
Windows Security Bypassed by Modifying a Single Bit of Code


In the latest round of Patch Tuesday updates, Microsoft released a fix for a privilege escalation vulnerability in Windows (CVE-2015-0057) which could allow an attacker to gain complete control of a Windows device by modifying just a single bit of the Windows operating system.

“In other words, a threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization,” said researcher Udi Yavo, whose team previously disclosed the vulnerability to Microsoft.

“Interestingly, the exploit requires modifying only a single bit of the Windows operating system. We have verified this exploit against all supported Windows desktop versions, including Windows 10 Technical Preview.”

Yavo notes that in the last few years Microsoft has made extensive efforts to protect systems from privilege escalation vulnerabilities that can enable malicious code to run on the kernel level and bypass security mechanisms like sandboxes.

This particular vulnerability was found in the Win32k module, the GUI component of the Windows kernel, in the code that handles the vertical and horizontal window scroll bars.

A successful exploit allows an attacker to bypass Kernel Data Execution Prevention (DEP), Kernel Address Space Layout Randomization (KASLR), Mandatory Integrity Control (MIC), Supervisor Mode Execution Protection (SMEP), and NULL dereference protection.

The researchers are not releasing the full details of the exploit, but did explain some of the processes involved, and produced the following proof-of-concept video:

Also in the Patch Tuesday releases, in a rare move Microsoft re-engineered some core components of the Windows operating system in order to mitigate a critical design vulnerability that could allow attackers to gain administrator-level privileges on tens of millions of devices.

“A remote code execution vulnerability exists in how Group Policy receives and applies connection data when a domain-joined system connects to a domain controller,” a Microsoft security advisory states.

“An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, could view, change, or delete data, or could create new accounts with full user rights.”

The vulnerability was first discovered by Jeff Schmidt of JAS Global Advisors in early 2014 while he was working on a research project for ICANN. Schmidt reportedly worked with Microsoft for nearly a year to develop a fix for the issue, which has been described as more serious than Heartbleed, Shellshock, Gotofail or POODLE.

JAS advises that sysadmins for Microsoft environments should immediately consult the Microsoft documentation because the fix involves a completely new feature that has to be configured on Active Directory Clients and Servers.
