Home News Patch Now! Researchers Find Zero-Day Flaws in Google and Microsoft

Patch Now! Researchers Find Zero-Day Flaws in Google and Microsoft

A critical zero-day vulnerability in Microsoft’s Desktop Window Manager (DWM) allows threat actors to take complete control over the victim’s device.

Microsoft Azure App, Zero-Day Vulnerability

The risks from cybercriminals exploiting zero-day vulnerabilities have become a continuous threat for organizations, globally. Recently, security experts from Kaspersky found a zero-day vulnerability tracked as CVE-2021-28310 in Microsoft Windows component known as Desktop Window Manager (DWM). The researchers stated that threat actors have likely exploited the flaw.

Microsoft immediately released a security patch to fix the vulnerability after Kaspersky reported the issue. Users and businesses were urged to apply the fix as early as possible to avoid any risks.

What is a Zero-Day Vulnerability?

A zero-day vulnerability is a flaw in a piece of software that is unknown to the programmer or vendor responsible for the application. Because the vulnerability isn’t known, there is no patch available. And hence, zero-day vulnerabilities pose a higher risk to users and businesses.

However, the vulnerability is known to the attacker who exploits the vulnerability to attack the system. The software vendor might eventually issue a patch to fix the vulnerability once it becomes known. A third-party researcher or individual could expose this zero-day vulnerability.

It is not uncommon to see organizations failing to update their security applications after the vendor issues a patch/fix. And those organizations become victims of the attack, even though there is a patch available for that vulnerability.

Zero-Day Flaw in Desktop Window Manager

The CVE-2021-28310 flaw is a privilege escalation vulnerability that allows a remote attacker to gain admin privileges and execute arbitrary code on victims’ devices. The privilege escalation flaw gives extended rights to cybercriminals to compromise sensitive data from the victim’s computer. Kaspersky researchers suggest that threat actors may have already abused this flaw along with other loopholes in the users’ systems by evading the detection from security tools.

Desktop Window Manager (DWM) is a critical component responsible for rendering the windows that use the operating system. The DWM controls all the required information from the buffer of each program and formulates the composite view of the overall interface that the user perceives.

“A program can trick Desktop Window Manager into giving it access that it shouldn’t have. In this case, the vulnerability allowed the attackers to execute arbitrary code on victims’ machines — it essentially gave them full control over the computers,” Kaspersky said.

How to Fix the Flaw

  • The security researchers urged users to immediately apply the security update released by Microsoft to prevent intrusions from threat actors.
  • It is recommended to implement a robust endpoint security solution and patch management capabilities.
  • Employ an enterprise-grade security solution to identify and advanced network-layer cyber threats.

Zero-Day Flaw Affecting Google Chrome

In a similar vulnerability investigation, Indian security researcher Rajvardhan Agarwal discovered a new zero-day vulnerability affecting new versions of popular web browsers, including Google Chrome, Microsoft Edge, and other Chromium-powered browsers like Opera and Brave.

Commenting on the vulnerability disclosure, Satnam Narang, Staff Research Engineer at  Tenable said, “An attacker cannot compromise the underlying operating system or access confidential information without combining this vulnerability with a second vulnerability to escape the sandbox. Zero-days may garner most of the attention but known yet unpatched vulnerabilities enable most breaches and have become favored by advanced attackers. Despite the limited impact from the public disclosure of another Google Chrome vulnerability, we continue to encourage users and organizations alike to ensure they are patching their browsers like Chrome and Edge as soon as possible.”