
InfoSec Handlers Diary Blog - SANS Internet Storm Center

A vulnerability in Microsoft Windows known as "Follina", tracked by Microsoft as CVE-2022-30190, became public at the end of May 2022 after a malicious Word document exploiting it was found in the wild. The bug is in the Microsoft Support Diagnostic Tool (MSDT, msdt.exe) that ships with Windows, and it was covered by the handlers at the SANS Internet Storm Center.

In short:

Follina is a remote code execution vulnerability: a crafted document, or any file or link that invokes the ms-msdt: URL protocol, makes msdt.exe run attacker-supplied PowerShell with the rights of the user who opened it. It is not a privilege escalation in itself, but the attacker ends up with everything that user has. It affects every Windows version that ships MSDT, from Windows 7 and Server 2008 R2 up to Windows 11 and Server 2022.

Microsoft published an advisory for CVE-2022-30190 with a workaround on 30 May 2022, before a fix existed, and shipped the fix in the June 2022 Patch Tuesday updates. Install those updates. Until every system has them, apply Microsoft's workaround: disable the ms-msdt URL protocol handler by exporting and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key, so that ms-msdt: links no longer launch msdt.exe. Do not disable the Windows Update service; that prevents the fix from arriving and protects nothing.
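The workaround Microsoft published for CVE-2022-30190, scripted as an added example for an elevated PowerShell session. This is not code from the original diary; the backup path and the Defender ASR rule at the end are assumptions (the rule only applies where Microsoft Defender is the endpoint product).

```powershell
# Added example: apply Microsoft's Follina workaround (disable the ms-msdt: URL handler),
# verify it, and keep a backup so the key can be restored once the June 2022 fix is installed.
# Run elevated. $backup is an assumed location.

$key    = "HKEY_CLASSES_ROOT\ms-msdt"
$backup = Join-Path $env:SystemRoot "Temp\ms-msdt-backup.reg"

if (Test-Path "Registry::$key") {
    # Step 1: back the key up (reg.exe /y overwrites an existing backup without prompting)
    reg.exe export $key $backup /y | Out-Null
    # Step 2: remove the protocol handler so Windows has nothing to hand ms-msdt: URLs to
    reg.exe delete $key /f | Out-Null
    Write-Host "ms-msdt protocol handler removed; backup written to $backup"
} else {
    Write-Host "ms-msdt key already absent: workaround applied earlier or MSDT not present"
}

# Verify: False means ms-msdt: links can no longer start msdt.exe
Test-Path "Registry::$key"

# Defence in depth, assumed Microsoft Defender environment: stop Office applications from
# spawning child processes at all. This GUID is Microsoft's ASR rule
# "Block all Office applications from creating child processes".
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
                 -AttackSurfaceReductionRules_Actions Enabled

# After the June 2022 (or later) cumulative update is confirmed installed, restore the key:
#   reg.exe import $backup
```

Roll the key deletion out through your management tooling rather than by hand, and treat the ASR rule as a separate control: it blocks the Word-to-msdt.exe launch but not the Explorer preview-pane path for RTF files, which is why the registry workaround is the primary mitigation.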

The vulnerability came to light when the nao_sec research team spotted a malicious Word document, uploaded to VirusTotal from Belarus on 27 May 2022, that executed code without containing any macros. Kevin Beaumont named it "Follina" after 0438, the area code of the Italian town of Follina, which appears in the sample's file name. Because no macros are involved, the usual macro-blocking defences do not apply.

The document carries an external OLE object relationship whose target is an attacker-controlled web page. When Word opens the document it fetches that page, and script on the page navigates to an ms-msdt: URL. Windows hands the URL to the Microsoft Support Diagnostic Tool, which launched the requested troubleshooter and passed the /param values into the troubleshooting script without sanitising them; that script evaluated one of the parameters with PowerShell, so the attacker's command ran as the user who opened the document. User Account Control is not involved at any point: nothing is elevated, the code simply runs with the rights the user already has. Protected View blocks the remote fetch for documents marked as coming from the internet, but the RTF variant is triggered by the Explorer preview pane without the file ever being opened, so Protected View cannot be relied on.
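A triage check for the delivery mechanism described above, written as an added example rather than code from the diary: it unpacks a .docx (a ZIP of XML parts), lists every OLE object relationship whose target is external, and separately flags the ms-msdt: scheme in any fetched HTML or RTF text. The sample document and the HTML snippet are constructed here and are not real malware; the hostname example.invalid and the file names are assumptions.

```python
"""Added example: flag Follina-style delivery artefacts in a .docx and in fetched HTML/RTF text."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_ole_targets(docx_bytes):
    """Return (rels_part, target) for every oleObject relationship with TargetMode="External".

    A benign embedded object points at an internal part such as embeddings/oleObject1.bin;
    an external target means Word will fetch content from elsewhere when the file is opened.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode", "Internal").lower() == "external":
                    hits.append((name, rel.get("Target")))
    return hits


def msdt_invocations(text, context=60):
    """Return a snippet for each ms-msdt: occurrence in text (e.g. the fetched HTML page or an RTF)."""
    return [text[m.start():m.start() + context] for m in MSDT_RE.finditer(text)]


def build_sample_docx(ole_target, external=True):
    """Construct a minimal .docx in memory (constructed test data, not a real sample)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId9" Type="{OLE_REL}" Target="{ole_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed stand-in for the page such a document would fetch; the real payload is not reproduced.
SAMPLE_HTML = '<html><script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param ...";</script></html>'


if __name__ == "__main__":
    suspicious = build_sample_docx("http://example.invalid/payload.html")
    benign = build_sample_docx("embeddings/oleObject1.bin", external=False)
    print("external OLE targets (suspicious):", external_ole_targets(suspicious))
    print("external OLE targets (benign):   ", external_ole_targets(benign))
    print("ms-msdt: hits in fetched HTML:   ", msdt_invocations(SAMPLE_HTML))
```

An external oleObject target is not proof of Follina on its own, but it is rare in legitimate documents and is the hook every variant of this attack needs, so it is a cheap first filter for a mail gateway or a sandbox; the ms-msdt: check belongs on whatever the document fetches, since the document itself usually does not contain the scheme.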

The June 2022 update changes msdt.exe so that the parameters in an ms-msdt: URL are no longer evaluated as code, which closes the path the in-the-wild document used; once it is installed the registry workaround can be reverted. The root cause is worth understanding because it is a class, not a one-off: a URL protocol handler that trusts whatever the caller puts in the URL.

That class produced a second MSDT bug within weeks. A related flaw in how MSDT handles diagnostic package (.diagcab) files, CVE-2022-34713, known publicly as "DogWalk", was fixed in the August 2022 updates, so the June update alone does not close every route through MSDT. Keep the tool patched, and where nobody in the environment needs ms-msdt: links, leave the protocol handler disabled.

