The local privilege escalation vulnerability (CVE-2015-0057) could give attackers total command of the victims’ machines, explains Udi Yavo, the principal applied scientific discipline officeholder at the safety theatre enSilo.
"A threat role instrumentalist that gains access to a Windows motorcar tin flaming exploit this vulnerability to bypass all Windows safety measures, defeating mitigation measures such every bit sandboxing, amount segregation in addition to retentiveness randomization," said Yavo.
INTERESTING PART OF THE FLAW
Yavo continued, "Interestingly, the exploit requires modifying solely a unmarried fleck of the Windows operating system."
The flaw existed inwards the graphical user interface (GUI) cistron of the Win32k.sys module inside the Windows Kernel which, amidst other things, manages vertical in addition to horizontal Windows’ scroll bars. The flaw truly resides inwards the xxxEnableWndSBArrows component subdivision which could modify the patch of both scroll bars through a call.
The researchers at the safety theatre managed to practise an exploit for all versions of Windows in addition to institute that the desktop versions upward to Windows 10 technical preview were affected yesteryear the vulnerability.
In an advisory, Yavo provided a especial technical analysis of the vulnerability in addition to showed that fifty-fifty a nipper põrnikas tin flaming move used yesteryear remote attackers to compass consummate command over whatsoever Windows operating system.
VIDEO DEMONSTRATION
Yavo included a proof-of-concept video, that doesn't truly reveal whatsoever sensitive code, but shows the privilege escalation exploitation on a motorcar running 64-bit Windows 10 Technical Preview.
You tin flaming spotter the video below:
The assault method tin flaming move used to bypass amount protections such every bit Kernel Data Execution Prevention (DEP), Kernel Address Space Layout Randomization (KASLR), Mandatory Integrity Control (MIC), Supervisor Mode Execution Protection (SMEP), in addition to NULL deference protection.
FUNNY PART
Yavo likewise institute an ancient slice of code inwards calls inside the horizontal scrollbar cistron of the xxxEnableWndSBArrows component subdivision to the xxxWindowEvent function, in addition to the "funny" affair almost it was that that it’s a dead code. This code he said had existed "for almost 15-years doing absolutely nothing".
However, the vulnerability was patched yesteryear Microsoft on Tuesday. But, the fellowship nonetheless hasn't addressed a of late disclosed Universal Cross-Site Scripting (UXSS) vulnerability affecting Internet Explorer that could let malicious hackers to inject malicious code into users' websites in addition to pocket cookies, session in addition to login credentials.
