Establishing Digital Trust: Don't Sacrifice Security for Convenience
In what may seem a little like déjà vu, security researchers are looking into another zero-day security flaw in Windows, just a week after Microsoft shipped an out-of-band patch for an earlier zero-day vulnerability.
Danish security research firm Secunia and some other bug sleuths have reported that a buffer overflow flaw in the kernel of all supported versions -- and some unsupported versions -- of Microsoft (NASDAQ: MSFT) Windows could result in an escalation-of-privileges attack.
The hole was discovered by a security researcher named Gil Dabah, who goes by the screen name "Akron" and posted his findings to a blog site named "Heapos Forever" on Friday evening.
"The vulnerability is caused due to a boundary error in win32k.sys within the 'CreateDIBPalette()' function when copying color values into a buffer allocated with a fixed size when creating the DIB palette," according to Secunia's discussion of the flaw.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
In short, the Windows kernel contains a buffer that can be sent too much data, thus causing what's called a "buffer overflow" error. Once the buffer has overflowed, an attacker could conceivably take advantage of the condition to give himself the same privileges as the computer user.
"Successful exploitation may allow execution of arbitrary code with kernel privileges," Secunia's discussion continued.
Meanwhile, Symantec's Security Focus site put it a little more succinctly: "Successful exploits will result in the complete compromise of affected computers."
Security Focus noted, however, that so far there have been no published exploits for the hole.
"We can confirm that Microsoft is investigating reports of a possible vulnerability in Windows kernel," Jerry Bryant, group manager for response communication at Microsoft, said in an e-mail to InternetNews.com. "We are not aware of any attacks against this issue."
Microsoft just patched a zero-day last Monday, issuing the out-of-band fix just eight days before its regular Patch Tuesday release because it felt that the flaw was too dangerous to wait, and attacks were escalating in the wild.
That zero-day -- so-called because the flaw becomes public before a patch is ready to stop its exploitation -- was related to how the Windows Shell handles some onscreen shortcuts.
August's Patch Tuesday fix release, itself, will be no easy skate for PC help desk and system administration personnel. In its regular advance notice to systems managers last Thursday, Microsoft's security team said that it will ship 14 patches on Tuesday, eight of them rated critical. All told, the patches will fix a total of 34 security flaws, one of the largest Patch Tuesdays on record.
Despite the alarm raised by the alleged flaw in the Windows kernel, however, the new zero-day only earned a "less critical" designation on Secunia's threat-rating scale -- four steps down from the firm's most critical ranking.
So far, Microsoft has not issued a Security Advisory regarding the new kernel vulnerability -- a relatively standard procedure once the company's security team has clearly identified a flaw in one or more of its products.
In this case, both Secunia and Symantec Security Focus say that the kernel flaw affects all versions of Windows, from XP, Vista and Windows 7 through Windows Server 2003 and 2008. Microsoft stopped supporting XP Service Pack 2 (SP2) last month, so only XP SP3 is supported with security patches.
Tuesday, Aug. 10, is Patch Tuesday this month.