A patched Windows attack surface is still exploitable

On August 8, 2023, Microsoft finally released a kernel patch for a class of vulnerabilities that had affected Microsoft Windows since 2015.

The vulnerabilities lead to elevation of privilege (EoP): an account with ordinary user rights can gain SYSTEM privileges on a vulnerable host. The root cause of this attack surface, according to a 2015 blog post, is that a normal user account can replace the real C:\ drive with a fake one by placing a symbolic link for the system drive in the device map that Windows keeps for each logon session. Drive letters are resolved through the device map of the token in effect, so when the kernel opens a path while impersonating that user, it follows the fake drive instead of the real system drive.

More than five months after the patches for these vulnerabilities were released, Kaspersky researchers are still seeing some of the exploits in the wild: they are a very easy way to get NT AUTHORITY\SYSTEM quickly, which is why they may be favored by well-known threat actors.
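To make the device-map mechanism concrete, the following PowerShell script is an added demonstration; it is not part of the Kaspersky write-up or of any exploit it describes. It shows only the redirection primitive: a standard user defines a per-logon-session `C:` link with `DefineDosDevice`, the session then resolves `C:\` to a directory the user controls, and the link is removed again. It contains no privileged trigger, so it is not an exploit. Assumptions: the script runs as a non-elevated user whose profile lives on `C:`, the per-session link shadows the global `C:` for processes in that session (the behaviour the text describes), and the `fake-c-root` directory and `marker.txt` file are arbitrary names chosen here. Run it only in a disposable VM: while the link exists, every process in the logon session sees the fake `C:`.

```powershell
# Added demonstration of the per-logon-session device map redirection.
# Not from the Kaspersky article; names and paths below are this demo's own assumptions.
# Run as a standard (non-elevated) user, in a throwaway VM.

Add-Type -Namespace Demo -Name DosDev -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool DefineDosDeviceW(uint dwFlags, string lpDeviceName, string lpTargetPath);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDeviceW(string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@

$DDD_RAW_TARGET_PATH       = 0x1   # target is an NT object path, used as-is
$DDD_REMOVE_DEFINITION     = 0x2
$DDD_EXACT_MATCH_ON_REMOVE = 0x4

function Get-DosDeviceTarget([string]$Name) {
    # QueryDosDevice returns a MULTI_SZ; the marshaller hands back the first
    # (current) target string, which is what we want to display.
    $sb = New-Object System.Text.StringBuilder 1024
    $n = [Demo.DosDev]::QueryDosDeviceW($Name, $sb, [uint32]$sb.Capacity)
    if ($n -eq 0) {
        throw "QueryDosDevice($Name) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $sb.ToString()
}

# Refuse to run elevated: an elevated caller may get the link created in the
# global device map, which would redirect C: for the whole machine.
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this demo as a standard, non-elevated user."
}

# 1. Record where C: really points (e.g. \Device\HarddiskVolume3).
$realTarget = Get-DosDeviceTarget 'C:'

# 2. Build an attacker-controlled directory with a marker file in it.
$fakeRoot = Join-Path $env:LOCALAPPDATA 'fake-c-root'   # assumed location for the demo
if ([IO.Path]::GetPathRoot($fakeRoot) -ne 'C:\') { throw "Demo assumes the user profile is on C:" }
New-Item -ItemType Directory -Force -Path $fakeRoot | Out-Null
Set-Content -Path (Join-Path $fakeRoot 'marker.txt') -Value 'attacker controlled'

# Express the fake root as an NT path on the real volume. Pointing the fake C:
# at "\??\C:\..." would resolve C: through the same per-session map and loop.
$ntTarget = $realTarget + $fakeRoot.Substring(2)

Write-Output "Before: C: -> $realTarget"
Write-Output "Before: C:\marker.txt exists = $([IO.File]::Exists('C:\marker.txt'))"

# 3. Shadow C: in this logon session's device map (\Sessions\0\DosDevices\<LUID>).
if (-not [Demo.DosDev]::DefineDosDeviceW($DDD_RAW_TARGET_PATH, 'C:', $ntTarget)) {
    throw "DefineDosDevice failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
try {
    # Every C:\ path opened by this session now lands in $fakeRoot.
    Write-Output "After:  C: -> $(Get-DosDeviceTarget 'C:')"
    Write-Output "After:  C:\marker.txt exists = $([IO.File]::Exists('C:\marker.txt'))"
}
finally {
    # 4. Always undo the redirection, matching the exact target we defined.
    $removeFlags = $DDD_REMOVE_DEFINITION -bor $DDD_RAW_TARGET_PATH -bor $DDD_EXACT_MATCH_ON_REMOVE
    [void][Demo.DosDev]::DefineDosDeviceW($removeFlags, 'C:', $ntTarget)
}
Write-Output "Restored: C: -> $(Get-DosDeviceTarget 'C:')"
```

The interesting part for the bug class is that nothing in the script needed administrator rights: the link lives in the user's own per-session directory. The privilege escalation described above comes from a kernel code path that opens a `C:\...` path while impersonating this user and therefore resolves the drive letter through this user's map, which the script does not (and should not) reproduce.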

Source: Kaspersky