New major security scare for Windows

Rik · Nov 25, 2010, 09:46:47

El Reg reports that:

QuoteAntimalware provider Prevx has sounded the alarm about a serious vulnerability in fully patched versions of Microsoft Windows. It allows attackers to execute malware, even in versions designed to withstand such exploits.

Technical details have already been published on a Chinese forum, leading to speculation that it won't be long before attackers exploit it in the wild.

"This could potentially become a nightmare due to the nature of the flaw," Prevx researcher Marco Giuliani wrote here. "We expect to see this exploit being actively used by malwares very soon – it's an opportunity that malware writers surely won't miss."

The flaw resides in the win32k.sys part of the Windows kernel and results from an API known as NtGdiEnableEUDC that fails to properly vet user input for harmful content. Attackers can exploit the bug to redirect overwritten return memory addresses to malicious code, which is then executed with kernel mode privileges. As a result, the flaw allows even users or processes with limited privileges to execute code will elevated rights.

"Being a privilege escalation exploit, it bypasses by design even the protection given by the User Account Control technology implemented in Windows Vista and Windows 7," Giuliani said. "All Windows XP/Vista/7 both 32 and 64 bit are vulnerable to this attack."

Microsoft "is aware of the issue and it is under investigation," according to a statement, which a spokeswoman attributed to Jerry Bryant, Group Manager of the company's Response Communications.

Bring back the BBC Micro!

Glenn · Nov 25, 2010, 09:57:48

Time you moved to 64 bit OS.

Gary · Nov 25, 2010, 10:01:17

Quote from: Glenn on Nov 25, 2010, 09:57:48
Time you moved to 64 bit OS.

Even that's not completely safe Glenn

Glenn · Nov 25, 2010, 10:03:17

No OS will ever be sadly.

Gary · Nov 25, 2010, 10:04:20

Quote from: Glenn on Nov 25, 2010, 10:03:17
No OS will ever be sadly.

Very true Glenn, right now it just seems to be getting a whole lot worse quite quickly though, saying that this time of year is know for it.

pctech · Nov 25, 2010, 11:29:47

Oh dear, not good.

DarkStar · Nov 25, 2010, 11:33:19

Link to the Prevx blog by Marco on this, they will have a fix in the next couple of days.

http://www.prevx.com/blog.asp

No good going to 64 bit, thats as vulnerable as 32 bit with this one.
Best move to Linux

D-Dan · Nov 25, 2010, 12:18:53

Quote from: DarkStar on Nov 25, 2010, 11:33:19
No good going to 64 bit, thats as vulnerable as 32 bit with this one.
Best move to Linux

I'm glad someone else said it this time; I was starting to sound repetitive

Steve

JB · Nov 25, 2010, 12:21:19

.

DarkStar · Nov 25, 2010, 16:34:08

Update: Prevx have now released an update that protects it's users

http://www.prevx.com/blog/162/Windows-day-exploit-QA-session.html

Quick work

Rik · Nov 25, 2010, 16:36:29

Impressive, Ian.

Niall · Nov 25, 2010, 22:01:03

Quote from: Rik on Nov 25, 2010, 09:46:47
El Reg reports that:

Bring back the BBC Micro!

I've got an Acorn Electron somewhere in the house

Rik · Nov 26, 2010, 10:21:53

It's worth more than you paid for it.

pctech · Nov 27, 2010, 00:09:03

Quick question about Prevx if I may as am not too familiar with the product.

Is the on access scanner enabled in the free edition and if so is this for a limited period only?

Gary · Nov 27, 2010, 08:09:09

Quote from: pctech on Nov 27, 2010, 00:09:03
Quick question about Prevx if I may as am not too familiar with the product.

Is the on access scanner enabled in the free edition and if so is this for a limited period only?

The free edition will pinpoint infection without a time limit Mitch, but to use it to remove malware by letting it downloading the tools it needs, and to monitor where you surf with safe online you need a sub.

pctech · Nov 27, 2010, 08:53:38

Cheers Gary.

I'll have to cough up then.

pctech · Dec 02, 2010, 10:47:37

Coughed up for a 12 month Prevx licence last night as seems a really good product.

Ran a full scan and it picked up three pieces of what it termed as cloaked malware that MSE completely missed.

Gary · Dec 02, 2010, 11:42:07

Quote from: pctech on Dec 02, 2010, 10:47:37
Coughed up for a 12 month Prevx licence last night as seems a really good product.

Ran a full scan and it picked up three pieces of what it termed as cloaked malware that MSE completely missed.

If you ever think you have a false positive Mitch the forum on Wilders is great, and you can talk directly to the guys who came up with the program who will do what they can to sort the issues out, they even will do remote sessions if you have conflicts to see what's going on

pctech · Dec 02, 2010, 13:08:53

Cheers, I did join a while ago and they seem quite good on there.

Niall · Dec 02, 2010, 19:09:28

You know, I have to wonder if this sort of thing is just to promote anti malware companies, or to get people to buy more 64bit operating systems.

DorsetBoy · Dec 02, 2010, 19:29:33

Quote from: Niall on Dec 02, 2010, 19:09:28
You know, I have to wonder if this sort of thing is just to promote anti malware companies, or to get people to buy more 64bit operating systems.

Why when it affects both 32 and 64 bit versions of Windows?

Niall · Dec 02, 2010, 23:44:53

Oops, I thought it was just 32bit. That's what you get when reading a thread and looking at AV update lists at the same time