New Windows zero-day flaw bypasses UAC

A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to “system,” and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed.

[Image: Proof of concept for elevation of privilege exploit]
The exploit takes advantage of a bug in win32k.sys, which is the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.

The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems. On its own, this bug does not allow remote code execution (RCE), but does enable non-administrator accounts to execute code as if they were an administrator.

There is one mitigation I discovered while researching this exploit. Unfortunately it is rather complicated, ugly, and difficult to implement. To prevent the flaw from being exploited you can perform the following actions:

  1. As an Administrator open Regedit and browse to HKEY_USERS\[SID of each user account]\EUDC
  2. Right-click EUDC and choose permissions
  3. Choose the user whose account you are modifying and select Advanced
  4. Select Add and then type in the user’s name and click OK
  5. Click the Deny checkbox for Delete and Create Subkey
  6. Click all the OKs and Apply buttons to exit
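The same six Regedit steps, scripted so they can be applied to every loaded user hive at once. This is an added example, not the author's script or anything from the original post; it assumes an elevated PowerShell session, that each user's hive is loaded under HKEY_USERS (users who are not logged on will not appear there), and that "Deny Delete and Create Subkey" is applied to the EUDC key and its subkeys, which is what the Advanced dialog does by default.

```powershell
# Added example (not from the original post): apply the EUDC mitigation described above
# by adding a Deny ACE for Delete and CreateSubKey on HKEY_USERS\<SID>\EUDC for each
# loaded user hive. Run from an elevated PowerShell; use -WhatIf to preview changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Assumption: only normal user accounts (S-1-5-21-...) are in scope; skip _Classes hives.
$hives = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

foreach ($hive in $hives) {
    $sid     = $hive.PSChildName
    $keyPath = "Registry::HKEY_USERS\$sid\EUDC"
    if (-not (Test-Path $keyPath)) {
        Write-Verbose "No EUDC key under $sid; skipping."
        continue
    }

    # Resolve the SID to an account name for readable output; fall back to the SID string.
    $identity = New-Object System.Security.Principal.SecurityIdentifier $sid
    try   { $account = $identity.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $account = $sid }

    # Step 5 of the post: Deny Delete and Create Subkey for the user who owns this hive.
    $rights = [System.Security.AccessControl.RegistryRights]::Delete -bor
              [System.Security.AccessControl.RegistryRights]::CreateSubKey
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $identity,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # this key and subkeys
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl = Get-Acl -Path $keyPath
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess("$keyPath ($account)", 'Deny Delete/CreateSubKey')) {
        Set-Acl -Path $keyPath -AclObject $acl
        # Read the ACL back so the change is confirmed rather than assumed.
        $applied = (Get-Acl -Path $keyPath).Access |
            Where-Object { $_.IdentityReference -eq $account -and
                           $_.AccessControlType -eq 'Deny' -and
                           ($_.RegistryRights -band $rights) -eq $rights }
        if ($applied) { Write-Output "Deny ACE confirmed for $account on $keyPath" }
        else          { Write-Warning "Deny ACE not found after Set-Acl on $keyPath" }
    }
}
```

Because Deny entries take precedence over Allow entries in the DACL, this blocks the user from deleting or creating subkeys under their own EUDC key even though they otherwise have full control of it; the post's caveat about multilingual installations still applies.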

[Image: Registry permissions for mitigation]

The registry keys being changed by this mitigation should not impact a user’s ability to use their system, but changing permissions related to Windows code page settings may cause problems with multilingual installations. In my testing it appears problem-free, but I have only had an hour or two to test. Use at your discretion.

The good news? For this to be exploited, malicious code that uses the exploit needs to be introduced. This means your email, web, and anti-virus filters can prevent malicious payloads from being downloaded. Keep an eye on the Naked Security blog for more information as we learn more about this flaw.
