Windows Kernel Again Found VulnerableApril 9, 2009 – 3:34 PM
Recently, our APAC threat intelligence team discovered a couple of Windows kernel zero-day vulnerabilities in the field, which could be potentially used for malicious purposes. These were discovered in some discussion forums in China.
One of these issues exists in Windows NT/2000/XP according to the description provided. The issue arises due to insecure win32 syscalls, the buffer being supplied from usermode. This can lead to a Blue Screen Of Death (BSOD) if the kernel address is overwritten, leading to a Denial of Service (DoS) condition. However, this issue requires admin privileges and hence cannot lead to a privilege escalation. But a deeper look suggests that this could be used to subvert or install kernel mode hooks, which can be used for malicious purposes.
Besides this issue, another kernel bug with similar behavior was found recently in the field. In this case it involved atapi.sys.
The cause of this bug is also the same: It doesn’t verify the data passed from user mode and results in a buffer overflow. In most cases it will also cause a BSOD.
From the point of view of software design, data passed from user mode should never be trusted and must be always validated. Many of the known Windows local vulnerabilities exist because of this reason. Microsoft noticed this problem and fixed many potential defects in the kernel’s main module. However, many defects still exist in the win32k kernel part because it’s extremely complex. Most kernel vulnerability diggers are now targeting this module and have discovered many vulnerabilities in the past two years. With Windows 7 we will hope that kernel security will grow stronger.
We’ve notified Microsoft of both of these issues before posting this blog and technical details have been omitted here as the vulnerabilities are unpatched. We’ll do a follow up post after the issues are resolved.