CERT-In Vulnerability Note CIVN-2010-147
Multiple Vulnerabilities in Microsoft Kernel-Mode Drivers
Original Issue Date: June 10, 2010
Severity Rating: High
System Affected
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (including Server-Core installation)
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (including Server-Core installation)
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit systems
- Windows 7 for x64-based systems
- Windows Server 2008 R2 for x64-based Systems (including Server-Core installation)
- Windows Server 2008 R2 for Itanium-based systems
Overview
Multiple vulnerabilities have been reported in Microsoft kernel-mode drivers; successful exploitation of these vulnerabilities could elevate privileges on a vulnerable system and run arbitrary code locally, or cause the system to crash.
Description
The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.
Win32k.sys is a kernel-mode device driver and is the kernel part of the Windows subsystem. It contains the window manager, which controls window displays; manages screen output; collects input from the keyboard, mouse, and other devices; and passes user messages to applications. It also contains the Graphics Device Interface (GDI), which is a library of functions for graphics output devices. Finally, it serves as a wrapper for DirectX support that is implemented in another driver (dxgkrnl.sys).
The TrueType font technology consists of two parts: the description of the fonts themselves (the TrueType font files) and a program that reads the font description and generates a bitmap representation of the font (the TrueType rasterizer). The TrueType rasterizer is a computer program that is incorporated as part of the operating system.
A TrueType font file includes many different kinds of information used by the TrueType rasterizer and the operating system software to ensure that characters display on the computer screen or print out exactly as the font designer intended them to.
1. Win32k Improper Data Validation Vulnerability (CVE-2010-0484)
This is an elevation of privilege vulnerability caused by the Windows kernel-mode driver 'win32k.sys' not properly validating changes in certain kernel objects.
An attacker would first have to log on to the system to exploit this vulnerability. Once the vulnerability is successfully exploited, an attacker could execute arbitrary code on the vulnerable system with the privileges of the Windows kernel, gaining escalated privileges and complete control of the affected system, or cause the system to crash.
2. Win32k Window Creation Vulnerability (CVE-2010-0485)
This is an elevation of privilege vulnerability caused by the Windows kernel-mode driver 'win32k.sys' not properly validating all callback parameters when creating a new window.
An attacker would first have to log on to the system to exploit this vulnerability. Once the vulnerability is successfully exploited, an attacker could execute arbitrary code on the vulnerable system with the privileges of the Windows kernel, gaining escalated privileges and complete control of the affected system, or cause the system to crash.
3. Win32k TrueType Font Parsing Vulnerability (CVE-2010-1255)
This is an elevation of privilege vulnerability caused by the way the Windows kernel-mode driver 'win32k.sys' provides glyph outline information to applications.
An attacker would first have to log on to the system to exploit this vulnerability. Once the vulnerability is successfully exploited, an attacker could execute arbitrary code on the vulnerable system with the privileges of the Windows kernel, gaining escalated privileges and complete control of the affected system, or cause the system to crash.
Solution
Apply the appropriate updates as described in Microsoft Security Bulletin MS10-032.
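An added verification script, not part of the CERT-In note: it checks whether the local host falls in one of the affected Windows families listed above and whether the MS10-032 update is installed, and records the win32k.sys file version for the change record. The KB article number is not given in this note, so $KbId is a placeholder to be replaced with the number from the MS10-032 bulletin; Get-HotFix requires PowerShell 2.0 or later.

```powershell
# Added example (not from the CERT-In note): report whether this host is in an
# MS10-032 affected family and whether the bulletin's update is present.
# $KbId is a placeholder: substitute the KB number listed in Microsoft bulletin MS10-032.
param(
    [string]$KbId = 'KB_PLACEHOLDER'
)

# OS families taken from the advisory's "System Affected" list (constructed list).
$affectedFamilies = @(
    'Windows 2000', 'Windows XP', 'Windows Server 2003',
    'Windows Vista', 'Windows Server 2008', 'Windows 7'
)

$os = Get-WmiObject -Class Win32_OperatingSystem
$caption = $os.Caption
$inScope = $affectedFamilies | Where-Object { $caption -like "*$_*" }

if (-not $inScope) {
    Write-Output "Not an affected OS family: $caption"
    return
}

# win32k.sys is the driver patched by the bulletin; record its version for the ticket.
$driver  = Join-Path $env:SystemRoot 'System32\win32k.sys'
$version = (Get-Item $driver).VersionInfo.FileVersion

# Get-HotFix reads the same data as "Installed Updates" in Control Panel.
$fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

if ($fix) {
    Write-Output "MS10-032 update $KbId present (installed $($fix.InstalledOn)); win32k.sys $version"
} else {
    Write-Output "MS10-032 update $KbId NOT found on $caption $($os.CSDVersion); win32k.sys $version"
}
```

Run it on each host in scope; a "NOT found" line on an affected family means the host still needs the bulletin applied.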
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms10-032.mspx
References
Secunia
http://secunia.com/advisories/39655
XForce
http://xforce.iss.net/xforce/xfdb/57376
http://xforce.iss.net/xforce/xfdb/58887
http://xforce.iss.net/xforce/xfdb/57375
Security Tracker
http://securitytracker.com/alerts/2010/Jun/1024072.html
VUPEN
http://www.vupen.com/english/advisories/2010/1389
SecurityFocus
http://www.securityfocus.com/bid/40508/
http://www.securityfocus.com/bid/40569
http://www.securityfocus.com/bid/40570
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=20576
http://tools.cisco.com/security/center/viewAlert.x?alertId=20577
http://tools.cisco.com/security/center/viewAlert.x?alertId=20578
CVE Name
CVE-2010-0484
CVE-2010-0485
CVE-2010-1255
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003