Windows kernel a fertile field for vulnerabilities
- By William Jackson
- Aug 04, 2011
LAS VEGAS — The graphics control component of the Windows kernel has proved a fruitful ground for security researcher Tarjei Mandt, who has discovered dozens of vulnerabilities in the 15-year-old system.
Microsoft has issued more than 40 patches so far this year for this class of bugs, but “the actual vulnerability count is much higher than those that have been addressed,” Mandt said. “There are plenty more that haven’t been announced.”
Mandt, who works for the security company Norman ASA, presented his findings on vulnerabilities in Windows’ use of user-mode callbacks Aug. 3 at the Black Hat Briefings. Although Microsoft has addressed “a big chunk of the issues,” an unknown number remain, he said. “It’s ongoing research. The complexity of some of the issues makes it hard to say how many more bugs there might be.”
The problem lies in Win32k.sys, introduced in 1997, which remains a fundamental component of the Windows architecture, managing both the Window Manager and the Graphics Device Interface. It allows the kernel to make user-mode callbacks to carry out a variety of tasks, including invoking application-defined hooks, delivering event notifications and copying data to and from user mode. To make such a callback the kernel releases a lock it had been holding, and the problem is that on return from the callback it fails to sufficiently validate that the memory and objects it was working on have not changed in the meantime, Mandt said.
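The following is an added illustration of the bug pattern described above, not code from Mandt’s research and not from win32k.sys itself. It models a kernel routine that looks an object up by handle, drops its lock to call back into user mode, and then keeps using the object, beside a hardened version that repeats the lookup and checks a generation counter after the callback returns. All names (`kobject`, `handle_table`, `kcallback`, the callbacks) and the object table are constructed for the example; the “free” is simulated by poisoning the slot rather than calling `free()` so the stale read is observable and safe.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of a kernel handle table. Hypothetical names throughout. */
#define TABLE_SIZE 4
#define POISON 0xDEADBEEFu      /* stands in for the contents of a freed pool block */

struct kobject {
    bool     in_use;
    uint32_t generation;        /* bumped each time the slot is (re)allocated */
    uint32_t payload;           /* the field the kernel wants after the callback */
};

static struct kobject handle_table[TABLE_SIZE];
static int lock_depth = 0;      /* stand-in for the kernel lock that gets released */

static void lock_acquire(void) { lock_depth++; }
static void lock_release(void) { lock_depth--; }

/* Allocate an object in the first free slot and return its handle, or -1. */
int kobject_create(uint32_t payload)
{
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!handle_table[i].in_use) {
            handle_table[i].in_use = true;
            handle_table[i].generation++;
            handle_table[i].payload = payload;
            return i;
        }
    }
    return -1;
}

/* Free an object: mark the slot unused and poison it, like a freed allocation. */
void kobject_destroy(int handle)
{
    if (handle < 0 || handle >= TABLE_SIZE) return;
    handle_table[handle].in_use = false;
    handle_table[handle].payload = POISON;
}

/* Lookup by handle; only valid while the caller holds the lock. */
static struct kobject *kobject_lookup(int handle)
{
    if (handle < 0 || handle >= TABLE_SIZE || !handle_table[handle].in_use)
        return NULL;
    return &handle_table[handle];
}

typedef void (*kcallback)(int handle);

/* VULNERABLE pattern: the pointer obtained before the lock was released is
 * trusted after user mode has run, so a freed or reused slot is read. */
uint32_t vulnerable_path(int handle, kcallback user_cb)
{
    lock_acquire();
    struct kobject *obj = kobject_lookup(handle);
    if (!obj) { lock_release(); return 0; }
    lock_release();                 /* lock dropped so user mode can run */
    user_cb(handle);                /* user mode may destroy or replace the object */
    lock_acquire();
    uint32_t value = obj->payload;  /* stale pointer: no re-validation */
    lock_release();
    return value;
}

/* HARDENED pattern: after the callback, look the handle up again and compare
 * the generation so that both "freed" and "freed and reused" are rejected. */
bool hardened_path(int handle, kcallback user_cb, uint32_t *out)
{
    lock_acquire();
    struct kobject *obj = kobject_lookup(handle);
    if (!obj) { lock_release(); return false; }
    uint32_t gen = obj->generation;
    lock_release();
    user_cb(handle);
    lock_acquire();
    obj = kobject_lookup(handle);
    if (!obj || obj->generation != gen) { lock_release(); return false; }
    *out = obj->payload;
    lock_release();
    return true;
}

/* Constructed user-mode callbacks for the demonstration. */
void cb_benign(int handle)   { (void)handle; }
void cb_destroys(int handle) { kobject_destroy(handle); }
void cb_reuses(int handle)   { kobject_destroy(handle); kobject_create(99); }

int main(void)
{
    uint32_t v = 0;
    int h = kobject_create(42);
    printf("benign:    vulnerable=%u hardened_ok=%d\n",
           vulnerable_path(h, cb_benign), hardened_path(h, cb_benign, &v));
    printf("destroyed: vulnerable=0x%X (poison)\n", vulnerable_path(h, cb_destroys));
    h = kobject_create(7);
    printf("reused:    hardened_ok=%d (rejected by generation check)\n",
           hardened_path(h, cb_reuses, &v));
    return 0;
}
```

The generation counter matters because a plain `in_use` check is not enough: user mode can free the object and allocate a new one into the same slot before the kernel resumes, and the second lookup would then succeed on the wrong object. Re-validating after every callback is the defensive discipline the patched drivers had to adopt.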
“Without proper authentication, this will result in all kinds of vulnerabilities,” he said.
Microsoft in April released patches for 30 vulnerabilities in Windows kernel-mode drivers that could allow elevation of privilege by an attacker who had logged on locally. The attacker would need valid logon credentials and could not exploit the vulnerabilities remotely, the company said in its April security bulletin. Still, “this security update is rated Important for all supported releases of Microsoft Windows,” the bulletin said. Another 14 patches for related vulnerabilities were released in July.
Mandt said most security research is being done in applications and that kernel-level research takes a different set of skills. He began researching the Win32k environment last fall and reported the first bugs in the kernel to Microsoft in October.
“This particular component hadn’t been looked at by others,” he said. “That was one motivating factor” for choosing it. “I knew that the module had certain complex components,” which meant there was a greater chance of finding bugs.
Still, he was surprised at the number he found, given that the component had been around since 1997. But because complex operating systems are built up over time on legacy components, problems will persist if the code is not carefully examined.
“In order to have a secure operating system, you need people to look into the components,” he said, and “not many people are doing it.”
He called his discoveries eye-opening. “Whatever software you look at there will always be problems,” he said, but he did not expect to find as many problems as he did. “It is surprising that there have been so many vulnerabilities present in the Windows kernel.”
Because the fundamental problem is buried in an old element of the Windows kernel, Microsoft’s response to date has been to mitigate individual vulnerabilities through patches. Mandt said he is not aware of any exploits in the wild for vulnerabilities he has discovered, but that regular patching is important because of the likelihood that new vulnerabilities will continue to be reported.
William Jackson is a Maryland-based freelance writer.