Zero-day vulnerability in Windows

Privilege escalation

The zero-day was being actively exploited by Russian hackers (APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Sofacy).

Vulnerability details

Advisory: SB2016110101 - Privilege escalation in Windows 10

Vulnerable component: Windows

CVE-ID: CVE-2016-7255

CVSSv3 score: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer


The vulnerability allows a local user to gain elevated privileges on the target system.

The weakness is due to improper handling of objects in memory by win32k.sys. By issuing a specially crafted NtSetWindowLongPtr() system call with index GWLP_ID on a window handle whose GWL_STYLE is set to WS_CHILD, a local attacker can execute arbitrary code with system privileges.

Successful exploitation of the vulnerability results in privilege escalation.

Note: this vulnerability is being actively exploited in the wild.

Public Exploits:

Latest references in media:

- Hardening Windows 10 with zero-day exploit mitigations [2017-01-13 22:28:49]

- Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations [2017-05-15 00:10:06]

- Microsoft Patches Zero-Days Exploited by Russia-Linked Hackers [2017-05-10 06:10:23]

- EPS Processing Zero-Days Exploited by Multiple Threat Actors [2017-05-09 19:20:17]

- Nation States Distancing Themselves from APTs [2017-02-14 16:50:28]

- Windows 10 Blocks Zero-Days Before Patches Arrive: Microsoft [2017-01-19 00:07:06]

- Windows 10 Anniversary Update crushed exploits without need of patches [2017-01-16 09:10:01]

- Lithuania government PCs infected by a Russian spyware [2016-12-28 06:54:59]

- German Industrial Giant Victim of Cyber Espionage [2016-12-12 16:46:11]

- One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild [2016-12-02 10:56:21]

- InPage Zero Day Used in Attacks Against Banks [2016-11-23 15:08:13]

- Army Bug Bounty Building New Relationships with Hackers [2016-11-14 18:05:06]

- Security Affairs newsletter Round 86 – News of the week [2016-11-13 14:05:31]

- Pawn Storm APT conducted spear-phishing attacks before zero-days was fixed [2016-11-13 10:54:57]

- Cyberspies Ramped Up Attacks After Exposure of Zero-Days [2016-11-09 20:23:28]

- November Patch Tuesday fixes controversial Windows 0-day hole [2016-11-09 18:54:57]

- Microsoft has patched a critical Windows kernel zero-day vulnerability disclosed by Google that was being exploited by Fancy Bear Russian Hackers. [2016-11-09 18:22:49]

- Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched [2016-11-09 14:27:42]

- Microsoft patches 68 vulnerabilities, two actively exploited ones [2016-11-09 12:24:29]

- Heavy Patch Tuesday on US Election Day [2016-11-09 12:12:06]

- Microsoft patches CVE-2016-7255 Windows zero-day exploited by Fancy Bear [2016-11-09 09:24:35]

- Patch Tuesday of November 2016: Six Critical Bulletins, Eight Important [2016-11-09 06:30:46]

- Microsoft patches 68 vulnerabilities, two actively exploited ones [2016-11-09 01:02:26]

- Nov 2016 Patch Tuesday: Microsoft released 14 security updates, 6 rated critical [2016-11-08 21:02:39]

- Microsoft Patches Windows Zero-Day Exploited by Russian Hackers [2016-11-08 20:23:26]
