Topic: Newly discovered zero-day exploit bypasses UAC in Windows (bug in win32k.sys)

[Samker]

New Windows Zero Day Exploit - Nov 2010

A newly discovered zero-day exploit in Windows could let hackers take admin-type control over affected computers.

Security firm Sophos said that the exploit appeared on an "education web site " but was soon removed.

The malware could let an application gain system privileges, and bypass User Account Control in Vista and Windows 7.

"The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel," wrote Chester Wisniewski, a senior security advisor at Sophos, in a blog post: http://nakedsecurity.sophos.com/2010/11/25/new-windows-zero-day-flaw-bypasses-uac/

"The flaw is related to the way in which a certain registry key is interpreted, and enables an attacker to impersonate the system account which has nearly unlimited access to all components of the Windows system."

Wisniewski explained that the flaw is present in Windows operating systems going back to XP. Sophos has published a workaround in the blog post.

"On its own, this bug does not allow remote code execution, but does enable non-administrator accounts to execute code as if they were an administrator," he said.

"For this to be exploited, malicious code that uses the exploit needs to be introduced. This means that your email, web and anti-virus filters can prevent malicious payloads from being downloaded."

(V3)