San Jose (CA) - A security company called SkyRecon Systems has uncovered two kernel-level vulnerabilities present in multiple versions of the Windows operating system, including server versions. These flaws occur not only on x86-based PCs in both 32-bit and 64-bit mode, but also on 64-bit Itanium machines. As is common with this kind of exploit, the vulnerabilities are the result of a flaw in the Windows design and are not the result of hardware features. SkyRecon is working with Microsoft to release patches for the vulnerabilities later this month.


CVE-2008-2252 and CVE-2008-3464

Affected operating systems include all versions of Windows XP Professional, Windows 2000 Server, Windows 2003 Server. CVE-2008-2252 also affects Vista.

These vulnerabilities leave the system open to a type of attack which allows invading code (a virus or worm) to achieve kernel-level access. This is a common exploit used by something called a root-kit, which is a way to achieve kernel-level access by normal user programs. Basically, the results of this exploit mean nothing inside the core operating system is left secure, and nothing would be potentially out of bounds for access if such an exploit were used.

To explain this further, consider the architecture of the x86 CPU.


RING0 - RING3

In the Windows operating system there are several levels of code execution. On the x86, these logical barriers exist in hardware via someting called RING0, RING1, RING2 and RING3. A newer level called RING-1 (negative one or minus one) was created for the hypervisor layer.

They're called rings because of the way hardware designers visualize security. The most secure portions are on the outside. In this context, being more secure means being able to do less. The further away from the core an application is, the less it can do.

The concentric rings end up at the RING0 layer, which looks like a bull's eye on a target. From inside RING0 nothing is truly secure. The only way security is maintained in RING0 code is by adhering to strict software protocols. That means a program doesn't do what a program's not supposed to do. It is literally the only defense there is against RING0 code.

A RING0 program, for example, can access all of memory - even memory running in other programs. It can also, of course, access all of the hardware on the machine. It is for these reasons that only the most trusted core algorithms operate in this ring. Everything else operates in RING1 or higher, which provides increasing levels of insulation against faulty programs taking the machine down.

Typical user applications run in RING3.


RING3 becomes RING0

These newly discovered vulnerabilities allow a RING3 application to achieve RING0 execution. As such, what begins initially as a normal user application running in Windows ultimately takes complete control over the machine. It is unlikely that such an exploit would be useful for any purpose other than taking the machine down or extracting information from it, both of which would be quite negative to the user.

One possible useful side-effect of this vulnerability would be for debugging code during software development. By introducing a high-level program into Windows, and then safely and without purposeful malice, achieving RING0 access, all of the system would be exposed and could be visualized by a regular user application. If someone were developing an application and needed access to inner-parts of the core OS that aren't normally present, then that information might be extremely useful. It's actually quite ironic because this week I am literally working on a problem that could benefit from using this exploit.


Security bulletins

Microsoft has issued security bulletins for these exploits: MS08-003. They have identified them as "important." Microsoft has four categories used for security issues, with important being a significant designation:

Critical
A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.

Important
A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.

Moderate
Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.

Low
A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

LOL

Oct 14, 2008 17:20     

I guess headward and others who simply repeat microfluff propaganda will be in shock... vista is secure pfft...
Enlighten report abuse vote down vote up Votes: -3

seriously... horrid summary

Oct 14, 2008 19:14     

"As is common with this kind of exploit, the vulnerabilities are the result of a flaw in the Windows design and are not the result of hardware features. SkyRecon is working with Microsoft to release patches for the vulnerabilities later this month." I am by no means a Microsoft fan boy - I run a good mix of Windows, Linux, and MacOS... but... really ? Why would you try to point out it's a software flaw and not a hardware flaw ? .... most exploits and rootkits ARE entirely software based and don't rely on hardware errata. Seriously horrid summary.

Will report abuse vote down vote up Votes: +3

not critical?

Oct 14, 2008 19:24     

I don't know about you, but if a code can take down my computer and extract info, I say it's pretty critical. If it can do all that, what's stopping it from acting as a worm too?
nev report abuse vote down vote up Votes: +2

@seriously... horrid summary

Oct 14, 2008 20:43     

I point out the fact that it's a flaw in the Windows design because it crosses architectural boundaries. Typically these kinds of exploits are the result of a software issue within a single version of the OS, such as always affecting 32-bit or 64-bit (or both) x86 machines, and not also Itanium machines. This particular flaw is the result of a real design issue within the OS itself, and not just a design applied to a particular architecture.

Rick Hodgin report abuse vote down vote up Votes: +2

@@seriously... horrid summary

Oct 14, 2008 23:50     

Userland -> kernel mode interfaces being exploited for escalated permissions aren't anything new. Googling for "linux kernel permission escalation" will show you several flavors of the linux kernel that are vulnerable to similar problems. The fact that this problem exists multiple hardware is as simple as the description points out -> parameters passed to the kernel function aren't checked by the kernel function. The same code passed through different compilers or outputting for different target systems will all exhibit the flaw if there's a design choice in the source that creates the flaw. This isn't as uncommon as you might think. I know that Torvalds has stated many times that he is against parameter checking in most cases. Googling for such is easy as well for references :). Again, I stick by 'horrid summary' :). Seems almost trollish in nature hehehe.

Will report abuse vote down vote up Votes: +4

Nothing new

Oct 15, 2008 01:54     

Privilege escalation to kernel mode (RING0) vulnerabilities are being discovered several times a year in every OS out there (e. g. MS08-025 had been published just in April 2008). Please investigate a subject before posting "sensational" articles. And there is no problem for programmer to run code in kernel mode - as long as you have administrator rights on a machine.
void report abuse vote down vote up Votes: +3

More FUD

Oct 15, 2008 07:20     

It is just another attempt to jump on the bash MS bandwagon. ALL OSes have flaws that allow this kind of exploit. Where have been the scathing articles about them from TGDaily? I am seriously getting tired of the need to slam anything MS does and to point out how bad and evil they are from 90% of the technical press. Lets see Debian linux used a predictable random number gereator that allowed for simple prediction of Certificates and ecryption code. SUSE Linux has been breached time and time again OSX has MAJOR flaws in it and lets not forget thje Itunes and Quick time flaws that are from St. Steve and allow remote code execution on both MAC and PC. Please find someone else to take out your repesed anger and agression on.

???? report abuse vote down vote up Votes: +3

Why didn't my comment post?

Oct 15, 2008 09:56     

I posted a comment last night with links to the technet postings for these issues. The summary of my posting was that Vista is only affected by one of the alerts and that both issues can only be exploited localy.
Mike report abuse vote down vote up Votes: +0

just wondering?

Oct 15, 2008 15:59     

Has anyone noticed how red Steve Ballmer's face is lately. Usually that means high blood pressure or too much drinking.
Stew Pidd report abuse vote down vote up Votes: +0