Despite a proof of concept (PoC) showing the vulnerability can be exploited, Microsoft says it will not be issuing a patch. White-hat researcher John Page (a.k.a. hyp3rlinx) discovered and disclosed the Windows vulnerability. Under normal operations, edits to the registry bring up a security warning dialog box stating “are you sure you want to continue?” and presenting a “Yes” or “No” choice. It’s a simple step to stop unwitting users from screwing up Windows. Page has found a zero-day that allows someone to alter the text of this dialog box. For example, the box could be edited to swap the Yes and No options, meaning that when a user clicks No they are really choosing Yes.
Attack Method
As the researcher points out, users could be caught out relatively easily. He detailed his findings and published his proof-of-concept in a report on Monday. The PoC shows how an attacker could plant a persistent remote code-execution backdoor onto a target machine.

“When opening a Windows .reg file, User Account Control (UAC) will launch, asking the user if they want to allow the program to make changes to their computer,” Page told Threatpost. “This is like the first line of defense and requires the user to click through it, unless for some reason UAC has been turned off. So, Windows UAC helps to prevent unauthorized changes to the system.”

“I was able to spoof the Windows registry dialog box security warning messages displayed to the user by creating a .reg file, using certain encoded characters %n %1 %0 along with my message within the filename itself, e.g. ‘Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg’. This enabled me to override the dialog warnings with my own instructions, basically telling the user to click ‘Yes’ instead of ‘No’ if they do not trust the file, making them think it will be cancelled when they click ‘Yes’.”
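Because the spoofing relies entirely on the filename, a defender can flag suspect .reg files before a user ever sees the prompt, for example when scanning mail attachments or file-share listings. The script below is an added example written for this article, not code from the researcher or from Microsoft. It checks a filename for the %n, %1 and %0 escapes quoted above and for an unusual density of single-character percent escapes; the threshold of three escapes is an assumption chosen here, and the sample names (other than the proof-of-concept name quoted in the article) are constructed.

```python
import re
from typing import Dict, List

# Constructed sample filenames. The first is the proof-of-concept name quoted
# in the article; the other two are invented here as benign controls.
SAMPLE_FILENAMES = [
    "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg",
    "office-settings.reg",
    "report%20final.reg",
]

# A percent sign followed by a single letter or digit, e.g. %e, %n, %1.
PERCENT_TOKEN = re.compile(r"%[A-Za-z0-9]")

# The escapes the researcher named as the ones that alter the dialog text.
DIALOG_ESCAPES = ("%n", "%1", "%0")

# Heuristic threshold (assumption): a benign filename rarely carries this
# many single-character percent escapes.
TOKEN_THRESHOLD = 3


def reg_filename_findings(filename: str) -> List[str]:
    """Return the reasons a .reg filename looks crafted to spoof the
    registry-import warning dialog. An empty list means nothing was flagged."""
    if not filename.lower().endswith(".reg"):
        return []            # only .reg files trigger the registry prompt
    stem = filename[:-4]     # drop the extension before inspecting the name
    findings: List[str] = []

    present = [esc for esc in DIALOG_ESCAPES if esc in stem]
    if present:
        findings.append("contains dialog-altering escapes: " + ", ".join(present))

    tokens = PERCENT_TOKEN.findall(stem)
    if len(tokens) >= TOKEN_THRESHOLD:
        findings.append(f"{len(tokens)} percent escapes in name (>= {TOKEN_THRESHOLD})")
    return findings


def scan(filenames) -> Dict[str, List[str]]:
    """Map each flagged filename to its findings; unflagged names are omitted."""
    result: Dict[str, List[str]] = {}
    for name in filenames:
        findings = reg_filename_findings(name)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_FILENAMES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the samples, only the proof-of-concept name is reported, with both findings; a URL-style name such as `report%20final.reg` passes because a single `%2` token is below the threshold and none of the named escapes appear. Flagged names can then be quarantined or routed to manual review rather than relying on the user to read a prompt the filename may have rewritten.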
No Official Action
As bad as the attack itself is the bad actor’s ability to cover their tracks: the dialog box will behave as the user expects even if they made the wrong choice. Perhaps the most worrying aspect of this case is that Microsoft will not issue a patch to fix this bug. The company argues the issue is not severe enough to warrant a security update. Page disagrees and says this could be a relatively easy attack method for hackers. “When a dangerous file type like .reg file can have its default security warnings and dialog behavior tampered with, this is to me a vulnerability and potential attack vector.”