
"MysterySnail" 0day in Win32k used to hit IT, defence firms

Kaspersky, NSA report critical vulns, one used in a major campaign.

Microsoft has patched 71 CVEs for October's Patch Tuesday: two rated Critical, 68 rated Important, and one rated Low in severity. Among the more notable was Win32k Elevation of Privilege (EOP) vulnerability CVE-2021-40449, reported by Kaspersky. This has been used by a Chinese APT in a widespread campaign against defence and IT firms, the Russian security firm said, highlighting its use of a previously unknown remote access trojan (RAT). Dubbed MysterySnail, that campaign gets a detailed write-up from Kaspersky's team here.

The MysterySnail exploit is a use-after-free vulnerability in Win32k’s NtGdiResetDC function, Kaspersky said, adding that it believed the 0day was developed specifically to target servers: "As with many other Win32k vulnerabilities, the root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API functions during execution of those callbacks. The CVE-2021-40449 is triggered when the function ResetDC is executed a second time for the same handle during execution of its own callback."


Other patches to note include a Remote Code Execution (RCE) bug CVE-2021-40486 in Microsoft Word (it requires some user interaction), two Windows Hyper-V RCEs (CVE-2021-38672 and CVE-2021-40461) and another bug in vulnerability-riddled Exchange Server (CVE-2021-26427), reported by the NSA. (Few details were given about the Hyper-V bugs. As the ZDI notes in its Patch Tuesday blog: "One of these bugs could allow a guest OS to execute code on the host OS if the guest can cause a memory allocation error within the guest VM. Microsoft provides no details on the other bug, but it could also be used for a guest-to-host escape.")

Adobe meanwhile pushed out six patches covering 10 CVEs in Adobe Campaign Standard, Commerce, Ops-CLI, Adobe Connect, Adobe Reader, and Acrobat Reader for Android. Two are rated critical and could allow for RCE, but both still require some user interaction to exploit. Patching, as ever, is suggested.

Intel also pushed out two security updates this October Patch Tuesday, both requiring local access but worth patching to avoid unwanted escalation of privilege by the maliciously minded.

One (CVE-2021-0186, with a CVSS score of 8.2) was in its Software Guard Extensions (SGX) Software Development Kit (SDK) and affects applications compiled for SGX2-enabled processors; the other, lower-rated bug (CVE-2021-0180, CVSS 6.2) is in its Hardware Accelerated Execution Manager (HAXM) software.
