Another Windows 10 Zero-Day Bug Could Allow Overwriting Files With Random Data
(Jan 4, 2019)
A Windows 10 zero-day vulnerability was disclosed by the security researcher known as "SandboxEscaper." It allows a user without administrative privileges to overwrite arbitrary files with random data. The published proof of concept overwrote "pci.sys," a driver the operating system (OS) needs in order to boot, leaving the affected machine unbootable and thereby creating a Denial-of-Service (DoS) condition. The proof of concept is unreliable and may not work on some CPUs. Microsoft is aware of the vulnerability but, as of this writing, has not released a patch.
Recommendation: Attacks that exploit zero-day vulnerabilities can sometimes be detected by less conventional means, such as behavior analysis and heuristic or machine-learning-based detection systems. Because no patch is yet available and the demonstrated impact is the overwriting of protected system files, monitoring for unexpected changes to files under the Windows system directory, for example a signed driver whose Authenticode signature no longer validates, is a practical interim control. Threat actors frequently continue to exploit vulnerabilities long after the vendor has patched them, so it is also crucial that policies are in place to ensure that all employees install patches as soon as they are made available.
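The following PowerShell script is an added example and is not part of the original briefing or of any vendor tooling. It implements the interim check described above: it records a SHA-256 baseline for a set of boot-critical drivers and later verifies both the baseline hash and the Authenticode signature of each file. A driver overwritten with random data, as in the pci.sys proof of concept, fails the signature check (status HashMismatch or NotSigned) and no longer matches the baseline. The driver list and the baseline file location are assumptions chosen for this example.

```powershell
# Added example, not code from the original briefing. Verifies that boot-critical
# drivers in System32\drivers still carry a valid Authenticode signature and match
# a previously recorded SHA-256 baseline.

# Assumptions for this example: which drivers to watch and where to keep the baseline.
$DriverDir    = Join-Path $env:SystemRoot 'System32\drivers'
$Drivers      = @('pci.sys', 'ntfs.sys', 'acpi.sys', 'disk.sys', 'volmgr.sys')
$BaselinePath = Join-Path $env:ProgramData 'DriverBaseline.json'

function Get-DriverState {
    # Returns one object per driver: existence, signature status, signer and SHA-256.
    param([string[]]$Names)
    foreach ($name in $Names) {
        $path = Join-Path $DriverDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $name; Exists = $false; Signature = 'Missing'; Signer = $null; Sha256 = $null }
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = Get-FileHash -LiteralPath $path -Algorithm SHA256
        [pscustomobject]@{
            Name      = $name
            Exists    = $true
            Signature = $sig.Status.ToString()   # Valid, HashMismatch, NotSigned, NotTrusted, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Sha256    = $hash.Hash
        }
    }
}

function Save-DriverBaseline {
    # Run once on a known-good machine, and again after Windows Update replaces drivers.
    Get-DriverState -Names $Drivers | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath"
}

function Test-DriverIntegrity {
    # Compares the current state of each driver against its signature and the stored baseline.
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        throw "No baseline at $BaselinePath; run Save-DriverBaseline on a known-good system first."
    }
    $baseline = @{}
    foreach ($entry in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
        $baseline[$entry.Name] = $entry.Sha256
    }
    $findings = foreach ($state in (Get-DriverState -Names $Drivers)) {
        $reasons = @()
        if (-not $state.Exists)               { $reasons += 'file missing' }
        elseif ($state.Signature -ne 'Valid') { $reasons += "signature $($state.Signature)" }
        if ($state.Exists -and $baseline.ContainsKey($state.Name) -and $baseline[$state.Name] -ne $state.Sha256) {
            $reasons += 'hash differs from baseline'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Driver = $state.Name; Reasons = ($reasons -join '; ') }
        }
    }
    if ($findings) { $findings } else { Write-Output 'All monitored drivers intact.' }
}

# Usage:
#   Save-DriverBaseline      # once, on a known-good machine (and after each Windows Update)
#   Test-DriverIntegrity     # on a schedule, or before a planned reboot
```

The signature check alone is enough to catch a file overwritten with random data, which is why it is reported separately from the baseline comparison; the baseline additionally catches a substituted driver that carries some other valid signature. Inbox Windows drivers are commonly catalog-signed rather than embedded-signed, and Get-AuthenticodeSignature consults the system catalogs on Windows 8 and later, so a status other than Valid on a supported Windows 10 system is worth investigating. Windows Update replaces drivers legitimately, so refresh the baseline after patching to avoid false positives.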
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.