It is arguable that Microsoft’s discovery of the pair od zero-day exploits came by chance. The company was analysing a PDF sample of a potential exploit for a Windows kernel flaw. That PDF was sent by ESET senior malware researcher Anton Cherepanov. While looking into that potential vulnerability, Microsoft stumbled upon two entirely different zero-day exploits. The first was a flaw in Adobe services, while the second affected older Microsoft platforms like Windows 7 and Windows Server 2008. In response to the discovery, Microsoft and Adobe sent out relevant patches to shore their services:
CVE-2018-4990 | Security updates available for Adobe Acrobat and Reader | APSB18-09 CVE-2018-8120 | Win32k Elevation of Privilege Vulnerability
Discussing the Adobe vulnerabilities, Microsoft’s Windows Defender blog post states: “The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape Adobe Reader sandbox and run with elevated privileges from Windows kernel memory. ESET provided an analysis of the exploitation routines in the sample PDF.”
Amazing Result
The PDF sample including the exploits (and the potential Windows kernel problem) were found on VirusTotal. However, Microsoft says it has not observed any instances of the flaws being exploited in an attack. Instead, the company explains the exploit was still being developer and was at a proof-of-concept stage. Because of this, Redmond insists finding and shutting down the flaws before an attack was an “amazing result of the great collaboration between ESET, Microsoft, and Adobe security researchers.”