Old Windows kernel bug comes back to bite


On October 22, 2004, Argentine hacker Cesar Cerrudo approached Microsoft with the discovery of a Windows Kernel GDI local privilege escalation vulnerability.  At the time, Cerrudo said Redmond's security response team deemed it a "design problem" and filed it away as something "to be fixed in a future service pack."

Late last year, during LMH's Month of Kernel Bugs project, details on this bug surfaced again, with debugger information and a note that it remains unpatched after more than two years.

Now comes word from Immunity Inc.'s Dave Aitel that his research team has written a reliable exploit that gives an attacker local root access on Windows 2000 and Windows XP systems.  The exploit has been released to Immunity's partner program, which offers up-to-the-minute information on new vulnerabilities and exploits to IDS (intrusion detection system) vendors and larger penetration testing firms. "Everyone now has local root, which is useful on pen tests," says Aitel.

Interestingly, the U.S. government's NVD (National Vulnerability Database) gives this flaw a high severity rating -- CVSS 7.0 -- and warns that it could be exploited to gain administrator access and compromise the confidentiality and integrity of data on Windows 2000 through 2000 SP4 and Windows XP through SP2.

Immunity's new exploit of a moldy old vulnerability underscores just how risky it is for Microsoft to delay pushing out fixes for bugs originally considered low-risk.

Microsoft prioritizes security fixes based on the severity of a vulnerability but, in some cases, this can be quite dangerous if an external researcher (or malicious hacker) discovers an exploitable condition in a "low risk" issue.

Microsoft learned this lesson the hard way in May 2005, when an Internet Explorer JavaScript Window() vulnerability was misdiagnosed as a denial-of-service bug that would be fixed in a future service pack.

However, in December 2005, a security researcher issued an advisory (with exploit) to prove that the IE flaw could in fact be used in remote code execution attacks. This sent Microsoft scrambling to ship a critical IE bulletin with fixes for the same old flaw.

Any bets we'll see this happen again?

[UPDATE: March 12, 2007 at 6:13 PM Eastern] Joel Eriksson, CTO of Bitsec, wrote in to say that he created the exploit and sold it to Immunity.  In 60 days, after Immunity's exclusivity expires, Bitsec will release the exploit to the public. He also mentioned an interesting blog post (with screenshots) discussing reliable kernel exploits.


Talkback

15 comments
  • Message has been deleted.

    L Online
    • Wow... double delete!

      So what did you say!? Inquisitive Americans that believe in the freedom of speech and expression want to know! ]:)
      Linux User 147560
      • comment spam attack

        They got a few through the filters.
        Ryan Naraine
        • RE: comment spam attack

          comment spam attack? Okay, I think I understand what you mean, but I am not 100% sure...
          Linux User 147560
          • Imagine...

            a post advertising Viagra in the talkbacks. Don't know what the actual post was, but that probably gets the point across.
            3D0G
  • Message has been deleted.

    L Online
  • Clarification. The exploit was developed by Joel Eriksson, Bitsec.

    The exploit was developed by me (Joel Eriksson, CTO Bitsec) and
    not by the Immunity research team. It was bought by Immunity and
    ported to CANVAS/MOSDEF by Dave Aitel. We have given Immunity 60
    days exclusivity before releasing it to the public, which means
    we will release it at the end of April.

    I would appreciate if the article was updated/corrected to
    reflect this.

    On the 29th of March we are talking at BlackHat Europe, and one of the
    things we will discuss is this bug and the process of exploiting
    it reliably, but leaving certain important details out.

    http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Eriksson

    We also have a blog about our talk, with a screenshot of the
    exploit in action:

    http://kernelwars.blogspot.com/

    Best Regards,
    Joel Eriksson
    CTO Bitsec
    je_bitsec
    • If you're looking for accuracy in reporting,

      you'd best look elsewhere.

      :o)
      Jack-Booted EULA
    • Jack Boot is correct

      ZDnet is an advertising portal dressed up as a news source. If you want news and facts, go to Reuters.
      whisperycat
      • If you think it's that bad, why are you here?

        nt
        Hallowed are the Ori
        • "If I think it's that bad, why am I here?"

          I didn't say I thought ZDnet was bad, I simply stated the fact that ZDnet is an advertising portal dressed up as a news portal.
          whisperycat
      • balanced?

        I suppose your suggestion holds water ... if you only see the world through one dogma. For balance, one needs to absorb the news from many outlets, left - right - CNN - Reuters - local paper(s) - WSJ - NYT - Chicago Tribune - LATimes - Young Republicans / Democrats - etc., etc., etc.. Although myopia does have its advantages.
        ttocsmij
    • why?

      I fail to see why anyone would release to the general public the code necessary for miscreants to attack the general public directly and indirectly (i.e., attacking company and government targets). Isn't that a little bit like threatening to begin shooting AIDS victims until the drug companies find a cure? I do not believe that either of these actions will force action any earlier. Frankly, I think that your "threat" could be construed as a breach of national security; in which case you should be arrested and held personally responsible for any damages that may arise from any subsequent attacks based on your published information. I am certain that I am not alone in the growing disenchantment with the present generation of CxOs that feel they are above any rules of decency or law or common sense.
      ttocsmij
      • short sight

        You sound seriously hit by the news. Good. But did you read on in the link given (http://kernelwars.blogspot.com/)? Most likely not. I've found this quite relevant:
        "Amazingly it [the Windows GDI bug] has still not been patched, perhaps due to Microsoft not taking the threat seriously until they've seen that it can be exploited reliably in practice."

        Don't know what exactly this means to you. I hear "MS is waiting for proof of importance, before they will try to close the hole." So your point "I do not believe that either of these actions will force action any earlier." may be totally wrong. If you'd like to feel sick, think twice. These guys sound like they are honestly trying to push security improvements.

        Your AIDS victims example is not only tasteless, it's wrong too. While AIDS may come to you by accident (i.e. medical fault), _all_ MS Windows users should have had the right to choose another OS. Sorry, but I fail to understand why you don't blame the creator of that insecurely designed product. Can't you see? It's time to learn "secure by design" is better than "security through obscurity".

        Yes I hate to see MS with a better bugfix record than the competition, since this is achieved by hiding facts and misrating (say lying about) known problems.
        hoff.st
  • eek

    terrifying to think that Windows 2000 is going to be deployed in control of weapons-systems on British nuclear submarines and the new Type 45 Destroyers..!!!
    sj_z