Windows kernel a fertile field for vulnerabilities

LAS VEGAS — The graphics control component of the Windows kernel has proved a fruitful ground for security researcher Tarjei Mandt, who has discovered dozens of vulnerabilities in the 15-year-old system.

Microsoft has issued more than 40 patches so far this year for this class of bugs, but “the actual vulnerability count is much higher than those that have been addressed,” Mandt said. “There are plenty more that haven’t been announced.”

Mandt, who works for the security company Norman ASA, presented his findings on vulnerabilities in Windows’ use of user-mode callbacks Aug. 3 at the Black Hat Briefings. Although Microsoft has addressed “a big chunk of the issues,” an unknown number remain, he said. “It’s ongoing research. The complexity of some of the issues makes it hard to say how many more bugs there might be.”

The problem lies in Win32k.sys, a kernel-mode component introduced in 1997 that remains a fundamental part of the Windows architecture, managing both the Window Manager and the Graphics Device Interface. It allows the kernel to make user-mode callbacks for a variety of tasks, including invoking application-defined hooks, delivering event notifications and copying data to and from user mode. The problem is that the kernel fails to sufficiently validate changes to memory when it returns from a callback during which a lock it had been holding was released, Mandt said.

“Without proper authentication, this will result in all kinds of vulnerabilities,” he said.
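The pattern the article describes, as an added C model that is not code from the article or from Mandt’s research: a "kernel" routine drops its lock, calls back into "user mode", and reuses a pointer that the callback may have invalidated, beside a version that holds a reference across the callback and re-validates on return. The object table, handle values and function names are constructed for the illustration.

```c
/* Constructed user-space model of a kernel object table reached through user-mode callbacks. */
#include <stdbool.h>
#include <stddef.h>

#define HANDLES 4
typedef struct { int refs; bool dead; int payload; } Obj;
typedef void (*callback_t)(int handle);

static Obj g_pool[HANDLES];      /* backing storage, never free()d: keeps the demo memory-safe */
static Obj *g_table[HANDLES];    /* handle -> object; NULL once the handle has been destroyed */

void obj_create(int h, int payload) {
    g_pool[h] = (Obj){ .refs = 0, .dead = false, .payload = payload };
    g_table[h] = &g_pool[h];
}

/* Reachable from the "user-mode" callback: unlinks the handle and marks the object dead. */
void obj_destroy(int h) {
    if (g_table[h]) { g_table[h]->dead = true; g_table[h] = NULL; }
}

void cb_benign(int h)  { (void)h; }          /* callback that leaves kernel state alone */
void cb_destroy(int h) { obj_destroy(h); }   /* callback that tears down the object it was handed */

/* Vulnerable pattern: the reference is dropped before calling back, and the pointer is reused
 * afterwards without re-validation. In a real kernel the memory could already be freed and reused. */
int kernel_op_unsafe(int h, callback_t cb) {
    Obj *o = g_table[h];
    if (!o) return -1;
    o->refs++;
    o->refs--;              /* lock released before leaving kernel mode */
    cb(h);                  /* user-mode code runs here and may destroy the object */
    return o->payload;      /* stale pointer: the operation completes on a dead object */
}

/* Hardened pattern: hold the reference across the callback so the object cannot disappear,
 * then re-check its state before touching it. */
int kernel_op_safe(int h, callback_t cb) {
    Obj *o = g_table[h];
    if (!o) return -1;
    o->refs++;
    cb(h);
    o->refs--;
    if (o->dead || g_table[h] != o) return -2;   /* state changed during the callback: abort */
    return o->payload;
}
```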

Microsoft in April released patches for 30 vulnerabilities in Windows kernel-mode drivers that could allow elevation of privilege by an attacker who logged on locally. The attacker would have to have valid log-in credentials and could not exploit the vulnerabilities remotely, the company said in its April security bulletin. Still, “this security update is rated Important for all supported releases of Microsoft Windows,” the bulletin said. Another 14 patches for related vulnerabilities were released in July.

Mandt said most security research is being done in applications and that kernel-level research takes a different set of skills. He began researching the Win32k environment last fall and reported the first bugs in the kernel to Microsoft in October.

“This particular component hadn’t been looked at by others,” he said. “That was one motivating factor” for choosing it. “I knew that the module had certain complex components,” which meant there was a greater chance of finding bugs.

Still, he was surprised at the number he found because the component had been around since 1997. But because complex operating systems are built up over time on legacy components, problems will persist if the code is not carefully examined.

“In order to have a secure operating system, you need people to look into the components,” he said, and “not many people are doing it.”

He called his discoveries eye-opening. “Whatever software you look at there will always be problems,” he said, but he did not expect to find as many problems as he did. “It is surprising that there have been so many vulnerabilities present in the Windows kernel.”

Because the fundamental problem is buried in an old element of the Windows kernel, Microsoft’s response to date has been to mitigate individual vulnerabilities through patches. Mandt said he is not aware of any exploits in the wild for vulnerabilities he has discovered, but that regular patching is important because of the likelihood that new vulnerabilities will continue to be reported.

About the Author

William Jackson is a Maryland-based freelance writer.

Reader Comments

Fri, Aug 5, 2011

I thought the kernel was rewritten for Win 7. Is this article talking about Win XP and prior versions or is this an issue in Win 7 also? And since this is looking at the Win32k.sys OS, is it an issue on the 64 bit Windows version? With all the advances in hardware and graphics, it is hard to believe a file written in 1997 would still remain an issue.
