Windows 0-day vulnerability bypasses UAC

Winrumors has reported that a new 0-day vulnerability affecting Windows XP, Vista and 7 has been discovered. The vulnerability resides in win32k.sys, "the kernel mode part of the Windows subsystem." This exploit allows user privilege elevation, enabling even limited accounts to execute arbitrary code.

Marco Giuliani of Prevx has stated that no malware is currently exploiting this flaw, but also warned that it would be "very soon" before malware authors begin exploiting the vulnerability.

The API in which the vulnerability is located does not correctly validate input, resulting in a stack overflow. This means that an attacker could control the destination of the "overwritten return address" and in essence execute their code with kernel mode privileges. Because the exploit elevates privileges directly, it bypasses UAC and leaves Vista and 7 vulnerable. This is particularly notable because UAC was originally implemented to prevent unauthorized privilege elevation.
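To make the missing-validation failure concrete, here is an added C model (not win32k.sys code, and not from the article) of a kernel-style handler that copies a caller-supplied number of elements into a fixed-size stack buffer: the unchecked form overflows in exactly the way described above, while the checked form rejects the request before any copy happens. The request layout, ITEM_CAP and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a user-mode-to-kernel request; not the win32k.sys
 * interface. The caller controls both count and items. */
#define ITEM_CAP 16u

typedef struct {
    uint32_t count;      /* caller-supplied element count */
    uint32_t items[64];  /* caller-supplied payload */
} user_request_t;

enum { STATUS_OK = 0, STATUS_INVALID_PARAMETER = 1 };

/* Vulnerable pattern: the handler trusts req->count and copies that many
 * elements into a fixed-size stack buffer. A count above ITEM_CAP writes
 * past 'local' into the saved frame, i.e. the overwritten return address
 * the article describes. Kept only for contrast; never pass it an
 * oversized request. */
uint32_t handler_unchecked(const user_request_t *req)
{
    uint32_t local[ITEM_CAP], sum = 0;
    memcpy(local, req->items, req->count * sizeof(uint32_t)); /* unbounded */
    for (uint32_t i = 0; i < req->count; i++) sum += local[i];
    return sum;
}

/* Hardened pattern: validate every caller-supplied size before it drives a
 * copy, so an oversized request is refused before it can reach the buffer. */
int handler_checked(const user_request_t *req, uint32_t *out_sum)
{
    if (req == NULL || out_sum == NULL || req->count > ITEM_CAP)
        return STATUS_INVALID_PARAMETER;
    uint32_t local[ITEM_CAP], sum = 0;
    memcpy(local, req->items, req->count * sizeof(uint32_t));
    for (uint32_t i = 0; i < req->count; i++) sum += local[i];
    *out_sum = sum;
    return STATUS_OK;
}

/* Builds a constructed request of 'count' elements, each equal to 'value'. */
user_request_t make_request(uint32_t count, uint32_t value)
{
    user_request_t r;
    memset(&r, 0, sizeof r);
    r.count = count;
    for (uint32_t i = 0; i < count && i < 64; i++) r.items[i] = value;
    return r;
}

/* Runs the checked handler on a constructed request; returns its status and
 * writes the computed sum (0 when rejected) to *out_sum if non-NULL. */
int checked_result(uint32_t count, uint32_t value, uint32_t *out_sum)
{
    user_request_t r = make_request(count, value);
    uint32_t sum = 0;
    int status = handler_checked(&r, &sum);
    if (out_sum) *out_sum = sum;
    return status;
}
```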

Prevx is well known for mistakenly stating, last year, that Windows Update was creating a "black screen of death." It was later revealed that the black screen was caused by a malware infection, rather than an oversight or mistake on Microsoft's part. 

Microsoft has confirmed that they are evaluating this vulnerability so a fix could be in the works.


*yawn* So, why does another vulnerability in the most popular family of operating systems in the world surprise anyone? Windows 7 is the most secure OS in computing history, with Vista right behind 7. And, why is this even newsworthy at this point, since it's not an exploit that is being exploited?

I don't waste my time with competing computing products that cost way more and/or do way less, and neither do the malware authors. And, who could blame them for not wasting time writing malicious code for such a small group of potential victims? It's along the same rationale that professional bank robbers don't hold up gas stations... there's simply not much to be gained from it. If OS X or Linux had half the market share that Windows holds, the computing world would be a far more dangerous place.

And, I am in the camp with the power users that disable UAC immediately. I also run with full admin rights and always have. Nobody uses my PC except for me and I find the prompts very annoying. I disabled UAC in Vista RC1 when it was released, haven't enabled it in Vista or 7 since then and I don't have issues with malware infections. If my wife were a computer dummy (she is not) or I had kids using a shared machine, I would leave UAC enabled and make everyone run with very limited rights.

Can I go back to sleep now?

privilege escalation is the point of this exploit, UAC bypass is just a side effect.

Interesting thing about the "responsible disclosure" is that Microsoft has been aware of this flaw since the beginning of the year, while this PoC had also been properly delivered to MSRC prior to its public availability.
According to Wikipedia (spare me any Wikipedia arguments, http://en.wikipedia.org/wiki/Responsible_disclosure),
if this has something to do with the period allowed for vendor patches, this would probably go down in history as the longest ever response time to a security flaw of this level.

Darrian said,
Since when did UAC have anything to do with web surfing or monitoring your activity?
people around the interwebz just type stuff - it need not make sense.

The moral of the story is even Windows 7/Vista users are susceptible to viruses/malware/exploits. Where is WindowsFanatic? I'd like to hear his opinion on this regarding his so called "Most secure operation system in the world".

I think the best solution is to replace virus ridden Windows installations with GNU/Linux. You can then be assured of your security.

Flawed said,
The moral of the story is even Windows 7/Vista users are susceptible to viruses/malware/exploits. Where is WindowsFanatic? I'd like to hear his opinion on this regarding his so called "Most secure operation system in the world".

I think the best solution is to replace virus ridden Windows installations with GNU/Linux. You can then be assured of your security.

The moral of the story is that all OSes have flaws. Linux has plenty of privilege escalation vulnerabilities, so I have no idea what the heck you are talking about, you make it sound as if this never happens in Linux, which is not true. Most nobody wants Linux, lying about its security prowess isn't going to change that. Anyway, Windows 7 has just about all the security available in Linux, with the ability to run apps/games that XP runs, so it's the best of both worlds.

Flawed said,
The moral of the story is even Windows 7/Vista users are susceptible to viruses/malware/exploits. Where is WindowsFanatic? I'd like to hear his opinion on this regarding his so called "Most secure operation system in the world".

I think the best solution is to replace virus ridden Windows installations with GNU/Linux. You can then be assured of your security.

Lollllllllll. The moral of the story is that this is the *First* ever vulnerability ever found with UAC. There are *NO* viruses/malware made out of this yet. So, Windows 7/Vista users are COMPLETELY safe as yet. On the other hand Ubuntu and Linux, and Firefox have hundreds of security exploits which means thousands of Linux Luddites get affected with malware every day. Lollllllllll.

Plus Ubuntu is a fugly, unproductive, unusable and pathetic OS compared to the beautiful, productive and elegant Windows 7. That's why every sane person should stay 100 miles away from the crap that Ubuntu is. Lolllllllllllllll.

Mr aldo said,
If it walks like a duck, quacks like a duck, looks like a duck, it's a duck.

That's, of course, false analogy because UAC doesn't implement a security boundary, and doesn't claim to be, so doesn't meet the walking, quacking or looking like a duck test.

I suppose it's a relative concept though - akin to those who don't know the difference between a chicken and a duck. To the uneducated, they might well seem the same!

N1CK said,

That's, of course, false analogy because UAC doesn't implement a security boundary, and doesn't claim to be, so doesn't meet the walking, quacking or looking like a duck test.

I suppose it's a relative concept though - akin to those who don't know the difference between a chicken and a duck. To the uneducated, they might well seem the same!

Well, sure, Microsoft says it isn't really a security feature, but it certainly acts as one... It prevents applications from running as an administrator without asking. That's security to me. At least more so than previous to Windows Vista.

N1CK, you have to understand, that MS is a huge corporation and has to cover its *** completely in a 100% bullet proof legal manner. UAC is not a 'security boundary' but that has special meaning in MS jargon, that means it will never ever be breached no matter what (and if it is breached, it will be patched ASAP by MS). Even if a security feature prevents 99.99999% of malware infection attempts on various configurations, if there is a .00001% chance of a configuration allowing a lucky piece of malware in, then MS can't legally call it a 'security boundary' even though that would be vastly better than a 100% chance the malware could infect the system at will. That's basically what UAC is, unless you can demonstrate a piece of malware that can bypass UAC in a statistically significant number of cases and configurations, I'm going to have to say it's much better than nothing at all, and only slightly worse than running as standard user. But if you're paranoid, by all means, run as standard user. But most users are not going to remember a second password and enter it every time they need Admin access, they will just disable it, so UAC is a good solution in practice.

UAC exists to coerce developers to not require administrative privileges for their applications to run - which used to be so prevalent under XP. It does this by making it 'painful' to require such rights.

It does not implement a security boundary - and you can still modify the user session in many other ways to get elevation if you want to.

Did you actually read those articles?

From the first:

"However, let's be clear that no matter how difficult to pull off, the mere possibility of such a breach of a sandbox wall implies that ILs, in and of themselves, do not define security boundaries. What's a security boundary? It's a wall through which code and data can't pass without the authorization of a security policy. User accounts running in separate sessions are separated by a Windows security boundary, for example. One user should not be able to read or modify the data of another user, nor be able to cause other users to execute code, without the permission of the other user. If for some reason it was possible to bypass security policy, it would mean that there was a security bug in Windows (or third-party code that allows it).
It should be clear then, that neither UAC elevations nor Protected Mode IE define new Windows security boundaries. Microsoft has been communicating this but I want to make sure that the point is clearly heard. Further, as Jim Allchin pointed out in his blog post Security Features vs Convenience, Vista makes tradeoffs between security and convenience, and both UAC and Protected Mode IE have design choices that required paths to be opened in the IL wall for application compatibility and ease of use."

Or the second:

"One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure all. UAC helps most by being the prompt before software is installed. This part of UAC is in full force when the “Notify me only when…” setting is used. UAC also prompts for other system wide changes that require administrator privileges which, considered in the abstract, would seem to be an effective counter-measure to malware after it is running, but the practical experience is that its effect is limited. For example, clever malware will avoid operations that require elevation. There are other human behavior factors which were discussed in our earlier blog posts (post #1 and post #2).
UAC also helps software developers improve their programs to run without requiring administrator privileges. The most effective way to secure a system against malware is to run with standard user privileges. As more software works well without administrator privileges, more people will run as standard user. We expect that anyone responsible for a set of Windows 7 machines (such as IT Administrators or the family helpdesk worker (like me!)) will administer them to use standard user accounts. The recent feedback has noted explicitly that running as standard user works well. Administrators also have Group Policy at their disposal to enforce the UAC setting to “Always Notify” if they choose to manage their machines with administrator accounts instead of standard user accounts."

N1CK said,
Yeawn... UAC is not, was not and will never be a security boundary. Nor was it ever intended to be.

Some of you, I fear, need to do some learning...

http://blogs.technet.com/b/mar...hive/2007/02/12/638372.aspx
http://blogs.msdn.com/b/e7/arc...09/02/05/update-on-uac.aspx

This is a security flaw because it allows elevation of rights, breaching a security boundary.
It has nothing to do with UAC what-so-ever.

Not sure that I understand this. UAC is a security feature (even the articles you reference confirm this). How does this vulnerability have nothing to do with UAC?

N1CK said,
Yeawn... UAC is not, was not and will never be a security boundary. Nor was it ever intended to be.

Some of you, I fear, need to do some learning...

http://blogs.technet.com/b/mar...hive/2007/02/12/638372.aspx
http://blogs.msdn.com/b/e7/arc...09/02/05/update-on-uac.aspx

This is a security flaw because it allows elevation of rights, breaching a security boundary.
It has nothing to do with UAC what-so-ever.

Finally someone else who gets UAC. Finally!


You noobs really need to watch Security Now.

Gutierrez said,
Who uses UAC anyways? Useless and annoying. Probably the 1st thing that any user disables.

Actually, I run as a standard user on both my laptop and desktop which are windows 7. I also have my wife running as a standard user on her vista machine. They all have password protected admin accounts. For normal usage it is far from annoying.

Gutierrez said,
Who uses UAC anyways? Useless and annoying. Probably the 1st thing that any user disables.

I always wonder who gets infected with all this random stuff... now I know.

COKid said,
Well, if this bypasses UAC, then it wouldn't matter if a person utilizes UAC or not, now would it, bob?!

Well, this one particular exploit bypasses UAC, but there are dozens of others that are stopped by UAC, so it's still a worthwhile feature to use.

Gutierrez said,
Who uses UAC anyways? Useless and annoying. Probably the 1st thing that any user disables.

Not power users.
In my case, I have found that even some Microsoft products are not compatible with UAC, or they are compatible only with some tedious configuration.

Gutierrez said,
Who uses UAC anyways? Useless and annoying. Probably the 1st thing that any user disables.
Actually, the first thing I do when I get a Windows 7 PC is crank that sucker up to Windows Vista style.

UAC is there for a reason...

@COKid, we are still unsure if this really works, at least, works often. The vulnerability on Vupen is rated moderate. If this was really that big of a deal, it would be critical or severe.

Gutierrez said,
Who uses UAC anyways? Useless and annoying. Probably the 1st thing that any user disables.

If you're an idiot.

+1 on the disabling it immediately.

And for the record: never had any issues for over four years now, despite heavy PC and Internet usage.

Jeffrey89 said,
+1 on the disabling it immediately.

And for the record: never had any issues for over four years now, despite heavy PC and Internet usage.

The UAC has yet to save me yet either, but I would rather not take the chance.

Gutierrez said,
Who uses UAC anyways? Useless and annoying. Probably the 1st thing that any user disables.

Wow... Seriously?

Why on earth would you disable something that you only have to deal with infrequently, like when installing software?

One of the main flaws in WinXP as a consumer OS is that it didn't provide a duality between an 'administrator' and a higher system level account. (It technically had this ability, but it was not enforced.)

UAC is not any different than running OS X or Linux where the system prompts for Root access. So by disabling this and running as an administrator account, it would be like running as 'root' on Linux full time, which even the beginning Linux user will tell is STUPID.

So even if you justify for some insane reason to turn off the UAC, then run as a User, and only log into an Account that has Administrator rights when you need to install software. (This was how people on Win2K and WinXP that understood NT security used those systems.)

The time I already saved by disabling it, far outweighs any potential time I might lose on any kind of issues.

My laptop's adapter broke down two weeks ago, I had another one running with let's say at least 90% to 95% of my files and programs within 4 hours after purchase. Plus UAC actually prevented some of my safe, self-written applications.

Gutierrez said,
Who uses UAC anyways? Useless and annoying. Probably the 1st thing that any user disables.

Businesses who don't want to give standard users admin privileges, as well as sensible home users who actually care about their system. Also, let's not forget most people that don't know what it is and how to disable it.

Questioned answered?

Does anyone know if this API is available to low integrity processes such as Internet Explorer and Chrome?

This flaw is locally exploitable only; the user has to download a malicious file from the Internet, save it on his/her PC and manually execute it.

Still serious then, but not in the Internet Explorer drive-by sense.

Edit: I take that back. I guess it could be used in conjunction with other vulnerabilities.

YAWN here we go again, so is this supposed to affect all windows? 32 & 64?

Almost feels like they are trying to get back at them for their mistake last time

duddit2 said,
seems sensationalist to moi! we shall see though......

It could be, Prevx were the same folks that reported the "Black Screen of Death" so I'm a little skeptical personally. Microsoft has acknowledged it though.

I guess this is pretty ironic because "...UAC was originally implemented to prevent unauthorized privilege elevation." LOL

Jebadiah said,
I guess this is pretty ironic because "...UAC was originally implemented to prevent unauthorized privilege elevation." LOL

It's not ironic.

It could be argued it's a form of situational irony, although it's true that escalating privileges without user knowledge is no direct, ironic, result of UAC.

Jebadiah said,
I guess this is pretty ironic because "...UAC was originally implemented to prevent unauthorized privilege elevation." LOL

Because clearly this behaviour is intended and not any sort of a bug.

Jebadiah said,
I guess this is pretty ironic because "...UAC was originally implemented to prevent unauthorized privilege elevation." LOL


Not quite true, UAC was designed to **** off users, break programs ..

Magallanes said,


Not quite true, UAC was designed to **** off users, break programs ..

No... if UAC "breaks" the program, then it was broken before.

There are a lot of programs that don't need administrative privileges. The idea of UAC is to prevent malicious programs from, well, being malicious...

Jebadiah said,
I guess this is pretty ironic because "...UAC was originally implemented to prevent unauthorized privilege elevation." LOL
the only way it would be ironic is if UAC directly/indirectly caused this privilege escalation bug (which it was implemented to prevent)

On Windows Vista and 7, I would suspect this exploit would fail because of ASLR. Even assuming not, it is still much more difficult to get on a Vista or 7 box in the first place, assuming the user doesn't get tricked into downloading and running a trojan, as the browser would have to be exploited and DEP and ASLR (and other protections) bypassed in the browser (or other 3rd party apps, which may or may not opt into such security features in Windows). XP users typically run as Admin anyway though. So the magnitude of this flaw remains to be seen.

J_R_G said,
On Windows Vista and 7, I would suspect this exploit would fail because of ASLR. Even assuming not, it is still much more difficult to get on a Vista or 7 box in the first place, assuming the user doesn't get tricked into downloading and running a trojan, as the browser would have to be exploited and DEP and ASLR (and other protections) bypassed in the browser (or other 3rd party apps, which may or may not opt into such security features in Windows). XP users typically run as Admin anyway though. So the magnitude of this flaw remains to be seen.

It's actually rated "moderate risk"

http://www.vupen.com/english/advisories/2010/3058


Deviate_X said,

It's actually rated "moderate risk"

http://www.vupen.com/english/advisories/2010/3058

Well yea, I could've looked up the rating myself. What I meant is, there is a big difference between an exploit that works reliably every time and one that fails 99% of the time because of DEP/ASLR, the rest of the time crashing the system thereby alerting the user to what's going on. Depends on the flaw code in question though, and whether that code is ASLR/DEP/etc. protected.