Alter One Bit, Bypass Security

Monday, February 16, 2015 @ 09:02 AM gHale

A privilege escalation vulnerability that can be exploited to bypass all security measures in Windows by modifying a single bit was among the vulnerabilities fixed this week.

The vulnerability (CVE-2015-0057), rated “important,” affects the Windows kernel-mode driver (Win32k.sys) and is the result of improper handling of objects in memory.


An attacker who manages to log in to the targeted system can “gain elevated privileges and read arbitrary amounts of kernel memory,” which would allow them to install software, view and change data, and create new accounts with full administrative rights, Microsoft researchers said.

The security hole was reported to Microsoft two months ago by the security firm enSilo. The firm created a fully working exploit that can bypass all security measures by modifying a single bit in the operating system, enSilo CTO Udi Yavo said in a blog post.

“A threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization,” Yavo said.

The exploit works on all versions of the operating system, from Windows XP to the 64-bit version of the latest Windows 10 Technical Preview (with protections enabled). The attack method can bypass kernel protections such as Kernel Data Execution Prevention (DEP), Kernel Address Space Layout Randomization (KASLR), Mandatory Integrity Control (MIC), Supervisor Mode Execution Protection (SMEP), and NULL dereference protection, Yavo said.

“We have shown that even a minor bug can be used to gain complete control over any Windows Operating System,” Yavo said. “Nevertheless, we think that Microsoft efforts to make its operating system more secure raised the bar significantly and made writing reliable exploits far harder than before. Unfortunately, these measures are not going to keep attackers at bay. We predict that attackers will continue incorporating exploits into their crime kits, making compromise inevitable.”
