This isn’t exactly what could be defined as a lucky year for Microsoft. If Windows 7 sales are booming, on the other hand the operating system made in Redmond has been hit hard by a lot of targeted attacks during these months. The Aurora exploit was just the first of the year, but the most serious attack has definitely been the Stuxnet case. Finding a 0day exploit is always difficult, but using four 0day exploits all together is actually impressive.
Yesterday another serious 0-day flaw was publicly disclosed on a Chinese board.
This is a serious flaw because it resides in win32k.sys, the kernel mode part of the Windows subsystem. It is a privilege escalation exploit which allows even limited user accounts to execute arbitrary code in kernel mode.
Win32k.sys’s NtGdiEnableEUDC API is not rightly validating some inputs, causing a stack overflow and overwriting the return address stored on the stack. A malicious attacker is able to redirect the overwritten return address to his malicious code and execute it with kernel mode privileges.
Being a privilege escalation exploit, it bypasses by design even the protection given by the User Account Control technology implemented in Windows Vista and Windows 7. All Windows XP/Vista/7 versions, both 32 and 64 bit, are vulnerable to this attack.
Good news is that we have not yet detected any malware exploiting this flaw. Bad news is that the flaw has been published online. This could potentially become a nightmare due to the nature of the flaw. We expect to see this exploit being actively used by malware very soon – it’s an opportunity that malware writers surely won’t miss.
We won’t disclose any further detail about the vulnerability at the moment because we are collaborating with Microsoft on this flaw.
– Marco Giuliani on Prevx Blog
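The post describes the bug class in one sentence: a length that the kernel trusts, a fixed-size buffer on the stack, and the saved return address sitting right after it. The following C program is an added illustration written for this page; it is not Prevx's, Microsoft's or the exploit author's code and it does not touch win32k.sys or NtGdiEnableEUDC at all. It models a stack frame as a plain byte array (a 16-byte local buffer followed by an 8-byte saved return address, a constructed layout), runs a constructed oversized record through a handler that trusts the caller-supplied length and through one that validates it against the buffer's capacity, and reports whether the saved return address survived. All names (`sim_frame`, `copy_record_trusting_length`, `copy_record_checked`, the `demo_*` helpers) are hypothetical; the point is the single missing bounds check that separates the two handlers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout: local buffer, then the saved return address,
 * the way a compiler might place them. Nothing here is real kernel code. */
#define LOCAL_BUF_SIZE 16
#define RET_OFFSET     LOCAL_BUF_SIZE
#define FRAME_SIZE     (LOCAL_BUF_SIZE + sizeof(uint64_t))

struct sim_frame {
    unsigned char bytes[FRAME_SIZE];
};

/* Zero the frame and store the "return address" the function should go back to. */
static void frame_init(struct sim_frame *f, uint64_t saved_ret)
{
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + RET_OFFSET, &saved_ret, sizeof saved_ret);
}

/* Read back the saved return address from the simulated frame. */
uint64_t frame_saved_ret(const struct sim_frame *f)
{
    uint64_t r;
    memcpy(&r, f->bytes + RET_OFFSET, sizeof r);
    return r;
}

/* The defect pattern the post describes: the caller-supplied length is
 * trusted, so anything longer than LOCAL_BUF_SIZE runs into the saved
 * return address. The clamp to FRAME_SIZE only keeps the simulation array
 * itself in bounds; it is not the check that is missing. Returns bytes copied. */
size_t copy_record_trusting_length(struct sim_frame *f, const unsigned char *rec, size_t len)
{
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memcpy(f->bytes, rec, len);
    return len;
}

/* The hardened form: validate the untrusted length against the buffer's
 * capacity before copying. Returns -1 on rejection, bytes copied otherwise. */
int copy_record_checked(struct sim_frame *f, const unsigned char *rec, size_t len)
{
    if (rec == NULL || len > LOCAL_BUF_SIZE)
        return -1;
    memcpy(f->bytes, rec, len);
    return (int)len;
}

/* Returns 1 if an oversized record clobbers the saved return address
 * in the trusting handler (it does), 0 otherwise. */
int demo_trusting_clobbers_ret(void)
{
    struct sim_frame f;
    const uint64_t original_ret = 0x1122334455667788ULL;   /* constructed */
    unsigned char rec[FRAME_SIZE];
    memset(rec, 'A', sizeof rec);                          /* constructed oversized record */
    frame_init(&f, original_ret);
    copy_record_trusting_length(&f, rec, sizeof rec);
    return frame_saved_ret(&f) != original_ret;
}

/* Returns 1 if the checked handler rejects the same record and leaves
 * the saved return address intact, 0 otherwise. */
int demo_checked_rejects(void)
{
    struct sim_frame f;
    const uint64_t original_ret = 0x1122334455667788ULL;   /* constructed */
    unsigned char rec[FRAME_SIZE];
    memset(rec, 'A', sizeof rec);
    frame_init(&f, original_ret);
    int rc = copy_record_checked(&f, rec, sizeof rec);
    return rc == -1 && frame_saved_ret(&f) == original_ret;
}

/* Returns 1 if the checked handler still accepts a record that fits. */
int demo_checked_accepts_valid(void)
{
    struct sim_frame f;
    const unsigned char rec[LOCAL_BUF_SIZE] = "EUDC-record-ok!";  /* constructed, 15 chars + NUL */
    frame_init(&f, 0);
    return copy_record_checked(&f, rec, sizeof rec) == (int)sizeof rec;
}

int main(void)
{
    printf("trusting handler overwrote saved return address: %s\n",
           demo_trusting_clobbers_ret() ? "yes" : "no");
    printf("checked handler rejected oversized record:       %s\n",
           demo_checked_rejects() ? "yes" : "no");
    printf("checked handler accepted in-bounds record:       %s\n",
           demo_checked_accepts_valid() ? "yes" : "no");
    return 0;
}
```

The difference between the two handlers is a single comparison against the buffer's real capacity. The simulation also shows why the post rates this as worse than an ordinary crash: once the saved return address is under the caller's control, the fault is no longer a denial of service but a transfer of control at whatever privilege the victim function runs, which in win32k.sys is kernel mode.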
Posted on 25 November 2010. Tags: 0day, Chinese, Exploit, NtGdiEnableEUDC, Speaks, Windows