Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Zero-day attackers exploit Windows kernel, Patch Tuesday brings fix

Two zero-day flaws have been used in separate, “unrelated” attacks against Microsoft Windows users, researchers at FireEye warn.

On Tuesday, just ahead of Microsoft's monthly security update, FireEye revealed details about the vulnerabilities in a blog post. The zero-day flaws were used to carry out “limited, targeted attacks against some major corporations,” before a fix was presented this Patch Tuesday.

One of Microsoft's three critical bulletins this month, MS14-058, plugs both vulnerabilities: CVE-2014-4148 and CVE-2014-4113. The bug in Microsoft Windows TrueType Font (TTF), CVE-2014-4148, was exploited via a phishing ruse delivered to victims, FireEye said.

“In the case of CVE-2014-4148, the attackers exploited a vulnerability in the Microsoft Windows TrueType Font (TTF) processing subsystem, using a Microsoft Office document to embed and deliver a malicious TTF to an international organization” the blog post said. “Since the embedded TTF is processed in kernel-mode, successful exploitation granted the attackers kernel-mode access. Though the TTF is delivered in a Microsoft Office document, the vulnerability does not reside within Microsoft Office.”

In a Tuesday interview with, Dan Caselden, a senior malware researcher at FireEye who co-authored the blog post, addressed the critical nature of Windows kernel exploits. Obtaining kernel-mode access gives attackers free rein in targeted systems, he explained.

“Once they've accessed the kernel mode, they've essentially accessed the entire system,” Caselden said. “[Attackers] can communicate with hardware, record keystrokes and install drivers, for instance.”

In its blog post, FireEye explained that the other zero-day bug, CVE-2014-4113, – which “rendered Microsoft Windows 7, Vista, XP, Windows 2000, Windows Server 2003/R2, and Windows Server 2008/R2 vulnerable to a local Elevation of Privilege (EoP) attack” – can't be used on its own to compromise victims.

“An attacker would first need to gain access to a remote system running any of the above operating systems before they could execute code within the context of the Windows Kernel,” the firm said.

FireEye reported both zero-day vulnerabilities to Microsoft late last month and assisted the tech giant in creating a fix. The company also noted that it could not provide information on the targeted firms, or the attack groups behind exploitation.

“We have no evidence of these exploits being used by the same actors,” FireEye said in the blog post. “Instead, we have only observed each exploit being used separately, in unrelated attacks.”

In his interview with, Caselden added that it was “too early” to draw any links between attackers using the aforementioned zero-days and an attack group, dubbed “Sandworm Team” by iSIGHT Partners, which used a third zero-day bug, CVE-2014-4114, to exploit users.

The zero-day uncovered by iSIGHT impacts all supported versions of Microsoft Windows and Windows Server 2008 and 2012, and was also plugged on Patch Tuesday. According to iSIGHT, the vulnerability was used by a Russian cyber espionage group targeting NATO, European telecommunications firms, academic organizations in the U.S. and other entities across the globe.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.