Zero Day Bug Bypasses Windows User Account Control
Local buffer overflow vulnerability tricks Microsoft operating systems into granting an attacker system-level privileges.
Multiple versions of Microsoft Windows are vulnerable to a previously undisclosed, zero-day buffer-overflow vulnerability that would allow an attacker to gain system-level privileges and take control of the PC.
According to security research firm Vupen, "this issue is caused by a buffer overflow error within the 'win32k.sys' driver when processing certain registry values stored as 'reg_binary,' which could allow unprivileged users to crash an affected system or execute arbitrary code with kernel (system) privileges," by modifying registry values related to end-user-defined characters (EUDC) for fonts.
According to security researcher Chester Wisniewski at Sophos, an attacker can use the EUDC-related key "to impersonate the system account, which has nearly unlimited access to all components of the Windows system."
Details of the vulnerability, together with proof-of-concept code, have been publicly disclosed, meaning it's only a matter of time before actual exploits appear. Microsoft has acknowledged the vulnerability, but noted that an attacker would need local access to exploit it.
Vupen rates the vulnerability as being of "moderate" risk, and said it confirmed the bug exists in Windows 7, Windows Server 2008 SP2, and Windows Vista SP2. While it also affects Windows XP and Windows 2003, executing the attack on those operating systems would be relatively difficult.
The security firm Prevx, which originally brought the flaw to light, said that one of the biggest security risks is that the bug allows attackers to bypass User Account Control (UAC) safeguards and take "full control of the system." Microsoft added UAC to Windows Vista and 7 specifically to prevent these types of privilege-escalation attacks.
While no patch is yet available, Sophos' Wisniewski supplied a "somewhat complicated" workaround. It uses Regedit to alter a registry value related to EUDCs for fonts, preventing an attacker from being able to exploit the bug. The fix may, however, break multilingual Windows installations.
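The bug as described turns on EUDC registry values being stored as `REG_BINARY`. As an added example (not from the article, Vupen, Sophos or Prevx), the PowerShell below audits the current user's EUDC settings for values of that kind so an administrator can review a machine before and after applying the workaround. It assumes the per-user EUDC settings live under `HKCU:\EUDC` with one subkey per code page; the article does not name the key path.

```powershell
# Added example: audit the per-user EUDC registry settings for REG_BINARY
# values, the storage type the article says triggers the win32k.sys bug.
# Assumption: settings live under HKCU:\EUDC\<codepage> (path not given in
# the article). Read-only; it changes nothing.

function Get-BinaryEudcValues {
    param(
        [string]$Root = 'HKCU:\EUDC'   # assumed location of the EUDC settings
    )
    if (-not (Test-Path -Path $Root)) { return @() }

    # Inspect the root key itself plus every code-page subkey beneath it.
    $keys = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)
    $findings = @()
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            if ($kind -eq [Microsoft.Win32.RegistryValueKind]::Binary) {
                $data = [byte[]]$key.GetValue($name)
                $findings += [pscustomobject]@{
                    Key       = $key.Name
                    ValueName = $name
                    Kind      = $kind
                    Bytes     = $data.Length
                }
            }
        }
    }
    return $findings
}

$hits = Get-BinaryEudcValues
if ($hits.Count -eq 0) {
    Write-Output 'No REG_BINARY values found under the EUDC key.'
} else {
    Write-Warning "Found $($hits.Count) REG_BINARY EUDC value(s); review them before trusting this profile:"
    $hits | Format-Table -AutoSize
}
```

Font settings written by the EUDC editor are normally stored as strings, so a binary value here is worth a closer look rather than automatic deletion; the Sophos workaround the article mentions works by restricting write access to the key, which this script does not change.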