New Windows zero-day exploit bypasses UAC


Microsoft confirmed today that it has begun investigating a new zero-day exploit that allows a malicious attacker to bypass User Account Control (UAC) on limited access accounts and execute code that could cause damage to the system.

According to Prevx, the exploit targets a weakness in the win32k.sys file, an important system file that connects the kernel of various Windows subsystems.

The security firm has provided an explanation of what the exploit does:

Win32k.sys’s NtGdiEnableEUDC API is not rightly validating some inputs, causing a stack overflow and overwriting the return address stored on the stack. A malicious attacker is able to redirect the overwritten return address to his malicious code and execute it with kernel mode privileges.

Windows XP, Windows Vista and Windows 7 are all vulnerable to the attack, and it affects both 32-bit and 64-bit versions of the operating systems.

While the security firm has not found any malware using the new exploit at the time of writing, the code for the exploit has been published online on a Chinese message board, meaning that it won’t be long before malware writers begin using it in the wild.

Microsoft has said that it will be investigating the matter, according to WinRumours. “We’re investigating public PoC for a local EoP vuln requiring an account on the target system,” a spokesperson said.

Prevx has also confirmed that it is assisting Microsoft with the flaw.

Image by: jepoirrier/Flickr