A concerning security vulnerability has been discovered in Windows’ UI Automation (UIA) framework, enabling attackers to bypass EDR solutions and conduct malicious activities undetected. Security researcher Tomer Peled from Akamai has revealed this significant finding.
Key Attacker Capabilities:
– Attackers can harvest sensitive data
– Redirect browsers to phishing sites
– Manipulate messaging applications like Slack and WhatsApp
– Control UI elements remotely
Technical Background:
UI Automation, introduced in Windows XP, was designed to support assistive technology products through the Microsoft .NET Framework. It requires elevated privileges and uses COM for inter-process communication, allowing a client process to read and drive the UI elements of other applications.
Attack Methodology:
The exploit works by:
1. Creating UIA objects to interact with focused applications
2. Setting up event handlers for UI changes
3. Accessing cached elements beyond visible screen content
4. Manipulating both visible and hidden UI components
DCOM Extension:
Deep Instinct researchers have identified an additional threat vector using Distributed COM (DCOM) Remote Protocol, which:
– Enables remote payload delivery
– Creates embedded backdoors
– Exploits the IMsiServer COM interface
– Requires same-domain network access
Security Implications:
This vulnerability is particularly dangerous because it relies on legitimate, documented Windows features rather than on malware-specific code, which makes it difficult for security solutions to distinguish from normal accessibility activity. The attack requires initial user interaction but can lead to significant system compromise once executed.
Mitigation:
While the vulnerability exists by design, organizations should:
– Monitor UI Automation usage
– Implement strict access controls
– Watch for unusual DCOM activities
– Maintain updated security protocols
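As a starting point for the "Monitor UI Automation usage" recommendation, the following added example (not from the article or from the researchers cited) inventories which processes have loaded UIAutomationCore.dll, the system library that backs the UI Automation client API, and flags any process outside an allowlist. The allowlist contents and the choice to surface hits via Write-Warning are assumptions for illustration; browsers, Explorer and screen readers legitimately load this DLL, so tune the list per environment before alerting on it.

```powershell
# Added example: find processes that currently have the UIA client DLL mapped
# and flag those not expected to use UI Automation on this host.

$UiaModule = 'UIAutomationCore.dll'

# Assumed allowlist of process names expected to use UIA (tune per environment).
$Allowed = @('explorer', 'narrator', 'magnify', 'msedge', 'chrome', 'firefox', 'taskmgr')

function Get-UiaLoaders {
    # Returns one object per process that has UIAutomationCore.dll loaded.
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            # Enumerating modules of protected or elevated processes can throw;
            # those are skipped rather than aborting the whole sweep.
            $mod = $proc.Modules | Where-Object { $_.ModuleName -ieq $UiaModule }
        } catch {
            return
        }
        if ($mod) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Pid         = $proc.Id
                Path        = $proc.Path
                # Anything not on the allowlist is worth a second look: an
                # unexpected UIA client may be harvesting or driving other apps' UI.
                Suspicious  = ($Allowed -notcontains $proc.ProcessName)
            }
        }
    }
}

$loaders = Get-UiaLoaders
$loaders | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Surface allowlist misses so they can be forwarded alongside the DCOM
# activity monitoring the article recommends.
foreach ($hit in ($loaders | Where-Object Suspicious)) {
    Write-Warning ("Unexpected UIA client: {0} (PID {1}) {2}" -f $hit.ProcessName, $hit.Pid, $hit.Path)
}
```

Run it periodically (or from a scheduled task) with sufficient rights to enumerate modules of other users' processes; a point-in-time snapshot will miss short-lived clients, so pair it with image-load telemetry where available.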