Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researchers Bypass All Windows Protections by Modifying a Single Bit

One of the security bulletins released by Microsoft on Tuesday fixes a privilege escalation vulnerability which, according to researchers, can be exploited by malicious actors to bypass all the security measures in Windows by modifying a single bit.

One of the security bulletins released by Microsoft on Tuesday fixes a privilege escalation vulnerability which, according to researchers, can be exploited by malicious actors to bypass all the security measures in Windows by modifying a single bit.

The vulnerability (CVE-2015-0057), rated “important,” affects the Windows kernel-mode driver (Win32k.sys) and is caused by the improper handling of objects in memory. According to Microsoft, an attacker who manages to log in to the targeted system can “gain elevated privileges and read arbitrary amounts of kernel memory,” which would allow them to install software, view and change data, and create new accounts with full administrative rights.

The security hole was identified and reported to Microsoft a few months ago by the security firm enSilo. In a blog post published on Tuesday, enSilo CTO Udi Yavo revealed that they have created a fully working exploit that can be used to bypass all security measures by modifying a single bit in the operating system.

“A threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization,” explained Yavo.

The exploit works on all versions of the operating system, from Windows XP to the 64-bit version of the latest Windows 10 Technical Preview (with protections enabled). The attack method can be used to bypass kernel protections such as Kernel Data Execution Prevention (DEP), Kernel Address Space Layout Randomization (KASLR), Mandatory Integrity Control (MIC), Supervisor Mode Execution Protection (SMEP), and NULL deference protection, the researcher said.

“We have shown that even a minor bug can be used to gain complete control over any Windows Operating System,” Yavo said. “Nevertheless, we think that Microsoft efforts to make the its operating system more secure raised the bar significantly and made writing reliable exploits far harder than before. Unfortunately, these measures are not going to keep attackers at bay. We predict that attackers will continue incorporating exploits into their crime kits, making compromise inevitable.”

Researchers have published some technical details on the vulnerability along with a proof-of-concept video. However, they haven’t made available the actual exploit to prevent abuse.

This isn’t the first time Microsoft’s protections are bypassed. In January, Bromium security researcher Jared DeMott demonstrated that the Heap Isolation and Delay Free mitigations can be bypassed.

CVE-2015-0057 is not the only interesting vulnerability patched by Microsoft on Tuesday. The company has also released updates for a critical remote code execution flaw (CVE-2015-0008) caused due to the way Group Policy receives and applies policy data when a domain-joined system connects to a domain controller. On the other hand, Microsoft still hasn’t addressed a recently disclosed universal cross-site scripting (UXSS) vulnerability affecting Internet Explorer.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.