SoylentNews

butthurt writes:

Malware authors have a new UAC bypass technique at their disposal that they can use to install malicious apps on devices running Windows 10.

Responsible for discovering this new UAC bypass method is a German student that goes online by the name of Christian B., currently working on his master's thesis, centered on UAC bypass techniques.

The technique he came up with is a variation on another Windows 10 UAC bypass method discovered by security researcher Matt Nelson in August 2016.

While Nelson's method used the built-in Event Viewer utility (eventvwr.exe), Christian's UAC bypass uses the fodhelper.exe file, located at:

C:\Windows\System32\fodhelper.exe

If this file name isn't familiar to you, this is the window that appears when you press the "Manage optional features" option in the "Apps & features" Windows Settings screen.

Both techniques work in the same way and take advantage of what's called "auto-elevation," which is a state that Microsoft assigns to trusted binaries (files signed with Microsoft certificate, and located in trusted locations such as "C:\Windows\System32").

Just like eventvwr.exe, fodhelper.exe is also a trusted binary, meaning Windows 10 won't show a UAC window when launched into execution, or when other processes spawn from the fodhelper.exe parent process.

The technique employs changing the value of a registry key to contain the command to be executed. Since fodhelper.exe is trusted, the command is executed without the UAC prompt. The article continues with how to avoid the exploit. First off, do NOT run as an Administrator by default. Second, set the UAC level to "Always notify."

—Bleeping Computer

Original Submission