Zero-day vulnerability in Windows

Privilege escalation

This vulnerability was used by the Equation Group in attacks involving the Fanny malware. The exploit was later added to the Stuxnet malware. It was initially discovered by Kaspersky Lab in December 2008.

The Microsoft bulletin, which describes four vulnerabilities, does not state which of them was used in the attacks. We are aware of at least two publicly disclosed exploits from this bulletin that were used by different malware in targeted attacks during Operation Pawn Storm and Turla.

The CVEs covered in this bulletin: CVE-2009-1123, CVE-2009-1124, CVE-2009-1125, CVE-2009-1126. At least one of them was exploited in the wild before the official security patch was released.

Known malware:

Exploit kits: Fanny, Stuxnet, Turla.

Vulnerability details

Advisory: SB2009060901 - Multiple privilege escalation vulnerabilities in Microsoft Windows

Vulnerable component: Windows

CVE-ID: CVE-2009-1123

CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-822 - Untrusted Pointer Dereference

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper validation of changes to certain kernel objects. By running a malicious application, a local attacker can submit malformed calls to the Windows kernel and execute arbitrary code in kernel mode.

Successful exploitation of the vulnerability results in privilege escalation, allowing an attacker to execute arbitrary code and take complete control of the affected system.

Note: according to reports, this vulnerability was being actively exploited before Microsoft issued a security patch.