Researchers Bypass All Windows Protections by Modifying a Single Bit

One of the security bulletins released by Microsoft on Tuesday fixes a privilege escalation vulnerability which, according to researchers, can be exploited by malicious actors to bypass all the security measures in Windows by modifying a single bit.

The vulnerability (CVE-2015-0057), rated “important,” affects the Windows kernel-mode driver (Win32k.sys) and is caused by the improper handling of objects in memory. According to Microsoft, an attacker who manages to log in to the targeted system can “gain elevated privileges and read arbitrary amounts of kernel memory,” which would allow them to install software, view and change data, and create new accounts with full administrative rights.

The security hole was identified and reported to Microsoft a few months ago by the security firm enSilo. In a blog post published on Tuesday, enSilo CTO Udi Yavo revealed that they have created a fully working exploit that can be used to bypass all security measures by modifying a single bit in the operating system.

“A threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization,” explained Yavo.

The exploit works on all versions of the operating system, from Windows XP to the 64-bit version of the latest Windows 10 Technical Preview (with protections enabled). The attack method can be used to bypass kernel protections such as Kernel Data Execution Prevention (DEP), Kernel Address Space Layout Randomization (KASLR), Mandatory Integrity Control (MIC), Supervisor Mode Execution Protection (SMEP), and NULL deference protection, the researcher said.

“We have shown that even a minor bug can be used to gain complete control over any Windows Operating System,” Yavo said. “Nevertheless, we think that Microsoft efforts to make the its operating system more secure raised the bar significantly and made writing reliable exploits far harder than before. Unfortunately, these measures are not going to keep attackers at bay. We predict that attackers will continue incorporating exploits into their crime kits, making compromise inevitable.”

Researchers have published some technical details on the vulnerability along with a proof-of-concept video. However, they haven’t made available the actual exploit to prevent abuse.

This isn’t the first time Microsoft’s protections are bypassed. In January, Bromium security researcher Jared DeMott demonstrated that the Heap Isolation and Delay Free mitigations can be bypassed.

CVE-2015-0057 is not the only interesting vulnerability patched by Microsoft on Tuesday. The company has also released updates for a critical remote code execution flaw (CVE-2015-0008) caused due to the way Group Policy receives and applies policy data when a domain-joined system connects to a domain controller. On the other hand, Microsoft still hasn’t addressed a recently disclosed universal cross-site scripting (UXSS) vulnerability affecting Internet Explorer.