A vulnerability has been discovered in Microsoft’s UI Automation (UIA) framework that potentially exposes millions of Windows users to attacks that bypass endpoint detection and response (EDR) systems, enabling undetected data theft and system manipulation, Cyber Security News reports.
The UIA framework was initially designed to aid users with disabilities and has been integral to all Windows versions since XP. However, by exploiting UI Automation’s elevated permissions to interact with user interface elements, attackers can execute a range of malicious activities including exfiltrating sensitive information, redirecting browsers to phishing sites, manipulating chat applications like WhatsApp and Slack, and harvesting credit card data from browsers. For example, attackers can monitor changes in UI elements, such as credit card fields, to extract entered information stealthily, according to security researchers at Akamai.
Alarmingly, EDR technologies have failed to detect malicious activities using this method, making it a highly dangerous attack vector. Although Microsoft has implemented some restrictions on UI Automation, skilled attackers can still exploit its features. Experts recommend monitoring the use of UIAutomationCore.dll and unexpected UI Automation named pipes as potential detection strategies.
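The two monitoring signals recommended above can be triaged from image-load and pipe telemetry. The following is an added example, not code from Akamai, Microsoft, or the original report: it scans Sysmon-style JSON records (Event ID 7 for image loads, 17/18 for pipe creation and connection) and flags UIA activity from processes outside a baseline. The baseline list, the `\UIA_PIPE_` name prefix, and the sample events are assumptions made for illustration.

```python
import json
from pathlib import PureWindowsPath

UIA_DLL = "uiautomationcore.dll"
# Assumption: UIA pipes share this name prefix; confirm against your own telemetry.
UIA_PIPE_PREFIX = "\\uia_pipe_"
# Assumption: processes expected to act as UIA clients here; build a per-site baseline.
EXPECTED_UIA_PROCESSES = {"narrator.exe", "magnify.exe", "osk.exe"}

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\Narrator.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 17, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "PipeName": "\\UIA_PIPE_4312_1a2b"}
{"EventID": 7, "Image": "C:\\Program Files\\App\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
this line is not JSON
"""

def triage(lines, baseline=EXPECTED_UIA_PROCESSES):
    """Return (signal, process) pairs for UIA use by processes outside the baseline."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        proc = PureWindowsPath(ev.get("Image", "")).name.lower()
        if proc in baseline:
            continue
        event_id = ev.get("EventID")
        if event_id == 7:
            dll = PureWindowsPath(ev.get("ImageLoaded", "")).name.lower()
            if dll == UIA_DLL:
                findings.append(("uia_dll_load", proc))
        elif event_id in (17, 18):
            if ev.get("PipeName", "").lower().startswith(UIA_PIPE_PREFIX):
                findings.append(("uia_pipe", proc))
    return findings

if __name__ == "__main__":
    for signal, proc in triage(SAMPLE_EVENTS.splitlines()):
        print(f"{signal}: {proc}")
```

Many legitimate applications load UIAutomationCore.dll, so the value of this check depends on how well the baseline reflects the environment.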