Microsoft patches AppCompat UAC bypass vulnerability

By | May 1, 2015

As an addendum to two previous posts, Microsoft recently issued an optional patch for Windows 7 Service Pack 1, Windows 8, and related Windows Server versions to address the User Account Control (UAC) bypass vulnerability that downloader and installer malware have been using for the past several months. Microsoft KB article 3045645, “Update to force a UAC prompt when a customized .sdb file is created in Windows,” was released last week as a part of a set of optional Windows updates and can be installed via Windows Update in the Control Panel or by manual download and install (the KB article provides download links).

With the update applied, Windows displays a UAC prompt when sdbinst.exe is used to install a customized shim database (.sdb file), provided UAC is at its default setting. Before the update, sdbinst could be run without any visible prompt, which is what made the bypass possible. Note that the update only makes the elevation visible rather than blocking it: a user who accepts the prompt still lets the installer run elevated and will be infected.

The update brings Windows 7 and 8 into line with Windows 10, which already prompts for this operation.

Update: Windows 8.1 was originally listed as covered by KB3045645, but the change for that version was rolled into a separate, Windows 8.1-only update, KB3048097. Its title is less descriptive: “Compatibility update for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2: April 2015.” As with the update for Windows 7 and 8, this optional update can be installed manually or via Windows Update.
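Two checks a practitioner will want after reading the above: whether the relevant update is actually present on a given host, and whether any custom shim databases have already been registered on it (the post-update prompt does nothing about databases installed before the update, or ones the user clicked through). The PowerShell below is an added example written for this page, not code from the original post or from Microsoft. It assumes it is run as an administrator on Windows 7 SP1 / 8 / 8.1 or the matching Server SKUs, uses the two KB numbers named in the post, and reads the registry locations where sdbinst records installed databases; the `DatabaseInstallTimeStamp` value is assumed to be a FILETIME stored as a QWORD.

```powershell
# Added example, not from the original post. Checks for the sdbinst UAC-prompt updates
# named above and enumerates custom shim databases registered via sdbinst.exe.

# KB3045645 covers Windows 7 SP1 / 8 and related Server versions; KB3048097 is the
# Windows 8.1 / Server 2012 R2 variant (both taken from the post above).
$script:SdbinstPatchIds = @('KB3045645', 'KB3048097')

function Test-SdbinstPatch {
    # Get-HotFix wraps Win32_QuickFixEngineering; an ID missing from its output means
    # the update has not been installed on this host.
    $present = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $script:SdbinstPatchIds -contains $_.HotFixID }
    if ($present) {
        foreach ($h in $present) { "Installed: $($h.HotFixID) on $($h.InstalledOn)" }
        return $true
    }
    "Neither $($script:SdbinstPatchIds -join ' nor ') is installed; sdbinst.exe will still run without a UAC prompt."
    return $false
}

function Get-CustomShimDatabase {
    # sdbinst registers each custom database under InstalledSDB\{GUID} and maps every
    # target executable to its .sdb under Custom\<exe name>. Any entry you did not deploy
    # yourself deserves a look; this is where the downloaders described above leave theirs.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

    Get-ChildItem "$base\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        $installed = $p.DatabaseInstallTimeStamp
        # Assumption: the timestamp is a FILETIME QWORD; fall back to the raw value otherwise.
        if ($installed -is [long]) { $installed = [DateTime]::FromFileTime($installed) }
        [pscustomobject]@{
            Kind        = 'InstalledSDB'
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            Installed   = $installed
        }
    }

    Get-ChildItem "$base\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.PSChildName
        (Get-ItemProperty $_.PSPath).PSObject.Properties |
            Where-Object { $_.Name -like '*.sdb' } |
            ForEach-Object {
                [pscustomobject]@{
                    Kind        = 'Custom'
                    Guid        = $_.Name
                    Description = "shim applied to $target"
                    Path        = $null
                    Installed   = $null
                }
            }
    }
}

# Usage: run both checks and show the results.
$patched = Test-SdbinstPatch
$shims   = @(Get-CustomShimDatabase)
if ($shims.Count -eq 0) {
    'No custom shim databases are registered on this host.'
} else {
    "$($shims.Count) custom shim database entries found (review each):"
    $shims | Format-Table -AutoSize
}
```

A host that reports the update as installed but also lists a shim database you do not recognise should be treated as already compromised: the prompt only affects new installations, so the existing database stays in force until it is removed with `sdbinst.exe -u` against the path shown.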