Security News > 2020 > August > Windows and IE Zero-Day Vulnerabilities Chained in 'PowerFall' Attacks

Windows and IE Zero-Day Vulnerabilities Chained in 'PowerFall' Attacks
2020-08-12 16:09

An attack launched in May 2020 against a South Korean company involved an exploit that chained zero-day vulnerabilities in Windows and Internet Explorer, Kaspersky reported on Wednesday.

The vulnerabilities exploited in the attack have now been patched, but they had a zero-day status when exploitation was first observed.

Microsoft fixed this Windows vulnerability in June, but its details were disclosed in May by Trend Micro's Zero Day Initiative along with four other unpatched security holes affecting Windows.

ZDI disclosed CVE-2020-0986, which it reported to Microsoft in December 2019, after the tech giant missed a six-month deadline and failed to release a patch in May. Kaspersky said it spotted the Windows vulnerability being exploited in attacks one day after ZDI's disclosure.

The exploit used in the WizardOpium attacks did not work on the latest Windows 10 builds.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/qoiHGls8SEk/windows-and-ie-zero-day-vulnerabilities-chained-powerfall-attacks

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-06-09 CVE-2020-0986 Out-of-bounds Write vulnerability in Microsoft products
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.
local
low complexity
microsoft CWE-787
7.8