nsane.forums, posted November 25, 2010:

Winrumors has reported that a new 0-day vulnerability affecting Windows XP, Vista and 7 has been discovered. The vulnerability resides in win32k.sys, "the kernel mode part of the Windows subsystem." This exploit allows user privilege elevation, enabling even limited accounts to execute arbitrary code. Marco Giuliani of Prevx has stated that no malware is currently exploiting this flaw, but also warned that it would be "very soon" before malware authors begin exploiting the vulnerability. The API in which the vulnerability is located does not correctly validate input, resulting in a stack overflow. This means that an attacker could control the destination of the "overwritten return address" and in essence execute their code with kernel mode privileges. Since this exploits user elevation, it bypasses UAC and leaves Vista and 7 vulnerable. This is specifically important due to the fact that UAC was originally implemented to prevent unauthorized privilege elevation. Prevx is well known for mistakenly stating, last year, that Windows Update was creating a "black screen of death." It was later revealed that the black screen was caused by a malware infection, rather than an oversight or mistake on Microsoft's part. Microsoft has confirmed that they are evaluating this vulnerability, so a fix could be in the works.
DKT27 (Administrator), posted November 25, 2010:

May well see an emergency out-of-schedule update.
spootnack, posted November 25, 2010:

New Prevx release provides a solution to this 0-day. Check out the Prevx topic in CC !++
tipo, posted November 26, 2010:

Various security vendors warned today about the public availability of exploit code for a previously unknown Windows privilege escalation vulnerability that can be used to bypass UAC. The vulnerability was disclosed on a programming portal called CodeProject, but the page has since been removed by the site's administrators. The flaw is located in the Windows kernel-mode device driver (win32k.sys) and allows attackers with limited access to execute code as SYSTEM. According to BitDefender, the vulnerable API is called RtlQueryRegistryValues and can be exploited by creating a malformed registry key.

An important aspect of this vulnerability is that it allows bypassing the User Access Control (UAC), a security feature designed to prevent the execution of unauthorized code in Windows 7 and Vista. Despite the initial disclosure page being taken down, proof-of-concept exploit code has already made its way onto exploit-db.com and is currently available to anyone interested in it. Given the nature of the vulnerability, antivirus vendors expect to see it exploited in malware attacks very soon. Microsoft has yet to comment on the issue.

One malware that made use of similar elevation of privilege (EoP) flaws in Windows is the infamous Stuxnet industrial espionage worm discovered earlier this year. In fact, one of the two EoP vulnerabilities leveraged by Stuxnet remains unpatched to this day. Earlier this week we reported that exploit code for it has also been publicly released.

Chester Wisniewski, a senior security advisor at Sophos, notes that one possible mitigation involves setting the user's permissions for the "HKEY_USERS\[ACCOUNT_SID]\EUDC" registry key to Deny Delete and Create Subkey. The SID can be determined by typing "whoami /user" in a command prompt window.

With this new announcement, Microsoft currently has three zero-day vulnerabilities on its hands. In addition to the Stuxnet EoP, a critical Internet Explorer arbitrary code execution flaw is also being exploited in the wild.
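The EUDC registry hardening quoted above, written out as a PowerShell script. This is an added example, not code from the thread or from Sophos; it assumes the account to harden is the one running the script (the same SID that "whoami /user" prints) and that the script runs from an elevated prompt.

```powershell
# Added example: deny "Delete" and "Create Subkey" on HKEY_USERS\<SID>\EUDC
# for the current account, as suggested in the post above. Run elevated.
# Assumption: the current user's SID is the one to harden.

$sid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$path = "Registry::HKEY_USERS\$sid\EUDC"

if (-not (Test-Path -Path $path)) {
    # The key is absent on some profiles; create it so the Deny ACE has a target.
    New-Item -Path $path -Force | Out-Null
}

$identity = New-Object System.Security.Principal.SecurityIdentifier($sid)
$rights   = [System.Security.AccessControl.RegistryRights]'Delete, CreateSubKey'
$denyRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $identity,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

# Add the Deny entry to the key's existing DACL rather than replacing it.
$acl = Get-Acl -Path $path
$acl.AddAccessRule($denyRule)
Set-Acl -Path $path -AclObject $acl

# Verification: show the Deny entries now present for this account.
$account = $identity.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path $path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

Because the user owns their own hive key, code running as that user can still rewrite the DACL before creating subkeys, so treat this as a stopgap that raises the bar rather than a substitute for the vendor patch.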
DKT27 (Administrator), posted November 26, 2010:

Threads merged.