Microsoft has confirmed it is investigating public proof-of-concept code for a new, unpatched flaw in Windows.
Prevx, an IT security firm, published details of the exploit in a blog posting on Wednesday. “This is a serious flaw because it resides in win32k.sys, the kernel mode part of the Windows subsystem. It is a privilege escalation exploit which allows even limited user accounts to execute arbitrary code in kernel mode,” wrote Malware Technology specialist Marco Giuliani.
Giuliani warned that Windows XP, Vista and Windows 7 were all vulnerable to attack, including both 32-bit and 64-bit editions. Prevx says it has not seen any malware exploiting this flaw but warned: “we expect to see this exploit being actively used by malware very soon – it’s an opportunity that malware writers surely won’t miss.”
According to Prevx, the vulnerability is located in the NtGdiEnableEUDC API in win32k.sys. The API does not correctly validate some of its inputs, resulting in a stack-based buffer overflow. An attacker who overwrites the saved return address on the kernel stack can redirect execution to code of their choosing, which then runs with kernel-mode privileges. Because the flaw lets a standard user run code in the kernel, it renders User Account Control (UAC) and the Limited User Account protections in Windows Vista and Windows 7 moot: those mechanisms constrain user-mode processes and offer no defence once kernel code executes. It is a local flaw, however, and an attacker must already be able to run code on the target system, for example through a separate exploit or a malware dropper.
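The bug class Prevx describes, a fixed-size stack buffer filled from a caller-controlled length, can be shown in miniature. The following C program is an added illustration and is not code from Prevx, Microsoft or win32k.sys: the buffer size, frame layout and placeholder return address are assumptions, and the "frame" is a simulated struct so the copy never corrupts the real stack. The unchecked routine shows the saved return slot being overwritten by a constructed payload of 0x41 bytes; the hardened routine rejects the oversized length before copying anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the real win32k.sys frame layout is not published on this page. */
#define STACK_BUF_SIZE 32u
#define ORIGINAL_RETURN ((uintptr_t)0x1000)   /* placeholder "saved return address" */

/* Simulated stack frame: the local buffer sits directly below the saved return
 * address, as in a real x86/x64 frame that has no stack cookie between them. */
struct sim_frame {
    unsigned char buf[STACK_BUF_SIZE];
    uintptr_t saved_return;
};

/* Constructed payload: `len` bytes of 0x41, the classic "AAAA..." probe. */
static void fill_payload(unsigned char *out, size_t len) {
    memset(out, 0x41, len);
}

/* VULNERABLE pattern: trusts the caller-supplied length and copies it into a
 * fixed-size local buffer. The write goes through a byte pointer over the whole
 * frame object so the demo stays within defined behaviour, and it is clamped to
 * the frame so the simulation cannot smash the real stack; a real kernel routine
 * has no such clamp and keeps writing past the frame. Returns the saved-return
 * slot after the copy so the caller can see whether it was overwritten. */
uintptr_t unchecked_copy_result(size_t len) {
    struct sim_frame frame;
    unsigned char payload[sizeof(struct sim_frame)];
    unsigned char *raw = (unsigned char *)&frame;

    frame.saved_return = ORIGINAL_RETURN;
    if (len > sizeof(struct sim_frame))
        len = sizeof(struct sim_frame);       /* simulation-only clamp */
    fill_payload(payload, len);

    memcpy(raw + offsetof(struct sim_frame, buf), payload, len);   /* no bounds check */
    return frame.saved_return;
}

/* HARDENED pattern: reject any input longer than the destination before copying.
 * Returns 0 on success and -1 on rejection (a kernel routine would return a
 * failure NTSTATUS and never touch the buffer). The saved-return slot is written
 * to *saved_return_out so callers can confirm it was left intact. */
int checked_copy_status(size_t len, uintptr_t *saved_return_out) {
    struct sim_frame frame;
    unsigned char payload[sizeof(struct sim_frame)];

    frame.saved_return = ORIGINAL_RETURN;
    if (len > sizeof(frame.buf)) {
        *saved_return_out = frame.saved_return;
        return -1;
    }
    fill_payload(payload, len);
    memcpy(frame.buf, payload, len);
    *saved_return_out = frame.saved_return;
    return 0;
}

/* The value a fully overwritten return slot holds when every byte is 0x41,
 * computed this way so it is correct for any pointer width. */
uintptr_t all_a_pointer(void) {
    uintptr_t v;
    memset(&v, 0x41, sizeof v);
    return v;
}

int main(void) {
    uintptr_t kept;
    size_t overflow_len = STACK_BUF_SIZE + sizeof(uintptr_t);

    printf("unchecked, %zu bytes: saved return = 0x%lx (was 0x%lx)\n",
           overflow_len, (unsigned long)unchecked_copy_result(overflow_len),
           (unsigned long)ORIGINAL_RETURN);
    printf("checked,   %zu bytes: status = %d, saved return = 0x%lx\n",
           overflow_len, checked_copy_status(overflow_len, &kept), (unsigned long)kept);
    return 0;
}
```

In a real kernel the overwritten slot is consumed when the function returns, and that is the moment the attacker's chosen address starts executing in kernel mode. Stack cookies and similar mitigations can make the overwrite harder to turn into control of execution, but the fix is the length check before the copy.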
Prevx was widely criticized after it announced, in November 2009, that a Windows Update was causing a “Black Screen of Death”. It was later discovered that the black screen was caused by a malware infection on the affected PCs. The company issued an apology to Microsoft, stating: “we apologize to Microsoft for any inconvenience our blog may have caused. This has been a challenging issue to identify.” Despite the mistake, Prevx remains a Microsoft Gold Certified Partner and works closely with the firm on a number of security threats.
Microsoft confirmed that it is looking into the reports of the latest zero-day flaw. “We’re investigating public PoC for a local EoP vuln requiring an account on the target system,” said a Microsoft spokesperson.
Update: Security firm Sophos has posted a video to demonstrate the exploit: