in South Korea’s software, IT, financial, semiconductor manufacturing, and telecommunications industries, and we are confident that many more companies have actually been compr
Securelist
The EAGERBEE backdoor may be related to the CoughingDown actor
blogs_securelist·2025-01-06
The EAGERBEE backdoor may be related to the CoughingDown actor
Table of Contents
- Introduction
- Initial infection and spread
- Malware components
- Attribution
- Conclusions
- IOC
Authors
- Saurabh Sharma
- Vasily Berdnikov
## Introduction
In our recent investigation into the EAGERBEE backdoor, we found that it was being deployed at ISPs and governmental entities in the Middle East. Our analysis uncovered new components used in these attacks, including a novel service injector designed to inject the backdoor into a running service. Additionally, we discovered previously undocumented components (plugins) deployed after the backdoor’s installation. These enabled a range of malicious activities such as deploying additional payloads, exploring file systems, executing command shells and more. The key plugins can be categorized in terms of their fun
Securelist
Lazarus targets nuclear-related organization with new malware
blogs_securelist·2024-12-19
Lazarus targets nuclear-related organization with new malware
Table of Contents
- Never giving up on their goals
- CookiePlus capable of downloading both DLL and shellcode
- Infrastructure
- Conclusion
- Indicators of compromise
Authors
- Vasily Berdnikov
- Sojun Ryu
Over the past few years, the Lazarus group has been distributing its malicious software by exploiting fake job opportunities targeting employees in various industries, including defense, aerospace, cryptocurrency, and other global sectors. This attack campaign is called the DeathNote campaign and is also referred to as “Operation DreamJob”. We have previously published the history of this campaign.
Recently, we observed a similar attack in which the Lazarus group delivered archive files containing malicious files to at least two employees associated with the same nuclear-related or
Securelist
Modern Asia APT groups TTPs
blogs_securelist·2023-11-09
Modern Asia APT groups TTPs
Authors
- Nikita Nazarov
- Kirill Mitrofanov
- Alexander Kirichenko
- Vladislav Burtsev
- Natalya Shornikova
- Vasily Berdnikov
- Sergey Kireev
Almost every quarter, someone publishes major research focusing on campaigns or incidents that involve Asian APT groups. These campaigns and incidents target various organizations from a multitude of industries. Likewise, the geographic location of victims is not limited to just one region. This type of research normally contains detailed information about the tools used by APT actors, the vulnerabilities that they exploit and sometimes even a specific attribution. Despite the large number of these types of reports, companies often remain unprepared to face these kinds of attackers. With the advanced tools and techniques used by threat actors tod
Securelist
Minas — a multi-stage cryptocurrency miner infection
blogs_securelist·2023-05-17
Minas — a multi-stage cryptocurrency miner infection
Table of Contents
- The infection chain
- Technical description
- Conclusion
- Minas indicators of compromise
Authors
- Ilya Borisov
- Vasily Berdnikov
Sometimes when investigating an infection and focusing on a targeted attack, we come across something we were not expecting. The case described below is one such occurrence.
In June 2022, we found a suspicious shellcode running in the memory of a system process. We decided to dig deeper and investigate how the shellcode was initially placed into the process and where on the infected system the threat was hidden.
## The infection chain
We were unable to reproduce the whole infection procedure, but we were able to reconstruct it from the point at which PowerShell was executed, as shown in the scheme below.
General attack execution flo
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Checkpoint
Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
blogs_checkpoint·2020-10-02
CVE-2019-0859 Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
## Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
Research by: Itay Cohen, Eyal Itkin
In the past months, our Vulnerability and Malware Research tea
Securelist
Magnitude exploit kit – evolution
blogs_securelist·2020-06-24·CVSS 7.5
[HIGH] Magnitude exploit kit – evolution
Table of Contents
Introduction
Infection vector
Shellcode
Elevation of privilege exploit
Ransomware
Conclusions
Authors
Boris Larin
Exploit kits are not as widespread as they used to be. In the past, they relied on the use of already patched vulnerabilities. Newer and more secure web browsers with automatic updates simply do not allow known vulnerabilities to be exploited. It was very different back in the heyday of Adobe Flash because it’s just a plugin for a web browser, meaning that even if the user has an up-to-date browser, there’s a non-zero chance that Adobe Flash may still be vulnerable to 1-day exploits. Now that Adobe Flash is about to reach its end-of-life date at the end of this year, it is disabled by default in all web browsers and has pretty much been replaced with o
Securelist
The zero-day exploits of Operation WizardOpium
blogs_securelist·2020-05-28·CVSS 8.8
[HIGH] The zero-day exploits of Operation WizardOpium
Table of Contents
- Google Chrome remote code execution exploit
- Microsoft Windows elevation of privilege exploit
- Conclusions
Authors
- Boris Larin
- Alexey Kulaev
Back in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. While we’ve already published blog posts briefly describing this operation (available here and here), in this blog post we’d like to take a deep technical dive into the exploits and vulnerabilities used in this attack.
## Google Chrome remote code execution exploit
In the original blog post we described the exploit loader responsible for initial validation of the target and execution of the next stage JavaScript code containing the full browser explo
Krebs
Patch Tuesday, December 2019 Edition
blogs_krebs·2019-12-11·CVSS 7.8
CVE-2019-1458 [HIGH] Patch Tuesday, December 2019 Edition
Microsoft today released updates to plug three dozen security holes in its Windows operating system and other software. The patches include fixes for seven critical bugs — those that can be exploited by malware or miscreants to take control over a Windows system with no help from users — as well as another flaw in most versions of Windows that is already being exploited in active attacks.
By nearly all accounts, the chief bugaboo this month is CVE-2019-1458 , a vulnerability in a core Windows component (Win32k) that is present in Windows 7 through 10 and Windows Server 2008-2019. This bug is already being exploited in the wild, and according to Recorded Future the exploit available for it is similar to CVE-2019-0859 , a Windows flaw reported in April that was found being sold in undergrou
Securelist
IT threat evolution Q2 2019
blogs_securelist·2019-08-19
IT threat evolution Q2 2019
Table of Contents
- Targeted attacks and malware campaigns
  - More about ShadowHammer
  - The ongoing activities of Roaming Mantis
  - The muddy waters of Middle East APTs
  - ScarCruft continues to evolve
  - The Zebrocy multi-language malware salad
  - Platinum returns
  - The Gaza Cybergang SneakyPastes campaign
  - TajMahal: a sophisticated new APT framework
  - FIN7 cybercrime operations continue
  - Zero-day vulnerability in win32k.sys
  - Plurox: a modular backdoor
- Other security news
  - Digital doppelgangers
  - Potential problems with third-party plugins
  - Game of threats
  - Large-scale SIM-swap fraud
  - The problems with legal spyware
  - The WhatsApp call that opens up a device to surveillance
  - High severity bugs in VLC media player
  - Smart speakers listeners
  - Privacy matters
Authors
- David Emm
## Targeted attacks and malware campaigns
### More about ShadowHammer
In March, we published the results of our investigation into a sophisticated supply-chain attack involving the ASUS Live Update Utility, used to deliver BIOS, UEFI and software updates to ASUS laptops and desktops. The attackers added a backdoor to the utility and then distributed it to users through official channels.
ASUS was not the only company used by the attackers. Other targets included several gaming companies, a conglomerate holding company and a pharmaceutical company – all located in South Korea. Either the attackers had access to the source code of the victims’ projects or they injected malware at the t
Securelist
Platinum is back
blogs_securelist·2019-06-05
Platinum is back
Authors
- Andrey Dolgushev
- Vasily Berdnikov
- Ilya Pomerantsev
In June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian countries targeting diplomatic, government and military entities. The campaign, which may have started as far back as 2012, featured a multi-stage approach and was dubbed EasternRoppels. The actor behind this campaign, believed to be related to the notorious PLATINUM APT group, used an elaborate, previously unseen steganographic technique to conceal communication.
As a first stage the operators used WMI subscriptions to run an initial PowerShell downloader which, in turn, downloaded another small PowerShell backdoor. We collected many of the initial WMI PowerShell scripts and noticed that they had different hardcoded comma
Securelist
New win32k zero day: CVE-2019-0859
blogs_securelist·2019-04-15·CVSS 7.8
CVE-2019-0859 [HIGH] New win32k zero day: CVE-2019-0859
Authors
- Vasily Berdnikov
- Boris Larin
- Anton Ivanov
In March 2019, our automatic Exploit Prevention (EP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. It was the fifth consecutive exploited Local Privilege Escalation vulnerability in Windows that we have discovered in recent months using our technologies. The previous ones were:
- Zero-day exploit (CVE-2018-8453) used in targeted attacks
- A new exploit for zero-day vulnerability CVE-2018-8589
- Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)
- The fourth horseman: CVE-2019-0797 vulnerability
On March 17, 2019 we reported our discovery to Microsoft; the company confirmed the
Trendmicro
Patch Tuesday: Fixes for Two Exploited Vulnerabilities
blogs_trendmicro·2019-04-10·CVSS 7.5
[HIGH] Patch Tuesday: Fixes for Two Exploited Vulnerabilities
Exploitation of vulnerabilities
## Patch Tuesday: Fixes for Two Exploited Vulnerabilities
Microsoft’s April security update includes fixes for 74 CVEs, including two vulnerabilities that are actively exploited in the wild. Of the vulnerabilities patched in this update, 13 are rated Critical and 61 are rated Important.
By: Trend Micro Research, Apr 10, 2019
Microsoft’s April security update includes fixes for 74 CVEs, including two vulnerabilities that are actively exploited in the wild. Of the vulnerabilities patched in this update, 13 are rated Critical and 61 are rated Important. The patches this month cover a significant number of Microsoft products and services, namely: Internet Explorer, Edge, Windows, ChakraCore, Microsoft Office and Microsoft Office
Krebs
Patch Tuesday Lowdown, April 2019 Edition
blogs_krebs·2019-04-10·CVSS 7.8
CVE-2019-0803 [HIGH] Patch Tuesday Lowdown, April 2019 Edition
Microsoft today released fifteen software updates to fix more than 70 unique security vulnerabilities in various flavors of its Windows operating systems and supported software, including at least two zero-day bugs. These patches apply to Windows , Internet Explorer (IE) and Edge browsers, Office, Sharepoint and Exchange . Separately, Adobe has issued security updates for Acrobat/Reader and Flash Player .
According to security firm Rapid7, two of the vulnerabilities — CVE-2019-0803 and CVE-2019-0859 — are already being exploited in the wild. They can result in unauthorized elevation of privilege, and affect all supported versions of Windows.
“An attacker must already have local access to an affected system to use these to gain kernel-level code execution capabilities,” Rapid7 researche
Qualys
April 2019 Patch Tuesday - 74 Vulns, 16 Critical, 2 Actively Attacked, 1 PoC Exploit, Adobe Vulns | Qualys
blogs_qualys·2019-04-09·CVSS 7.8
[HIGH] April 2019 Patch Tuesday - 74 Vulns, 16 Critical, 2 Actively Attacked, 1 PoC Exploit, Adobe Vulns | Qualys
This month’s Patch Tuesday addresses 74 vulnerabilities, with 16 labeled as Critical. Eight of the Critical vulns are for scripting engines and browser components, impacting Microsoft browsers and Office, along with another 5 Critical vulns in MSXML. Two Critical remote code execution (RCE) vulnerabilities are patched in GDI+ and IOleCvt. Two privilege escalation vulns in Win32k are reported as Actively Attacked, while another in the Windows AppX Deployment Service has a public PoC exploit.
### Workstation Patches
Scripting Engine and MSXML patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
### Actively Attacked Privileg
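Qualys singles out the two actively attacked Win32k privilege-escalation bugs, so the first question on any Windows host is whether the April 2019 update actually landed. The script below is an added example, not code from Qualys or Microsoft. It reports the file versions of the Win32k kernel-mode binaries (win32k.sys, and on Windows 10 also win32kbase.sys and win32kfull.sys) and lists the updates installed on or after Patch Tuesday, 2019-04-09. The minimum fixed file version is not stated on this page and differs per Windows build; it must be taken from the MSRC entry for CVE-2019-0859 for the host's exact build, so it is an operator-supplied parameter here, and the binary names are an assumption about the default Windows layout.

```powershell
# Added example (not Qualys's or Microsoft's code): triage whether the April 2019
# Win32k elevation-of-privilege fix is present on this host.
# Assumptions: Windows PowerShell 5.1+, default %SystemRoot% layout, Win32k binaries
# named win32k.sys / win32kbase.sys / win32kfull.sys. $MinimumFixedVersion comes from
# the MSRC page for CVE-2019-0859 for this exact build; it is NOT on the page above.

function Get-Win32kPatchState {
    [CmdletBinding()]
    param(
        [datetime]$PatchTuesday = '2019-04-09',   # release date of the fix (from the page)
        [version]$MinimumFixedVersion             # operator-supplied; $null = report only
    )

    # Win32k is split into several kernel-mode binaries on Windows 10; older builds
    # only ship win32k.sys. Check whichever ones exist.
    $bins = 'win32k.sys', 'win32kbase.sys', 'win32kfull.sys' |
        ForEach-Object { Join-Path $env:SystemRoot "System32\$_" } |
        Where-Object { Test-Path -LiteralPath $_ }

    $versions = @(foreach ($b in $bins) {
        $vi = (Get-Item -LiteralPath $b).VersionInfo
        # Build the version from the numeric parts; the FileVersion string may lag behind.
        $v = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{ File = Split-Path $b -Leaf; Version = $v }
    })

    # Updates installed since Patch Tuesday, newest first. Get-HotFix only sees updates
    # recorded by the servicing stack, so treat an empty list as "not proven", not "unpatched".
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -ge $PatchTuesday } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn

    # Only decide when the operator gave a threshold; every Win32k binary must meet it.
    $meetsMinimum = if ($MinimumFixedVersion -and $versions.Count -gt 0) {
        @($versions | Where-Object { $_.Version -lt $MinimumFixedVersion }).Count -eq 0
    } else {
        $null
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Build          = (Get-CimInstance Win32_OperatingSystem).BuildNumber
        Win32kVersions = $versions
        UpdatesSince   = @($recent)
        MeetsMinimum   = $meetsMinimum
    }
}

# Usage: report only, then again with the MSRC-derived threshold for this build.
Get-Win32kPatchState | Format-List
# Get-Win32kPatchState -MinimumFixedVersion '10.0.17763.437' | Select-Object Build, MeetsMinimum
```

The commented-out second call shows the shape of the threshold argument only; substitute the value MSRC lists for the host's build rather than reusing that literal. Run it across a fleet with Invoke-Command and sort on MeetsMinimum to find the hosts that still expose the actively attacked Win32k bugs.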
Securelist
DarkPulsar FAQ
blogs_securelist·2018-10-19
DarkPulsar FAQ
Authors
- Andrey Dolgushev
- Dmitry Tarakanov
- Vasily Berdnikov
## What’s it all about?
In March 2017, a group of hackers calling themselves “the Shadow Brokers” published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch. The FuzzBunch framework contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. The DanderSpritz framework is designed to examine already controlled machines and gather intelligence. Paired, they form a very powerful platform for cyber-espionage.
## How was this implant discovered?
We always analyze all leaks containing malicious software to provide the best detection. The same happened after the “Lost in Translation” leak was revealed. We noticed that this leak contained a tool in the
Securelist
DarkPulsar
blogs_securelist·2018-10-19
DarkPulsar
Authors
- Andrey Dolgushev
- Dmitry Tarakanov
- Vasily Berdnikov
In March 2017, the ShadowBrokers published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch.
DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical Windows interface similar to botnet administrative panels, as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for victims not controlled through FuzzBunch.
[Figure: DanderSpritz interface]
Fuzzbunch on the other hand provides a framework for different utilities to interact and work together. It contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. There are
Securelist
The Slingshot APT FAQ
blogs_securelist·2018-03-09
The Slingshot APT FAQ
Authors
- Alexey Shulmin
- Sergey Yunakovsky
- Vasily Berdnikov
- Andrey Dolgushev
While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.
The initial loader replaces the victim’s legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, a kernel-mode network sniffer, its own base-independent packer, and a virtual filesystem, among others.
- Vulnerabilities and exploits
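The Slingshot detail worth acting on is that the replacement scesrv.dll has exactly the same size as the original, so a size comparison against a known-good copy proves nothing. What does differ is the Authenticode (catalog) signature and the content hash relative to the copies Windows keeps in the component store. The script below is an added example, not code from Securelist or the Slingshot report. It assumes Windows PowerShell 5.1 or later, run elevated, and the default %SystemRoot% layout with the live DLL in System32 and servicing copies under WinSxS; the Microsoft signer-name pattern is also an assumption to tune for your environment.

```powershell
# Added example (not from the Securelist report): is the live scesrv.dll still the
# Microsoft-signed original? Slingshot's swap kept the file size identical, so this
# checks the signature and compares the hash against component-store (WinSxS) copies.
# Assumptions: Windows PowerShell 5.1+, elevated, default %SystemRoot% layout.

function Test-SystemDllIntegrity {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\scesrv.dll')
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Every servicing of the DLL leaves a copy under WinSxS, and the System32 file is
    # normally a hard link to one of them, so its hash should match at least one copy.
    # Hash each copy once and keep size + hash so both comparisons below reuse them.
    $store = @(Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') -Recurse -File `
                -Filter $file.Name -ErrorAction SilentlyContinue |
              ForEach-Object {
                  [pscustomobject]@{
                      Length = $_.Length
                      Hash   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                  }
              })

    $matchesStore = @($store | Where-Object { $_.Hash -eq $hash }).Count -gt 0
    # Same size as a known copy but different bytes is exactly the Slingshot pattern.
    $sameSizeDifferentBytes = @($store | Where-Object {
        $_.Length -eq $file.Length -and $_.Hash -ne $hash
    }).Count -gt 0

    # Assumption: Windows OS binaries carry a "CN=Microsoft Windows..." signer subject.
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($sig.SignerCertificate.Subject -like 'CN=Microsoft Windows*')

    $verdict = if ($signedByMicrosoft -and $matchesStore) {
                   'OK'
               } elseif (-not $signedByMicrosoft) {
                   'SUSPICIOUS: signature invalid, missing, or not Microsoft'
               } elseif ($sameSizeDifferentBytes) {
                   'SUSPICIOUS: same size as a store copy but different content'
               } else {
                   'INVESTIGATE: no matching component-store copy'
               }

    [pscustomobject]@{
        Path            = $file.FullName
        SizeBytes       = $file.Length
        SHA256          = $hash
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        StoreCopies     = $store.Count
        MatchesStore    = $matchesStore
        Verdict         = $verdict
    }
}

Test-SystemDllIntegrity | Format-List
```

Two caveats. Catalog-signed system files only report Status Valid where Get-AuthenticodeSignature understands catalog signatures (Windows 10 with PowerShell 5.1); on older hosts a NotSigned status is not conclusive on its own, so corroborate with `sfc /verifyfile=C:\Windows\System32\scesrv.dll`. And a valid signature with no store match is a prompt to investigate (for instance a partially applied update), not proof of compromise; the combination of a same-size copy with different bytes is the strong signal.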
Securelist
A simple example of a complex cyberattack
blogs_securelist·2017-09-25·CVSS 7.8
[HIGH] A simple example of a complex cyberattack
Authors
- Vasily Berdnikov
- Dmitry Karasovsky
- Alexey Shulmin
## How cyberspies achieve their goals by using cheap tools and careful aiming
We’re already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago – we named it ‘Microcin’ after microini, one of the malicious components used in it.
We detected a suspicious RTF file. The document contained an exploit to the previously known and patched vulnerability CVE-2015-1641; however, its code had been modified considerably. Remarkably, the malicious document was delivered via
Zscaler
Zscaler found Multiple Security Vulnerabilities | 04-09-2019
blogs_zscaler·CVSS 7.8
[HIGH] Zscaler found Multiple Security Vulnerabilities | 04-09-2019
- 2019-04-09 · Published
- 2021-11-03 · Added to CISA KEV
- Exploited in the wild