Recently, Google researchers discovered a local privilege escalation vulnerability in Windows that was being used in zero-day attacks, including those carried out by the Pawn Storm espionage group. Microsoft was able to release a patch by the next Patch Tuesday, November 8. This entry provides a complete analysis of the vulnerability based on samples acquired in the wild.
This is an easily exploitable vulnerability present in all supported versions of Windows, from Windows 7 to Windows 10. The exploit code we’ve seen in the wild only affects 64-bit versions of Windows, although both 32- and 64-bit versions have the underlying flaw. Let us examine this vulnerability in some detail to understand the techniques used by the attacker. By changing a single bit, the attacker can elevate the privileges of a thread, giving administrator access to a process that would not have it under normal circumstances.