Fifteen-year Windows kernel bug patched at last

February 12, 2015 | 12:13

Tags: #insecurity #jasbug #patch-tuesday #privilege-escalation #security #update-tuesday #vulnerability #windows #windows-10

Companies: #microsoft

Details of another long-running flaw in Microsoft's Windows operating system have emerged this week, following the release of a patch for the bug on Patch Tuesday.

Microsoft's list of updates for its Windows platform, released to the public as part of its regular Patch Tuesday update cycle earlier this week, included a patch for a decade-old flaw known as Jasbug. Described as a 'fundamental design flaw,' the security vulnerability - rated Critical by Microsoft, its highest designation - took Microsoft and discoverer JAS Global Advisors a year to resolve post-discovery. Now, details of another bug in the platform have been released by Breaking Malware - and this one stretches back even further, up to fifteen years.

A privilege escalation vulnerability rated Important to Critical by Microsoft, the flaw was discovered by researchers several months ago but only made public once the patch was released this week. Affecting all versions of Windows, it allows every security measure against exploitation - from sandboxing and kernel segregation through to memory randomisation and user-access control - to be bypassed entirely by flipping a single bit in the operating system.

'We have verified this exploit against all supported Windows desktop versions,' the group explained in its analysis of the flaw, 'including Windows 10 Technical Preview.' The vulnerability lies in the part of the Windows kernel's graphical user interface (GUI) code that controls the appearance and positioning of scrollbars - not an obvious place to find a major security hole. Manipulating a single bit is enough to gain access to the window's properties, and from there to control its access to the underlying system, adjust the size of a buffer and trigger a buffer overflow - bypassing anti-malware protections and elevating the attacker's privileges to system level.

'After some work we managed to create a reliable exploit for all versions of Windows – dating back from Windows XP to Windows 10 preview (with SMEP and protections turned on),' the team has claimed. 'We have shown that even a minor bug can be used to gain complete control over any Windows Operating System. We think that Microsoft's efforts to make its operating system more secure raised the bar significantly and made writing reliable exploits far harder than before. Unfortunately, these measures are not going to keep attackers at bay. We predict that attackers will continue incorporating exploits into their crime kits, making compromise inevitable.'

The team's analysis also turned up 'dead code,' long since bypassed, which had sat in the Windows kernel for the past fifteen years 'doing absolutely nothing' - something Microsoft has likely addressed in its patch. Users of supported Windows releases are advised to install the KB3036220 update as soon as possible; those still on unsupported platforms such as Windows XP will not receive the patch.