No operating system is threat-proof, and every user knows this. There is an ongoing battle between software companies on the one hand and hackers on the other, and there appear to be many vulnerabilities hackers can take advantage of, especially when it comes to the Windows OS.
At the beginning of August, we reported on Windows 10’s SilentCleanup processes, which attackers can use to slip malware through the UAC gate onto users’ computers. According to recent reports, this is not the only vulnerability hiding in Windows’ UAC.
A new UAC bypass that yields elevated privileges has been detected in all Windows versions. The vulnerability is rooted in the OS’s environment variables and allows hackers to control child processes and change environment variables.
How does this new UAC vulnerability work?
An environment is a collection of variables used by processes or users. These variables can be set by users, by programs or by the Windows OS itself, and their main role is to make Windows processes flexible.
Environment variables set by a process are available to that process and its children. This per-process environment is volatile: it exists only while the process is running and disappears completely, leaving no trace at all, when the process ends.
There is also a second type of environment variable, which persists across the entire system and survives every reboot. These can be set in the system properties by administrators, or directly by changing registry values under the Environment key.
Hackers can use these variables to their advantage. They can plant a malicious copy of the C:\Windows folder and trick the system variables into using resources from that folder instead, allowing them to load malicious DLLs into the system while avoiding detection by the system’s antivirus. The worst part is that this behavior remains active after each reboot.
Environment variable expansion in Windows allows an attacker to gather information about a system prior to an attack and eventually take complete and persistent control of the system at a time of their choosing, by running a single user-level command or, alternatively, by changing one registry key.
This vector also lets attacker code, in the form of a DLL, load into legitimate processes of other vendors or of the OS itself and masquerade its actions as those of the target process, without having to use code injection techniques or memory manipulation.
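A defender-side audit of the persistent variables described above, added here as an example (Python; not code from the original article or from Microsoft): it flags a per-user redefinition of a system-locating variable, or any such variable that no longer resolves beneath the system root. The sample registry contents are constructed, the install location is assumed to be C:\Windows, and on a real host the two dictionaries would be read from the registry with winreg.

```python
import ntpath
import re
from typing import Dict, List, Tuple
# Variables processes use to locate Windows system resources; redirecting any of
# them changes where programs and DLLs load from. Machine-wide values live under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment, per-user ones
# under HKCU\Environment (read both with winreg on a real host).
SENSITIVE = {"systemroot", "windir", "comspec"}
EXPECTED_ROOT = r"C:\Windows"  # assumed install location; adjust if it differs
_REF = re.compile(r"%([^%]+)%")

def expand(value: str, env: Dict[str, str], depth: int = 8) -> str:
    """Expand %NAME% references case-insensitively, as Windows does; unknown
    names stay literal and depth bounds self-referencing chains."""
    lookup = {k.lower(): v for k, v in env.items()}
    for _ in range(depth):
        new = _REF.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)
        if new == value:
            break
        value = new
    return value

def inside(path: str, root: str) -> bool:
    """True if path is root itself or lies beneath it (case-insensitive)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")

def audit(system_env: Dict[str, str], user_env: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (scope, name, reason) findings for redirected or user-shadowed variables."""
    findings = []
    for scope, env in (("system", system_env), ("user", user_env)):
        for name, raw in env.items():
            if name.lower() not in SENSITIVE:
                continue
            if scope == "user":
                # Belongs in machine-wide scope only; a per-user copy is the
                # redirection the article describes.
                findings.append((scope, name, "defined in per-user scope: " + raw))
            resolved = expand(raw, {**system_env, **env})
            if not inside(resolved, EXPECTED_ROOT):
                findings.append((scope, name, "resolves outside %s: %s" % (EXPECTED_ROOT, resolved)))
    return findings

# Constructed sample registry contents (not taken from any real machine).
SAMPLE_SYSTEM = {"SystemRoot": r"C:\Windows", "windir": r"%SystemRoot%",
                 "ComSpec": r"%SystemRoot%\system32\cmd.exe"}
SAMPLE_USER = {"TEMP": r"%USERPROFILE%\AppData\Local\Temp",
               "SystemRoot": r"C:\Users\alice\AppData\Local\Windows"}  # redirected
```

Running `audit(SAMPLE_SYSTEM, SAMPLE_USER)` reports the per-user SystemRoot twice: once for existing in user scope at all, once because it resolves outside C:\Windows.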
Microsoft doesn’t think this vulnerability constitutes a security emergency, but will nevertheless patch it in the future.