The risk of cybercriminals exploiting zero-day vulnerabilities has become a continuous threat for organizations globally. Recently, security experts from Kaspersky found a zero-day vulnerability, tracked as CVE-2021-28310, in a Microsoft Windows component known as Desktop Window Manager (DWM). The researchers stated that threat actors have likely exploited the flaw.
Microsoft immediately released a security patch to fix the vulnerability after Kaspersky reported the issue. Users and businesses were urged to apply the fix as early as possible to avoid any risks.
What is a Zero-Day Vulnerability?
A zero-day vulnerability is a flaw in a piece of software that is unknown to the programmer or vendor responsible for the application. Because the vulnerability isn’t known, there is no patch available. Hence, zero-day vulnerabilities pose a higher risk to users and businesses.
However, the vulnerability is known to the attacker, who exploits it to attack the system. Once the vulnerability becomes known, the software vendor might eventually issue a patch to fix it. A third-party researcher or individual could expose such a zero-day vulnerability.
It is not uncommon to see organizations failing to update their applications after the vendor issues a patch or fix. Those organizations become victims of the attack, even though a patch for that vulnerability is available.
Zero-Day Flaw in Desktop Window Manager
The CVE-2021-28310 flaw is a privilege escalation vulnerability that allows a remote attacker to gain admin privileges and execute arbitrary code on victims’ devices. The privilege escalation flaw gives cybercriminals extended rights to compromise sensitive data on the victim’s computer. Kaspersky researchers suggest that threat actors may have already abused this flaw, together with other weaknesses in users’ systems, while evading detection by security tools.
Desktop Window Manager (DWM) is a critical component responsible for rendering the windows of applications running on the operating system. DWM gathers the rendered content from each program’s buffer and composes it into the overall desktop view that the user perceives.
“A program can trick Desktop Window Manager into giving it access that it shouldn’t have. In this case, the vulnerability allowed the attackers to execute arbitrary code on victims’ machines — it essentially gave them full control over the computers,” Kaspersky said.
How to Fix the Flaw
- The security researchers urged users to immediately apply the security update released by Microsoft to prevent intrusions by threat actors.
- It is recommended to implement a robust endpoint security solution together with patch management capabilities.
- Employ an enterprise-grade security solution to identify advanced network-layer cyber threats.
Zero-Day Flaw Affecting Google Chrome
In a similar vulnerability investigation, Indian security researcher Rajvardhan Agarwal discovered a new zero-day vulnerability affecting current versions of popular web browsers, including Google Chrome, Microsoft Edge, and other Chromium-powered browsers such as Opera and Brave.
The previous vulnerability has been patched in the latest release. However, one more vulnerability was patched on the latest V8 version but not Chrome. The latest Chrome version is STILL affected. I have however decided to not publish the exploit. 7000a23fd345f6c41e234ab4ac8f7ffc https://t.co/cmL2CILGGZ pic.twitter.com/qGSTPWQJBt
— Rajvardhan Agarwal (@r4j0x00) April 14, 2021
Commenting on the vulnerability disclosure, Satnam Narang, Staff Research Engineer at Tenable, said, “An attacker cannot compromise the underlying operating system or access confidential information without combining this vulnerability with a second vulnerability to escape the sandbox. Zero-days may garner most of the attention but known yet unpatched vulnerabilities enable most breaches and have become favored by advanced attackers. Despite the limited impact from the public disclosure of another Google Chrome vulnerability, we continue to encourage users and organizations alike to ensure they are patching their browsers like Chrome and Edge as soon as possible.”