Microsoft is working on mitigating an entire Windows bug class

Researcher set out to find 15 new Windows bugs last year. He found 25, and Microsoft already patched 11.

Windows logo

Microsoft is working on developing comprehensive mitigation for a class of Windows bugs that have plagued the operating system for more than two decades.

Israeli security researcher Gil Dabah told ZDNet that a fix is currently in the works.

Earlier today, Dabah published proof-of-concept code and a report detailing 25 bugs, all exploiting variations on the same type of vulnerability.

Bug class impacts the old Win32k component

Dabah's work expands on an attack surface in the Windows operating system that's been known since the mid-90s. The vulnerability class impacts Win32k, a Windows component that manages the user interface on Windows 32-bit architectures, and the interactions between UI elements, drivers, and the Windows OS/kernel.

Today, the Win32k component still ships with Windows, even on 64-bit versions, where it acts as a legacy layer, allowing older apps to run on modern systems.

But the problem comes from how this component evolved. In earlier versions of Windows, this component ran in the user-mode section of the Windows OS.

When Microsoft finally realized that this is a crucial component and that it should run in the more secure kernel mode, it was already too late, as the component had grown in size and complexity, and a complete re-write would have broken backward compatibility for thousands of 32-bit apps.

Today, the Win32k component is quite a mess. Some operations happen entirely in the kernel space, while other sections rely on older parts of the codebase.

These older Win32k functions are all prefixed with "xxx" and when they're called, they're sent from the secure kernel mode to user mode, and the result is returned back to kernel space.

windows-bug-class.png

image: Gil Dabah

Attackers and security researchers were quick to spot the weakness in this non-standard execution model. Both realized that they could tamper with Win32k's xxx-prefixed code while it was in user mode memory, and fool the kernel into executing unwanted actions with elevated privileges when the results of the xxx function were returned to the kernel.

For more than a decade, security researchers have detailed numerous methods and techniques for inserting malicious code inside the Win32k component and get admin rights. Research on the topic goes as far back as 2008 and 2011.

A one-year-long challenge

In an interview today, Dabah told ZDNet that exactly one year ago, to the day, he set out to find a new way to exploit these types of bugs, challenging himself to uncover more than 15 different issues in the Win32k component.

Today, the researcher delivered on that challenge by publishing a 34-page report detailing multiple never-before-seen methods for getting an elevation of privilege via the Win32k component.

In total, the researcher found 25 different bugs, some of which worked even on the latest versions of Windows 10 -- at the time of testing being Windows Insider Preview, September 2019.

Of the 25 bugs, Dahab said that "11 were exploited to prove feasibility for elevation-of-privilege (EOP)." These 11 got fixes from Microsoft, which has been slowly releasing patches since November 2019, with the most recent fixes arriving in February, this year.

A tough patch process

But while many security researchers are usually unhappy with the way Microsoft patches security issues, Dabah said that the OS maker has done an excellent job, especially when taking into account the extremely old codebase.

"People normally think it's easy to go and touch a 30-years-old software, but it's like the biggest challenge nobody imagined," Dabah told ZDNet. "Talking from somewhat my own experience in this domain as well."

Dabah says that Microsoft is currently "developing a wide mitigation to solve this bug class once and for all." This mitigation is currently in the WIP (Windows Insider Preview) version, Dabah said.

Once this mitigation goes live, Dabah hopes they'll plug all other bugs in the same vulnerability class, even those that have not been discovered or documented yet.

Dabah's report, which received praises from most of the information security community, is available for download in PDF format. Proof-of-concept code for 13 of the 25 bugs is available on GitHub.