Microsoft patches critical hole in Windows kernel

Of note, the kernel vulnerability is one of those that requires some social engineering tactics:

Microsoft Security Bulletin MS09-065 - Critical
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)

 

Well, I hate to be a nit-picker, but social engineering is not required. Instead, just compromise some legit sites via the usual methods to serve the exploit and that is that - users of those sites will meet your exploit and get owned if they are unpatched. That may be a better option than spamming email and social networking with malicious links.

I'm personally rather annoyed by the fact that MS keeps repeating the "an attacker would have to convince the user to visit the Web site" mantra as a mitigating factor to drive-by type vulnerabilities, when in real life the attacker will just compromise a legit web site and redirect its visitors to their own site serving the exploit and therefore absolutely no convincing the user is required to exploit the vulnerability. Instead, the user just has to visit a site that, for all they know, is legit, and that they may have frequented for a long while.

 

Good point Windchild and thanks for pointing that out. The article does mention it; MS' details don't. Will they get owned if they are running as LUA and /or SRP?

 

I haven't enough information on the vulnerability to be able to tell for sure, but from what the http://www.microsoft.com/technet/security/bulletin/ms09-065.mspx bulletin says it looks like they would. Actually, it looks like a whole lot of security measures would get bypassed by a clever exploit of the CVE-2009-2514 EOT font parsing vulnerability. The vulnerability is in a kernel-mode driver, and the result is execution of arbitrary code in kernel mode, so it should fly right past most security measures, both those built in the OS and those provided by security software. A serious vulnerability. Since it's an EOT vulnerability, though, it requires the user to be using something that supports EOT fonts, like IE with font downloading enabled, or Office. This might end up becoming one of those vulnerabilities that are used for literally many years after they were patched, against those folks who just won't patch for one reason or another. Once the proof of concept code starts coming out, it might also serve as a good reminder that there really is no substitute for patching.

 

Panda's explanation seems to imply it would mirror that of the user's privileges.

Ultimately, I'd say this is the best solution for the majority of them. At times over the years I've omitted applying certain patches because the mitigating factors could be such that it was enough to cripple the attack vector such as, for example, closing a firewall port or disabling a service. In this case applying the patch looks to be the best solution

 

Yeah, Panda seems to say this:

Unfortunately though, I think Panda are just wrong in this case. Now, I'm not 100 % dead certain that they are wrong, but consider what Microsoft says:

Notice how they don't list the usual: "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." Notice also that they say: "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode." That seems to say that it doesn't matter what privileges the local user has - the system gets owned regardless, making this the really bad kind of vulnerability.

Personally, I wouldn't omit applying even such patches that correct vulnerabilities that are easily mitigated. Often the patches include changes that are not revealed in the security bulletins, which is one reason. And then there's always that later you may forget about the patch and accidentally undo the mitigating factor, for example by enabling a service that you now need, that also happens to be needed in exploiting the unpatched vulnerability. I'm an advocate of patch, patch, patch on any OS.

 

So web browsers that don't support (.eot) font and support instead (.ttf) font or (.otf) font are spared?

Another reason not to use Internet explorer for those too lazy and unwise to patch for this vulnerability almost similar to the wmf vulnerability in terms of critical threat level.