Today we released security bulletin MS11-034 to address vulnerabilities in the win32k subsystem. This update addresses externally reported issues as well as several internally found vulnerabilities that were discovered as part of our variant investigation.

The bulletin may appear to address an alarmingly large number of issues. However, if you dig into the issues themselves, you’ll find that the 30 vulnerabilities addressed in this update really just share three separate vulnerability root causes: insufficient validation or locking of win32k objects after a user-mode callback. The security researcher who discovered these issues, Tarjei Mandt, applied the same technique to every different win32k object type. This blog post aims to outline the differences between the three vulnerability subclasses as well as cover additional details of the vulnerabilities fixed in this month's update.

Vulnerability Classes

The first vulnerability class pertains to the absence of locking win32k objects. Objects that are not locked prior to executing user-mode callbacks, therefore objects can be manipulated once control has been passed back to the user via callback. This means an object can be modified or freed before returning back to the kernel. Our observations indicate that memory re-use can be leveraged to gain elevation of privileges in some cases.

The second vulnerability class pertains to the absence of validation on menu items after a user-mode callback returns resulting in a typical use-after-free vulnerability. A malicious user could destroy a menu during the user-mode callback causing certain kernel functions to operate on dangling pointers.

The third vulnerability class pertains to the absence of validation of DDE conversation objects after user-mode callbacks which could result in a NULL pointer dereference. This can allow a standard user to elevate privileges or to cause a denial of service condition depending on the usage of the object after the user-mode callback. Investigation indicated that elevation of privileges was possible for at least a couple of the reported DDE vulnerabilities.

Finally, we would like to clarify the exploitability of these issues. These vulnerabilities can allow a standard user to elevate privileges because arbitrary code can be executed while the CPU is running in Supervisor mode. None of the vulnerabilities we've addressed in this month's update can be triggered remotely, hence the Important severity rating.  For a local attacker able to run code on a compromised system, most of the vulnerabilities fixed in this package are straightforward to exploit.

Acknowledgement

Thanks to Thomas Garnier in the UK Science team, Jonathan Ness, Matt Miller, and Tarjei Mandt

- Richard van Eeden and Brian Cavenah, MSRC Engineering