New Zero-day Vulnerability CVE-2019-0859 in win32k.sys (Apr 15, 2019)
A new zero-day vulnerability, registered as “CVE-2019-0859,” in Windows’ “win32k.sys” has been discovered by researchers from Kaspersky Lab. The vulnerability is a use-after-free flaw in the “CreateWindowEx” function, specifically in the “WM_NCCREATE” callback. Exploiting the callback flaw gives a threat actor control over the freed memory block; in the observed attack this was then used to execute PowerShell code that ultimately establishes an HTTP reverse shell, giving the attacker access to the entire infected system.
Recommendation: A patch has been released to address this vulnerability, so it is crucial to apply it immediately. Your organisation should consider establishing policies and procedures to set up automatic updates so that patches are applied as soon as new updates are released.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.