
Windows kernel-mode vulnerability: Will it be the next Conficker?

Conficker is one successful piece of malware, residing on some seven million computers, with more infected every day. Experts are concerned that the kernel-mode driver bug has the same potential.

On November 10, 2009, Microsoft patched 15 vulnerabilities in Windows, Windows Server, Excel, and Word. If you only test and install one update, make sure it's MS09-065 (KB969947). The patch fixes a bug with Conficker potential, which makes it attractive to cybercriminals.

Some Conficker history

In December of 2008, I began writing about the circumstances that culminated in the creation of the Conficker/Downadup worm. Almost a year later, with the fix (MS08-067) available the whole time, the malware is going strong. Experts are divided as to why.

Some feel pirated operating system software is the reason, since updates then have to be applied by hand, something users of pirated software aren't inclined to do. Others feel it is user neglect, with Windows not configured to update automatically. I suspect both sides are right. What do you think?

MS09-065

Microsoft's executive summary for MS09-065 states:

"This security update resolves several privately reported vulnerabilities in the Windows kernel. The most severe of the vulnerabilities could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font. In a Web-based attack scenario, an attacker would have to host a Web site that contains specially crafted embedded fonts that are used to attempt to exploit this vulnerability."

Not knowing what it was, I had to look up Embedded OpenType. EOT is a font container Microsoft developed so that Web pages can carry their own fonts; Internet Explorer downloads and renders an EOT font when a page's style sheet refers to one. Word and PowerPoint can also use EOT fonts. So there are two attack vectors: malicious Web sites, and Office documents sent as attachments.

Experts are betting on the malicious Web site and Internet Explorer approach, because "drive-by" attacks are infecting thousands of unpatched computers every day.

Unique exploit

This potential exploit has some unusual qualities. Internet Explorer is required, because it is the browser that loads EOT fonts, but the flaw is not in the browser. It is in the kernel-mode driver that parses the font, so a successful exploit runs code in kernel mode rather than inside the browser's process. It is also notable that exploits of this vulnerability do not require JavaScript, the normal tool for attackers using Web sites as malware-delivery platforms: the browser fetches and renders a font referenced from a style sheet on its own.
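The bug class at issue, a kernel-mode component trusting lengths read from an attacker-supplied font file, is easiest to see next to a parser that refuses to. The block below is an added example written for this page; it is not Microsoft's code, and it is not the flaw MS09-065 fixed (the bulletin does not describe the defect, and this code makes no claim about it). It validates the EOT container header before anything renders the font: the field layout (EOTSize, FontDataSize, Version, the 0x504C MagicNumber at offset 34, the length-prefixed name strings separated by padding words) follows the public W3C Embedded OpenType submission, the sample inputs are constructed inside the code and are not real fonts, and the function and type names are this example's own.

```c
/* Added example, not Microsoft's code: bounds-checked validation of an EOT
 * container.  Field offsets follow the W3C EOT submission; the sample inputs
 * below are constructed here and are not real fonts. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EOT_MAGIC        0x504Cu      /* MagicNumber, offset 34 */
#define EOT_V1           0x00010000u
#define EOT_V2_1         0x00020001u
#define EOT_V2_2         0x00020002u
#define EOT_FIXED_HEADER 82u          /* bytes through Padding1, before FamilyNameSize */
#define EOT_NAME_COUNT   4            /* FamilyName, StyleName, VersionName, FullName */

enum eot_status { EOT_OK, EOT_TRUNCATED, EOT_BAD_MAGIC, EOT_BAD_VERSION, EOT_BAD_LENGTH };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Check every length the file declares against the bytes actually present,
 * so a crafted header cannot walk the parser past the end of the buffer. */
enum eot_status eot_validate(const uint8_t *buf, size_t len)
{
    if (len < EOT_FIXED_HEADER) return EOT_TRUNCATED;
    if (rd16(buf + 34) != EOT_MAGIC) return EOT_BAD_MAGIC;
    uint32_t version = rd32(buf + 8);
    if (version != EOT_V1 && version != EOT_V2_1 && version != EOT_V2_2) return EOT_BAD_VERSION;
    if (rd32(buf + 0) != len) return EOT_BAD_LENGTH;   /* EOTSize must match what we hold */

    size_t cur = EOT_FIXED_HEADER;               /* invariant: cur <= len */
    for (int i = 0; i < EOT_NAME_COUNT; i++) {   /* length-prefixed UTF-16 name strings */
        if (len - cur < 2) return EOT_TRUNCATED;
        uint16_t n = rd16(buf + cur);
        cur += 2;
        if (len - cur < n) return EOT_TRUNCATED;   /* name claims more bytes than the file has */
        cur += n;
        if (i < EOT_NAME_COUNT - 1) {              /* Padding2..Padding4 between the names */
            if (len - cur < 2) return EOT_TRUNCATED;
            cur += 2;
        }
    }
    /* FontData is the final field, so FontDataSize must fit in the remainder.
     * Version 1 has nothing between FullName and FontData: the fit is exact. */
    uint32_t font_data_size = rd32(buf + 4);
    if (font_data_size > len - cur) return EOT_BAD_LENGTH;
    if (version == EOT_V1 && font_data_size != len - cur) return EOT_BAD_LENGTH;
    return EOT_OK;
}

/* Constructed sample: a version-1 container around 12 bytes standing in for an
 * OpenType offset table.  `claimed` is written as FontDataSize so a caller can
 * lie about it the way a crafted file would.  Returns the byte count built. */
static size_t build_sample(uint8_t *out, size_t cap, uint32_t claimed)
{
    static const uint8_t family[] = { 'D',0,'e',0,'m',0,'o',0 };   /* "Demo", UTF-16LE */
    static const uint8_t font[12] = { 0,1,0,0 };                    /* sfnt version 1.0 */
    size_t total = EOT_FIXED_HEADER + 2 + sizeof family + 12 + sizeof font;
    if (total > cap) return 0;
    memset(out, 0, total);
    wr32(out + 0, (uint32_t)total);
    wr32(out + 4, claimed);
    wr32(out + 8, EOT_V1);
    wr16(out + 34, EOT_MAGIC);
    size_t cur = EOT_FIXED_HEADER;
    wr16(out + cur, (uint16_t)sizeof family); cur += 2;
    memcpy(out + cur, family, sizeof family);  cur += sizeof family;
    cur += 12;   /* Padding2..4 and three empty name-size fields stay zero */
    memcpy(out + cur, font, sizeof font);
    return total;
}

enum eot_status demo_honest(void) {                 /* well-formed container */
    uint8_t buf[160];
    return eot_validate(buf, build_sample(buf, sizeof buf, 12));
}
enum eot_status demo_oversized_font_data(void) {    /* FontDataSize larger than the file */
    uint8_t buf[160];
    return eot_validate(buf, build_sample(buf, sizeof buf, 0x7FFFFFFFu));
}
enum eot_status demo_oversized_name(void) {         /* FamilyNameSize larger than the file */
    uint8_t buf[160];
    size_t n = build_sample(buf, sizeof buf, 12);
    wr16(buf + EOT_FIXED_HEADER, 0xFFFF);
    return eot_validate(buf, n);
}
enum eot_status demo_truncated(void) {              /* header cut short in transit */
    uint8_t buf[160];
    build_sample(buf, sizeof buf, 12);
    return eot_validate(buf, 40);
}

int main(void)
{
    printf("honest=%d oversized_font=%d oversized_name=%d truncated=%d\n",
           demo_honest(), demo_oversized_font_data(), demo_oversized_name(), demo_truncated());
    return 0;
}
```

The point of the walk is that no field is ever read, and no cursor ever advanced, without first comparing the requested amount against `len - cur`; every rejection returns a status instead of touching memory. The same discipline applies inside the decompressed font data (table directory offsets and lengths), which this example stops short of.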

Final thoughts

It looks like Internet Explorer may get an undeserved bum rap, since one suggested workaround is to use a different Web browser. That only closes the delivery route; the vulnerable code is in the kernel-mode driver and stays there until it is patched. The simple cure is to update Windows and Office; remember, MS09-065 is one of six bulletins in this release, and together they fixed 15 vulnerabilities.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

33 comments
kevlar700

I had to fix up my mate's machine with a cracked copy of Windows. To my horror, it had not been installing Windows updates for months. I ran multiple antivirus and spyware removers to stop it connecting to dodgy places automatically. (I say he should reinstall, but all he cares about is it working; he uses his laptop for things he cares about.) I then had to install Windows Genuine Advantage to get the security updates to download. Microsoft say they allow security updates for everyone for the good of everyone. If you are supposed? to know that you need to install WGA, then I am disgusted with Microsoft, yet again.

Ocie3

Quote from article: "....Others feel it is user neglect, with Windows not configured to update automatically. .... What do you think?" I think that if I allowed Windows Update to install updates automatically, then I would be constantly replacing I.E. 8 with I.E. 7. It seems to me (among others) that I.E. 8 clearly introduces a delay when opening files with Windows Explorer, and often there seems to be a clear delay when running a program via the Windows XP Start Menu. Uninstalling IE 8 and replacing it with IE 7 apparently returns the amount of time between selecting the shortcut and execution of the program to what it was before -- shorter than when IE 8 has been installed. I don't know whether the same thing occurs if a computer has Windows 7 installed, but it seems likely that I.E. 8 was developed with Windows 7 as the default platform. Aside from that, if the KB969947 vulnerability is readily exploited, then it will certainly be exploited. Of course, like Conficker, the exploiting software is limited to unpatched Windows computers -- if 10 million-plus computers is "limited".

maclovin

So, THIS is why Microsoft expects me to pay FULL price for a glorified service pack sold as a brand new OS! Fonts stored in the kernel, wtf? That's just plain not smart.

Tony Hopkinson

is putting a font in the damn kernel. Not really a surprise though is it, after all the jpg, and wmf vectors were pretty much the same thing.

Michael Kassner

To understand the details. In my own-limited way, I was trying to understand that as well. Could you help?

Tony Hopkinson

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=811 Craft a program that looks like a font, it blows up where it isn't and then executes whatever was uploaded as the font. Hurrah, same issue as many others, simply a different vector.

Tony Hopkinson

that's in the Kernel. That's MS standard practice, they put everything in there near enough, as part of their dumb ass monolithic design. One implementation, always loaded, etc. Monolithic design does have short term business advantage, long term it's extremely fragile and crippling though.

Michael Kassner

But, I don't think the fonts are in the Kernel. The concern is the Kernel-mode drivers that parse the fonts. They corrupt when a malformed EOT font is requested.

TNT

Thanks for the clarification Michael, but what I'm asking is why embed the font in the kernel to begin with? What increased functionality did it provide, or what problem did it solve? Understanding the purpose can sometimes help resolve the problem.

Michael Kassner

An embedded font that is displayed is able to corrupt the kernel-mode driver.

TNT

I understand how embedding fonts in PDF documents and even PowerPoint presentations is helpful, but I'm uncertain as to the benefit of including it in the kernel. Can anyone explain to me why Microsoft did this in the first place?

Michael Kassner

Thanks, Tony. What is your take on this? Is it easy to do? If so, I understand why the experts are concerned.

Michael Kassner

MS09-065 fixes a bug that has the potential to be exploited on a scale similar to Conficker.

bboyd

Good Intentions pave what road? Convenience is in whose interest? Not that I'm fond of mal-ware writers but this sounds like a very elegant attack. Best served with a side dish of hijacked web page. Any word on the level of intrusion it allows?

Neon Samurai

What should happen to criminals using this with malicious intent is another story but the exploit itself; elegant.

Tony Hopkinson

is privilege escalation, earlier is remote code execution. Details are in the link Michael provided in his blog. MS09-065.

Michael Kassner

I have read that there was an exploit out and about, but not much more.

Michael Kassner

I still wonder if it is lurking in the background. There needs to be some kind of MS Web browser doing the work.

bboyd

MS made it reasonably easy to remove IE with the new control panel. Don't like the CP changes as a whole but that is an issue of aesthetics. As for updates leave automatic on and make sure backup/restore point for the inevitable breaking it will cause. Does that make me a pessimist?

seanferd

I suppose it is possible that better coding practices had somehow eliminated the vulnerability in 7 before it was known (or prompted the realization thereof), but I rather guess MS knew ahead of time.

seanferd

I hate the odd, unexpected appearances of IE. I hate MS software online help interface even more.

Ocie3

whether this vulnerability would have been in the Windows 7 kernel if MS did not know about it before the Win7 RTM. It is possible, I suppose, that some change in the Windows 7 kernel eliminated the vulnerability before MS knew that it existed, but that doesn't seem likely. If MS knew, then they certainly took their sweet time to release a patch for the other affected software.

Neon Samurai

I'm not sure if it's using IE in the background but it looks like an update utility similar to other platforms rather than a forced browser interface. With WinXP you can also see a similar interface by using "automatic check but confirm install" with auto-update.

bboyd

Completely gone, thank the EU for that nice possibility. Now to convince people to quit calling elements of it in their programs. Call the default browser, not IE. So on my system sometimes I find links in programs that are hard coded to look for IE break. :)

Michael Kassner

Windows 7 is OK tells me that they knew about this before RTM was solidified.

seanferd

Thanks for that. I was just waiting for the hammer to drop, what with all the office patches, which seemed to be announced further ahead than normal, plus the lack of info on the OS patches right up to Tuesday. At least they wrote the patches. But I'm just waiting to read something that says, "I told them three years ago." Sounds like a bad design decision in the first place.