Researchers Discover Vulnerability in Win32k OS Component
New information has surfaced regarding a recently patched security vulnerability in Microsoft Windows that was actively exploited by threat actors to gain elevated privileges on affected systems.
The vulnerability, identified as CVE-2023-29336, has a severity rating of 7.8 and pertains to an elevation of privilege flaw in the Win32k component.
According to Microsoft's advisory released as part of the Patch Tuesday updates last month, successful exploitation of this vulnerability could grant an attacker SYSTEM privileges.
The discovery and reporting of this flaw were credited to Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra.
Win32k.sys, a kernel-mode driver crucial to the Windows architecture, is responsible for managing graphical device interfaces (GUI) and windows.
Exact Route of Attack Not Clear
Although the precise details of how threat actors exploited this vulnerability in the wild are not yet known, Numen Cyber, a cybersecurity company based in Singapore, has reverse-engineered the Microsoft patch and developed a proof-of-concept (PoC) exploit for Windows Server 2016.
Numen Cyber highlighted that the vulnerability relied on a leaked kernel handle address in the heap memory, ultimately allowing for a read-write primitive.
While Win32k vulnerabilities have been known in the past, Numen Cyber noted that Microsoft attempted to refactor this section of the kernel code using Rust in the latest Windows 11 preview version. This effort aims to mitigate such vulnerabilities in the new system going forward.
Numen Cyber distinguishes itself from traditional Web3 security companies by prioritizing advanced security capabilities, particularly focusing on OS-level security attack and defense capabilities. Their products and services provide cutting-edge solutions to address the unique security challenges of Web3.