
Microsoft patches Windows Administrator Protection bypass vulnerabilities

As reported by The Register, Microsoft has addressed multiple security vulnerabilities that could have allowed attackers to bypass its new Windows Administrator Protection feature before its general release. These flaws, reported by Google's Project Zero, could have enabled silent elevation of administrative privileges.

Security researcher James Forshaw identified nine vulnerabilities in December, many of them rooted in long-standing User Account Control (UAC) weaknesses. The most significant was a logon-session issue in how Windows creates the per-logon-session DOS device object directory, the object-manager directory that holds a session's drive-letter symbolic links such as C:. By setting the token's owner (through the TokenOwner information class; the report names NtQueryInformationToken, but that API only reads token information, while NtSetInformationToken writes it), an attacker could become the owner of the directory created for the session and thereby gain control over it.

The bypass was practical because Administrator Protection runs the elevated process in a freshly created logon session, so the DOS device directory for that session does not exist yet and is created on demand; combined with the other mitigations, that left a window in which the attacker, as owner of the directory, could redefine the C: drive letter for the elevated session and point it at an attacker-controlled location. Microsoft patched this by refusing to create the DOS device object directory when the caller is impersonating a shadow admin token. That a UAC bypass previously known but not exploitable became practical once Administrator Protection was introduced underscores how tightly coupled security mechanisms are: a new control can invalidate the assumptions an older one relied on.
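To make the mechanism concrete, the script below, added here and not taken from The Register's report, Project Zero's write-up or Microsoft, uses the documented Win32 APIs QueryDosDevice and DefineDosDevice to find the DOS device directory that the current logon session uses, check where C: resolves inside that session, and show that an ordinary user can add a drive-letter mapping of their own to that per-session namespace (with a spare letter, not C:). The \Sessions\0\DosDevices\<hi>-<lo> path format, T: being an unused letter, C:\Windows\Temp existing, and the \Device\HarddiskVolumeN check for a local volume are assumptions of this example, not facts stated by the article.

```powershell
# Added example, not code from The Register, Project Zero or Microsoft.
# Inspects the DOS device namespace of the *current* logon session with the
# documented Win32 APIs QueryDosDevice and DefineDosDevice.
# Assumptions (not stated by the article): the object-manager path format
# \Sessions\0\DosDevices\<hi>-<lo>, that T: is an unused drive letter, that
# C:\Windows\Temp exists, and that a local C: resolves to \Device\HarddiskVolumeN.

Add-Type -Namespace Win32 -Name DosDev -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool DefineDosDevice(uint dwFlags, string lpDeviceName, string lpTargetPath);
'@

$DDD_REMOVE_DEFINITION = 0x2

function Get-DosDeviceTarget {
    param([string]$DeviceName)
    $buf = New-Object System.Text.StringBuilder 1024
    $len = [Win32.DosDev]::QueryDosDevice($DeviceName, $buf, [uint32]$buf.Capacity)
    if ($len -eq 0) {
        throw "QueryDosDevice($DeviceName) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # QueryDosDevice fills a MULTI_SZ; the .NET marshaller stops at the first
    # NUL, which is the mapping the session currently resolves.
    return $buf.ToString()
}

# 1. Identify this process's logon session and the DosDevices directory it uses.
$logonSid  = (whoami /logonid).Trim()          # form S-1-5-5-<hi>-<lo>
$parts     = $logonSid.Split('-')
$dosDevDir = '\Sessions\0\DosDevices\{0:x8}-{1:x8}' -f [uint32]$parts[-2], [uint32]$parts[-1]   # assumed format
"Logon session $logonSid uses $dosDevDir"

# 2. Audit: in this session, does C: still resolve to a local volume?
$cTarget = Get-DosDeviceTarget 'C:'
if ($cTarget -match '^\\Device\\HarddiskVolume\d+$') {
    "C: -> $cTarget (local volume, as expected)"
} else {
    Write-Warning "C: -> $cTarget is not a local volume; inspect $dosDevDir for a per-session redirect"
}

# 3. Drive letters are per logon session and user-controlled: map a spare letter
#    the way subst.exe does, read it back through the same namespace, then remove it.
if (Test-Path 'T:\') {
    Write-Warning 'T: already exists; skipping the mapping demonstration'
} else {
    if (-not [Win32.DosDev]::DefineDosDevice(0, 'T:', 'C:\Windows\Temp')) {
        throw "DefineDosDevice failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # Resolves to \??\C:\Windows\Temp, and only for this logon session.
        "T: -> $(Get-DosDeviceTarget 'T:')"
    } finally {
        $null = [Win32.DosDev]::DefineDosDevice($DDD_REMOVE_DEFINITION, 'T:', $null)
    }
}
```

Run it from an unelevated PowerShell prompt; the mapping in step 3 lands in the per-session directory printed in step 1 rather than in the machine-wide \GLOBAL?? namespace, which is exactly why control of that directory is enough to redirect a drive letter for every process, including an elevated one, that resolves paths through the same logon session.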

Source: The Register
