
Windows 0-day exploit used in Operation WizardOpium - peter_d_sherman
https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/
======
acqq
It's from 10 December, and more information, like what the .. is that
"Operation" is here:

[https://www.bleepingcomputer.com/news/security/windows-chrom...](https://www.bleepingcomputer.com/news/security/windows-chrome-zero-days-chained-in-operation-wizardopium-attacks/)

"Last month, Kaspersky revealed that they discovered a zero-day Google Chrome
vulnerability that was actively being used in online attacks called Operation
WizardOpium.

The attackers had hacked a Korean-language news site and injected a JavaScript
tag into the site that would execute malicious scripts in the visitor's
browser."

------
saagarjha
Related discussion for a different exploit a couple months ago:
[https://news.ycombinator.com/item?id=21425804](https://news.ycombinator.com/item?id=21425804)

> At the same time, it tries to leak a few kernel pointers using well-known
> techniques to leak kernel memory addresses (gSharedInfo, PEB’s
> GdiSharedHandleTable).

Wait, Windows exports kernel address to userspace?!

~~~
lawl
> _Wait, Windows exports kernel address to userspace?!_

Don't know about these particular calls. But info leaks where a kernel address
is leaked are apparently quite common. They're usually fixed when found. But
this is the reason OpenBSD relinks the kernel every boot in a random order.
[0]

It's too easy to leak a pointer and invalidate KASLR, because now you can
calculate the KASLR offset.

The 'well known' part does seem a bit weird though.

[0]
[https://security.stackexchange.com/questions/163565/openbsd-...](https://security.stackexchange.com/questions/163565/openbsd-is-implementing-karl-how-does-this-improve-security)

Edit:
[https://github.com/sam-b/windows_kernel_address_leaks/blob/m...](https://github.com/sam-b/windows_kernel_address_leaks/blob/master/notes/gSharedInfo.md)

Seems Windows patches them too, sometimes. Checking the rest of the repo they
don't seem to care much though.

~~~
badrabbit
Windows doesn't have a monolithic kernel like *nix so it's not an apples to
apples comparison iirc

------
RustyRussell
Couldn't figure out what "operation wizardopium" is. Google simply points back
to this article or other reflections of it. Can anyone clue me in please?

~~~
badrabbit
[https://securelist.com/chrome-0-day-exploit-cve-2019-13720-u...](https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/)

First link in the article. It's a codename Kaspersky is using for this attack
campaign.

------
djmips
To me it feels like Windows Task Scheduler is often exploited by malware. It
seems it's too easy to add something here once you manage to get remote
execution.
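
An added example (not from this thread, the article, or Kaspersky): a defender-side audit of Windows scheduled tasks, the kind of check worth running on a host after a suspected compromise, since a freshly registered task that launches something from a user-writable directory is a common persistence pattern. It assumes Windows 8 / Server 2012 or later (the built-in ScheduledTasks module) and an elevated prompt so that every task is visible; the directory list and the 7-day window are constructed heuristics, not an official baseline.

```powershell
# Added example, not code from the thread or the article. Assumes the
# ScheduledTasks module (Windows 8 / Server 2012+) and an elevated session.
# The directory list and the 7-day window are constructed heuristics.

$RecentWindowDays = 7

# Directories a low-privileged process can usually write to. A task whose
# action runs a binary from one of these deserves a second look.
$UserWritableRoots = @(
    (Join-Path $env:SystemDrive 'Users'),
    $env:ProgramData,
    (Join-Path $env:windir 'Temp'),
    (Join-Path $env:SystemDrive 'Temp')
)

function Test-UserWritablePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # The service expands %VAR% at run time; do the same before comparing.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $UserWritableRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-SuspiciousScheduledTask {
    param([int]$WindowDays = $RecentWindowDays)

    $cutoff = (Get-Date).AddDays(-$WindowDays)

    foreach ($task in Get-ScheduledTask) {
        $reasons = New-Object System.Collections.Generic.List[string]

        # 1. Any executable action that launches from a user-writable location.
        #    Only MSFT_TaskExecAction carries Execute/Arguments; other action
        #    types (COM handler, e-mail, message box) have no Execute property.
        foreach ($action in $task.Actions) {
            $exe = $action.PSObject.Properties['Execute']
            if ($null -ne $exe -and (Test-UserWritablePath $exe.Value)) {
                $reasons.Add("runs from user-writable path: $($exe.Value) $($action.Arguments)")
            }
        }

        # 2. Registered recently. $task.Date is the registration timestamp as a
        #    string and can be empty for tasks created by some tools.
        $registered = [datetime]::MinValue
        if ([datetime]::TryParse($task.Date, [ref]$registered) -and $registered -gt $cutoff) {
            $reasons.Add("registered within the last $WindowDays days ($registered)")
        }

        # 3. Already flagged and also asks for elevation: persistence plus
        #    privilege, which is the combination to triage first.
        if ($reasons.Count -gt 0 -and $task.Principal.RunLevel -eq 'Highest') {
            $reasons.Add("requests highest run level as $($task.Principal.UserId)")
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Author   = $task.Author
                State    = $task.State
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Usage: print the findings, or pipe to Export-Csv to attach to a ticket.
Get-SuspiciousScheduledTask | Sort-Object TaskPath, TaskName | Format-Table -AutoSize -Wrap
```

The script deliberately does not skip the `\Microsoft\Windows\` folders, because a task hidden among legitimate ones is exactly the case an audit should catch; expect some benign hits from installers that drop updaters under `ProgramData`, and treat the output as a triage list rather than a verdict.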

------
ydb
> Operation WizardOpium

Life is no longer distinct from a William Gibson novel.

------
karmakaze
The title is a bit misleading, it's a Chrome on Windows exploit. I realize
many people use Chrome but the 0-day is mis-attributed.

~~~
inimino
It's not. The first paragraph mentions an earlier discovered exploit for
Chrome, and the rest is about a Windows 0-day that was also used in the same
attack.

------
dfc
"Successfully detected" is an awkward phrase. Can you unsuccessfully detect
something?

~~~
mrspeaker
C'mon - a super interesting technical article on how an exploit gets an
arbitrary kernel read/write primitive... and you have to take it down because
of an "awkward phrase" in the first paragraph? What's the point of such a
comment?

~~~
dfc
It was a legitimate question about the use of language. You are correct it was
an interesting article; someone clearly spent a lot of time and effort writing
it. Which is why I thought it was strange that it started out so awkwardly and
was curious if there was more to the phrase than I realized.

------
crankylinuxuser
Damnit. They're going to make me patch during Xmas.

Bah.

~~~
jve
[https://portal.msrc.microsoft.com/en-US/security-guidance/ad...](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458)

Published 13 days ago. You can subscribe to the security bulletin.

