How New Relic takes the guesswork out of IT fixes

Analogue radio given 10-year stay of execution as the UK U-turns on DAB digital future

It's not a Windows 10 release without something breaking so here's a troubleshooter for your OneDrive woes

AWS attempts to woo devs with new tool aimed at porting .NET applications to Linux

Microsoft takes tweaking tongs to Windows 10's Start Menu once again

Scala contributor: Open source and diversity key to tackling dev skills shortage

'90s retro resurrection PowerToys hits 0.19, bringing raft of fixes and a final flash from the desktop

Firefox 78: Protections dashboard, new developer features... and the end of the line for older macOS versions

Barclays Bank appeared to be using the Wayback Machine as a 'CDN' for some Javascript

Fighting BEC and EAC: Why whack-a-mole won’t work

F5 emits fixes for critical flaws in BIG-IP gear: Hopefully yours aren't internet-facing while you ready a patch

Holy Guacamole! Researchers find Apache remote desktop software was silently pwnable for snooping on sessions

Languishing lodash library loophole finally fitted for a fix: It's only taken since October to address security bug

Continuous Lifecycle Online: Just like our London conference – but in your own home. Grab tickets now

Containers to capture 15% of all enterprise apps across 75% of business by 2024

HashiCorp Cloud Platform unveiled – but in private beta for AWS only

Dutch national broadcaster saw ad revenue rise when it stopped tracking users. It's meant to work like that, right?

Brit MPs vote down bid to delay IR35 reforms, press ahead with new tax rules for private-sector contractors

No one can compete with Google... unless it opens its click-and-query data to rivals, says UK markets watchdog

Happy privacy action day in California: If you don't have 'Do not sell my information' in your website footer, you need to read this story right now

Like a Bolt from the blue, Huawei's fledgling AppGallery signs a ride-sharing platform

Cool IT support drones never look at explosions: Time to resolution for misbehaving mouse? Three seconds

'Google cannot stop it, control it or curtail it...' Inside the murky world of fake addiction treatment center search spam

Purism's quest against Intel's Management Engine black box CPU now comes in 14 inches

Geek's Guide

UK government shakes magic money tree, finds $500m to buy a stake in struggling satellite firm OneWeb

Don't beat yourself up for overeating in lockdown. This black hole scoffs equivalent of our Sun every day

UK space firms forced to adjust their models of how the universe works as they lose out on Copernicus contracts

Remember that black hole just 1,000 light years from Earth? Scientists queue up to say it may not exist after all

Detroit cops employed facial recognition algos that only misidentifies suspects 96 per cent of the time

If you wanna make your own open-source chip, just Google it. Literally. Web giant says it'll fab them for free

It's a tough time for digital transformation in the financial services world – but fret not, there’s help at hand

Huawei develops epidemic prevention and control solutions for safer travel

Verity Stob

E-scooter fanboy so hyped for Teesside to host UK's first trial

Erudite, insightful, self-aware and almost human: Give your local database admin a hug – it's DBA Appreciation Day

Well bork me sideways: A railway ticket machine lies down for a little Windoze

Hey, Boeing. Don't celebrate your first post-grounding 737 Max test flight too hard. You just lost another big contract

Security

Windows 7 UAC flaw silently elevates malware access

Weak links in chain of trust

Wed 4 Feb 2009 // 20:19 UTC 13

Got Tips?

Dan Goodin Bio Email

Researchers have uncovered yet another flaw in Microsoft's Windows 7 beta that could allow attackers to gain full administrative privileges by bypassing the operating system's UAC, or user access control.

Researcher Rafael Rivera Jr. has released proof-of-concept code that demonstrates how unauthorized third-party software can elevate its privileges and install a potentially malicious payload on the latest version of Windows, which is still in beta. Researchers warn that anyone using the OS is vulnerable.

"Unfortunately this flaw is not just a single point of failure," writes security blogger Long Zheng. "The breadth of Windows executables is just too many and too diverse and many are exploitable."

