Windows 10 Flaw Leaves Door Open for Malware

Microsoft's Windows 10 operating system offers increased security, but it's not perfect. A newly found vulnerability lets attackers circumvent User Account Control (UAC), the prompt that normally stands between a program and full administrator rights, and that is meant to keep malware and other unwanted software from silently taking over a PC.

Security researchers Matt Graeber and Matt Nelson discovered the flaw and outlined it on Nelson's enigma0x3 blog, detailing how Windows 10's built-in SilentCleanup scheduled task can be leveraged to let malware bypass UAC.

Many users know UAC as the prompt that asks whether to allow a program to make changes to the computer. The new bypass lets malware run with full administrator privileges without that prompt ever appearing, even though the malware was started by an ordinary, unelevated process that has no administrator rights of its own.


We typically recommend that most computer users don't use an administrator account for daily activity, as it leaves their system open to all sorts of attacks. That advice still holds here: UAC only filters the token of an account that has administrator rights, so, like every UAC bypass, this one needs such an account, and a true standard account gives the task no administrator token to use. What UAC was supposed to add on top, a prompt before any program gets those rights, is exactly what this technique removes, because the SilentCleanup task and the Disk Cleanup utility it launches run with the highest privileges available to the user by default, which leaves every Windows 10 administrator account exposed.

The bypass works through the SilentCleanup scheduled task, which launches the system-optimizing utility Disk Cleanup (cleanmgr.exe). The task is configured by default to run as the Users group with its "Run with highest privileges" setting enabled, so an unelevated process can start it and Disk Cleanup comes up with a full administrator token, no prompt required. When it runs, Disk Cleanup creates a temporary folder under the user's own %TEMP% directory and copies a helper executable (DismHost.exe) together with the .DLL (Dynamic Link Library) files it needs into that folder, then loads the DLLs from there. DLLs are libraries of code that can't be run on their own but are loaded by another program. Because the folder lives under the user's profile, Windows gives the user write access to it, and the researchers found that any other DLL could be dropped into the folder in place of one of the originals (they replaced LogProvider.dll, the last one loaded) and would then run with the highest privileges.

This is a classic DLL hijack: an application goes to load a DLL by name from a folder it trusts, and a bad actor has swapped in a malicious DLL under that name. The user doesn't have to be tricked into anything. Malware already running as the user (unelevated, with no administrator rights) starts the task, waits for Disk Cleanup's temporary folder to appear, and overwrites one of the DLLs before it is loaded. And since SilentCleanup and Disk Cleanup run with the highest privileges, the malicious DLL inherits that administrator token and is given complete access to edit your system and wreak havoc.

Nelson and Graeber say they reported the flaw to the Microsoft Security Response Center on July 20, and that the company responded that it wasn't a security issue. According to Nelson, Microsoft's position is that UAC is not a security boundary, so it doesn't classify UAC bypasses as security vulnerabilities and will not fix them as such.

At the same time, this bypass gives attackers a practical new way to hit users, because unlike many earlier UAC bypasses it doesn't inject code into an already-elevated process, a behavior that security software normally flags; all it does is write a file. Nelson and Graeber describe how to mitigate the problem by disabling the SilentCleanup task, but doing so turns off a default maintenance job that helps keep Windows running smoothly. Instead, the researchers argue, Microsoft should stop running Disk Cleanup with the highest privileges from a task that any user can start.
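As an added example that is not part of the original article or of the researchers' post, the PowerShell script below audits a Windows 10 machine for the two task properties the bypass relies on, a "Run with highest privileges" setting combined with a security descriptor that lets non-administrators start the task, and with the -DisableSilentCleanup switch applies the mitigation described above. It goes beyond the specific case in the text by listing every enabled task with that combination, not just SilentCleanup. It assumes the default task location \Microsoft\Windows\DiskCleanup\SilentCleanup and that it is run from an elevated prompt (needed to read every task's security descriptor and to disable the task); the function names are this example's own.

```powershell
# Added example; not code from the original article or from the enigma0x3 post.
# Lists scheduled tasks that combine the two properties the SilentCleanup
# bypass relies on: the task runs with highest privileges (full admin token,
# no UAC prompt) and its DACL lets non-administrators start it on demand.
# With -DisableSilentCleanup it also disables that task, which is the
# mitigation the researchers described. Assumed: the default task location
# \Microsoft\Windows\DiskCleanup\SilentCleanup and an elevated prompt
# (needed to read every task's security descriptor and to disable the task).
param([switch]$DisableSilentCleanup)

$schedule = New-Object -ComObject 'Schedule.Service'
$schedule.Connect()

function Test-NonAdminCanRun {
    param([string]$TaskPath, [string]$TaskName)
    # IRegisteredTask.GetSecurityDescriptor(4) returns the DACL as SDDL,
    # e.g. "D:(A;;GRGX;;;BU)...". An allow ACE for Users (BU),
    # Authenticated Users (AU) or Everyone (WD) means a standard user can
    # start the task. Heuristic: the access mask itself is not decoded.
    $folderPath = $TaskPath.TrimEnd('\')
    if (-not $folderPath) { $folderPath = '\' }   # tasks in the root folder
    $task = $schedule.GetFolder($folderPath).GetTask($TaskName)
    $sddl = $task.GetSecurityDescriptor(4)
    return [bool]($sddl -match '\(A;[^)]*;;;(BU|AU|WD)\)')
}

function Get-NonAdminElevatedTask {
    foreach ($t in Get-ScheduledTask) {
        if ($t.Principal.RunLevel -ne 'Highest') { continue }
        if ($t.State -eq 'Disabled') { continue }
        try {
            if (-not (Test-NonAdminCanRun -TaskPath $t.TaskPath -TaskName $t.TaskName)) { continue }
        } catch {
            continue   # skip tasks whose security descriptor we cannot read
        }
        $action = $t.Actions | Select-Object -First 1
        # Group principals (such as "Users") carry GroupId instead of UserId.
        $runAs = if ($t.Principal.UserId) { $t.Principal.UserId } else { $t.Principal.GroupId }
        [pscustomobject]@{
            Task    = "$($t.TaskPath)$($t.TaskName)"
            RunAs   = $runAs
            Command = "$($action.Execute) $($action.Arguments)".Trim()
        }
    }
}

$findings = @(Get-NonAdminElevatedTask)
if ($findings.Count -eq 0) {
    Write-Host 'No enabled highest-privilege tasks are startable by non-administrators.'
} else {
    # On a stock Windows 10 build of this era, SilentCleanup shows up here as
    # \Microsoft\Windows\DiskCleanup\SilentCleanup running cleanmgr.exe.
    $findings | Format-Table -AutoSize
}

if ($DisableSilentCleanup) {
    $silent = $findings | Where-Object Task -eq '\Microsoft\Windows\DiskCleanup\SilentCleanup'
    if ($silent) {
        # Side effect: the automatic disk-cleanup maintenance job stops running.
        Disable-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' -TaskName 'SilentCleanup' | Out-Null
        Write-Host 'Disabled \Microsoft\Windows\DiskCleanup\SilentCleanup'
    }
}
```

Run it as `.\Audit-ElevatedTasks.ps1` to list findings, or `.\Audit-ElevatedTasks.ps1 -DisableSilentCleanup` to also apply the mitigation. The DACL check is deliberately a heuristic on the SDDL string: it flags any allow entry for a broad group rather than decoding the access mask, so treat a hit as a task worth reviewing, not as proof it is exploitable; other tasks in the list still need the second ingredient, an elevated process that loads code from a user-writable location, before they become a UAC bypass.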
