Old Windows kernel bug comes back to bite

On October 22, 2004, Argentine hacker Cesar Cerrudo approached Microsoft with the discovery of a Windows Kernel GDI local privilege escalation vulnerability.  At the time, Cerrudo said Redmond's security response team deemed it a "design problem" and filed it away as something "to be fixed in a future service pack."

Late last year, during LMH's Month of Kernel Bugs project, details on this bug surfaced again, with debugger output and a note that it remained unpatched after more than two years.

Now comes word from Immunity Inc.'s Dave Aitel that his research team has a reliable exploit that gives an attacker local root (SYSTEM-level) access on Windows 2000 and Windows XP systems. The exploit has been released to Immunity's partner program, which offers up-to-the-minute information on new vulnerabilities and exploits to IDS (intrusion detection system) vendors and larger penetration testing firms. "Everyone now has local root, which is useful on pen tests," says Aitel.

Interestingly, the U.S. government's NVD (National Vulnerability Database) gives this flaw a high severity rating -- CVSS 7.0 -- and warns that it could be exploited to gain administrator access and compromise the confidentiality and integrity of data on Windows 2000 through SP4 and Windows XP through SP2.

Immunity's new exploit of a moldy old vulnerability underscores just how risky it is for Microsoft to delay pushing out fixes for bugs originally considered low-risk.

Microsoft prioritizes security fixes by the severity it assigns a vulnerability at triage, but that can be quite dangerous when an external researcher (or malicious hacker) later finds an exploitable condition in a "low risk" issue.

Microsoft learned this lesson the hard way in May 2005 when an Internet Explorer JavaScript Window() vulnerability was misdiagnosed as a denial-of-service bug that would be fixed in a future service pack. 

However, in December 2005, a security researcher issued an advisory (with exploit) to prove that the IE flaw could in fact be used in remote code execution attacks. This sent Microsoft scrambling to ship a critical IE bulletin with fixes for the same old flaw.

Any bets we'll see this happen again? 

[UPDATE: March 12, 2007 at 6:13 PM Eastern] Joel Eriksson, CTO of Bitsec, wrote in to say that he created the exploit and sold it to Immunity.  In 60 days, after Immunity's exclusivity expires, Bitsec will release the exploit to the public. He also mentioned an interesting blog post (with screenshots) discussing reliable kernel exploits.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe.