Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Thursday May 25 2017, @11:08PM   Printer-friendly
from the another-day-another-UAC-bypass dept.

Malware authors have a new UAC bypass technique at their disposal that they can use to install malicious apps on devices running Windows 10.

Responsible for discovering this new UAC bypass method is a German student that goes online by the name of Christian B., currently working on his master's thesis, centered on UAC bypass techniques.

The technique he came up with is a variation on another Windows 10 UAC bypass method discovered by security researcher Matt Nelson in August 2016.

While Nelson's method used the built-in Event Viewer utility (eventvwr.exe), Christian's UAC bypass uses the fodhelper.exe file, located at:

C:\Windows\System32\fodhelper.exe

If this file name isn't familiar to you, this is the window that appears when you press the "Manage optional features" option in the "Apps & features" Windows Settings screen.

Both techniques work in the same way and take advantage of what's called "auto-elevation," which is a state that Microsoft assigns to trusted binaries (files signed with Microsoft certificate, and located in trusted locations such as "C:\Windows\System32").

Just like eventvwr.exe, fodhelper.exe is also a trusted binary, meaning Windows 10 won't show a UAC window when launched into execution, or when other processes spawn from the fodhelper.exe parent process.

The technique employs changing the value of a registry key to contain the command to be executed. Since fodhelper.exe is trusted, the command is executed without the UAC prompt. The article continues with how to avoid the exploit. First off, do NOT run as an Administrator by default. Second, set the UAC level to "Always notify."

Bleeping Computer


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Friday May 26 2017, @08:30AM (1 child)

    by Anonymous Coward on Friday May 26 2017, @08:30AM (#515886)

    Do you have a point?
    ...besides the one on the top of your head?

    -- OriginalOwner_ [soylentnews.org]

  • (Score: 0) by Anonymous Coward on Friday May 26 2017, @08:33AM

    by Anonymous Coward on Friday May 26 2017, @08:33AM (#515889)

    You seem to be missing it, actually.