Windows Zero-Day Bug Lets Attackers Read Any File Gets Micropatch (Jan 21, 2019)
A Microsoft Windows zero-day vulnerability, for which Proof-of-Concept (PoC) code was published on GitHub approximately one month ago, has received a micropatch from the Slovenia-based company Acros Security. At the time of this writing, the vulnerability has neither a registered Common Vulnerabilities and Exposures (CVE) number nor an official patch; this is likely because a proper fix is complex. The United States Computer Emergency Readiness Team (US-CERT) issued a joint alert with Carnegie Mellon University stating that the “Microsoft Windows MsiAdvertiseProduct function contains a race-condition vulnerability, which can allow an authenticated attacker to elevate privileges to read protected files.” The alert also notes that its authors are “unaware of a practical solution to this problem” as of its publication (December 20, 2018).
Recommendation: This vulnerability has a high probability of attempted exploitation by threat actors because of the public availability of the PoC code. Microsoft is likely working on a patch for the “MsiAdvertiseProduct” function, which is used to generate an advertise script by enabling the “installer to write a script to the registry and shortcut information used to assign or publish a product,” according to Microsoft’s description. Users and administrators should be aware of this potential risk to proprietary information, and could avoid using MsiAdvertiseProduct until a proper patch has been issued by Microsoft. Additional information about this vulnerability can be found in the US-CERT/CC alert at https://www.kb.cert.org/vuls/id/228297/.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.