Zero-day Windows flaw goes public

gallery

A zero-day privilege escalation flaw has hit Windows that could allow hackers to bypass user account control security found in Vista and Windows 7.

The flaw was posted briefly on a programming education site and could allow even limited user accounts to execute code in kernel mode, although researchers have found the vulnerability exploited on its own would not allow remote code execution.

“This is a serious flaw because it resides in win32k.sys, the kernel mode part of the Windows subsystem,” explained Prevx’s Marco Giuliani, in a blog.

A vulnerable API in Windows could be manipulated by having its input changed to cause an overflow in the kernel, he noted. This would then allow arbitrary code to run in kernel mode.

“A malicious attacker is able to redirect the overwritten return address to his malicious code and execute it with kernel mode privileges,” Giuliani said.

All versions of Windows XP, Vista and 7, in both 32 and 64 bit, are vulnerable to this attack, but no attacks have been seen in the wild as yet, he added.

Paul Ferguson, senior threat researcher at Trend Micro, said the timing of this flaw was “crucial” given the holidays are coming.

“With users spending more time online in search of discounts and Black Friday deals, it may become easier for cyber criminals to spread malware exploiting the zero-day vulnerability,” Ferguson explained in a blog.

Sophos senior security advisor Chester Wisniewski had a more positive outlook for users.

“The good news? For this to be exploited, malicious code that uses the exploit needs to be introduced,” Wisniewski added in his own blog.

“This means your email, web and anti-virus filters can prevent malicious payloads from being downloaded.”

Microsoft had not responded to our request for comment at the time of publication.

Earlier this month Microsoft confirmed another zero-day flaw had hit Internet Explorer, affecting all versions of the browser.

Email to a friend

Print this page