Attackers can bypass Windows’ protections by changing a single bit
Among the many vulnerabilities that Microsoft patched on Tuesday is one that can be exploited to bypass all Windows security measures by, curiously enough, modifying a single bit of the Windows operating system.
This privilege escalation vulnerability (CVE-2015-0057) is present in the Win32k.sys module, which is the GUI component of Microsoft Windows Kernel. Among other things, the module handles windows’ scrollbars.
EnSilo CTO Udi Yavo discovered the flaw, and the company’s researchers have managed to create a working exploit for all supported Windows desktop versions, including Windows 10 Technical Preview.
“Over the last several years, privilege escalation vulnerabilities became all the more crucial for exploitation because they enable malicious code to run on the kernel. As such, a threat actor exploiting a privileged escalation vulnerability can bypass protective security mechanisms such as application sandboxes,” Yavo explained.
The exploit they created defeats all of Windows’ defenses, including Microsoft’s own Enhanced Mitigation Experience Toolkit (EMET), Supervisor Mode Execution Protection (SMEP), NULL Dereference Protection, kernel DEP, and so on.
In order for the exploit to be deployed, an attacker would have to first gain access to a Windows machine.
More details about the vulnerability can be found in this technical post, and the researchers have also included a video demonstrating the exploit:
What they didn’t include is the exploit code, or details about it, so that they can at least delay a bit its recreation by hackers.