
Zero Day Bug Bypasses Windows User Account Control

A local buffer overflow in a Windows kernel driver lets an unprivileged attacker gain system-level privileges.

Multiple versions of Microsoft Windows are vulnerable to a previously undisclosed, zero-day buffer-overflow vulnerability that lets a local attacker who can already run code as an unprivileged user gain system-level privileges and take control of the PC.

According to security research firm Vupen, "this issue is caused by a buffer overflow error within the 'win32k.sys' driver when processing certain registry values stored as 'reg_binary,' which could allow unprivileged users to crash an affected system or execute arbitrary code with kernel (system) privileges." The trigger is a modification to registry values related to end-user-defined characters (EUDC) for fonts, values that an unprivileged user is able to write.

According to security researcher Chester Wisniewski at Sophos, an attacker can use the EUDC-related key "to impersonate the system account, which has nearly unlimited access to all components of the Windows system."

Details of the vulnerability, together with proof-of-concept code, have been publicly disclosed, meaning it's only a matter of time before actual exploits appear. Microsoft has acknowledged the vulnerability, but noted that an attacker would need local access to exploit it: the bug is a privilege-escalation step for an attacker who can already run code on the machine as a standard user, not a remote entry point on its own.

Vupen rates the vulnerability as being of "moderate" risk, and said it confirmed the bug exists in Windows 7, Windows Server 2008 SP2, and Windows Vista SP2. Windows XP and Windows Server 2003 are also affected, but executing the attack on those operating systems would be relatively difficult.

The security firm Prevx, which originally brought the flaw to light, said that one of the biggest security risks is that the bug allows attackers to bypass User Account Control (UAC) safeguards and take "full control of the system." Microsoft added UAC to Windows Vista and 7 specifically to prevent these types of privilege-escalation attacks. UAC, however, only mediates the elevation of user-mode processes; because this overflow hands the attacker code execution inside the kernel, the exploit runs beneath UAC rather than defeating it, and no UAC setting can block it.

While no patch is yet available, Sophos' Wisniewski supplied a "somewhat complicated" workaround. It uses Regedit to alter a registry value related to EUDCs for fonts, preventing an attacker from being able to exploit the bug. The workaround may, however, break multilingual Windows installations, since EUDC is the mechanism that lets users define custom glyphs for their fonts.
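The article names the trigger (REG_BINARY values under the EUDC registry keys) but does not reproduce Wisniewski's exact Regedit steps. The PowerShell script below is an added example, not code from the article, Sophos or Prevx. It audits the current user's EUDC keys for any REG_BINARY values, which do not belong there on a normal installation, and with `-Harden` adds a deny-write ACE on the key so the user's own processes can no longer rewrite those values. Two assumptions are labelled in the code: that per-user EUDC settings live under `HKCU:\EUDC\<codepage>` (the page does not give the path), and that a deny-write ACE is an acceptable stand-in for the registry change Wisniewski described.

```powershell
# Added example (not from the article, Sophos or Prevx).
# Audit HKCU:\EUDC for REG_BINARY values, the value type the article identifies
# as the trigger for the win32k.sys overflow, and optionally deny the current
# user write access to the key as an interim workaround.
#
# Assumptions (not stated on the page):
#   - per-user EUDC settings live under HKCU:\EUDC\<codepage>
#   - a deny-write ACE approximates the Regedit workaround described in the text
param([switch]$Harden)

$eudcRoot = 'HKCU:\EUDC'
if (-not (Test-Path $eudcRoot)) {
    Write-Output "No EUDC key present for this user; nothing to audit."
    return
}

# Walk the root key and every subkey (one per code page), reporting any value
# stored as REG_BINARY. Expected EUDC values are strings (font file names), so a
# binary blob here is either misconfiguration or an exploit attempt.
$keys = @(Get-Item -Path $eudcRoot) + @(Get-ChildItem -Path $eudcRoot -Recurse)
$suspicious = foreach ($key in $keys) {
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        if ($kind -eq [Microsoft.Win32.RegistryValueKind]::Binary) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $name
                Kind  = $kind
                Bytes = ($key.GetValue($name)).Length
            }
        }
    }
}

if ($suspicious) {
    Write-Warning "REG_BINARY values found under $eudcRoot:"
    $suspicious | Format-Table -AutoSize
} else {
    Write-Output "No REG_BINARY values found under $eudcRoot."
}

if ($Harden) {
    # Deny the current user the rights needed to plant a malicious value:
    # SetValue (rewrite an existing value) and CreateSubKey (add a new code-page key).
    $sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
              [System.Security.AccessControl.RegistryRights]::CreateSubKey
    $rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
                  $sid, $rights, 'ContainerInherit', 'None', 'Deny')

    $acl = Get-Acl -Path $eudcRoot
    $acl.AddAccessRule($rule)
    Set-Acl -Path $eudcRoot -AclObject $acl
    Write-Output "Deny-write ACE for $sid applied to $eudcRoot."
}
```

Run it once without arguments to audit, and with `-Harden` to apply the deny ACE (`.\Check-EudcRegistry.ps1 -Harden`). Two caveats a practitioner should keep in mind: the deny blocks legitimate EUDC tooling as well, which is the breakage the article warns about; and because the user owns their own HKCU hive, code already running as that user can reset the ACL before exploiting, so this raises the bar against opportunistic malware but is not a substitute for the vendor patch.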
