Upgrading to Windows 7 isn't Cheap

URL: http://linuxtoday.com/news_story.php3?ltsn=2010-08-27-025-35-OP-DT-MS

IT World: "A recent Gartner report showed what many of us already knew: Moving to Windows 7 from XP is expensive."

New Windows kernel mode flaw points to future attack vectors

URL: http://feeds.arstechnica.com/~r/arstechnica/index/~3/wO2zWJWEayw/new-windows-kernel-mode-flaw-points-to-future-attack-vectors.ars

A new Windows flaw that allows all current, supported versions of Windows to be crashed was published on Friday by Israeli researcher Gil Dabah. The bug allows a local user to cause a system to suffer a blue-screen of death crash. In principle, this may also allow attackers to run code of their choosing with kernel privileges, though in practice, the looks as if it would be difficult due to the nature of the flaw.

The bug is in a kernel-mode component called win32k.sys, which handles many key Windows features like window management and 2D graphics. This specific flaw is in the component's handling of the system clipboard; by placing specially malformed data onto the clipboard, the system can be made to corrupt the screen or crash outright. In the early days of Windows, the component in question did not run in kernel mode; it was moved there for Windows NT 4, as doing so made 2D desktop graphics substantially faster.

win32k.sys has remained in kernel mode ever since, and as a result, this flaw affects Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, for both x86 and x64, both with or without Service Packs.

Microsoft is aware of the flaw but has not announced when a patch might be made available. Due to the nature of the problem, it has been assigned a "Less Critical" rating by security group Secunia. This rating is a result of the lack of remote exploitability and the difficulties in using the flaw to execute an attacker's code.

So far this year, Microsoft has patched a number of similar flaws in the Windows kernel, including bugs in the win32k.sys component. The company tends to give them an "Important" rating, again due to the requirement that the attacker be logged in to perform the attack. Researcher Tavis Ormandy went so far as to suggest that so far this year, Windows has not gone more than a few days at a time without a known, published kernel flaw of this kind.

If the flaw could be exploited in such a way as to allow arbitrary code execution, an attacker with a regular user account would be able to increase his privileges. This does not directly increase the risk of the flaw—the ability to log on is still required—but it does make the flaw more useful, as it allows attackers to break out of system sandboxes such as those used in Web browsers like Chrome and Internet Explorer. This in turn magnifies the risk of those browser flaws.

It is precisely this dual technique—a browser flaw to allow malicious code to run, coupled with a kernel privilege escalation flaw—that is being widely used to jailbreak iPhones and other Apple devices. The privilege escalation is needed because the iPhone runs software in a sandbox; merely being able to attack Safari is not enough to make the system changes required to jailbreak.

Though Internet Explorer 7 and 8 and Chrome both incorporate this kind of sandboxing on Windows Vista and Windows 7, typical attacks on Windows systems don't bother attempting to use kernel flaws to escalate their privileges. The widespread use of Windows XP and users running with full Administrator rights makes it not worth the effort. As Windows XP finally starts dying off and sandboxing becomes more common, we could start to see greater attention paid to, and exploitation of, this kind of flaw, just as we already do on locked-down phone platforms.

Read the comments on this post