
Windows UAC Bypass Permits Code Execution (threatpost.com)

msm1267 writes from a report via Threatpost: A Windows UAC bypass has been publicly disclosed that not only bypasses the security feature meant to prevent unauthorized installs, but can be used to run code on compromised machines without leaving a trace on the hard disk. The bypass relies on Event Viewer (eventvwr.exe), a native Windows feature used to view event logs locally or remotely. Researcher Matt Nelson said he figured out a way to use eventvwr to hijack a registry process, start PowerShell and execute commands on Windows machines; he collaborated with fellow researcher Matt Graeber on a proof-of-concept exploit, which was tested against Windows 7 and 10. A report published today by Nelson said it would work against any version of the OS that implements UAC. An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up. Microsoft, the researcher said, does not consider UAC bypasses a security boundary worthy of a bulletin and patch. It's unclear how Microsoft will address this issue.
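Added here as a defender's example (not from the Threatpost report, the Slashdot post, or Nelson and Graeber's proof of concept): a PowerShell check for a per-user "mscfile" open handler, the kind of user-writable registry association the summary describes eventvwr being tricked by. It assumes the key path HKCU:\Software\Classes\mscfile\shell\open\command, which the summary does not name, and the function name Test-MscfileHandlerHijack is the example's own.

```powershell
# Added example for defenders; not part of the Slashdot post or the PoC.
# Event Viewer opens .msc files through the "mscfile" association, and the
# per-user hive (HKCU:\Software\Classes) is consulted before the machine-wide
# one, so a user-writable handler here changes what the auto-elevated process
# launches. On a clean system this per-user key is normally absent.
# Assumed key path (not named in the summary):
$HijackKey = 'HKCU:\Software\Classes\mscfile\shell\open\command'

function Test-MscfileHandlerHijack {
    [CmdletBinding()]
    param(
        [string]$Path = $HijackKey,
        [switch]$Remediate   # remove the per-user handler if it looks hijacked
    )

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{
            Path = $Path; Present = $false; Command = $null; Suspicious = $false
        }
    }

    # The default value of the key is the command line that gets launched.
    $cmd = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'(default)'

    # Anything that is not the expected mmc.exe launch string is suspicious,
    # and so is any reference to a script host or shell.
    $suspicious = ($null -eq $cmd) -or
                  ($cmd -notmatch '(?i)\\mmc\.exe') -or
                  ($cmd -match '(?i)powershell|cmd\.exe|mshta|wscript|cscript')

    if ($Remediate -and $suspicious) {
        # Legitimate software does not normally register a per-user mscfile
        # handler, so removing the whole per-user subtree restores the
        # machine-wide default.
        Remove-Item -Path 'HKCU:\Software\Classes\mscfile' -Recurse -Force
    }

    [pscustomobject]@{
        Path = $Path; Present = $true; Command = $cmd; Suspicious = $suspicious
    }
}

# Report for the current user; add -Remediate to clean up a flagged handler.
Test-MscfileHandlerHijack | Format-List
```

Run it under each interactive user account, since the check only covers the hive of the user executing it.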

2 of 79 comments

  1. Doesn't break what UAC is intended for. by nuckfuts · Score: 5, Insightful

    UAC isn't intended to be some kind of inviolable security mechanism. It's more of a simple alert that some process is trying to make changes to your system - a nice thing to know if you weren't expecting it. The fact that you can bypass the UAC prompt when already on the computer with administrative rights is pretty non-consequential.

  2. Improving windows! by jdavidb · Score: 2, Insightful

    The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up.

    Thank goodness! I've been looking for a way around those annoying popups ever since they first arrived in Windows, and I know I'm not the only one.