A zero-day for Windows 7 back in July of this year also bypassed Windows UAC.

Once again a serious zero-day has hit Windows, this time an unpatched vulnerability in the Kernel. So far it only seems to be a local exploit, for full devastating effect hackers will need to combine this with a remote zero-day to get access to the machine and then elevate their permissions and bypass UAC with this.

Microsoft is investigating reports of an unpatched vulnerability in the Windows kernel that could be used by attackers to sidestep an important operating system security measure.

One security firm dubbed the bug a potential “nightmare,” but Microsoft downplayed the threat by reminding users that hackers would need a second exploit to launch remote attacks.

The exploit was disclosed Wednesday — the same day proof-of-concept code went public — and lets attackers bypass the User Account Control (UAC) feature in Windows Vista and Windows 7. UAC, which was frequently panned when Vista debuted in 2007, displays prompts that users must read and react to. It was designed to make silent malware installation impossible, or at least more difficult.

“Microsoft is aware of the public posting of details of an elevation of privilege vulnerability that may reside in the Windows kernel,” said Jerry Bryant, a group manager with the Microsoft Security Response Center, in an e-mail. “We will continue to investigate the issue and, when done, we will take appropriate action.”

The bug is in the “win32k.sys” file, a part of the kernel, and exists in all versions of Windows, including XP, Vista, Server 2003, Windows 7 and Server 2008, said Sophos researcher Chet Wisniewski in a Thursday blog post.

Microsoft is aware of the flaw but has not yet issued a statement as to when they will be patching this, I’d imagine given their past that will wait for the next Patch Tuesday before pushing the patch out. And plus the fact it’s a kernel bug it, it may take a little more time to fix.

The security companies seem to be taking this one quite seriously as the publicly-released code is confirmed working across multiple versions of Windows.

There is a very slight chance that Microsoft might push an Out-of-band-patch for this, but I find it unlikely as it’s not a remote vulnerability.

Several security companies, including Sophos and Vupen, have confirmed the vulnerability and reported that the publicly-released attack code works on systems running Vista, Windows 7 and Server 2008.

Hackers cannot use the exploit to remotely compromise a PC, however, as it requires local access, a fact that Microsoft stressed. “Because this is a local elevation-of-privilege issue, it requires attackers to be already able to execute code on a targeted machine,” said Bryant.

“On its own, this bug does not allow remote code execution, but does enable non-administrator accounts to execute code as if they were an administrator,” added Wisniewski.

Although many Windows XP users, especially consumers and those in very small businesses, run the OS via administrator accounts, Microsoft added UAC to Vista and later operating systems as one way to limit user privileges, and thus malware’s access to the PC.

Attackers would have to combine the exploit with other malicious code that takes advantage of another vulnerability on the machine — not necessarily one in Windows, but in any commonly-installed application, such as Adobe Reader, for example — to hijack a PC and bypass UAC.

“This exploit allows malware that has already been dropped on the system to bypass [UAC] and get the full control of the system,” said Prevx researcher Marco Giuliani in an entry on that security company’s blog Thursday.

Prevx reported the vulnerability to Microsoft earlier in the week.

Microsoft has changed the way UAC functions before when it was demonstrated that it could be easily bypassed. The next patch cycle is due on Tuesday, Dec. 14 – which thankfully isn’t too long. I’d be expecting a kernel patch for this issue by then.

There is more info about the issue here:

Sophos – New Windows zero-day flaw bypasses UAC
Prevx – Windows 0-day exploit: Q&A session

Source: Network World

The rootkit in questions is a fairly well known variant (TDL/Alureon) and has been around for several years, but according to Prevx it’s been hitting on x64 installs of Windows 7 since August this year.

It’s usually an oldskool method to circumvent the Windows security measures, the MBR (Master Boot Record) – haven’t seen anyway malware using that for quite some time.

A notorious rootkit that for years has ravaged 32-bit versions of Windows has begun claiming 64-bit versions of the Microsoft operating system as well.

The ability of TDL, aka Alureon, to infect 64-bit versions of Windows 7 is something of a coup for its creators, because Microsoft endowed the OS with enhanced security safeguards that were intended to block such attacks. The rootkit crossed into the 64-bit realm sometime in August, according to security firm Prevx.

According to research published on Monday by GFI Software, the latest TDL4 installation penetrates 64-bit versions of Windows by bypassing the OS’s kernel mode code signing policy, which is designed to allow drivers to be installed only when they have been digitally signed by a trusted source. The rootkit achieves this feat by attaching itself to the master boot record in a hard drive’s bowels and changing the machine’s boot options.

Microsoft has pumped some pretty advanced protection mechanisms into the latest member of the Windows family, but still you just know it’s only a matter of time before the bad guys find some way to get around it.

This is an advanced piece of malware though as there are multiple layers of protection in Windows 7 and TDL4 bypasses them all, it even blocks access to debuggers and is undetectable by most AV software.

Whichever way you look at it, that’s some neat coding.

“The boot option is changed in memory from the code executed by infected MBR,” GFI Technical Fellow Chandra Prakash wrote. “The boot option configures value of a config setting named ‘LoadIntegrityCheckPolicy’ that determines the level of validation on boot programs. The rootkit changes this config setting value to a low level of validation that effectively allows loading of an unsigned malicious rootkit dl file.”

