Nov 25, 2010 13:23 GMT

Details of a zero-day vulnerability affecting Windows 7, as well as Windows Vista and Windows XP, have been published publicly.

Security outfit Prevx discovered the new, unpatched security flaw in Windows and shared the details publicly, revealing that a successful exploit lets an attacker elevate the privileges of a non-administrator account.

According to Chester Wisniewski, a Senior Security Advisor at Sophos Canada, the vulnerability can be exploited not only for elevation of privilege (EoP), but also to circumvent security mitigations built into Vista and Windows 7, in this particular case User Account Control (UAC).

Wisniewski explained that the vulnerability resides at the core of the Windows operating system.

“The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel,” Wisniewski said.

“The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.”

Wisniewski also put together a video demonstrating an exploit that uses the proof of concept provided by Prevx.

The attack can be watched in the video embedded at the bottom of this page. Wisniewski is, of course, already running code on the machine as a local user, which is what this bug requires; but a vulnerability like this can be chained with another flaw that provides that initial foothold, such as a remote code execution bug in an application running as a standard user, to do far more harm to a PC than EoP alone.

On its own, the vulnerability does not allow an attacker to perform remote code execution on an affected system.

“The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems.

“On its own, this bug does not allow remote code execution (RCE), but does enable non-administrator accounts to execute code as if they were an administrator,” Wisniewski added.

He also explains how a mitigation can be applied through the Windows registry in order to render the current exploits ineffective.
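The article does not reproduce the mitigation or name the registry key involved. The PowerShell below is an added example, not code from the article, Sophos or Prevx: it audits which principals hold write-capable rights on a registry key and then rewrites the key's ACL so that only SYSTEM and Administrators can modify it, which is the shape a registry-permissions workaround takes when, as the article says, the key is under the full control of non-privileged users. The key path used here is an assumed placeholder; substitute the key named in the advisory. The function names `Get-KeyWriters` and `Protect-RegistryKey` are this example's own.

```powershell
# Added example (not from the article or from Sophos/Prevx).
# ASSUMPTION: the key path below is a placeholder, created here only so the
# script runs stand-alone; the article does not name the real key.

function Get-KeyWriters {
    # Return the 'Allow' access-control entries that carry any write-capable
    # right on the key: set values, create subkeys, delete, change ACL or owner.
    param([Parameter(Mandatory)][string]$KeyPath)

    $writeBits = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                       [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                       [System.Security.AccessControl.RegistryRights]::Delete -bor
                       [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                       [System.Security.AccessControl.RegistryRights]::TakeOwnership)

    (Get-Acl -Path $KeyPath).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights) -band $writeBits) -ne 0
        } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

function Protect-RegistryKey {
    # Replace the key's ACL with: SYSTEM and Administrators full control,
    # BUILTIN\Users read-only. Inheritance from the parent key is cut so the
    # parent's permissive entries no longer flow down.
    param([Parameter(Mandatory)][string]$KeyPath)

    $acl = Get-Acl -Path $KeyPath

    # Stop inheriting and discard the inherited entries rather than copying them.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every remaining explicit entry so the new DACL starts from a clean slate.
    foreach ($rule in @($acl.Access)) {
        [void]$acl.RemoveAccessRule($rule)
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None

    $entries = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Users';          Rights = 'ReadKey' }
    )
    foreach ($e in $entries) {
        $ace = New-Object System.Security.AccessControl.RegistryAccessRule($e.Id, $e.Rights, $inherit, $none, 'Allow')
        $acl.AddAccessRule($ace)
    }

    Set-Acl -Path $KeyPath -AclObject $acl
}

# Usage on a throwaway demo key (ASSUMED placeholder, not the key from the advisory).
$key = 'HKCU:\Software\ExampleVendor\UserWritableKey'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

Write-Host "Write-capable entries before:"
Get-KeyWriters -KeyPath $key | Format-Table -AutoSize

Protect-RegistryKey -KeyPath $key

Write-Host "Write-capable entries after (expect only SYSTEM and Administrators):"
Get-KeyWriters -KeyPath $key | Format-Table -AutoSize
```

Run it from an elevated prompt and confirm the second listing no longer shows the user or BUILTIN\Users. One caveat a practitioner should keep in mind: a key under HKCU is owned by that user, and an owner always retains the implicit right to change the key's permissions, so code already running as the user can put the write rights back. A permissions workaround like this defeats the published proof of concept but does not close the bug; it buys time until the kernel fix is installed.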