Feeds

Windows 7 UAC flaw silently elevates malware access

Weak links in chain of trust

High performance access to file storage

Researchers have uncovered yet another flaw in Microsoft's Windows 7 beta that could allow attackers to gain full administrative privileges by bypassing the operating system's UAC, or user access control.

Researcher Rafael Rivera Jr. has released proof-of-concept code that demonstrates how unauthorized third-party software can elevate its privileges and install a potentially malicious payload on the latest version of Windows, which is still in beta. Researchers warn that anyone using the OS is vulnerable.

"Unfortunately this flaw is not just a single point of failure," writes security blogger Long Zheng. "The breadth of Windows executables is just too many and too diverse and many are exploitable."

The vulnerability stems from Microsoft's attempts to make UAC more palatable by allowing certain applications to make changes to the OS without first prompting the user for permission. Executables that are digitally signed are essentially given fast-track permission under UAC's default configuration. And it turns out many of these third-party executables are in turn able to invoke still more third-party code.

This gives rise to what Zheng calls "piggybacking," in which a proxy executable launches an elevated instance of rundll32.exe, a file that has existed in one form or another since before the days of Windows 95. Rundll32.exe can then point to a malicious payload, and because the payload has inherited the administrative privileges from its authorized parent process, UAC never prompts the user.

Rivera's proof-of-concept uses a one-line file called Catapult.exe as the proxy application that launches the rundll file. That in turn is able to execute a multi-line C++ program called Cake.dll, which reads the current process token and shows an on-screen message box. Of course, an attacker could do much more nefarious things.

A Microsoft spokesman said: "We are not aware of anyone impacted by this issue at this time, but it has already been addressed in a later internal beta build." In the meantime, Windows 7 users may want to set UAC to "high." ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.