Today, Microsoft released their latest Patch Tuesday. This patch includes a fix for vulnerability CVE-2015-0057, an IMPORTANT-rated exploitable vulnerability which we responsibly disclosed to Microsoft a few months ago. As part of our research, we revealed this privilege escalation vulnerability which, if exploited, enables a threat actor to take complete control of a Windows machine. In other words, a threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization.
Interestingly, the exploit requires modifying only a single bit of the Windows operating system.
Fascinating.
“In other words, a threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization.”
If the “Threat Actor” has gained access to the Windows machine through a phishing campaign, then they already have access. So this vulnerability needs user-level access to the machine to use.
Reads like “the machine is already owned, if it is already owned.”
No, it just needs any access and can then elevate itself to SYSTEM. The video shows a guest account doing just that.
++
So even if you set up a computer with reduced privileges for your grandmother, or in an office, etc.; it won’t matter, those machines would still be just as vulnerable as giving everyone an admin account.
Not to mention a user could also use this to escalate themselves – even if indirectly. So if someone stole a machine and got into the guest account, they could unlock the remainder of the machine and get into private files.
Edited 2015-02-11 17:44 UTC
But considering most Windows users are administrators, even today, this vulnerability is not necessary, as if you phish the user, odds are you are admin on that box.
I am not sure what the video shows. Does it work on a system where the file win32k.sys is modified or not?
In other words: If I run this exploit on a fully patched system, will it need to change the file on the disk first (by 1 bit) or does it only need to flip this 1 bit in memory in the program?
It is privilege escalation. Only means how pwned you get if you get pwned.
Far from it. That means that even if you’re a smart user and take precautions, you’re still pwned as hard as the average unsuspecting idiot.
No, because the attacker needs user-level access to the machine to exploit the vulnerability, so if they have no access, they get no access. Smart users should be OK. It’s the multitude of dumb ones you have to worry about, but that is nothing new.
I wonder which bit they set. The “Trust Me!!!” bit, the “Evil” bit, or both in the “I am NSA” bit?
Edited 2015-02-11 17:57 UTC
Definitely the NSA bit.
In all seriousness, this is what backdoors really look like.
You can’t even tell the difference between them, and real honest to goodness security bugs.
This was expected. If open-source OpenSSL, with the amount of security crowd reading and re-reading its source code, got so seriously pwned, Windows with its otherwise poor security practices and secret goo all over the sources was sure to follow.
The interesting question is: how many similar (or even more severe) vulnerabilities are to follow?
I am amazed that there still are people who don’t assume multiple vulnerabilities in proprietary software.
If you read the article, it’s a very subtle bug. OpenSSL, on the other hand, didn’t get much review prior to the recent bugs. It might as well have been proprietary for as many qualified people reviewed it. I’m often the first one criticizing Microsoft for a security bug, but this one wasn’t that obvious. Certainly less obvious than the Apple goto fail bug.
Yeah, out of all the options, I wouldn’t use OpenSSL as a shining example of Open Source vs. Closed Source.
I agree that OpenSSL is not the most reviewed (and definitely not the easiest to review) project, but it definitely had more attention from security specialists than most other SSL-related projects (at least before LibreSSL was forked). And definitely much more review than the average open-source piece of software, even ones as well known as OpenOffice or Inkscape. OpenSSL wasn’t reviewed openly and systematically in the sense that OpenBSD reviews their code, but anyway it had its share of eyes. FWIW, otherwise we would never have heard of Heartbleed.
Anyway, my point was that proprietary software should be presumed to have multiple vulnerabilities, because there is no realistic way to prove otherwise. In this sense each and every security issue with Windows should not be unexpected.
Edited 2015-02-12 13:15 UTC
From the article, this exploit is applicable to all Windows versions as far back as Windows XP.
Wondering if the patch provided by Microsoft can be installed on Windows XP.
Interestingly, Windows 2000 is not mentioned. It is however unclear if this is because the exploit has not been attempted on it or that the exploit failed.
As a sidebar, although we (humble users) think in terms of our desktop, should it be presumed that this exploit also applies to the Server versions of Windows?
On how poor the security design of Windows really is.
The big WTF for me is why Windows needs kernel support for UPDATING A SCROLLBAR! Probably historical, but seems quite unnecessary!
You can user-draw almost everything in Windows with the right callback. Hence the skin engines (WindowBlinds comes to my mind).
Apparently straight from the horse’s mouth, in the bridle registry.
But even most safes can be opened with a single bit, and a powerful enough drill.