2010/05/24

Windows GDI, or how the new is better than the old

Here is a news item I read:

http://www.heise-online.pl/security/news/item/Microsoft-ostrzega-przed-krytyczna-luka-w-64-bitowej-wersji-Windows-7-1003325.html

On one side a BUG, on the other an evasive explanation from M$ that can be read on this page:
http://www.microsoft.com/technet/security/advisory/2028859.mspx

The more interesting fragments:
What is the Canonical Display Driver (cdd.dll)?
The Canonical Display Driver (cdd.dll) is used by desktop composition to blend GDI and DirectX drawing. CDD emulates the interface of a Windows XP display driver for interactions with the Win32k GDI graphics engine.

So I'm not the only one writing new, better, faster :D

and:
What might an attacker use this vulnerability to do?
In most scenarios, an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.

Why is code execution unlikely for this issue?
An attacker who attempts to exploit this issue for code execution would need to write executable content to a specific space in kernel memory. However, since the starting address will be random, the final pointer destination will be difficult to predict. The implementation of Address Space Layout Randomization (ASLR) by default on affected systems further complicates this prediction. In most scenarios, exploit code could much more likely result in a denial of service than in code execution.

What is Address Space Layout Randomization (ASLR)?
Systems implementing Address Space Layout Randomization relocate normally-predictable function entry points pseudo-randomly in memory. Windows ASLR re-bases DLL or EXE into one of 256 random locations in memory. Therefore, attackers using hardcoded addresses are likely to "guess correctly" one in 256 times. For more information regarding ASLR, visit the TechNet Magazine article, Inside the Windows Vista Kernel: Part 3.

So ... dear customer, by buying Windows 7 you are exposed to attack from any web page. We blew it again, just like back then with the JPG image processing library (http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx), but don't worry. After all, we have ASLR, which places kernel code in one of 256 locations, so you are safe, because a good bluff isn't bad.
http://www.heise-online.pl/newsticker/news/item/Nowa-metoda-exploitowa-do-omijania-ochrony-pamieci-960185.html
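To put a number on the "one in 256" claim from the advisory, here is a small calculation I am adding to this post (it is not code from Microsoft or from the advisory). It assumes what the advisory describes: the image lands in one of 256 equally likely positions, a wrong guess crashes the box and it restarts, and the restart picks a fresh random base, so every guess is an independent 1/256 shot. The `slots`, `attempts` and `confidence` parameters are mine; the 256 comes from the advisory text above.

```python
import math


def entropy_bits(slots: int) -> float:
    """How many bits of randomness the rebasing actually provides.
    256 possible positions is log2(256) = 8 bits."""
    return math.log2(slots)


def success_probability(slots: int, attempts: int) -> float:
    """Chance that an exploit using one hardcoded address hits the right base
    at least once in `attempts` independent tries.
    Assumption: each failed try crashes the system, the restart rerolls the base."""
    return 1.0 - (1.0 - 1.0 / slots) ** attempts


def attempts_for_confidence(slots: int, confidence: float) -> int:
    """Smallest number of tries that pushes the success chance to `confidence`."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - 1.0 / slots))


def expected_crashes_before_success(slots: int) -> int:
    """Geometric distribution with p = 1/slots: on average `slots` tries are needed,
    so `slots - 1` of them end in the 'stop responding and restart' outcome the
    advisory describes. Each of those is a reboot a defender can count in event logs."""
    return slots - 1


if __name__ == "__main__":
    # Values below are computed, not taken from the advisory.
    print("entropy bits:", entropy_bits(256))
    print("single guess:", success_probability(256, 1))
    print("tries for 50% success:", attempts_for_confidence(256, 0.5))
    print("expected crashes before success:", expected_crashes_before_success(256))
```

The takeaway for the defender is the last function: with 8 bits of entropy the cost of a wrong guess is a reboot, so a box that keeps bugchecking and coming back is the signal to watch, not the "unlikely code execution" wording.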