Windows Vista Forums

Vista - Kernel vulnerability found in Vista

Post #1, 11-23-2008

Kernel vulnerability found in Vista

A flaw in Vista's networking has been found that can crash the system, but no fix is expected until the next service pack

A flaw has been found in Windows Vista that could allow rootkits to be hidden or denial-of-service attacks to be executed on computers using the operating system.

The vulnerability was found by Thomas Unterleitner of Austrian security company Phion and was announced Friday. Unterleitner told ZDNet UK on Friday that Phion told Microsoft about the flaw in October but that he understood a fix would only be issued in the next Vista service pack.

According to Unterleitner's disclosure of the flaw, the issue lies in the network input/output subsystem of Vista. Certain requests sent to the iphlpapi.dll API can cause a buffer overflow that corrupts the Vista kernel memory, resulting in a blue-screen-of-death crash.

"This buffer overflow could (also) be exploited to inject code, hence compromising client security," Unterleitner said.

Unterleitner told ZDNet UK via e-mail that the "exploit can be used to turn off the computer using a (denial-of-service) attack." He also suggested that, because the exploit occurs in the Netio.sys component of Vista, it may make it possible to hide rootkits.

Using a sample program, Unterleitner and his colleagues ascertained that Vista Enterprise and Vista Ultimate were definitely affected by the flaw, with other versions of Microsoft's operating system "very likely" to be affected as well. Both 32-bit and 64-bit versions are vulnerable. Windows XP is not affected.

Asked about the severity of the flaw, Unterleitner pointed out that administrative rights were needed to execute a program calling the function that would cause the buffer overflow. However, he also said it was possible--but not yet confirmed--that someone could use a malformed DHCP packet to "take advantage of the exploit without administrative rights."

"We have worked together with Microsoft Security Response Center in Redmond since October 2008 to locate, classify and fix this bug," Unterleitner wrote. "Microsoft will ship a fix for this exploit with the next Vista service pack."

Microsoft told ZDNet UK on Friday that it had investigated the issue, but was "currently unaware of any attacks trying to use the vulnerability or of customer impact." It could not, however, confirm the inclusion of a fix for the problem in the next as-yet-unreleased service pack for Vista, nor give the release date for that service pack.

Kernel vulnerability found in Vista | Security - CNET News


Post #2, 11-23-2008

Re: Kernel vulnerability found in Vista

Quote: Originally Posted by echrada
Asked about the severity of the flaw, Unterleitner pointed out that administrative rights were needed to execute a program calling the function that would cause the buffer overflow. However, he also said it was possible--but not yet confirmed--that someone could use a malformed DHCP packet to "take advantage of the exploit without administrative rights."

Another Bonus for having UAC enabled

Plus a DHCP flaw can only be done locally... It also seems 99% of firewall software is able to block this type of attack.

If they can't release a patch and have to use a Service Pack update, that means more than one component is responsible, requiring a few files updated from different teams to patch the flaw.

Post #3, 11-23-2008

Re: Kernel vulnerability found in Vista

That is why the service pack and everything else following on is not going to be released on the datelines previously thought. Too many 'gremlins'.

Post #4, 11-23-2008

Re: Kernel vulnerability found in Vista

That sucks, lol.

Oh well, I hope the service pack helps Vista even more.

Post #5, 11-24-2008

Re: Kernel vulnerability found in Vista

Hello guys; I just found this, which says it will be fixed in SP2. Dated 24 November.

Newly discovered Vista vulnerability to be fixed in SP2.

Three security researchers, Marius Wachtler, Michael Burgbacher, and Carson Hounshell recently found a vulnerability in Windows Vista (with or without SP1) that could allow an attacker to remotely take control of a PC.

Craggs and Unterleitner work for Phion AG, the security company that published details of the vulnerability. The problem, which is in the Device IO Control, affects both 32-bit and 64-bit editions of Vista (XP is unaffected). The problem can be exploited in two different ways to cause a buffer overflow that can corrupt the memory of the operating system's kernel.

The good news is in the requirements of the exploit, according to the Phion report: "To execute either the sample program or the route-add command, the user has to be member of the Network Configuration Operators group or the Administrators group." Phion notes that this diminishes the risk of a PC being exploited, though Unterleitner, the Austrian security vendor's director of endpoint security software, believes that it might be possible to produce the buffer overflow without administrative rights.

Read more at the source.


Later Ted

Post #6, 11-25-2008

Re: Kernel vulnerability found in Vista

There are always going to be security holes in complicated systems (not just ones written by Microsoft).
However, at least Microsoft has tried to take steps to minimise the risk by adding UAC and other small steps.
If people use the OS correctly, i.e. not logged on as Administrator all the time and with UAC enabled, there will be less risk of getting problems.

Post #7, 11-25-2008

Re: Kernel vulnerability found in Vista

I have a question.

Has Microsoft really cut down on the amount of crap Vista can get over XP?

Like the Spyware and Viruses or just got around it by adding in protection?

Post #8, 11-26-2008

Re: Kernel vulnerability found in Vista

Quote: Originally Posted by Adamd
I have a question.

Has Microsoft really cut down on the amount of crap Vista can get over XP?

Like the Spyware and Viruses or just got around it by adding in protection?
The only way of getting around viruses on a platform designed for multiple hardware platforms is to write virus checkers and spyware checkers.

Microsoft has added UAC as an added layer.

There are all sorts of viruses out in the wild, even for Bluetooth phones. If it has memory and logic chips and communicates with the outside world, then it can get a virus.

Post #9, 11-26-2008

Re: Kernel vulnerability found in Vista

Quote: Originally Posted by Adamd
I have a question.

Has Microsoft really cut down on the amount of crap Vista can get over XP?

Like the Spyware and Viruses or just got around it by adding in protection?
ASLR (Address Space Layout Randomization), UAC, Windows Firewall Outbound Protection, Windows Defender, and a few hundred other hidden changes basically stop most spyware and adware from infecting a Vista system.
You can see from the kernel vulnerability above that you need UAC disabled or the application elevated to admin (if UAC is enabled) to use this hack...

I will try to explain why UAC prevents this flaw... They added Integrity Level tags to each programming object, FileSystem Object and API. For an application to use these objects they must specify their access and their Integrity Level when you launch the application... (1) or (2) or (3), but it can't be more than one at runtime.

Here is a basic example and the principles of how UAC works and protects users (the best I can explain them anyway):

Trusted Installer or Kernel Access aka XP Compatibility mode = 0
System & Admin accounts = 1
User = 2
Guest = 3

Guest (3) and User (2) cannot talk to System or Admin (1) Protected Objects, FileSystem Objects or APIs without UAC permission (1)...

System and Admin Accounts (1) can talk to User (2) and Guest (3) Objects since they're elevated...

System and Admin Accounts (1) after logging on by default use User Access (2) until the application or function is elevated by UAC (1)... unless UAC is disabled, in which case they use TrustedInstaller & Kernel Access aka XP Compat mode (0)...

Guest (3) and User Accounts (2) by default use their Access level until elevated by UAC (1).

TrustedInstaller & KernelAccess aka XP Compat mode (0) protects all System Files, System Objects and Elevation APIs from Admins with UAC Enabled (2), and also from Users (2) and Guests (3), until that application is elevated (1).

This flaw needs direct access to the Networking Stack (0) to call an invalid network subnet mask (1), so having UAC enabled and running as Admin means you're running as User (2) until that process or exploit is elevated (1).

No Applications need (0) Level Access, so Microsoft was able to use UAC to set System Files with Access (1), the System and Admin groups as (2) by default, and give you the choice of elevating an application (1) if it did require access.

The highest Access is reserved for TrustedInstaller & KernelAccess aka XP Compat mode (0)...
It only gives Read Access to System & Admin (1), Read Access to Users (2) and Read Access to Guests (3) until ownership of that XP Compat mode (0) is taken by System & Admin (1), and if that admin chooses it can then be given to Users (2) or Guests (3).

Internet Explorer runs as (1) but Firefox runs as (2), so a Firefox flaw can be exploited to exploit this flaw (0) and gain admin (1); the same is said for Flash because it runs with (2)...

Many other System objects run with (2) by default when UAC is enabled, but if it's disabled then they run with the Highest Access of (0).

I may have explained this in a way more complicated than it has to be, but it works really well and it's as easy as specifying the access level you require at runtime (by default (2) unless elevation is required (1)), but it cannot be done automatically without the user's permission. It can't be done remotely because all System Components run with (2) access unless you have UAC disabled, in which case everything runs with (0).

You just see an "annoying" prompt; however, it's making sure you have access to that object, that the object was not requested remotely, and that it wasn't an automated prompt.

It also doesn't mean Microsoft doesn't fix these flaws, because they still represent a security flaw and problem under specific circumstances. It means using UAC gives them a few weeks to design and test a reliable solution that solves the problem once and for all without breaking anything, instead of rushing out an untested and problematic patch that can cause more problems... while leaving you protected (unless you always click Continue on UAC prompts without checking the cause and completely defeat the purpose of UAC).

Antivirus software is reactive to threats, so the programmer can just keep changing his application's signature every time it starts being detected while continuing to exploit the flaw. UAC was mainly designed to "fill the gap" and harden the system from remote and local user exploits.

These technologies and over a hundred more built into every API and System Object give Vista the smallest attack surface of any Windows OS ever made and secure the system damn well. I was talking with another moderator here, JohnGalt, about this when he mentioned some "Hack the Workstation" competition in the US last year when Apple's OSX 10.5 security was bypassed in two minutes using two lines of AppleScript to gain a root shell (it has been vulnerable to this since 2000 and is still vulnerable to this day). Vista had taken two days to bypass, thwarting nearly all exploits, and Linux on the same day but a few hours later, thwarting nearly all exploits...

That was last year; the improvements since then have made it harder to exploit anything since a few more flaws were found and patched, but it's hundreds fewer than XP or other Windows OS releases at the same time period after being RTM.

I think they did the impossible with UAC and brought Linux security to Windows. In the future they will eventually prevent Spyware/Malware or trojans from taking over your system, but this will take time until developers stop using insecure code and start using tags on their Objects to prevent exploits.


Microsoft must have seen Chopper Reid down here in Australia and got annoyed with Linux being more secure, so they decided to "Harden the **** up".

You messed up try again
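The Phion report quoted in post #5 says the sample program or the route-add command requires membership in the Network Configuration Operators or Administrators group, and post #9 argues that an admin with UAC enabled runs as a standard user until elevated. A defender can check both conditions for a given logon with the `whoami /groups` command that ships with Vista: on the UAC-filtered (non-elevated) token the Administrators entry is marked "Group used for deny only", and the "Mandatory Label" entry shows the token's integrity level. The Python below is an example added here, not code from the thread or from Phion; it parses that command's output offline so the check can be run over captured text. The three sample outputs are constructed, and the well-known SID and integrity-RID values are Microsoft's documented ones.

```python
import re

# Well-known SIDs and integrity RIDs; these values are documented by Microsoft.
ADMINISTRATORS_SID = "S-1-5-32-544"
NETCFG_OPERATORS_SID = "S-1-5-32-556"   # BUILTIN\Network Configuration Operators
INTEGRITY_LEVELS = {0: "Untrusted", 4096: "Low", 8192: "Medium",
                    12288: "High", 16384: "System"}

_SID_RE = re.compile(r"\b(S-1(?:-\d+)+)\b")


def parse_groups(whoami_output):
    """Map SID -> attribute text for every group line of `whoami /groups`.
    Header, separator and blank lines carry no SID and are skipped."""
    groups = {}
    for line in whoami_output.splitlines():
        match = _SID_RE.search(line)
        if match:
            groups[match.group(1)] = line[match.end():].strip()
    return groups


def _is_live(groups, sid):
    """A group grants access only if present and not marked 'deny only'
    (UAC's filtered token keeps Administrators but flags it deny-only)."""
    attrs = groups.get(sid)
    return attrs is not None and "deny only" not in attrs.lower()


def classify_token(whoami_output):
    """Summarise integrity level, admin state and the group prerequisite
    named in the Phion report for one `whoami /groups` capture."""
    groups = parse_groups(whoami_output)

    level = "Unknown"
    for sid in groups:
        if sid.startswith("S-1-16-"):          # the Mandatory Label entry
            level = INTEGRITY_LEVELS.get(int(sid.rsplit("-", 1)[1]), "Unknown")

    if ADMINISTRATORS_SID not in groups:
        admin_state = "not a member"
    elif _is_live(groups, ADMINISTRATORS_SID):
        admin_state = "member, elevated"
    else:
        admin_state = "member, filtered by UAC (not elevated)"

    return {
        "integrity_level": level,
        "administrators": admin_state,
        "network_config_operator": _is_live(groups, NETCFG_OPERATORS_SID),
        # Phion's stated prerequisite: a usable Administrators or
        # Network Configuration Operators membership on the token.
        "meets_group_requirement": (_is_live(groups, ADMINISTRATORS_SID)
                                    or _is_live(groups, NETCFG_OPERATORS_SID)),
    }


# Constructed sample captures (not taken from a real machine).
FILTERED_ADMIN = """\
GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Administrators                Alias            S-1-5-32-544 Group used for deny only
BUILTIN\\Users                         Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\INTERACTIVE              Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
Mandatory Label\\Medium Mandatory Level Label            S-1-16-8192
"""

ELEVATED_ADMIN = """\
Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Administrators                Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\\Users                         Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\\High Mandatory Level   Label            S-1-16-12288
"""

NETCFG_USER = """\
Group Name                               Type             SID          Attributes
======================================== ================ ============ ==================================================
Everyone                                 Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users                           Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Network Configuration Operators Alias            S-1-5-32-556 Mandatory group, Enabled by default, Enabled group
Mandatory Label\\Medium Mandatory Level   Label            S-1-16-8192
"""

if __name__ == "__main__":
    for name, capture in [("filtered admin", FILTERED_ADMIN),
                          ("elevated admin", ELEVATED_ADMIN),
                          ("netcfg operator", NETCFG_USER)]:
        print(name, classify_token(capture))
```

On a live Vista box the input would be the text of `whoami /groups`; the only thing the script adds to reading that output by eye is the "deny only" rule, which is what separates the filtered token of a logged-on administrator from the elevated one the report's prerequisite actually needs.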
Vista Forums is an independent web site and has not been authorized,
sponsored, or otherwise approved by Microsoft Corporation.
"Windows Vista", the Start Orb, and related materials are trademarks of Microsoft Corp.
© Designer Media Ltd