Windows Security Bypassed by Modifying a Single Bit by Researchers

Windows operating systems security from XP to current version Window 10 can be bypassed with a single bit

Microsoft on Tuesday released privilege escalation vulnerability in its security bulletins which according to researchers, can be exploited by malicious actors to bypass all the security measures in Windows operating system by modifying a single bit.

Microsoft says that an attacker who manages to log in to the targeted system can “gain elevated privileges and read arbitrary amounts of kernel memory,” which would allow them to install software, view and change data, and create new accounts with full administrative rights.

Udi Yavo, the chief technology officer at the security firm Ensile says that “The vulnerability (CVE-2015-0057) is rated as “important,” which could give attackers total control of the victims’ machines.”

Yavo further said that “A threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization.”

Yavo continued, “Interestingly, the exploit requires modifying only a single bit of the Windows operating system.”

The flaw existed in the graphical user interface (GUI) component of the Win32k.sys module within the Windows Kernel which, among other things, manages vertical and horizontal Windows’ scroll bars. The flaw actually resides in the xxxEnableWndSBArrows function which could alter the state of both scroll bars through a call.

The exploit works on all versions of the operating system, from Windows XP to the 64-bit version of the latest Windows 10 Technical Preview (with protections enabled). The attack method can be used to bypass kernel protections such as Kernel Data Execution Prevention (DEP), Kernel Address Space Layout Randomization (KASLR), Mandatory Integrity Control (MIC), Supervisor Mode Execution Protection (SMEP), and NULL deference protection, the researcher said.

“We have shown that even a minor bug can be used to gain complete control over any Windows Operating System,” Yavo said. He also commented that Microsoft efforts to make the its operating system more secure has raised the bar significantly and made writing reliable exploits far harder than before. Unfortunately, these methods are not going to stop attackers. We predict that attackers will continue incorporating exploits into their crime kits, making compromise inevitable.”

Th researchers have also published a PoC video demonstrating the vulnerability, though it doesn’t actually disclose any sensitive code, but shows the privilege escalation exploitation on a machine running 64-bit Windows 10 Technical Preview.

Microsoft’s patch issues are nothing new,before this, In January, Bromium security researcher Jared DeMott demonstrated that the Heap Isolation and Delay Free mitigations can be bypassed.

CVE-2015-0057 is not the only interesting vulnerability patched by Microsoft on Tuesday. The company has also released updates for a critical remote code execution flaw (CVE-2015-0008) caused due to the way Group Policy receives and applies policy data when a domain-joined system connects to a domain controller. On the other hand, Microsoft still hasn’t addressed a recently disclosed universal cross-site scripting (UXSS) vulnerability affecting Internet Explorer.