Windows 0-Day Flaw – UAC Won’t Save You

Reading any security blog these days can be very helpful, but sometimes, it’s scary, as you get warned of things you can do nothing about, save for possibly complaining to Microsoft, or some other vendor that may be involved.

In a way, this is one of those days. Though the item from the Naked Security blog on the Sophos site gives some help with mitigating the flaw, the mitigation is not fully tested, nor does anyone seem to be standing up to state that it is a complete solution.

Do you ever notice how often there seems to be no complete solution with Windows? It behaves like a set of dominoes, and with a little help wants desperately to follow the second law of thermodynamics (entropy).

A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to “system,” and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed.

The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.

The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems. On its own, this bug does not allow remote code execution (RCE), but does enable non-administrator accounts to execute code as if they were an administrator.

There is one mitigation I discovered while researching this exploit. Unfortunately it is somewhat complicated.

Because it is complicated, and involves a few pictures, it is best to follow the link back to the article.

The steps, as given, are clear, but it is stated plainly that the problem may not be completely removed.

The registry keys being changed by this mitigation should not impact a user’s ability to use the system, but changing permissions related to Windows code page settings may cause problems with multilingual installations. In my testing it appears problem-free, but I have only had an hour or two to test. Use at your discretion.
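Since the mitigation comes down to taking write access on a registry key away from non-privileged users, the check below (an added example, not code from this post or from the Sophos article) lists every ACE on a key that still lets a low-privilege principal, or the current user for keys under HKCU, change it. The key path is a placeholder; take the real key from the linked article.

```powershell
# Audit one registry key's ACL and report allow-ACEs that grant write-type
# rights to low-privilege principals. An empty result means the permission
# change the mitigation depends on is in place for that key.
function Get-UserWritableRegistryAces {
    param(
        # Registry path in provider form, e.g. 'HKCU:\Some\Key' (placeholder)
        [Parameter(Mandatory = $true)][string]$Path
    )

    # Rights that let a caller alter what the kernel will later parse.
    $writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                   [System.Security.AccessControl.RegistryRights]::FullControl

    # Well-known low-privilege principals (assumption: these cover the usual cases).
    $lowPriv = @(
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'Everyone',
        'NT AUTHORITY\INTERACTIVE'
    )

    # Keys under HKCU are owned by the logged-on user, so treat that account
    # as low-privilege too: that is exactly the access the flaw relies on.
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -Path $Path

    foreach ($ace in $acl.Access) {
        $isAllow     = $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
        $grantsWrite = ($ace.RegistryRights -band $writeRights) -ne 0
        $identity    = $ace.IdentityReference.Value
        $isLowPriv   = ($lowPriv -contains $identity) -or ($identity -eq $me)

        if ($isAllow -and $grantsWrite -and $isLowPriv) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $identity
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder key; substitute the key named in the Sophos article.
Get-UserWritableRegistryAces -Path 'HKCU:\PLACEHOLDER_KEY_FROM_ARTICLE' | Format-Table -AutoSize
```

Run it before and after applying the mitigation steps; any row still listed after the change means that principal can still write to the key.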

The good news? For this to be exploited, malicious code that uses the exploit needs to be introduced. This means your email, web, and anti-virus filters can prevent malicious payloads from being downloaded. Keep an eye on the Naked Security blog for more information as we learn more about this flaw.

Update: Sophos detects the proof of concept as Troj/EUDPoC-A. Stay tuned for further details as they become available.

If you go to the Sophos site you will see that there is also a video provided that shows what can happen when the system is exploited in the manner described.

The fact that the PoC was posted is not a good thing, because it will be passed along to some ne’er-do-well who will use it.

We can hope that Microsoft has taken note, and has a few people working on a fix for the next Patch Tuesday.