Security hole in Windows kernel allows UAC bypass

Summary: A privilege escalation vulnerability in the Windows kernel can be exploited to bypass Microsoft's UAC (user account control) security mechanism

A privilege escalation vulnerability in the Windows kernel can be exploited to bypass Microsoft's UAC (user account control) security mechanism, according to a warning from a security researcher.

Proof-of-concept exploit code has been published on the Web.  Microsoft says it is investigating the issue.

This Secunia advisory spells out the problem:

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

The vulnerability is caused due to an error in win32k.sys when processing the "GreEnableEUDC()" function. This can be exploited to overflow the "EntryContext" buffer specified in the "QueryTable" parameter to the "RtlQueryRegistryValues()" function via e.g. a specially crafted "SystemDefaultEUDCFont" registry value.

Successful exploitation allows execution of arbitrary code in the kernel.

The published proof-of-concept successfully bypasses the UAC security mechanism on Windows but the severity is somewhat reduced because a hacker must combine two security vulnerabilities (and exploits) to launch a successful attack.
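The advisory above says the crafted input is an oversized "SystemDefaultEUDCFont" registry value. As an added defender-side check (my own example, not code from the article or from Secunia), this PowerShell script audits that value on a machine; it assumes the value lives under the per-user key HKCU:\EUDC\<codepage>, a location the article does not state, and treats anything that is not a short REG_SZ font-file name as worth investigating.

```powershell
# Added example, not from the article: report SystemDefaultEUDCFont values
# that do not look like a normal font-file name. Assumption: the value sits
# under HKCU:\EUDC\<codepage> (the article names the value, not the key).
$MaxExpectedLength = 260   # MAX_PATH; a legitimate font file name never exceeds this

function Test-EudcFontValue {
    param([string]$KeyPath)
    $item = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    $kind = $item.GetValueKind('SystemDefaultEUDCFont')
    $raw  = $item.GetValue('SystemDefaultEUDCFont', $null, 'DoNotExpandEnvironmentNames')
    # A crafted value may be REG_BINARY, so measure bytes or characters as appropriate.
    $length = if ($raw -is [byte[]]) { $raw.Length } else { ([string]$raw).Length }
    [pscustomobject]@{
        Key        = $KeyPath
        ValueKind  = $kind
        Length     = $length
        Suspicious = ($kind -ne 'String') -or ($length -gt $MaxExpectedLength)
    }
}

# One subkey per code page; only keys that actually carry the value are checked.
$findings = foreach ($cp in Get-ChildItem -Path 'HKCU:\EUDC' -ErrorAction SilentlyContinue) {
    if ($cp.GetValueNames() -contains 'SystemDefaultEUDCFont') {
        Test-EudcFontValue -KeyPath $cp.PSPath
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No SystemDefaultEUDCFont values found under HKCU:\EUDC' }

$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Unexpected SystemDefaultEUDCFont ($($_.ValueKind), length $($_.Length)) in $($_.Key)"
}
```

Because the key is in the user's own hive, a flagged value shows that something already wrote there; the script is for detection and triage, and the vendor patch is the actual fix.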

Talkback

48 comments
  • According to the rules, this one is no big deal

    [i]which can be exploited by malicious, local users[/i]

    The rules clearly state that local vulnerabilities are no big deal, at least when they are found in OS X and Linux.

    Cue the double standards...
    NonZealot
    • The article does not show a double standard applied...

      @NonZealot
      Your comment "The rules clearly state that local vulnerabilities are no big deal...": I have never read that rule; however, I will agree with you that local vulnerabilities are not a big deal. Reading that article, I do not read where it states that it does or does not apply to other OSes.

      As usual you are just starting another fight. Do you have anything of substance to contribute to the article or discussion? Hum, does not appear as though you do.
      BubbaJones_
      • He mentioned other operating systems for reference purposes.

        @RicD_: The fact other operating systems are not mentioned is irrelevant.
        ye
      • RE: Security hole in Windows kernel allows UAC bypass

        @RicD_ Because when things like this are shown in MAC OS or Linux the fanboys blow it off.
        Jimster480
      • RE: Security hole in Windows kernel allows UAC bypass

        [i]@RicD_ Because when things like this are shown in MAC OS or Linux the fanboys blow it off.[/i]

        What do you care if it gets "blown off" or not? You don't even use OSX or Linux, so, so what.
        ahh so
    • Also there is no actual exploit code. Just proof of concept.

      @NonZealot: nt
      ye
    • Agreed: No big deal

      @NonZealot
      nt
      Dietrich T. Schmitz, ~ Your Linux Advocate
    • It's hilarious how you play the cue the double standards schtick

      as first post on a thread.
      frgough
      • Do you know what the word "cue" means?

        @frgough
        Obviously you don't.

        Hint: a cue happens [b]before[/b] the event it is a cue for. Hence, my post makes [b]perfect[/b] sense as the first post.

        Is English not your first language? Just curious because it is either that or you aren't very smart.
        NonZealot
      • Yes, he did have to trot out Apple and Linux...

        ...when he knew his cue schtick didn't have a pot to pi$$ over this windoze kernel issue.

        Just blame Apple for the UAC security hole bypass. It's all Steve Jobs fault.

        lol... :D
        ahh so
    • True, windows has a bad record for privilege escalation

      Surely local vulnerabilities are a big issue for desktop OSes. Particularly those with a history of massive amounts of malware.

      Or is NonZealot saying this is a real problem for windows users?
      Richard Flude
      • Any evidence to support this?

        @Richard Flude: [i]True, windows has a bad record for privilege escalation[/i]

        Or are you expecting us to take you at your word?

        [i]Particularly those with a history of massive amounts of malware.[/i]

        Massive market share leads to massive amounts of malware.
        ye
      • Yes, Ye

        Privilege escalation recorded by secunia win7 (11), vista (24). Before that no effective protection from largest attack vector - shatter attacks (crippled windows event messaging)

        If market share is the determinant for the amount of malware, then the solution on Windows would only be to sell fewer or move to an alternate OS. Ye might have a point.
        Richard Flude
      • RE: Security hole in Windows kernel allows UAC bypass

        @ye: "massive market share leads to massive amounts of malware", so that would mean that the 70% Linux market on cellphones would create a massive amount of malware. So far, I have only seen proof-of-concepts for Android and none for the other Linux varieties.

        Quit using that MS nonsense. Mainframes had a massive market share in the '60s and until today, no successful virus has appeared on that market. Unix had a smaller market share and essentially created the first worms.
        cosuna
      • RE: Security hole in Windows kernel allows UAC bypass

        @cosuna

        Big difference between a cell phone OS and a desktop OS, you do realize that, right? Just because Android is based off Linux does not mean it is the same kernel as the desktop version. It is just like iOS is based off Mac OS.

        Nice attempt though.
        bobiroc
      • Wow you really do like living in the past.

        @Richard Flude: DLL hell, shatter attacks, etc. What's next? IRQ and COM port conflicts? You're really, really desperate aren't you?

        [i]If market share is the determinant for amount of malware, then the solution on windows would only be sell fewer or move to alternate OS.[/i]

        That's a possibility if your intent is to use a platform which is not targeted by malware.
        ye
      • Ye, the past is clearly longer than the MCSE's attention span

        I blame the education system failing our youth.

        Still today the majority of Windows users are exposed to shatter attacks (XP). You'd think the learned MCSE would know this.

        For fun, what portion of desktop users are intent on using a platform targeted by malware?
        Richard Flude
      • There's those words again. Did you just learn something new?

        @Richard Flude: [i]Still today the majority of Windows users are exposed to [b]shatter attacks (XP)[/b].[/i]

        Shatter attacks are old news. Perhaps they're new to you? Come join us in 2010. You'll notice much has changed.
        ye
      • Given XP is still at what?

        Around 60% usage at the moment?

        That makes shatter attacks still relevant news.

        Come up with something better, ye. You got NonZealot beat.
        ahh so
    • RE: Security hole in Windows kernel allows UAC bypass

      @NonZealot: local user means you and anybody else using the system. That is, this is not a fly-by, but can easily be attached to a fake "setup.exe" file which will not prompt the user for privileges when run. Simple example: you could create a simple *.exe file running a demo flash and, without the user's knowledge (he depends on UAC for security), code could create a trojan or plant a virus.

      Then again... people always state that the reason for moving to Windows 7 was security... yeah right... XP we know dearly and IT admins know how to block all entrances. 7 is brand new and prone to these kinds of mistakes.
      cosuna