According to researchers at Prevx, TDL is the most advanced rootkit ever seen in the wild. It is used as a backdoor to install and update keyloggers and other types of malware on infected machines. Once installed it is undetectable by most antimalware programs. In keeping with TDL’s high degree of sophistication, the rootkit uses low-level instructions to disable debuggers, making it hard for white hat hackers to do reconnaissance.

One of the advanced protections Microsoft added to 64-bit versions of Windows was kernel mode code signing policy. Microsoft also added a feature known as PatchGuard, which blocks kernel mode drivers from altering sensitive parts of the Windows kernel. TDL manages to circumvent this protection as well, by altering a machine’s MBR so that it can intercept Windows startup routines.

Prevx came out with this research, you can read more about their findings here:

x64 TDL3 rootkit – follow up

There is also an in-depth technical analysis from Microsoft researcher Joe Johnson check here [PDF].

Source: The Register

The news this week has been a flaw in Microsoft‘s all versions of Windows labeled as the “Black Screen of Death”, they did acknowledge the problem a few days ago (in a roundabout way) but basically said it wasn’t their fault and it wasn’t widespread.

The blame is currently being passed around and as of now, no-one really knows exactly what is going on. With Prevx leading up the initial claims that the newest batch of November updates pushed out by Microsoft caused the problem.

Users who want the best Windows experience will need some help from Microsoft. But if the Black Screen of Death case is any indication, Microsoft isn’t so quick to take responsibility. As usual, users find they are left to their own devices to solve problems with software and hardware they paid good money for.

For too long, users have been forced by default to deal with the many security problems that plague the Windows ecosystem. Whether because of malware, flaws in how Microsoft built Windows or any other number of things that can occur in the course of using a Windows PC, it seems that users have to look to their own knowledge and resources to maintain at least a basic level of security.

It has gotten so bad that today, no anti-malware program is capable of targeting and removing every malicious file that can potentially impact a Windows installation. Even with several anti-malware tools installed, not a single Windows user is absolutely safe. And in order to come closer to achieving that lofty goal, the user needs to be diligent, always keeping in mind that if trouble strikes, it could very well be a battle with a malicious hacker.

It’s a pretty crippling bug and very confusing for most users as it’s not a total kernel panic like the traditional Blue Screen of Death but starts up normally and allows you login.

The problem appears after you login when the entire screen is black, there is no menu, no system tray, no taskbar and only a single “My Computer” desktop icon.

Plus any non-technical users trying to remedy the problem will face a tough time, not all fixes work and it’s really an odd problem.

Perhaps that’s why the controversy over the Black Screen of Death has taken on such a life of its own in the past 24 hours. Just one day ago, Windows users experiencing a Black Screen of Death generally believed that the problem began with updates from Microsoft that they had installed.

But after investigating the situation, Microsoft responded late Dec. 1 saying it wasn’t at fault. And Prevx, the security company that initially suggested that Windows updates were to blame, has already backtracked. Once again users are left wondering what they can possibly do to keep from loosing time, data and even possibly cash to this glitch for which Microsoft apparently doesn’t want to take responsibility.

A lot of buck passing has been going on as per usual and the baggage ends up with the end user as per usual with issues pertaining to Microsoft.

It’s pretty heated at the moment so it’ll be interested to see what transpires over the next few days and if we will actually get some definitive answers (unlikely).

Wherever the fault actually lies, Windows 7 users are still left wondering what is going on and how they are supposed to fix it.

Source: eWeek

The BBC has made an odd move recently by buying/seeding a botnet of 22,000 computers under the guise of investigative journalism.

They claim it’s not illegal as they caused no harm and only sent spam to e-mail accounts used by themselves. Technically I think it’s still breaking the law under the Computer Misuse Act but most likely nothing would happen as they caused no damage or losses (According to lawyer Struan Robertson BBC did violate the act).

Software used to control thousands of home computers has been acquired online by the BBC as part of an investigation into global cyber crime.

The technology programme Click has demonstrated just how at risk PCs are of being taken over by hackers. Almost 22,000 computers made up Click’s network of hijacked machines, which has now been disabled.

The BBC has now warned users that their PCs are infected, and advised them on how to make their systems more secure. Click managed to acquire its own low-value botnet – the name given to a network of hijacked computers – after visiting chatrooms on the internet.

The programme did not access any personal information on the infected PCs. If this exercise had been done with criminal intent it would be breaking the law.

The whole thing has created quite a furor in the computer security scene, with people debating the legality and ethics involved.

Which was probably what the BBC wanted in the first place, the more people talk about it the better right?

SMH even claim the whole thing back-fired.

By prior agreement, Click launched a Distributed Denial of Service (DDoS) attack on a backup site owned by security company Prevx. Click then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible.

Amazingly, it took only 60 machines to overload the site’s bandwidth. DDoS attacks are used by extortionists who threaten to knock a site offline unless a hefty ransom is paid. Jacques Erasmus from Prevx said that high-traffic websites with big revenues are a “massive target” for this kind of attack.

“Cyber criminals are getting into contact with websites and threatening them with DDoS attacks. “The loss of trade is very substantial so a lot of these websites just pay-up to avoid it,” he explained.

But well pushing the boundaries, that’s what investigative journalism is about right? We’ve had enough programs about pimps, triads and drugs – why not some about cybercrime and the underbelly on the Internet.

I hope I manage to view the show, it sounds like it’ll be interesting (even if ethically questionable).

But well aren’t all the best things on that thin grey line?

Source: BBC