Black Hat Reveals Windows Hooks of Death

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  
There is a particular kind of flaw that keeps popping up in Microsoft security advisories. It's a flaw that sits deep within the system with something known as user-mode callbacks.

Targei Mandt, a researcher with security firm Norman is discussing the flaw in detail at the Black Hat conference this week in Las Vegas. In an interview with InternetNews.com Mandt noted that the win32k.sys graphics component element is at the root of the flaw.

Mandt explained that win32k.sys is used to provide notifications back to applications. For example, win32k.sys is used to notify applications for whenever a window is opened or closed.

"Windows also uses this as a mechanism to pass data from the kernel to user-mode and vice versa," Mandt said.

Mandt noted that win32k.sys has been tagged with vulnerabilities in the past for validating data as it is passed from a user mode callback back into the kernel. He added that there is a global locking mechanism in win32k.sys that locks and prevents other threads from interfering with the system.

"So when you invoke a callback the lock is released to prevent the system from freezing," Mandt said. "In doing so it allows you to update structures in memory by invoking other system calls."

Mandt explained that the vulnerabilities occur when the execution comes from the user-mode callback into the kernel, and it's a failure to sufficiently validate any change while in user-mode.

"The types of vulnerabilities that these bugs lead to can be almost anything," Mandt said. "In the bugs that I've found, it's mostly Null pointer dereferences but it's not limited to that."

A Null pointer error can potentially be leveraged by an attacker as part of a larger attempt to exploit a system.

Mandt noted that the root cause of the callback flaw is the locking mechanism which is not easily fixed. In his view, the only way Microsoft can fix the issue is to re-design the Windows kernel.

"What they're doing now is patching the bugs on a case by case basis as they are reported in," Mandt said. "They also try and find related issues and improve validation efforts."

He added that addressing bugs individually is better than not addressing them at all. That said, he noted that the complexity of the system suggest that there are still bugs present.

"It's really just a matter of time to find similar issue and I don't see why I shouldn't be able to find more flaws," Mandt said. "Microsoft has managed to clean up the module quite a bit so it's not as easy as it once was, and Microsoft is probably doing the best they can. We'll see what happens in the next few patch cycles."

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.