Windows 0day allows malicious code execution

Discussion in 'other security issues & news' started by MrBrian, Nov 24, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    http://www.theregister.co.uk/2010/11/24/windows_0day_report/

     
  2. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    New Windows zero-day flaw bypasses UAC

    http://nakedsecurity.sophos.com/2010/11/25/new-windows-zero-day-flaw-bypasses-uac/

     
    Last edited: Nov 25, 2010
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
  4. Dogbiscuit

    Dogbiscuit Guest

    http://www.vupen.com/english/advisories/2010/3058
     
  5. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    so does anyone know if having UAC on maximum on win7 prevents this attack?
     
  6. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    no it doesn't
     
  7. Jav

    Jav Guest

    So, I guess, it means not just a bypass of UAC but of LUA as well?

    EDIT: nevermind, found the answer and yes it can.
     
    Last edited by a moderator: Nov 25, 2010
  8. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    I have followed the mitigation provided by Sophos as a precautionary measure;)

    If you don't know which SID is for which user account, then this would help you figure it out:

    How to Associate a Username with a Security Identifier (SID)

    Source: http://nakedsecurity.sophos.com/2010/11/25/new-windows-zero-day-flaw-bypasses-uac/

    Source: http://www.prevx.com/blog/160/New-Windows-day-exploit-speaks-Chinese.html

    Question remains: Does it bypass SRP and AppLocker? If cmd.exe or regedit.exe is blocked by SRP, would the exploit still work? What about DEP, SEHOP, ASLR, etc.? Questions, questions and more questions...

    I need answers from those who know or are going to test the POC.
     
  9. Dogbiscuit

    Dogbiscuit Guest

    It's a local vulnerability, meaning you (or a user on your system) must first run the exploit code somehow before it can do anything, unless it's combined with another exploit.
     
    Last edited by a moderator: Nov 25, 2010
  10. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    In the latter case, it is much like Stuxnet with its 4 zero days: the first 2 to break into the system and spread across networks, and the other two, privilege escalation(s), to elevate rights.

    A targeted attack scenario is to combine a zero-day arbitrary remote code execution with this zero-day kernel exploit to have the fearsome and nightmarish scenario of "no user interaction" to bypass AE/UAC/SRP/LUA/AL/AV/HIPS (if not configured to block malicious DLL loading, barring Didier Stevens' DLL loading in memory).
     
    Last edited: Nov 26, 2010