User account controls offer no protection
A new zero-day flaw has hit Windows, and it seems capable of slipping past user account controls, security researchers have said.
"This is a serious flaw because it resides in win32k.sys, the kernel mode part of the Windows subsystem," said malware technology specialist Marco Giuliani on the Prevx blog. "It is a privilege escalation exploit which allows even limited user accounts to execute arbitrary code in kernel mode."
Giuliani warned that 32 and 64 bit versions of Windows XP, Vista and 7 were vulnerable. "Being a privilege escalation exploit, it bypasses by design even the protection given by the User Account Control and Limited User Account technology implemented in Windows Vista and Windows 7," he said.
While the API-based flaw has been published on a Chinese message board, Prevx has seen no attacks yet. "This could potentially become a nightmare due to the nature of the flaw," he warned. "We expect to see this exploit being actively used by malware very soon - it's an opportunity that malware writers surely won't miss."
Sophos security researcher Chester Wisniewski noted that for the flaw to be used, a hacker would need access to the system first. "For this to be exploited, malicious code that uses the exploit needs to be introduced," he said in a Sophos blog post. "This means your email, web, and anti-virus filters can prevent malicious payloads from being downloaded."
Sophos detailed a work-around here, while Prevx has updated its software to protect against the flaw. Giuliani said his firm was working with Microsoft on the flaw, and the software giant has acknowledged it's investigating.