Malware authors have a new UAC bypass technique at their disposal that they can use to install malicious apps on devices running Windows 10.
Responsible for discovering this new UAC bypass method is a German student who goes online by the name of Christian B., currently working on his master's thesis, which is centered on UAC bypass techniques.
The technique he came up with is a variation on another Windows 10 UAC bypass method discovered by security researcher Matt Nelson in August 2016.
While Nelson's method used the built-in Event Viewer utility (eventvwr.exe), Christian's UAC bypass uses the fodhelper.exe file, located at:
C:\Windows\System32\fodhelper.exe
If this file name isn't familiar to you, this is the window that appears when you press the "Manage optional features" option in the "Apps & features" Windows Settings screen.
Both techniques work in the same way and take advantage of what's called "auto-elevation," a state that Microsoft assigns to trusted binaries (files signed with a Microsoft certificate and located in trusted locations such as "C:\Windows\System32").
Just like eventvwr.exe, fodhelper.exe is a trusted binary, meaning Windows 10 won't show a UAC window when it is launched, or when other processes are spawned from the fodhelper.exe parent process.
The technique works by changing the value of a registry key to contain the command to be executed. Because fodhelper.exe is trusted, that command runs without a UAC prompt. The article continues with how to avoid the exploit. First, do NOT run as an Administrator by default. Second, set the UAC level to "Always notify."
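The two mitigations the summary names (don't run as Administrator by default; set UAC to "Always notify") can be checked from an administrator's side. The following PowerShell script is an added example, not code from the article or from the researcher; it reads the documented UAC policy values under the Policies\System registry key and reports whether the machine is in the configuration where auto-elevating binaries skip the prompt while the logged-on account is a local administrator. The function names and the "exposure" field are this example's own.

```powershell
# Added example: audit the UAC posture relevant to auto-elevation bypasses.
# Registry path and value names are the standard Windows UAC policy values;
# the table mapping ConsentPromptBehaviorAdmin to its meaning is the documented one.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    $p = Get-ItemProperty -Path $uacKey
    $enableLua = [int]$p.EnableLUA
    $consent   = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    # Documented meanings of ConsentPromptBehaviorAdmin.
    $meaning = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }

    # The "Always notify" slider position is consent=2 with the secure desktop on.
    # Only at this level do auto-elevating Microsoft binaries still raise a prompt.
    $alwaysNotify = ($enableLua -eq 1 -and $consent -eq 2 -and $secure -eq 1)

    # Is the current token already elevated?
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenElevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Is the account a member of local Administrators at all? Even a filtered
    # (non-elevated) token of such an account is the "running as Administrator by
    # default" situation the article warns about.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $inAdmins = $null -ne ($localAdmins | Where-Object { $_.Name -eq $identity.Name })

    [pscustomobject]@{
        EnableLUA                    = $enableLua
        ConsentPromptBehaviorAdmin   = "$consent ($($meaning[$consent]))"
        PromptOnSecureDesktop        = $secure
        AlwaysNotify                 = $alwaysNotify
        TokenElevated                = $tokenElevated
        AccountInLocalAdministrators = $inAdmins
        # Hypothetical summary field: both mitigations are missing.
        AutoElevationExposure        = (-not $alwaysNotify) -and $inAdmins
    }
}

function Set-UacAlwaysNotify {
    # Moves the slider to its top position. Must itself be run from an elevated prompt.
    Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

Get-UacPosture | Format-List
```

Run Get-UacPosture from a normal prompt on each machine you manage; an AutoElevationExposure of True means the account would be affected by this class of bypass, and Set-UacAlwaysNotify (from an elevated prompt, or the equivalent Group Policy setting) closes the auto-elevation side of it. Changes to these values take effect at the next logon.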
(Score: 1, Interesting) by Anonymous Coward on Friday May 26 2017, @01:11PM (2 children)
One of these days Windows will finally be ready for the desktop.
You gotta be kidding me that this is still an issue in Windows land 30 years later. How many years did it take them to not launch autoexec.bat by default when you plugged in a device?
(Score: 2) by Kromagv0 on Friday May 26 2017, @01:40PM (1 child)
It was autorun.inf not autoexec.bat
(Score: 0) by Anonymous Coward on Friday May 26 2017, @03:47PM
Yes, indeed, you are correct. I'm certainly showing my age when referring to autoexec.bat.