Vulnerability detected in Kernel Transaction Manager

December 14, 2018

Cybercriminals continue to stress-test Windows, and our protective technologies continue to detect their attempts and prevent exploitation. It is not the first or even the second discovery of this kind over the past three months. This time, our systems detected an attempt to exploit the vulnerability in Windows Kernel Transaction Manager.

The new zero-day exploit was used against several victims in the Middle East and Asia. The vulnerability it exploited, CVE-2018-8611, allowed an elevation of privilege in cases where the Windows kernel fails to handle objects in memory properly. As a result, malefactors can run arbitrary code in kernel mode.

In practice, that means malefactors can install programs, change or view data, or even create new accounts. According to our experts, the exploit can also be used to escape the sandbox in modern Web browsers, including Chrome and Edge. For technical details, see this Securelist post. Even more information about CVE-2018-8611 and the actors who tried to exploit it is available to customers of Kaspersky Intelligence Reports; contact intelreports@kaspersky.com.

Our experts reported this vulnerability to developers, and Microsoft just released a corresponding patch that corrects how the Windows kernel handles objects in memory.

How to stay safe

Again, here is our general advice for vulnerabilities:

  • Do not feel safe just because the exploit has found few victims at this point. Now that the vulnerability has been disclosed, more cybercriminals may try to exploit it, so install the patch immediately.
  • Regularly update all software your company uses.
  • Use security products with automated vulnerability assessment and patch management capabilities.
  • Use a security solution equipped with behavior-based detection capabilities for effective protection against unknown threats including zero-day exploits.

Note again that this vulnerability was unknown until our protective technologies encountered the exploit. Therefore, we can recommend specific products that can help keep you safe. The first is our solution made specifically to protect against APT threats — Kaspersky Anti Targeted Attack Platform, with its advanced sandboxing and antimalware engine. The second, Kaspersky Endpoint Security for Business, has built-in automatic exploit prevention technology, which is the technology that detected the CVE-2018-8611 vulnerability.