Technology

Windows privilege exploit appears after Microsoft patch release

An anonymous researcher published proof-of-concept code for a Windows elevation-of-privilege flaw after Microsoft issued a record patch batch.

Maya Lindqvist

By Maya Lindqvist · Senior Technology Correspondent

2 min read

Windows privilege exploit appears after Microsoft patch release
Photo: Ars Technica

A new Windows zero-day exploit was made public shortly after Microsoft issued a record number of security fixes, according to Ars Technica. The disclosure matters because researchers say the code can let a low-privilege Windows account make sensitive changes tied to an administrator account.

Ars Technica reported that the exploit targets the Windows User Profile Service and has been named HiveLegacy by the researcher who published it. Multiple researchers said the exploit works, according to Ars Technica.

The researcher uses the pseudonym NightmareEclypse, according to Ars Technica. The same researcher has criticized Microsoft’s handling of their bug reports and has now published nine exploits of this kind, Ars Technica reported.

How the exploit works

HiveLegacy is an elevation-of-privilege exploit, according to Ars Technica. It focuses on a weakness in the Windows User Profile Service, a component involved in handling user profile data on Windows systems.

Ars Technica reported that the flaw allows users with limited system rights to compromise an administrator user’s account by changing that account’s classes registry hive. Microsoft documentation describes the Windows registry as a database used by the operating system and applications, and Ars Technica said the classes hive helps Windows Explorer choose the correct application when a user clicks certain file types.

The reported risk is not limited to ordinary user accounts. Ars Technica said processes with limited rights could likely use the same path with additional work, though the published description centered on low-privilege users.

Researcher says code was limited

NightmareEclypse said the proof-of-concept code included with the HiveLegacy report had been stripped down to reduce the chance that attackers could use it maliciously, according to Ars Technica. The disclosure still leaves Microsoft facing pressure to produce a fix for a flaw that is now publicly described.

Ars Technica reported that the timing compounded the problem for Microsoft because the exploit appeared on the same day the company released an unusually large set of patches. A KrebsOnSecurity report linked by Ars Technica described Microsoft’s patch release as a record batch of security fixes.

Microsoft had not been quoted in Ars Technica’s report on any immediate fix for HiveLegacy. Ars Technica described the company as scrambling to address another zero-day disclosed by the pseudonymous researcher.

The episode adds to a public dispute between Microsoft and a researcher who says the company has mishandled bug reports, according to Ars Technica. For Windows administrators, the immediate issue is that researchers say the exploit works and affects privilege boundaries between low-rights users and administrator accounts.

This story draws on original reporting from Ars Technica.