The vulnerability stems from Microsoft's attempts to make UAC more palatable by allowing certain applications to make changes to the OS without first prompting the user for permission. Executables that are digitally signed are essentially given fast-track permission under UAC's default configuration. And it turns out many of these third-party executables are in turn able to invoke still more third-party code.

This gives rise to what Zheng calls "piggybacking," in which a proxy executable launches an elevated instance of rundll32.exe, a file that has existed in one form or another since before the days of Windows 95. Rundll32.exe can then point to a malicious payload, and because the payload has inherited the administrative privileges from its authorized parent process, UAC never prompts the user.

Rivera's proof-of-concept uses a one-line file called Catapult.exe as the proxy application that launches the rundll file. That in turn is able to execute a multi-line C++ program called Cake.dll, which reads the current process token and shows an on-screen message box. Of course, an attacker could do much more nefarious things.

A Microsoft spokesman said: "We are not aware of anyone impacted by this issue at this time, but it has already been addressed in a later internal beta build." In the meantime, Windows 7 users may want to set UAC to "high." ®

Tips and corrections

13 Comments

Keep Reading

Let's authenticate: Beyond Identity pitches app-wrapped certificate authority

Enclave-bound service aims to be another nail in the password coffin

Microsoft to pay new bounties for identity services holes

If ye can board Microsoft accounts, Azure AD or even OpenID without the skipper knowing, loot be your reward

UK.gov drives ever further into Nocluesville, crowdsources how to solve digital identity

Look, we're all of out ideas!

Microsoft 365 Business to gain more Azure Active Directory toys... oh, and it's called Microsoft 365 Business Premium (from 21 April)

Because this Office branding shake-up isn't confusing at all

Singapore to require smartphone check-ins at all businesses and will log visitors' national identity numbers

Even parks and train stations encouraged to use QR codes. Which may show the limits of Bluetooth contact-tracing!

Europe's digital identity system needs patching after can_we_trust_this function call ignored

ExplicitKeyTrustEvaluator... True, false? Who cares, just accept it anyway

Talk about unintended consequences: GDPR is an identity thief's dream ticket to Europeans' data

Black Hat Revenge plan morphs into data leak discovery

Hack computers to steal someone's identity in China? Why? You can just buy one from a bumpkin for, like, $3k

Black Hat Exploit an 3l33t zero-day and reverse-shell that backend DB proxy server... or simply pay this farmer off

Tech Resources

Navigating the CTI Noise

We all want better threat intelligence, but it’s not easy to build a CTI program and deliver it considering all the moving parts, people, processes, and technology. Sure you need to gather the data, but how do you separate intel and priorities from the noise? How do you turn this into actionable information that improves the security of your business?

ABOUT US

SITUATION PUBLISHING

The Register - Independent news and views for the tech community. Part of Situation Publishing

SIGN UP TO OUR NEWSLETTERS

Join our daily or weekly newsletters, subscribe to a specific section or set News alerts

Subscribe

Do not sell my personal information Cookies Privacy Ts&Cs

How New Relic takes the guesswork out of IT fixes

Analogue radio given 10-year stay of execution as the UK U-turns on DAB digital future

It's not a Windows 10 release without something breaking so here's a troubleshooter for your OneDrive woes

AWS attempts to woo devs with new tool aimed at porting .NET applications to Linux

Microsoft takes tweaking tongs to Windows 10's Start Menu once again

Scala contributor: Open source and diversity key to tackling dev skills shortage

'90s retro resurrection PowerToys hits 0.19, bringing raft of fixes and a final flash from the desktop

Firefox 78: Protections dashboard, new developer features... and the end of the line for older macOS versions

Barclays Bank appeared to be using the Wayback Machine as a 'CDN' for some Javascript

