November 29, 2010, 11:08AM

Exploit Code Out For New Windows Kernel Flaw

Security experts are warning about a newly discovered local privilege escalation bug in the Windows kernel that affects most of the current versions of the operating system, including Vista and Windows 7.

The new Windows kernel bug is considered a critical vulnerability, even though it can't be exploited remotely, because an attacker could use it to gain powerful credentials on a compromised system and take complete control of the machine. Also, there is publicly available exploit code for the bug affecting Windows 7 and Windows Vista. Security firm Prevx said that it had seen exploits in the wild, but that they're not usable against older Windows versions.

The flaw is a stack overflow in the NtGdiEnableEUDC API, which an attacker could use to escalate his privileges once he's on a system, the company said. There is no patch available for the bug yet.

"This flaw allows all software, even if run from a limited account, to gain system privileges. We see many drive-by attacks, which make use of application exploits to drop malware on vulnerable machines. While there are still a huge number of customers who are used to running their operating system with administrative privileges, most users are using limited accounts or administrator accounts in Admin Approval Mode (User Account Control). Using a limited account gives them a great advantage versus malware, because it limits the vulnerable surface the malware can damage. This 0-day exploit allows a malware that has already been dropped on the system to bypass these limitations and get the full control of the system," Prevx said in a blog post.

Local vulnerabilities typically aren't considered critical, but the location of the EnableEUDC bug and the availability of exploit code have heightened the level of concern.


Copyright © 2012 threatpost.com