memory corruption Archives

Winsage

May 14, 2025

Microsoft Confirms Windows Is Under Attack — You Must Act Now

Microsoft has confirmed multiple zero-day vulnerabilities being actively targeted by malicious actors. One significant vulnerability is CVE-2025-30397, a memory corruption flaw in the Windows scripting engine that affects all versions of Windows and allows code execution over the network. It has a CVSS score of 7.8 and is considered critical. Successful exploitation requires the target to use Edge in Internet Explorer Mode and for the user to click a malicious link. Other vulnerabilities include: - CVE-2025-32709: An elevation of privilege vulnerability in the Windows ancillary function driver for WinSock, affecting Windows Server 12 and later. - CVE-2025-32701 and CVE-2025-32706: Vulnerabilities in the Windows Common Log File Driver System that could allow local attackers to gain system privileges, affecting all versions of Windows. - CVE-2025-30400: An elevation of privilege vulnerability in the Windows desktop window manager, affecting Windows 10, Server 2016, and later OS versions. Windows users are urged to update their systems with the latest security patches immediately.

Winsage

May 14, 2025

Microsoft Scripting Engine 0-Day Vulnerability Enables Remote Code Execution Over Network

Microsoft has identified a memory corruption vulnerability in its Scripting Engine, designated as CVE-2025-30397. This vulnerability allows unauthorized remote code execution and is classified as “Important” under CWE-843 (Type Confusion). It was disclosed in the May 2025 Patch Tuesday updates and arises from improper handling of resource types. Exploitation occurs when a user clicks a specially crafted URL in Microsoft Edge's Internet Explorer Mode, potentially compromising system confidentiality, integrity, and availability. Although the attack complexity is high, successful exploitation has been confirmed in the wild. Microsoft has issued patches for all supported Windows versions, and users are advised to apply these updates and consider disabling Internet Explorer Mode to reduce risk.

Winsage

May 14, 2025

Windows DWM 0-Day Vulnerability Allows Attackers to Escalate Privileges

Microsoft has addressed a zero-day vulnerability in the Windows Desktop Window Manager (DWM) Core Library, identified as CVE-2025-30400, which allows attackers to gain SYSTEM-level privileges on affected systems. This "Elevation of Privilege" vulnerability, arising from a "use-after-free" memory corruption issue, was actively exploited prior to the release of a patch on May 13, 2025. The vulnerability permits an authorized attacker to execute code with SYSTEM privileges by exploiting improper memory management within the DWM process. Microsoft classified the severity of this vulnerability as "Important" and assigned it a CVSS score of 7.8. Users and administrators are strongly advised to apply the latest updates to mitigate the risk of exploitation.

Winsage

May 12, 2025

Microsoft Defender Discovers Zero-Day Vulnerability in Windows CLFS

The deployment of PipeMagic preceded a sophisticated exploit targeting the Common Log File System (CLFS) kernel driver, initiated from a dllhost.exe process. The exploit began with the NtQuerySystemInformation API, which leaked kernel addresses to user mode. In Windows 11, version 24H2, access to specific System Information Classes within this API was restricted to users with SeDebugPrivilege, rendering the exploit ineffective on this version. The exploit then used a memory corruption technique with the RtlSetAllBits API to overwrite its process token with 0xFFFFFFFF, granting it all available privileges and enabling process injection into SYSTEM-level operations. A CLFS BLF file was created at C:ProgramDataSkyPDFPDUDrv.blf, marking the exploit's activity.

Winsage

April 22, 2025

Critical Windows Update Stack Vulnerability Allows Code Execution & Privilege Escalation

A security vulnerability identified as CVE-2025-21204 has been discovered in the Windows Update Stack, allowing local attackers to execute unauthorized code and escalate privileges to SYSTEM-level access. This vulnerability, with a CVSS score of 7.8 (High), affects Windows 10 versions 1507, 1607, and 1809, among likely other supported Windows 10/11 and Windows Server versions. The flaw arises from a design issue where Windows Update processes do not properly follow directory junctions, enabling attackers with limited user privileges to redirect trusted paths to locations containing malicious code. Microsoft has introduced a mitigation strategy in its April 2025 cumulative update, which includes creating a new folder at the root of system drives and implementing detection rules for suspicious junction creations. Organizations are advised to apply the April 2025 security updates, restrict ACLs on specific directories, prevent symbolic link creation, and monitor file creation activities in certain directories.

Winsage

April 9, 2025

Exploitation of CLFS zero-day leads to ransomware activity

The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) identified a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS), designated as CVE-2025-29824. This vulnerability has been exploited by the PipeMagic malware, attributed to the group Storm-2460, affecting organizations in various sectors across the U.S., Venezuela, Spain, and Saudi Arabia. Microsoft released security updates on April 8, 2025, to address this vulnerability. The exploit allows attackers with standard user privileges to escalate their access, and it was executed from a dllhost.exe process. The exploit utilizes memory corruption techniques and the RtlSetAllBits API to gain all privileges and inject processes into SYSTEM processes. Post-exploitation, the attackers injected a payload into winlogon.exe, leading to ransomware activity characterized by file encryption and the creation of ransom notes. Indicators of compromise include the creation of a CLFS BLF file at C:ProgramDataSkyPDFPDUDrv.blf, command lines associated with ransomware activities, and specific domains linked to PipeMagic. Microsoft advises applying security updates promptly and recommends strategies for mitigating ransomware threats, including enabling cloud-delivered protection and utilizing device discovery.

Winsage

March 5, 2025

Zero Day Initiative — CVE-2024-43639: Remote Code Execution in Microsoft Windows KDC Proxy

Integer overflows and memory corruption errors have been identified during the encoding of the kerb-message OCTET STRING field in the KDC Proxy. The ASN1encoder.buf is allocated a buffer of size 1,024, while ASN1encoder.current points to ASN1_encoder.buf + 4. The KDC Proxy accepts Kerberos responses with a maximum size of 4,294,967,295. When a Kerberos response is sent with a length from 4,294,967,291 to 4,294,967,295, an overflow occurs due to the addition being stored in a 4-byte unsigned variable, leading to a heap buffer overflow when ASN1BEREncCharString() calls memcpy(). Similarly, for responses with lengths between 4,294,966,267 and 4,294,967,290, an overflow occurs during reallocation, causing an out-of-bounds write or heap buffer overflow. An edge case arises when passing 0 as the new size to LocalReAlloc(), leading to an access violation. A remote, unauthenticated attacker could exploit this vulnerability for arbitrary code execution. Detection involves monitoring traffic on UDP port 389 and TCP port 88, focusing on Kerberos responses. If a response exceeds 0x80000000 bytes, it should be flagged as suspicious. The vulnerability was patched in November, and only KDC servers are at risk; domain controllers are unaffected. Immediate patching of all instances of the KPSSVC server is recommended.