Malware authors have a new UAC bypass technique at their disposal that they can use to install malicious apps on devices running Windows 10.
Responsible for discovering this new UAC bypass method is a German student that goes online by the name of Christian B., currently working on his master's thesis, centered on UAC bypass techniques.
The technique he came up with is a variation on another Windows 10 UAC bypass method discovered by security researcher Matt Nelson in August 2016.
While Nelson's method used the built-in Event Viewer utility (eventvwr.exe), Christian's UAC bypass uses the fodhelper.exe file, located at:
C:\Windows\System32\fodhelper.exe
If this file name isn't familiar to you, this is the window that appears when you press the "Manage optional features" option in the "Apps & features" Windows Settings screen.
Both techniques work in the same way and take advantage of what's called "auto-elevation," which is a state that Microsoft assigns to trusted binaries (files signed with Microsoft certificate, and located in trusted locations such as "C:\Windows\System32").
Just like eventvwr.exe, fodhelper.exe is also a trusted binary, meaning Windows 10 won't show a UAC window when launched into execution, or when other processes spawn from the fodhelper.exe parent process.
The technique employs changing the value of a registry key to contain the command to be executed. Since fodhelper.exe is trusted, the command is executed without the UAC prompt. The article continues with how to avoid the exploit. First off, do NOT run as an Administrator by default. Second, set the UAC level to "Always notify."
(Score: 3, Insightful) by FatPhil on Friday May 26 2017, @10:32AM
When idiots build something insecure around MS Windows, it's the idiots' fault.
When idiots build something insecure around Linux, it's the idiots' fault.
When engineers build something secure around MS Windows, and it's still insecure, then it's Microsoft's fault, but also the engineers' fault for chosing MS Windows.
When engineers build something secure around Linux, then everyone's happy.
MS Windows and Linux cannot be compared as equals. (They may of course be compared in order to contrast them.)
Idiots and engineers likewise cannot be compared as equals. (Ditto)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves