{"id":17137,"date":"2020-08-12T03:05:01","date_gmt":"2020-08-12T07:05:01","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/cve-2020-1380-vulnerability\/17137\/"},"modified":"2020-08-12T11:14:19","modified_gmt":"2020-08-12T07:14:19","slug":"cve-2020-1380-vulnerability","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/cve-2020-1380-vulnerability\/17137\/","title":{"rendered":"Operation PowerFall: Two zero-day vulnerabilities"},"content":{"rendered":"<p>Our technologies prevented an attack on a South Korean company recently. That\u2019s just your average Wednesday, you might say \u2014 but while analyzing the cybercriminals\u2019 tools, our experts discovered two whole zero-day vulnerabilities. They found the first in Internet Explorer 11\u2019s JavaScript engine. That one enabled the attackers to remotely execute arbitrary code. The second, detected in an operating system service, let the attackers escalate privileges and perform unauthorized actions.<\/p>\n<p>The exploits for these vulnerabilities operated in tandem. First, the victim was slipped a malicious script that a hole in Internet Explorer 11 allowed to run; and then a flaw in the system service further escalated the malicious process\u2019s privileges. As a result, the attackers were able to take control of the system. Their goal was to compromise the computers of several employees and penetrate the organization\u2019s internal network.<\/p>\n<p>Our experts have dubbed this malicious campaign Operation PowerFall. At present, researchers have found no inarguable link between this campaign and known actors. 
However, judging by the similarity of the exploits, they haven\u2019t ruled out involvement by <a href=\"https:\/\/www.kaspersky.com\/blog\/the-dark-story-of-darkhotel\/15022\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">DarkHotel<\/a>.<\/p>\n<p>When our researchers informed Microsoft of their findings, the company said it already knew about the second vulnerability (in the system service) and had even made a patch for it. But until we informed them about the first vulnerability (in IE11), they considered its exploitation unlikely.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2020\/08\/12111416\/CVE-2020-1380_list.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2020\/08\/12111416\/CVE-2020-1380_list.png\" alt=\"CVE-2020-1380 Acknowledgements\" width=\"918\" height=\"100\" class=\"aligncenter size-full wp-image-17142\"><\/a><\/p>\n<h2>How is CVE-2020-1380 dangerous?<\/h2>\n<p>The first vulnerability is in the library jscript9.dll, which all versions of Internet Explorer since IE9 use by default. In other words, the exploit for this vulnerability is dangerous for modern versions of the browser. (\u201cModern\u201d is perhaps a slight misnomer given that Microsoft stopped developing Internet Explorer after the release of Edge, with Windows 10.) But along with Edge, Internet Explorer is still installed by default in the latest Windows, and it remains an important component of the operating system.<\/p>\n<p>Even if you don\u2019t willingly use IE, and it is not your default browser, that doesn\u2019t mean your system cannot be infected through an IE exploit \u2014 some applications do use it from time to time. Take Microsoft Office, for example: It uses IE to display video content in documents. 
Cybercriminals can also call and exploit Internet Explorer through other vulnerabilities.<\/p>\n<p>CVE-2020-1380 belongs to the <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/use-after-free\/\" target=\"_blank\" rel=\"noopener noreferrer\">Use-After-Free<\/a> class \u2014 the vulnerability stems from the incorrect use of dynamic memory. You can read a detailed technical description of the exploit with indicators of compromise in the post \u201c<a href=\"https:\/\/securelist.com\/ie-and-windows-zero-day-operation-powerfall\/97976\/\" target=\"_blank\" rel=\"noopener noreferrer\">Internet Explorer 11 and Windows 0-day exploits full chain used in Operation PowerFall<\/a>\u201d on the Securelist website.<\/p>\n<h2>How to protect yourself<\/h2>\n<p>Microsoft <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0986\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">released a patch for CVE-2020-0986<\/a> (in the Windows kernel) on June 9, 2020. The Internet Explorer vulnerability, <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-1380\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">CVE-2020-1380, was patched on August 11<\/a>. If you update your operating systems regularly, they should already be protected against Operation PowerFall\u2013type attacks.<\/p>\n<p>However, zero-day vulnerabilities pop up all the time. To keep your company safe, you need to use a solution with anti-exploit technologies, such as <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Security for Business<\/a>. 
One of its components, the Exploit Prevention subsystem, identifies attempts to exploit zero-day vulnerabilities.<\/p>\n<p>In addition, we recommend using modern browsers that receive regular security updates.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our technologies prevented an attack. Expert analysis revealed the exploitation of two previously unknown vulnerabilities. What you need to know.<\/p>\n","protected":false},"author":2581,"featured_media":17140,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[477,268],"class_list":{"0":"post-17137","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-apt","11":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/cve-2020-1380-vulnerability\/17137\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/cve-2020-1380-vulnerability\/21674\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/cve-2020-1380-vulnerability\/23004\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cve-2020-1380-vulnerability\/21195\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/cve-2020-1380-vulnerability\/19890\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/cve-2020-1380-vulnerability\/23630\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/cve-2020-1380-vulnerability\/22527\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cve-2020-1380-vulnerability\/28892\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/cve-2020-1380-vulnerability\/8697\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cve-2020-1380-vulnerability\/36698\/"},{"
hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/cve-2020-1380-vulnerability\/15437\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/cve-2020-1380-vulnerability\/15897\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/cve-2020-1380-vulnerability\/13846\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/cve-2020-1380-vulnerability\/24867\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/cve-2020-1380-vulnerability\/11794\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/cve-2020-1380-vulnerability\/28981\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/cve-2020-1380-vulnerability\/25845\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/cve-2020-1380-vulnerability\/22717\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cve-2020-1380-vulnerability\/27964\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cve-2020-1380-vulnerability\/27794\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17137","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=17137"}],"version-history":[{"count":3,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17137\/revisions"}],"predecessor-version":[{"id":17143,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17137\/revisions\/17143"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/17140
"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=17137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=17137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=17137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}