Wednesday, 09 June 2021 10:43

Kaspersky trio spots Vista-era zero-days exploited through Chrome


Global security firm Kaspersky has revealed that targeted attacks against a number of companies, which it noticed in April, initially used a vulnerability in Google's Chrome browser and then linked this to two zero-days in the Microsoft Windows 10 kernel.

Researchers Costin Raiu, Boris Larin and Alexey Kulaev said in a detailed blog post that they had been unable to find the exploit used for remotely exploiting Chrome.

This is not surprising as Google's Project Zero team has rarely revealed full details about zero-days in its own products.

The Kaspersky trio said the two Windows zero-days had been in the operating system since the days of Windows Vista, which means they have been there for more than 14 years.

Patches for both were issued on Tuesday by Microsoft, along with patches for another five zero-days, four of which have been reported as being exploited in the wild.

Additionally, Microsoft issued patches for some 50 other flaws in its various products.

Despite being unable to zero in on the Chrome vulnerability, the Kaspersky researchers said they suspected the flaw used had been demonstrated at the Pwn2Own hacking competition in April.

The bug was used by Bruno Keith and Niklas Baumstark of Dataflow Security to target Chrome and Edge in the Web browser category.

The pair used a Type Mismatch bug to exploit the Chrome renderer and Microsoft Edge, using the same exploit for both browsers as they both use the same JavaScript engine.

Satnam Narang, staff research engineer at security shop Tenable, said Microsoft had addressed 49 CVEs, five of which were rated critical. "This is the third time in 2021 that Microsoft has patched less than 60 CVEs and this month's release contains the lowest number of patches in a month so far this year," he added.

He said six zero-day vulnerabilities that have been exploited in the wild were patched, including four elevation of privilege vulnerabilities, one information disclosure vulnerability and one remote code execution vulnerability.

"CVE-2021-33742 is a remote code execution vulnerability in the Microsoft Windows MSHTML Platform. While this vulnerability does not require special privileges, the attack complexity for exploiting this vulnerability is high, which means an attacker would need to perform additional legwork to successfully exploit this flaw. It appears that was the case, though details of in-the-wild exploitation are not yet known," Narang said.

"CVE-2021-31955 is an information disclosure vulnerability in the Windows Kernel, while CVE-2021-31956 is an elevation of privilege vulnerability in Windows NTFS. Details about the in-the-wild exploitation of these vulnerabilities are not yet known. While both vulnerabilities require the attacker to be authenticated to the target system, it is likely that they have been leveraged either post-compromise by the attackers directly or through the use of a malicious file opened by a local user.

"CVE-2021-33739 is an elevation of privilege zero-day vulnerability in the Microsoft Desktop Window Manager (DWM) Core Library. For context, Microsoft patched two elevation of privilege vulnerabilities in February (CVE-2021-1732) and April (CVE-2021-28310) which appear to be linked to a threat actor known as BITTER APT. In the case of CVE-2021-28310, researchers linked the flaw to the dwmcore.dll file. Given that CVE-2021-33739 is credited to the same researchers who found CVE-2021-1732 in February, and was discovered in the same core library as CVE-2021-28310, it is feasible this is another zero-day being leveraged by the same BITTER APT group.

"While these vulnerabilities have already been exploited in the wild as zero-days, it is still vital that organisations apply these patches as soon as possible. Unpatched flaws remain a problem for many organisations months after patches have been released."


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
