Windows Kernel Bug May Bypass User Account Control

Bogdan BOTEZATU

November 25, 2010

Another 0-day bug on the Windows platform affects win32k.sys (a critical component of the Windows kernel), and this time the approach poses a major challenge to the security world. The vulnerability is triggered by a buffer overflow in that kernel file, which allows code to bypass UAC on Windows Vista and Windows 7.

More to the point, this security flaw affects the RtlQueryRegistryValues API, which queries multiple registry values according to a query table, using each entry's EntryContext field as the output buffer. To exploit the flaw, an attacker must either create a malformed Registry key or be able to manipulate a Registry key that is writable with ordinary user rights. Due to the nature of the flaw, we won’t detail more on the matter.

Suffice it to say that a working proof of concept has been publicly available for a few hours on an extremely popular programming website. The demonstration included a step-by-step tutorial, as well as the binary and source code needed to defeat UAC.

Proof-of-concept exploit code

The call to EnableEUDC will trigger the bug

Since the win32k.sys bug is currently unpatched and the code has been publicly exposed, we expect to see it used in malware soon. We are aware of the situation and are working on a generic detection scheme to prevent malicious code from reaching the kernel.

In the meantime, make sure to avoid downloading files from untrusted locations. Also, if you haven’t done this yet, you should consider installing and updating an antivirus solution.

Author


Bogdan BOTEZATU

Bogdan is living his second childhood at Bitdefender as director of threat research.
