New Windows Admin Protection Vulnerabilities Discovered by Google Researcher

A Google researcher has identified vulnerabilities in Windows' new Administrator Protection feature, potentially allowing unauthorized admin access.

A recent discovery by James Forshaw, a security researcher at Google’s Project Zero, has revealed multiple vulnerabilities in Microsoft’s new Windows Administrator Protection feature. These vulnerabilities could enable attackers to gain admin privileges on systems where this feature is enabled.

Details of the Vulnerabilities

Forshaw reported a total of nine vulnerabilities in December, primarily related to known issues with User Account Control (UAC). If exploited, these vulnerabilities could undermine the very purpose of Windows Administrator Protection. Currently, this feature is not available to all users; it is only accessible to Insider Canary users.

Mechanics of the Exploit

The Administrator Protection feature is designed to ensure users operate with the least privileges necessary. Users can temporarily elevate their privileges under pre-approved circumstances, and those privileges are revoked automatically once the elevated process finishes. However, Forshaw noted that one of the most significant vulnerabilities he found involved a logon-session flaw that chained together five distinct behaviors within Windows.

This flaw pertains to how Windows manages DOS device object directories for individual logon sessions. Because the kernel creates these directories on demand rather than at logon, it does not verify at creation time whether the requesting user actually holds admin rights. Forshaw explained that by impersonating a shadow admin token, an attacker could induce the kernel to create such a directory and assign ownership of it to the attacker.

Microsoft’s Response

To address this vulnerability, Microsoft has implemented a fix that prevents the creation of DOS device object directories when impersonating a shadow admin token. Forshaw emphasized that this issue highlights not only a bypass of the new protection but also a long-standing UAC bypass that became practically exploitable due to the introduction of the Administrator Protection feature.

Conclusion and Ongoing Concerns

While Microsoft has taken steps to mitigate these vulnerabilities, the exact scope and impact of the exploit remain unclear. As the feature is still in the testing phase, further scrutiny may reveal additional concerns. Users should remain vigilant as Microsoft continues to refine its security measures.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.