Blackswan = unexpected, tough to detect, easy to exploit, set of seven 0-days found in one week, present in every Windows version since 2007 puts billions of users at risk
Today, we’re excited to be able to release more details on our security services team’s discovery of seven critical 0-day vulnerabilities in Microsoft Windows software and operating systems. This includes six privilege escalations and one info leak – all of which have now been patched.
What’s in a name? The meaning behind Blackswan.
We have dubbed our findings “Blackswan” due to the unexpected find, the quantity, and the detection challenge of these vulnerabilities which have amazingly existed in Windows since the 2007 release of Windows Vista, putting billions of users at risk.
Such an extensive discovery is extremely rare. We estimate that nearly every Windows computer in the world is vulnerable if unpatched, potentially impacting businesses worldwide.
According to Matt Holland, our Founder, CEO, and CTO, all seven of these vulnerabilities add to a perfect attack scenario and would be easy to utilize as part of a ransomware or nation state attack chain against businesses of any size and type.
“The Blackswan 0-days are absolute gold for cyber criminals,” said Matt. “If found, they would be very effective from an attacker’s perspective because they are extremely hard to detect, provide access to the deepest layers of the operating system, and can be exploited with 99% reliability. This makes it absolutely to keep systems patched and put advanced security measures in place, especially for those businesses that rely on Windows every day.”
A recap on the Blackswan timeline
We discovered the vulnerabilities in late April 2021, responsibly disclosing our research findings to Microsoft in early May 2021, with proof of concepts and full working exploits.
In its Patch Tuesday updates on July 13, 2021 and September 14, 2021, Microsoft issued patches for the first vulnerability, CVE-2021-34514, and the next five vulnerabilities, including CVE-2021-38628, CVE-2021-38629, and CVE-2021-38638. Patches for the seventh vulnerability, CVE-2021-26442 were released on October 12, 2021.
All of the Blackswan vulnerabilities were discovered within one week by Field Effect’s security services team while doing research on the company’s Covalence MDR platform. A vulnerability in the Advanced Local Procedure Call (ALPC) component of the Windows kernel ntoskrnl.exe caught their eye — something that was exploitable if triggered in an unexpected way. Upon further investigation, a series of vulnerabilities were found that had similar characteristics.
As Matt explains, the unexpected discovery deserves the moniker “Blackswan” for several reasons. “We weren’t actively threat hunting and didn’t expect to find seven 0-days that could be easily weaponized with only a single week’s effort. What makes these particularly unique is how easily we found them and how long they have been undiscovered in Windows.”
Field Effect customers are protected with Covalence MDR Solution
Through our extensive experience with offensive tradecraft techniques and incident response, and our team’s intelligence background, Field Effect is continually innovating to expand our Covalence MDR platform to stay ahead of the constantly evolving threat landscape. This commitment to product growth is backed by an ongoing, significant investment in R&D — more than 50% of our revenues are invested into technology.
Our Blackswan vulnerability discovery is just the tip of the iceberg when it comes to the amazing caliber of cyber security talent we have at Field Effect and our commitment to ensuring our customers and partners are protected! It also underscores the importance of being diligent with cyber security and investing in an enterprise-grade managed security service to effectively detect and block threats well before they become serious risks to businesses.
All seven vulnerabilities have been patched
- CVE-2021-34514: Windows Kernel Elevation of Privilege Vulnerability
- CVE-2021-38629: Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability
- CVE-2021-38628: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
- CVE-2021-38638: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. Note: this CVE actually includes three 0-days.
- CVE-2021-26442: Windows HTTP.sys Elevation of Privilege Vulnerability
You can access links to the patches and more details about the vulnerabilities patched in Microsoft’s Security Update.
For the latest news about new and emerging threats, cyber security best practices and tips, informative webinar invites, and more – sign up for our newsletter below!