
Attackers use 0-day vulnerabilities in cyber attacks on users

Microsoft has released information about the high-profile vulnerabilities that Google previously pointed out in its post. The attackers used a chain of two vulnerabilities (RCE + LPE) to remotely execute code through Flash Player and then bypass the browser sandbox through win32k.sys. The Flash Player vulnerability, CVE-2016-7855, has been closed by Adobe update APSB16-36. The update for win32k.sys has not yet been released, although the vulnerability affects all supported versions of Windows.

We have already written several times about the mechanisms that block exploit actions in the Google Chrome and Microsoft Edge web browsers (on Windows 10). Both browsers, in addition to a sandbox based on AppContainer isolation, restrict the use of the system services of the win32k.sys driver. Chrome and Edge therefore also block attempts to exploit the LPE vulnerability in this driver, but only when they run on Windows 10.

The attack has been observed in the wild; it is carried out against users through Adobe Flash Player.

Chrome's sandbox blocks win32k.sys system calls on Windows 10 using the Win32k lockdown mitigation, which denies the exploit the system calls it needs to escape this sandbox.


Edge uses a special method of blocking win32k.sys in the context of sandboxed processes called Win32k syscall filtering. It allows the kernel to block the execution of particular win32k.sys system calls specified by the application (Windows 10 only). Unlike Edge, Chrome fully blocks win32k.sys calls using the mitigation mechanism built into Windows 8 and later, SetProcessMitigationPolicy with the ProcessSystemCallDisablePolicy parameter. Thus, on Windows 7 and Windows Vista, neither of the two web browsers can completely block the action of the exploit. The well-known Microsoft EMET tool also cannot block such an LPE exploit.
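A defender's check for the mechanism described above, as an added example that is not code from the original post: a PowerShell script that reads the live system-call-disable policy of running Chrome and Edge processes and then shows how to enforce the same lockdown on another executable. It assumes the ProcessMitigations module (Windows 10 1709 and later, with Get-ProcessMitigation and Set-ProcessMitigation), an elevated session, and a hypothetical target name report-worker.exe.

```powershell
# Added example, not code from the original post. Audits whether the win32k.sys
# system-call lockdown described above is actually active in running browser
# processes, then shows how to enforce it for another executable.
# Assumes: ProcessMitigations module (Windows 10 1709+), elevated session.

# Process names used by the browsers the post discusses (EdgeHTML-era Edge names).
$browserNames = 'chrome', 'MicrosoftEdge', 'MicrosoftEdgeCP'

function Get-Win32kLockdownState {
    param([System.Diagnostics.Process]$Process)
    # -Id reads the live policy of the running process, not the registry
    # configuration, so it reflects what the browser applied at start-up.
    $m = Get-ProcessMitigation -Id $Process.Id -ErrorAction Stop
    [pscustomobject]@{
        Pid        = $Process.Id
        Process    = $Process.ProcessName
        Win32kLock = $m.SystemCalls.DisableWin32kSystemCalls   # ON / OFF / NOTSET
    }
}

# 1. Audit. Sandboxed children (Chrome renderers, Edge content processes) should
#    report ON; the browser's broker/main process normally reports OFF because it
#    still needs win32k for the UI. An unexpected OFF in a renderer means the
#    win32k.sys escape path the post describes is open in that process.
$states = Get-Process | Where-Object { $browserNames -contains $_.ProcessName } |
    ForEach-Object { Get-Win32kLockdownState -Process $_ }
$states | Format-Table -AutoSize
$exposed = @($states | Where-Object { $_.Win32kLock -ne 'ON' })
Write-Host ("{0} of {1} browser processes without Win32k lockdown" -f $exposed.Count, @($states).Count)

# 2. Enforce for another executable (hypothetical name). Only suitable for a
#    program with no GUI: win32k.sys also backs windowing, so enabling this on a
#    GUI process breaks it, which is why browsers apply it to child processes only.
#    The setting applies to instances launched after this call.
$app = 'report-worker.exe'
Set-ProcessMitigation -Name $app -Enable DisableWin32kSystemCalls

# 3. Confirm the stored configuration for that executable.
(Get-ProcessMitigation -Name $app).SystemCalls
```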

We recommend that users install the corresponding Windows update as soon as it is released.

Source: https://habr.com/ru/post/314266/
