CERT-In Vulnerability Note
CIVN-2009-0135
Multiple Vulnerabilities in Microsoft Kernel-Mode Drivers
Original Issue Date: November 11, 2009
Severity Rating: HIGH
Systems Affected
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 including Server-Core installation
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 including Server-Core installation
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Overview
Multiple vulnerabilities have been reported in Microsoft kernel-mode drivers; successful exploitation of the most severe of them could allow remote code execution on a vulnerable system and give the attacker complete control of it.
Description
The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.
Win32k.sys is a kernel-mode device driver and is the kernel part of the Windows subsystem. It contains the window manager, which controls window displays; manages screen output; collects input from the keyboard, mouse, and other devices; and passes user messages to applications. It also contains the Graphics Device Interface (GDI), which is a library of functions for graphics output devices. Finally, it serves as a wrapper for DirectX support that is implemented in another driver (dxgkrnl.sys).
The Microsoft Windows graphics device interface (GDI) enables applications to use graphics and formatted text on both the video display and the printer. Windows-based applications do not access the graphics hardware directly. Instead, GDI interacts with device drivers on behalf of applications.
Embedded OpenType (EOT) fonts are a compact form of fonts designed for use on Web pages. These fonts can be embedded in a document. Use of EOT fonts ensures that a user views the document exactly as the author intended. The Web Embedding Fonts Tool (WEFT) lets Web authors create font objects that are linked to their Web pages so that when viewed through the browser, pages display in the style contained in the font object.
1. Win32k NULL Pointer Dereferencing Vulnerability (CVE-2009-1127)
This is an elevation of privilege vulnerability caused by the Windows kernel-mode driver (Win32k.sys) not properly validating an argument passed to a system call.
An attacker would first have to log on to the system to exploit this vulnerability. An attacker who successfully exploited it could execute arbitrary code on the vulnerable system with the privileges of the Windows kernel, gaining elevated privileges and complete control of the affected system.
2. Win32k Insufficient Data Validation Vulnerability (CVE-2009-2513)
This is an elevation of privilege vulnerability caused by the Windows kernel-mode drivers (Win32k.sys) not properly validating input passed from user mode through the kernel component of GDI.
An attacker would first have to log on to the system to exploit this vulnerability. An attacker who successfully exploited it could execute arbitrary code on the vulnerable system with the privileges of the Windows kernel, gaining elevated privileges and complete control of the affected system.
3. Win32k EOT Parsing Vulnerability (CVE-2009-2514)
This is a remote code execution vulnerability caused by the Windows kernel-mode drivers (Win32k.sys) not properly parsing font code (EOT fonts) when building a table of directory entries.
An attacker who successfully exploited this vulnerability could run arbitrary code with the privileges of the Windows kernel and take complete control of an affected system.
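The EOT parsing issue above is a missing-validation problem in the code that walks a font's table of directory entries. The following is an added example, not code from CERT-In or Microsoft, showing the checks a defensive table-directory parser performs before any table is read: it assumes the standard uncompressed sfnt (TrueType/OpenType) layout that an EOT wrapper carries in its font data, and the sample font and its malformed variants are constructed inline. Names such as parse_table_directory, validate and build_sample_font are this example's own.

```python
# Defensive sfnt table-directory parser (added example; sample data constructed inline).
import struct
from dataclasses import dataclass
from typing import List, Tuple

SFNT_HEADER = struct.Struct(">IHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checkSum, offset, length
KNOWN_VERSIONS = {0x00010000, 0x4F54544F, 0x74727565}  # 1.0, 'OTTO', 'true'
MAX_TABLES = 512  # sanity ceiling chosen for this example; real fonts carry a few dozen tables


class FontParseError(ValueError):
    """Raised for any directory that fails validation."""


@dataclass(frozen=True)
class TableRecord:
    tag: str
    checksum: int
    offset: int
    length: int


def table_checksum(table: bytes) -> int:
    """OpenType table checksum: sum of big-endian uint32 words, zero-padded to 4 bytes."""
    padded = table + b"\0" * (-len(table) % 4)
    words = struct.unpack(">%dI" % (len(padded) // 4), padded)
    return sum(words) & 0xFFFFFFFF


def parse_table_directory(data: bytes) -> List[TableRecord]:
    """Validate every field that later drives a memory access before using it."""
    size = len(data)
    if size < SFNT_HEADER.size:
        raise FontParseError("buffer shorter than sfnt header")
    version, num_tables, _, _, _ = SFNT_HEADER.unpack_from(data, 0)
    if version not in KNOWN_VERSIONS:
        raise FontParseError("unknown sfnt version 0x%08X" % version)
    if num_tables == 0 or num_tables > MAX_TABLES:
        raise FontParseError("numTables out of range: %d" % num_tables)
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > size:
        raise FontParseError("table directory truncated (%d tables declared)" % num_tables)

    records: List[TableRecord] = []
    seen = set()
    for i in range(num_tables):
        tag, checksum, offset, length = TABLE_RECORD.unpack_from(
            data, SFNT_HEADER.size + i * TABLE_RECORD.size)
        name = tag.decode("latin-1")
        if name in seen:
            raise FontParseError("duplicate table tag %r" % name)
        seen.add(name)
        if offset < dir_end:
            raise FontParseError("table %r overlaps the directory" % name)
        # Compare against the remaining space instead of computing offset + length:
        # in C that addition can wrap a 32-bit integer and slip past a naive check.
        if offset > size or length > size - offset:
            raise FontParseError("table %r extends past end of buffer" % name)
        body = data[offset:offset + length]
        # 'head' is skipped: its checksum is defined with checkSumAdjustment zeroed.
        if name != "head" and table_checksum(body) != checksum:
            raise FontParseError("checksum mismatch for table %r" % name)
        records.append(TableRecord(name, checksum, offset, length))
    return records


def validate(data: bytes) -> str:
    """Return 'ok' or the first validation failure as text."""
    try:
        parse_table_directory(data)
        return "ok"
    except FontParseError as exc:
        return str(exc)


def build_sample_font(tables: List[Tuple[bytes, bytes]]) -> bytes:
    """Assemble a minimal sfnt container from (tag, payload) pairs (constructed data)."""
    num = len(tables)
    entry_selector = num.bit_length() - 1
    search_range = (1 << entry_selector) * TABLE_RECORD.size
    range_shift = num * TABLE_RECORD.size - search_range
    header = SFNT_HEADER.pack(0x00010000, num, search_range, entry_selector, range_shift)
    directory, body = b"", b""
    offset = SFNT_HEADER.size + num * TABLE_RECORD.size
    for tag, payload in tables:
        padded = payload + b"\0" * (-len(payload) % 4)
        directory += TABLE_RECORD.pack(tag, table_checksum(payload), offset, len(payload))
        body += padded
        offset += len(padded)
    return header + directory + body


# Constructed sample: two dummy tables with made-up contents.
SAMPLE_FONT = build_sample_font([(b"cmap", b"\x00\x00\x00\x01constructed"),
                                 (b"name", b"constructed-name-table")])
# Malformed variants, each patching one directory field of SAMPLE_FONT.
BAD_NUM_TABLES = SAMPLE_FONT[:4] + struct.pack(">H", 0xFFFF) + SAMPLE_FONT[6:]
BAD_LENGTH = SAMPLE_FONT[:24] + struct.pack(">I", 0xFFFFFFFF) + SAMPLE_FONT[28:]
BAD_OFFSET = SAMPLE_FONT[:20] + struct.pack(">I", 0) + SAMPLE_FONT[24:]

if __name__ == "__main__":
    for label, blob in [("sample", SAMPLE_FONT), ("numTables", BAD_NUM_TABLES),
                        ("length", BAD_LENGTH), ("offset", BAD_OFFSET)]:
        print("%-10s %s" % (label, validate(blob)))
```

The order of the checks is the point: the declared table count is bounded by the real buffer before the directory is walked, each record's offset and length are checked against the remaining space in a form that cannot wrap, and only then is table content touched. A parser that trusts any of those fields from the file is in the class the advisory describes.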
Workaround
- Disable support for parsing embedded fonts in Internet Explorer
- Deny Access to T2EMBED.DLL
Note: For detailed steps for these workarounds, refer to Microsoft Security Bulletin MS09-065.
Solution
Apply the appropriate updates as mentioned in Microsoft Security Bulletin MS09-065.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-065.mspx
References
Secunia
http://secunia.com/advisories/37318/
SecurityTracker
http://securitytracker.com/alerts/2009/Nov/1023155.html
VUPEN
http://www.vupen.com/english/advisories/2009/3191
SecurityFocus
http://www.securityfocus.com/bid/36939
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=19356
http://tools.cisco.com/security/center/viewAlert.x?alertId=19357
CVE Name
CVE-2009-1127
CVE-2009-2513
CVE-2009-2514
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India