Warning: New UAC vulnerability affects all Windows versions

By: Madeleine Dean

No operating system is threat-proof and every user knows this. There is an ongoing battle between software companies, on the one hand, and hackers, on the other hand. It appears there are many vulnerabilities hackers can take advantage of, especially when it comes to the Windows OS.

At the beginning of August, we reported on the Windows 10 SilentCleanup processes, which attackers can use to slip malware through the UAC gate onto users' computers. According to recent reports, this is not the only vulnerability hiding in Windows' UAC.

A new UAC bypass with elevated privileges has been detected in all Windows versions. This vulnerability is rooted in the environment variables of the OS, and allows hackers to control child processes and change environment variables.

How does this new UAC vulnerability work?

An environment is a collection of variables used by processes or users. These variables can be set by users, programs or the Windows OS itself and their main role is to make the Windows processes flexible.

Environment variables set by processes are available to that process and its children. The environment created by process variables is a volatile one, existing only while the process is running, and disappears completely, leaving no trace at all, when the process ends.

There is also a second type of environment variables, which are present across the entire system after every reboot. They can be set in the system properties by administrators, or directly by changing registry values under the Environment key.

Hackers can use these variables to their advantage. They can use a malicious C:/Windows folder copy and trick system variables into using the resources from the malicious folder, allowing them to infect the system with malicious DLLs, and avoid being detected by the system’s antivirus. The worst part is that this behavior remains active after each reboot.

Environment variable expansion in Windows allows an attacker to gather information about a system prior to an attack and eventually take complete and persistent control of the system at the time of choice by running a single user-level command, or alternatively, changing one registry key.

This vector also lets the attacker's code, in the form of a DLL, load into legitimate processes of other vendors or the OS itself and masquerade its actions as the target process' actions without having to use code injection techniques or memory manipulations.
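As an added example (not from the original article, the researchers, or Microsoft), this PowerShell audit lists persistent per-user values under the Environment registry key that shadow system path variables. The variable names checked and the two registry paths are assumptions based on the standard Windows locations, since the article names neither.

```powershell
# Added example: audit persistent environment variables (run as the user being checked).
# ASSUMPTION: this name list is chosen for illustration; the article names no variable.
$ProtectedNames = 'windir', 'SystemRoot', 'SystemDrive', 'ProgramFiles', 'ProgramData', 'ComSpec'
# Standard Windows locations of the per-user and machine-wide Environment keys.
$UserKey    = 'HKCU:\Environment'
$MachineKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Get-RawEnvValues {
    param([Parameter(Mandatory)][string]$Path)
    $values = @{}                     # PowerShell hashtable keys are case-insensitive
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $key) {
        foreach ($name in $key.GetValueNames()) {
            # Read the stored string without expanding %VAR% references.
            $values[$name] = $key.GetValue($name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        }
    }
    return $values
}

$user    = Get-RawEnvValues -Path $UserKey
$machine = Get-RawEnvValues -Path $MachineKey

$findings = @(foreach ($name in $user.Keys) {
    if ($ProtectedNames -contains $name) {
        [pscustomobject]@{
            Name = $name; UserValue = $user[$name]; MachineValue = $machine[$name]
            Reason = 'per-user value shadows a system path variable'
        }
    }
})

# Cross-check: the Windows directory reported by the API versus the variable in this session.
$apiWinDir = [Environment]::GetFolderPath([Environment+SpecialFolder]::Windows)
if ($env:windir -and ($env:windir.TrimEnd('\') -ne $apiWinDir.TrimEnd('\'))) {
    $findings += [pscustomobject]@{
        Name = 'windir (session)'; UserValue = $env:windir; MachineValue = $apiWinDir
        Reason = 'session value differs from the directory the OS reports'
    }
}

if ($findings.Count -eq 0) { 'No per-user overrides of system path variables found.' }
else { $findings | Format-List }
```

Because the per-user Environment key can be changed without elevation, any hit is worth tracing back to the process or installer that wrote it.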

Microsoft doesn’t think this vulnerability constitutes a security emergency, but will nevertheless patch it in the future.
