Critical Windows UI Automation Framework Vulnerability Lets Hackers Bypass EDR

Security researchers have uncovered a novel attack method that exploits Microsoft’s UI Automation framework, potentially leaving millions of Windows users vulnerable.

This technique, discovered by Akamai security researcher Tomer Peled, allows attackers to bypass endpoint detection and response (EDR) systems, opening up new avenues for cybercriminals to harvest sensitive data and manipulate user systems undetected.

The UI Automation Vulnerability

The UI Automation framework, originally designed to assist users with disabilities, has been found to have a significant security flaw.

This framework, present in all Windows operating systems from XP onwards, possesses elevated permissions to interact with user interface elements.

While intended for benign purposes such as text enlargement and screen reading, malicious actors can hijack these capabilities.

Researchers demonstrated that once a user is tricked into running a program utilizing UI Automation, attackers can:

  • Exfiltrate sensitive data
  • Redirect browsers to phishing websites
  • Read and write messages in popular chat applications like WhatsApp and Slack
  • Harvest credit card information from web browsers
  • Execute commands stealthily

One of the more damaging ways researchers thought of to (ab)use UIA is to steal credit card information.

“After a user enters an online merchant, an attacker can programmatically listen to changes in the UI elements by setting up a handler. Once a change has been made (that is, credit card information has been entered), the attacker can retrieve the text from the UI elements for later exfiltration.”

Undetectable by Current EDR Solutions

Perhaps most alarmingly, all EDR technologies tested against this technique were unable to detect any malicious activity. This invisibility to security measures makes the attack vector particularly dangerous and attractive to potential threat actors.

The widespread nature of this vulnerability affecting all Windows versions since XP means that millions of users could be at risk. While Microsoft has implemented some restrictions on UI Automation, skilled attackers can still exploit these features with the right approach.

Security experts are urging system administrators and users to be vigilant. Monitoring the use of UIAutomationCore.dll and watching for unexpected UI Automation named pipes are recommended as potential detection methods.
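As an added, illustrative PowerShell hunt for the two detection points above (example code, not part of the article or of Akamai's research). It assumes that expected UIA host processes can be allowlisted per environment and that UIA-related named pipes carry "UIA" in their name; both are assumptions to tune locally.

```powershell
# Added example: hunt for UIAutomationCore.dll loads and UIA-related named pipes.
# Assumption: processes legitimately expected to use UI Automation (tune per environment).
$ExpectedHosts = @('Narrator', 'Magnify', 'explorer', 'msedge', 'chrome')

function Get-UiaModuleLoads {
    # Enumerate every process and report those with UIAutomationCore.dll mapped.
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_
        try {
            # Module enumeration fails for protected or cross-bitness processes; skip those.
            $hit = $p.Modules | Where-Object { $_.ModuleName -ieq 'UIAutomationCore.dll' }
        } catch { $hit = $null }
        if ($hit) {
            [pscustomobject]@{
                ProcessName = $p.ProcessName
                ProcessId   = $p.Id
                Path        = $p.Path
                Expected    = ($ExpectedHosts -contains $p.ProcessName)
            }
        }
    }
}

function Get-UiaNamedPipes {
    # Named pipes are listed through the \\.\pipe\ namespace.
    # Assumption: UIA pipes contain "UIA" in their name; adjust the pattern after baselining.
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { $_ -replace '^\\\\\.\\pipe\\', '' } |
        Where-Object { $_ -match 'UIA' }
}

$loads = Get-UiaModuleLoads
$loads | Format-Table -AutoSize

# Flag loads outside the allowlist for triage (unsigned path, odd parent, user-writable dir).
$loads | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning ("Unexpected UIAutomationCore.dll load: {0} (PID {1}) {2}" -f `
        $_.ProcessName, $_.ProcessId, $_.Path)
}

$pipes = Get-UiaNamedPipes
if ($pipes) {
    "UIA-related named pipes present:"
    $pipes
}
```

Run it periodically or from a scheduled task and baseline the output first; a UIA pipe or module load with no allowlisted accessibility or browser process behind it is the signal worth investigating.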

As the cybersecurity community grapples with this new threat, it serves as a stark reminder of how technologies designed to help can sometimes be turned against us. The race is now on to develop effective countermeasures against this stealthy and potent attack technique.

