Windows zero-day flaw bypasses UAC

November 26, 2010 // 10:03 a.m.

Tags: #0-day #security #vulnerability #windows #windows-flaw #windows-vulnerability #windows-zero-day #zero-day

A new zero-day attack against Windows, capable of bypassing the User Access Control protections introduced in Windows Vista and designed to prevent malware from gaining administrative access without user authorisation, has been discovered in the wild.

The proof-of-concept implementation of the infection technique, known as Troj/EUDPoC-A, was posted to a Chinese educational forum before being discovered by anti-virus researchers from various security firms.

Chester Weisniewski, of anti-virus vendor Sophos, warns that the technique used by the Trojan 'enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system,' and does so without triggering the User Access Control protections introduced by Microsoft to prevent exactly that occurring.

The flaw targeted by the code is thought to exist in all versions of Windows from Windows XP onwards - including Windows 2008 R2 and fully-patched Windows 7 systems, and thus far no fix for the issue is available from Microsoft.

Marco Giuliani of security firm PrevX warns that the proof of concept code 'could potentially become a nightmare' as ne'er-do-wells rush to take advantage of the flaw before it is patched by Microsoft. 'We expect to see this exploit being actively used by malware very soon,' Giuliani explained, 'it's an opportunity that malware writers surely won't miss.'

The vulnerability is thought to be under active investigation by Microsoft, but so far there has been no word as to an estimated release date for a fix. In the meantime, Sophos has a workaround for the flaw, but it is unlikely to offer much protection against maliciously modified variants.

Are you disappointed that Microsoft's UAC is proving to be a poor protection, or just anxious for Microsoft to get the flaw fixed as soon as possible? Share your thoughts over in the forums.

SUBSCRIBE TO OUR NEWSLETTER

WEEK IN REVIEW

TOP STORIES

SUGGESTED FOR YOU