Fighting BEC and EAC: Why whack-a-mole won’t work

F5 emits fixes for critical flaws in BIG-IP gear: Hopefully yours aren't internet-facing while you ready a patch

Holy Guacamole! Researchers find Apache remote desktop software was silently pwnable for snooping on sessions

Languishing lodash library loophole finally fitted for a fix: It's only taken since October to address security bug

Continuous Lifecycle Online: Just like our London conference – but in your own home. Grab tickets now

Containers to capture 15% of all enterprise apps across 75% of business by 2024

HashiCorp Cloud Platform unveiled – but in private beta for AWS only

Dutch national broadcaster saw ad revenue rise when it stopped tracking users. It's meant to work like that, right?

Brit MPs vote down bid to delay IR35 reforms, press ahead with new tax rules for private-sector contractors

No one can compete with Google... unless it opens its click-and-query data to rivals, says UK markets watchdog

Happy privacy action day in California: If you don't have 'Do not sell my information' in your website footer, you need to read this story right now

Like a Bolt from the blue, Huawei's fledgling AppGallery signs a ride-sharing platform

Cool IT support drones never look at explosions: Time to resolution for misbehaving mouse? Three seconds

'Google cannot stop it, control it or curtail it...' Inside the murky world of fake addiction treatment center search spam

Purism's quest against Intel's Management Engine black box CPU now comes in 14 inches

UK government shakes magic money tree, finds $500m to buy a stake in struggling satellite firm OneWeb

Don't beat yourself up for overeating in lockdown. This black hole scoffs equivalent of our Sun every day

UK space firms forced to adjust their models of how the universe works as they lose out on Copernicus contracts

Remember that black hole just 1,000 light years from Earth? Scientists queue up to say it may not exist after all

Detroit cops employed facial recognition algos that only misidentifies suspects 96 per cent of the time

If you wanna make your own open-source chip, just Google it. Literally. Web giant says it'll fab them for free

It's a tough time for digital transformation in the financial services world – but fret not, there’s help at hand

Huawei develops epidemic prevention and control solutions for safer travel

E-scooter fanboy so hyped for Teesside to host UK's first trial

Erudite, insightful, self-aware and almost human: Give your local database admin a hug – it's DBA Appreciation Day

Well bork me sideways: A railway ticket machine lies down for a little Windoze

Hey, Boeing. Don't celebrate your first post-grounding 737 Max test flight too hard. You just lost another big contract

Security

Windows 7 UAC flaw silently elevates malware access

Weak links in chain of trust

Most Read

'It's really hard to find maintainers...' Linus Torvalds ponders the future of Linux

MIT apologizes, permanently pulls offline huge dataset that taught AI systems to use racist, misogynistic slurs

If you wanna make your own open-source chip, just Google it. Literally. Web giant says it'll fab them for free

Analogue radio given 10-year stay of execution as the UK U-turns on DAB digital future

Barclays Bank appeared to be using the Wayback Machine as a 'CDN' for some Javascript

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Keep Reading

Let's authenticate: Beyond Identity pitches app-wrapped certificate authority

Microsoft to pay new bounties for identity services holes

UK.gov drives ever further into Nocluesville, crowdsources how to solve digital identity

Microsoft 365 Business to gain more Azure Active Directory toys... oh, and it's called Microsoft 365 Business Premium (from 21 April)

Singapore to require smartphone check-ins at all businesses and will log visitors' national identity numbers

Europe's digital identity system needs patching after can_we_trust_this function call ignored

Talk about unintended consequences: GDPR is an identity thief's dream ticket to Europeans' data

Hack computers to steal someone's identity in China? Why? You can just buy one from a bumpkin for, like, $3k

Tech Resources

Navigating the CTI Noise

Unlocking the Cloud-Native Data Layer

Guide to Antivirus (AV) Replacement

10 Examples of Smarter Alerting

ABOUT US

MORE CONTENT

SITUATION PUBLISHING

SIGN UP TO OUR NEWSLETTERS