
Kaspersky Discovers “MysterySnail” Zero-Day in Microsoft’s Win32K Kernel


Microsoft rolled out its October 2021 Patch Tuesday this week. We have already covered the general release, including a fix for a zero-day vulnerability in Win32K that is being exploited in the wild. That bug is severe enough that it deserves a closer look, and that is what Kaspersky is doing in a blog post published yesterday.

The security firm is calling the exploit MysterySnail and it was discovered by one of its researchers. Kaspersky informed Microsoft about the flaw previously, hence the company's fix in the Patch Tuesday rollup this week.

This zero-day exploit allows threat actors to carry out escalation of privilege attacks and take control of Windows servers. It seems MysterySnail is an extension of an advanced persistent threat (APT) coming from Chinese-speaking hackers.

Through tracking the exploit, Kaspersky found a new type of remote access trojan (RAT). The idea is for the exploit to enter a vulnerable server and help the attackers steal data. Microsoft has already rolled out a patch as part of October Patch Tuesday. That means users should install the update to avoid becoming a victim.

“The root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API functions during execution of those callbacks,” the Kaspersky blog explains. “The CVE-2021-40449 is triggered when the function ResetDC is executed a second time for the same handle during execution of its own callback.”


When this happens, a memory reference is left pointing to a Proactive Data Container (PDC) that has already been destroyed. Attackers can use the broken PDC to call an arbitrary kernel function and then read and write kernel memory. The next step, using already known techniques, would be to leak kernel addresses.
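
The re-entrancy pattern described above, as an added example that is not from Kaspersky's post or Microsoft's code: a toy user-space C model in which a reset routine's callback calls the same reset again for the same object. All names here (dc_t, reset_unguarded, reset_guarded, run) are hypothetical, and the guard shown is one generic mitigation, not Microsoft's actual patch.

```c
#include <stdio.h>
/* Toy user-space model, constructed for illustration; not Win32k code. */
typedef struct dc {
    int generation;                /* bumped each time the object is torn down and rebuilt */
    int in_reset;                  /* re-entrancy flag, used only by the guarded path */
    void (*on_reset)(struct dc *); /* stands in for the user-mode callback */
} dc_t;
enum { RESET_OK, RESET_STALE, RESET_REENTRANT };
static int (*reset_fn)(dc_t *);    /* reset routine the callback re-enters */
static int nested_result;          /* what the nested call returned */

/* Callback that calls reset again for the same object, once. */
static void reentering_callback(dc_t *dc) {
    dc->on_reset = NULL;
    nested_result = reset_fn(dc);
}

/* Flawed shape: state captured before the callback is trusted after it. */
int reset_unguarded(dc_t *dc) {
    int seen = dc->generation;
    if (dc->on_reset) dc->on_reset(dc);
    /* The nested call rebuilt the object; real code would now use a destroyed one. */
    if (dc->generation != seen) return RESET_STALE;
    dc->generation++;
    return RESET_OK;
}

/* Guarded shape: a nested reset on the same object is refused. */
int reset_guarded(dc_t *dc) {
    if (dc->in_reset) return RESET_REENTRANT;
    dc->in_reset = 1;
    if (dc->on_reset) dc->on_reset(dc);
    dc->generation++;
    dc->in_reset = 0;
    return RESET_OK;
}

/* Runs one scenario; returns the outer result and stores the nested one. */
int run(int (*fn)(dc_t *), int *nested) {
    dc_t dc = { 0, 0, reentering_callback };
    reset_fn = fn;
    int outer = fn(&dc);
    *nested = nested_result;
    return outer;
}

int main(void) {
    int n1, n2, o1 = run(reset_unguarded, &n1), o2 = run(reset_guarded, &n2);
    printf("unguarded: outer=%d nested=%d\nguarded: outer=%d nested=%d\n", o1, n1, o2, n2);
    return 0;
}
```

In the unguarded run the nested call succeeds and the outer call is left holding stale state; in the guarded run the nested call is rejected and the outer call completes normally.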

“The malware itself is not very sophisticated and has functionality similar to many other remote shells,” researchers noted. “But it still somehow stands out, with a relatively large number of implemented commands and extra capabilities like monitoring for inserted disk drives and the ability to act as a proxy.”


Last Updated on February 14, 2022 8:19 pm CET

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
