Windows 0-day drops the same day Microsoft releases record number of patches

In a recent discussion, Will Dormann, a senior principal vulnerability analyst at Tharros Labs, shed light on a concerning vulnerability that could grant attackers significant control over systems. He emphasized that if an attacker can configure a system to execute their code upon the admin user’s login, they effectively gain administrator privileges without needing to be an admin themselves.

Understanding the Vulnerability

Dormann elaborated on the implications of this vulnerability, stating that the capability for a non-admin user to modify the classes registry hive of an admin user represents a potent exploit. “Clever attackers or individuals with specific goals will likely devise methods to leverage this weakness in ways that are more sophisticated and may not even require user interaction,” he noted.

Furthermore, he indicated that this exploit could potentially be combined with another vulnerability that provides direct access to an administrative account, amplifying the risk.

Another analyst provided insight into the technical workings of the vulnerability, explaining that when a new user logs on, Windows must load the user’s class hive. Since the user is not yet logged in, this process occurs within the context of NT AUTHORITYSYSTEM, which is where the LegacyHive vulnerability can be exploited.

In response to the vulnerability report, Microsoft acknowledged its awareness and stated that it is currently investigating the matter. The company also expressed its preference for vulnerability reporters to adhere to a coordinated disclosure policy.

Protecting Against HiveLegacy

For Windows users concerned about the HiveLegacy vulnerability, independent researcher Kevin Beaumont has published a detection script that can help safeguard systems. Additional defensive measures include:

  • Restricting the creation of local non-user accounts.
  • Monitoring the ProfSvc for any unexpected hive loads.
  • Tracking activity related to NTUSER.DAT and UsrClass.dat files.

As the investigation unfolds, users are encouraged to remain vigilant and proactive in securing their systems against potential threats.

Winsage
Windows 0-day drops the same day Microsoft releases record number of patches