OnMSFT.com

Google researcher exposes unpatched Windows 8.1 security flaw

Dave W. Shanahan
December 13, 2019

A Google researcher who goes by ‘forshaw’ found and reported a privilege escalation bug in Windows 8.1. Forshaw also published a PoC (proof of concept) program for the weakness. In the report, forshaw details how to take advantage of the Windows 8.1 bug:

The PoC has been tested on Windows 8.1 update, both 32 bit and 64 bit versions. I’d recommend running on 32 bit just to be sure. To verify perform the following steps:

1) Put the AppCompatCache.exe and Testdll.dll on disk

2) Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).

3) Execute AppCompatCache from the command prompt with the command line “AppCompatCache.exe c:\\windows\\system32\\ComputerDefaults.exe testdll.dll”.

4) If successful then the calculator should appear running as an administrator. If it doesn’t work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Forshaw does not indicate whether the bug is present in earlier versions of Windows, but the ability to get administrator privileges certainly presents a problem for Microsoft Windows security. A Microsoft spokesperson responded to this threat today in a statement:

We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.

I think Google or the Google researcher forshaw should have notified Microsoft of the bug, as it appears that Microsoft was completely caught off-guard by its public release. However, I guess it is up to Microsoft to make sure that Windows 8.1 is as secure as possible, and it should probably investigate to see if there are any other security flaws that may make Windows 8.1 vulnerable in the future.
