Today, Microsoft released its monthly batch of security updates known as Patch Tuesday. This month's security release addresses 74 vulnerabilities in a wide range of Microsoft products, including two actively exploited zero-days.

This is the second month in a row that Microsoft has patched two zero-days, after patching two similar issues last month.

The Windows zero-days

The two zero-days patched this month are both the same kind of vulnerability. Both are elevation of privilege vulnerabilities impacting Win32k, a core component of the Windows operating system.

They are CVE-2019-0803[2] and CVE-2019-0859[3]. Although they were discovered by two separate security teams (Alibaba Cloud Intelligence Security Team and Kaspersky Lab, respectively), Microsoft describes the two zero-days in the same manner.

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses this vulnerability by correcting how Win32k handles objects in memory.

At the time of writing, no details are available about the two vulnerabilities, except the fact that they've been under active exploitation.

However, if we take into account that Kaspersky has reported to Microsoft six Windows Win32k elevation of privilege zero-days in the past six months, we can safely assume that CVE-2019-0859 is another zero-day exploited

Read more from our friends at ZDNet