This month has seen Microsoft release its latest round of security and system updates, and it’s quite an important one!

In the updates, Microsoft have revealed that they have patched 89 issues, 9 of which were zero-day vulnerabilities (a fix for a 10th zero-day is still being worked on and will be released in due course).

The 89 patches address a wide range of vulnerability types, broken down as follows:

  • 36 Elevation of Privilege Vulnerabilities
  • 4 Security Feature Bypass Vulnerabilities
  • 28 Remote Code Execution Vulnerabilities
  • 8 Information Disclosure Vulnerabilities
  • 6 Denial of Service Vulnerabilities
  • 7 Spoofing Vulnerabilities

With regard to the zero-days, 6 are known to have been actively exploited by threat actors – including the LNK stomping exploit I posted about in my post about “The Mark of the Web” – read that post here.

The 6 zero-days actively being exploited are:

  • CVE-2024-38178 – Scripting Engine Memory Corruption Vulnerability
    Successful exploitation leads to remote code execution on the target, which could lead to further exploitation of the target device.
  • CVE-2024-38193 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
    Successful exploitation leads to a threat actor gaining SYSTEM privileges.
  • CVE-2024-38213 – Windows Mark of the Web Security Feature Bypass Vulnerability
    Successful exploitation allows for remote code execution without triggering the SmartScreen protection utility.
  • CVE-2024-38106 – Windows Kernel Elevation of Privilege Vulnerability
    Successful exploitation leads to a threat actor gaining SYSTEM privileges.
  • CVE-2024-38107 – Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
    Successful exploitation leads to a threat actor gaining SYSTEM privileges.
  • CVE-2024-38189 – Microsoft Project Remote Code Execution Vulnerability
    Successful exploitation leads to remote code execution on the target, which could lead to further exploitation of the target device.

What is a zero-day?

A zero-day (0-day) is defined as a vulnerability in a hardware or software product of which the vendor or manufacturer is not yet aware, but which has been publicly described and/or actively exploited. As such, the vendor has had zero days to provide a fix for the issue.

Typically, when a new vulnerability is discovered in a system, the individual or team who identified it reports their findings to the vendor via a process known as responsible disclosure.

This process gives the vendor a defined timeline to fix the issue before the vulnerability is disclosed to the wider public; depending on the potential impact of the vulnerability, this time may vary between a few days and several months.

Big money

Identifying vulnerabilities can attract large fees, with zero-days fetching millions of dollars in some cases.

The website Zerodium is one of the best-known platforms for buying zero-day knowledge; the chart below shows the payout scales for zero-days on different platforms.

Who buys Zero-days?

There are three main types of buyers of zero-days:

The vendors

Vendors will commonly pay hackers and security researchers for knowledge of vulnerabilities in their products and services. Typically this is done through a bug-bounty program.

Many companies run bug bounty programs in which they authorise security researchers to test their systems (within the rules of engagement) and agree to pay a financial reward to those who uncover new issues.

Some companies offer bug bounties directly via their own website (as seen above), whereas others offer bounties through affiliated platforms such as HackerOne.

Governments / Intelligence agencies

Governments and intelligence agencies research systems for zero-days and in some cases purchase them, either to use them as assets in their own intelligence missions, to stop them from falling into the hands of others, or to work with vendors on finding a fix.

Many such organisations actively purchase zero-days, with the US government being the largest buyer.

The UK’s National Cyber Security Agency operates a process known as the equities process, which actively looks for vulnerabilities and, when any are found, decides whether to tell the vendor or to use them as an advantage against adversaries.

Criminal threat actors

Criminals will often trade exploits on the dark web which target zero-days or “half-days”. A half-day is a new vulnerability which has recently been patched by the vendor, but where the patch most likely hasn’t yet been applied by many organisations, leaving a number of potential victims.

Rather than selling knowledge of the vulnerability, criminals trade in exploits that have been proven to work against a vulnerability, thus allowing quick access to victims.