Feeds

Windows 7 UAC flaw silently elevates malware access

Weak links in chain of trust

Internet Security Threat Report 2014

Researchers have uncovered yet another flaw in Microsoft's Windows 7 beta that could allow attackers to gain full administrative privileges by bypassing the operating system's UAC, or user access control.

Researcher Rafael Rivera Jr. has released proof-of-concept code that demonstrates how unauthorized third-party software can elevate its privileges and install a potentially malicious payload on the latest version of Windows, which is still in beta. Researchers warn that anyone using the OS is vulnerable.

"Unfortunately this flaw is not just a single point of failure," writes security blogger Long Zheng. "The breadth of Windows executables is just too many and too diverse and many are exploitable."

The vulnerability stems from Microsoft's attempts to make UAC more palatable by allowing certain applications to make changes to the OS without first prompting the user for permission. Executables that are digitally signed are essentially given fast-track permission under UAC's default configuration. And it turns out many of these third-party executables are in turn able to invoke still more third-party code.

This gives rise to what Zheng calls "piggybacking," in which a proxy executable launches an elevated instance of rundll32.exe, a file that has existed in one form or another since before the days of Windows 95. Rundll32.exe can then point to a malicious payload, and because the payload has inherited the administrative privileges from its authorized parent process, UAC never prompts the user.

Rivera's proof-of-concept uses a one-line file called Catapult.exe as the proxy application that launches the rundll file. That in turn is able to execute a multi-line C++ program called Cake.dll, which reads the current process token and shows an on-screen message box. Of course, an attacker could do much more nefarious things.

A Microsoft spokesman said: "We are not aware of anyone impacted by this issue at this time, but it has already been addressed in a later internal beta build." In the meantime, Windows 7 users may want to set UAC to "high." ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.