
This article was published on November 25, 2010

New Windows 0-day exploit bypasses UAC, gets published online

Story by Matt Brian

Matt is the former News Editor for The Next Web. You can follow him on Twitter, subscribe to his updates on Facebook and catch up with him on Google+.

Microsoft has publicly confirmed that it is investigating a new 0-day Windows exploit that could allow attackers to execute malicious code from limited-access accounts.

Disclosed on a Chinese message board, the new flaw centres on a weakness in win32k.sys, the kernel-mode component that serves various Windows subsystems. The vulnerability is described as a privilege escalation flaw that allows attackers to execute arbitrary code in kernel mode, completely bypassing User Account Control on newer Windows systems.

Details of the flaw were published by Prevx, an IT security company, which explained how the exploit works:

Win32k.sys’s NtGdiEnableEUDC API is not rightly validating some inputs, causing a stack overflow and overwriting the return address stored on the stack. A malicious attacker is able to redirect the overwritten return address to his malicious code and execute it with kernel mode privileges.
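As an added illustration (not from the article or from Prevx), the C model below shows the class of defect described above: a kernel routine copying caller-controlled data into a fixed-size stack buffer with a length it never checked, next to the bounds-checked form a handler should use. All names, sizes and the sample input are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR16;           /* UTF-16 code unit, as Windows uses */
#define PATH_SLOTS 260              /* hypothetical fixed stack buffer, in WCHAR16 units */

enum status { ST_OK = 0, ST_INVALID_PARAMETER = 1, ST_BUFFER_TOO_SMALL = 2 };

/* Before (the defect class the article describes): the copy length is taken
 * straight from the untrusted record.  Any length larger than the buffer
 * writes past 'dst' into the saved frame and return address.  Shown for
 * contrast only; nothing below calls it. */
void load_font_path_unchecked(WCHAR16 *dst, const WCHAR16 *src, size_t len_bytes)
{
    memcpy(dst, src, len_bytes);    /* no comparison against the buffer size */
}

/* After: reject a NULL source or an odd byte count, then require that the
 * characters plus a terminator fit before touching the buffer. */
enum status load_font_path_checked(const WCHAR16 *src, size_t len_bytes,
                                   WCHAR16 *dst, size_t dst_slots)
{
    if (src == NULL || (len_bytes % sizeof(WCHAR16)) != 0)
        return ST_INVALID_PARAMETER;
    size_t chars = len_bytes / sizeof(WCHAR16);   /* <= SIZE_MAX/2, so +1 cannot wrap */
    if (chars + 1 > dst_slots)
        return ST_BUFFER_TOO_SMALL;
    memcpy(dst, src, len_bytes);
    dst[chars] = 0;
    return ST_OK;
}

/* Simulated syscall handler with a fixed-size stack buffer, as in the bug. */
enum status enable_eudc_handler(const WCHAR16 *value, size_t len_bytes)
{
    WCHAR16 path[PATH_SLOTS];
    return load_font_path_checked(value, len_bytes, path, PATH_SLOTS);
}

int main(void)
{
    WCHAR16 ok_value[8] = {'C', ':', '\\', 'f', 'o', 'n', 't', 's'};   /* constructed input */
    printf("8-char path: %d\n", enable_eudc_handler(ok_value, sizeof ok_value));              /* 0 */
    printf("odd length:  %d\n", enable_eudc_handler(ok_value, 3));                            /* 1 */
    printf("260 chars:   %d\n", enable_eudc_handler(ok_value, PATH_SLOTS * sizeof(WCHAR16))); /* 2 */
    return 0;
}
```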

Users of Windows XP, right through to Vista and Windows 7, are vulnerable to the exploit, which runs on both 32- and 64-bit versions of the operating system.

At the moment there are no reported instances of this exploit being used in the wild, but because the flaw is publicly available online, it can be expected that malware developers and attackers will pick up the proof-of-concept code and use it to deliver malware soon.

Winrumors contacted the Redmond company for comment; a spokesperson confirmed the company was “investigating public PoC for a local EoP vuln requiring an account on the target system.”