Windows kernel-mode vulnerability: Will it be the next Conficker?

Conficker is a remarkably successful piece of malware, residing on seven million computers with more infected every day. Experts are concerned that the kernel-mode driver bug patched this month has the same potential.

On November 10, 2009 Microsoft patched 15 vulnerabilities in Windows, Windows Server, Excel, and Word. If you only test and install one update, make sure it's MS09-065 ("Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution"). The bulletin fixes a bug with Conficker potential, which makes it attractive to cybercriminals.

Some Conficker history

In December of 2008, I began writing about circumstances that culminated in the creation of the Conficker/Downadup worm. Almost a year later, with a fix available, the malware is going strong. Experts are divided as to why.

Some feel pirated operating system software is the reason: on those systems updates have to be applied manually, something users of pirated software aren't inclined to do. Others feel it is user neglect, with Windows not configured to update automatically. I suspect both sides are right. What do you think?

What MS09-065 fixes

Microsoft's executive summary for MS09-065 states:

"This security update resolves several privately reported vulnerabilities in the Windows kernel. The most severe of the vulnerabilities could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font. In a Web-based attack scenario, an attacker would have to host a Web site that contains specially crafted embedded fonts that are used to attempt to exploit this vulnerability."

Not knowing what it was, I had to look up Embedded OpenType font. EOT is a font-embedding format Microsoft developed for use on Web pages, and Word and PowerPoint documents can also carry embedded fonts. So there are two attack vectors: malicious Web sites, and Office documents sent as attachments.

Experts are betting on the malicious Web site route through Internet Explorer, because "drive-by" attacks of that kind are already infecting thousands of unpatched computers every day.

Unique exploit

This potential exploit has some unusual qualities. In the Web scenario, Internet Explorer is required, since it is the browser that renders EOT fonts. But the flaw is not in the browser; it is in a kernel-mode driver (the update replaces win32k.sys), so a successful exploit runs in the kernel rather than with the privileges of the logged-on user. It is also notable that exploits leveraging this vulnerability do not require JavaScript, the normal tool for attackers using Web sites as malware-delivery platforms: the font is pulled in by an ordinary CSS @font-face rule, so blocking scripts does not help.
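As an added illustration (example code written for this edit, not code from the original article or from Microsoft), the script below shows the two checks a practitioner would want from the description above: first, pulling EOT references out of page markup, which works on plain CSS @font-face rules and therefore finds the font even when no script is present; second, a sanity check of the fixed EOT header (size fields, version, magic number) on a file before it ever reaches the kernel-mode parser. The header layout follows the public EOT format description; the sample markup and the font containers are constructed here, the constructed containers omit the name tables a real EOT carries, and the checks are a triage heuristic, not a signature for the patched flaw.

```python
import re
import struct

# Fixed-size prefix of an EOT container, little-endian, per the public EOT format:
# EOTSize, FontDataSize, Version, Flags, FontPANOSE[10], Charset, Italic,
# Weight, fsType, MagicNumber.  Name tables and the font data follow it.
EOT_HEADER_FMT = "<IIII10sBBIHH"
EOT_HEADER_LEN = struct.calcsize(EOT_HEADER_FMT)   # 36 bytes
EOT_MAGIC = 0x504C
EOT_KNOWN_VERSIONS = {0x00010000, 0x00020001, 0x00020002}
TTEMBED_TTCOMPRESSED = 0x00000004  # font data is MicroType Express compressed

# Constructed sample page: IE loads these fonts from CSS alone, no JavaScript involved.
SAMPLE_HTML = """<html><head><style>
@font-face { font-family: 'Lure'; src: url('fonts/lure.eot'); }
@font-face { font-family: 'Lure2';
             src: url("http://example.test/f.eot?#iefix") format("embedded-opentype"),
                  url("http://example.test/f.woff") format("woff"); }
@font-face { font-family: 'Plain'; src: url(plain.ttf); }
</style></head><body><p>No script on this page.</p></body></html>"""


def find_eot_references(markup: str) -> list:
    """Return every url() inside an @font-face rule that points at an .eot resource.

    The '?#iefix' suffix is a common IE trick, so the match tolerates a query or fragment.
    """
    found = []
    for rule in re.finditer(r"@font-face\s*\{(.*?)\}", markup, re.S | re.I):
        for url in re.findall(r"url\(\s*[\"']?([^\"')\s]+)", rule.group(1), re.I):
            if re.search(r"\.eot(?:[?#]|$)", url, re.I):
                found.append(url)
    return found


def build_eot(font_data: bytes, eot_size=None, font_data_size=None,
              version=0x00020002, flags=0, magic=EOT_MAGIC) -> bytes:
    """Build a constructed EOT container: fixed header directly followed by font data.

    Real files carry name tables between the two; they are omitted here because only
    the header fields are checked.  Size fields can be overridden to fake a bad file.
    """
    eot_size = EOT_HEADER_LEN + len(font_data) if eot_size is None else eot_size
    font_data_size = len(font_data) if font_data_size is None else font_data_size
    header = struct.pack(EOT_HEADER_FMT, eot_size, font_data_size, version, flags,
                         b"\0" * 10, 1, 0, 400, 0, magic)
    return header + font_data


def check_eot_header(data: bytes) -> list:
    """Report inconsistencies in the fixed EOT header; an empty list means nothing odd."""
    findings = []
    if len(data) < EOT_HEADER_LEN:
        return ["error: %d bytes, shorter than the %d-byte fixed header"
                % (len(data), EOT_HEADER_LEN)]
    (eot_size, font_data_size, version, flags, _panose, _charset, _italic,
     _weight, _fstype, magic) = struct.unpack_from(EOT_HEADER_FMT, data, 0)
    if magic != EOT_MAGIC:
        findings.append("error: MagicNumber 0x%04X, expected 0x%04X" % (magic, EOT_MAGIC))
    if version not in EOT_KNOWN_VERSIONS:
        findings.append("error: unknown Version 0x%08X" % version)
    if eot_size != len(data):
        findings.append("error: EOTSize %d but file is %d bytes" % (eot_size, len(data)))
    available = len(data) - EOT_HEADER_LEN
    if font_data_size > available:
        findings.append("error: FontDataSize %d exceeds the %d bytes available"
                        % (font_data_size, available))
    if flags & TTEMBED_TTCOMPRESSED:
        findings.append("note: compressed font data, the decompressor will run on it")
    return findings


if __name__ == "__main__":
    print("EOT references:", find_eot_references(SAMPLE_HTML))
    font = b"\x00\x01\x00\x00" + b"\0" * 60      # constructed stand-in for TrueType data
    for label, blob in [
        ("consistent", build_eot(font)),
        ("oversized FontDataSize", build_eot(font, font_data_size=0xFFFFFFFF)),
        ("bad magic", build_eot(font, magic=0x4C50)),
        ("truncated", build_eot(font)[:20]),
    ]:
        print(label, "->", check_eot_header(blob) or "ok")
```

The reference scan is the part that matters for the "no JavaScript needed" point: a proxy or mail gateway that only looks for script blocks will pass these pages straight through. The header check is deliberately conservative; a file that passes it can still be hostile, so its only job is to flag the obviously inconsistent containers for closer inspection on an unpatched host.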

Final thoughts

It looks like Internet Explorer may get an undeserved bum rap, since one suggested workaround is to use a different Web browser. Switching browsers only closes the Web vector, not the kernel flaw itself or the Office document route. The simple cure is to update Windows and Office; remember, Microsoft fixed 14 other vulnerabilities the same day.


Information is my field...Writing is my passion...Coupling the two is my mission.
