Microsoft has publicly confirmed that it is currently investigating a new 0-day Windows exploit that could possibly allow attackers to execute malicious code from limited access accounts.
Disclosed on a chinese message board, the new flaw centres on a weakness in the win32k.sys file which interfaces with the kernel of various Windows subsystems. The vulnerability is said to be a privilege escalation exploit, which will allow attackers to execute arbitrary code in kernel mode, completely bypassing the User Account Control on newer Windows systems.
Details of the flaw were published by Prevx, an IT security company, providing explanations of how the exploit came to be:
Win32k.sys’s NtGdiEnableEUDC API is not rightly validating some inputs, causing a stack overflow and overwriting the return address stored on the stack. A malicious attacker is able to redirect the overwritten return address to his malicious code and execute it with kernel mode privileges.
Users of Windows XP, right through to Vista and Windows 7 are vulnerable to the exploit, which will execute on both 32 and 64-bit operating systems.
At the moment, there are no reported instances of this exploit being used in the wild but because the flaw is publicly available online, it can be expected that developers and attackers will pick up the proof-of-concept code and use it to deliver malware soon.
Winrumors contacted the Redmond company for comment, a spokesperson confirmed the company was “investigating public PoC for a local EoP vuln requiring an account on the target system.”