Microsoft Fixes Windows 10 Vulnerability But Doesn't (gaining admin-level privileges)

LASER_oneXM
Thread author
Feb 4, 2016
A Google security engineer says Microsoft has failed to properly patch a security flaw affecting Windows 10 and Windows Server 2016 distributions.

The flaw affects the Windows Storage Services, a core OS service that manages file transfers and storage operations. More precisely, the vulnerability affects the "SvcMoveFileInheritSecurity" function that Windows calls every time it wants to move a file.

Flaw lets attackers gain admin rights with ease
Back in November last year, James Forshaw, a software engineer with Google's Project Zero security team, discovered two methods of leveraging this function to elevate a user's privileges on a Windows computer.


The vulnerability, tracked as CVE-2018-0826, allows an attacker to copy or overwrite files to locations it normally shouldn't, such as the \Windows folder.

Since files located in that and other folders are sometimes automatically executed by various trusted applications and even the OS itself, this bug is a good and simple way of gaining admin-level privileges on a Windows system.

Microsoft patches only one of two exploitation methods

But Forshaw says he specifically filed two distinctive bug reports with Microsoft so its engineers would understand there are two ways of exploiting this vulnerability.


Despite his efforts, Forshaw was unpleasantly surprised last week when Microsoft only patched the first method, but not the second.

Forshaw argues that Windows users are still vulnerable to CVE-2018-0482, despite users applying the proper patches as part of the February 2018 Patch Tuesday updates.

The good news is that older Windows versions such as 8.1 and earlier are not affected and that the bug cannot be exploited remotely. Forshaw explains:

This issue is an Elevation of Privilege which allows a normal user to gain administrator privileges. However, in order to execute the exploit you'd have to already be running code on the system at a normal user privilege level. It cannot be attacked remotely (without attacking a totally separate unfixed issue to get remote code execution), and also cannot be used from a sandbox such as those used by Edge and Chrome. The marking of this issue as High severity reflects the ease of exploitation for the type of issue: it's easy to exploit, but it doesn't take into account the prerequisites to exploiting the issue in the first place.