They's just after me money!"
Posted on 08/07/2010 9:16:32 AM PDT by dayglored
Researchers have identified a kernel-level vulnerability in Windows that allows attackers to gain escalated privileges and may also allow them to remotely execute malicious code. All versions of the Microsoft OS are affected, including the heavily fortified Windows 7.
The buffer overflow, which was originally reported here, can be exploited to escalate privileges or crash vulnerable machines, IT research company Vupen said. The flaw may also allow attackers to execute arbitrary code with kernel privileges.
The bug resides in the “CreateDIBPalette()” function of a device driver known as “Win32k.sys.” It is exploited by pasting a large number of color values into an improperly allocated buffer, potentially allowing attackers to sneak in malicious payloads, vulnerability tracking service Secunia warned.
It affects fully patched installations of every supported Windows platform, from Windows XP SP 3 to Windows Vista, 7, and Server 2008. The latter three versions contain several defenses designed to lessen the effect of security vulnerabilities. It wouldn't be surprising if code execution attacks were possible only on earlier versions that don't have the defenses, which include DEP, or data execution prevention, and ASLR, short for address space layout randomization.
There are no reports of the vulnerability being exploited in the wild. Microsoft said it is investigating the reports but didn't have additional information.
HOWEVER, some caveats: The researchers indicated this would be hard to exploit in Win7. There are currently no exploits for it in the wild. And Microsoft is studying it and is expected to produce a patch for it, although not in the coming record-breaking Patch Tuesday release.
Another caveat (personal): I take all warnings from so-called "security firms" (such as Secunia) with a large grain of salt. While the facts may be true, they are selling products with fear, and their statements should be read with that in mind.
PLEASE NOTE: This thread is for discussion of security issues, how they arise, how they may be mitigated, and related topics. It is NOT for bashing Microsoft or Windows, nor for pointless comparisions between operating systems. There's plenty of that on Slashdot for those of a mind to have flamewars.
Reasonable comments are welcome from all tech-minded FReepers regardless of computer persuasion, but trolls of all flavors are asked to avoid starting trouble.
Thanks, all.
Tech pings please?
No doubt. Which I'm sure is the reason we're suddenly hearing about all these major vulnerabilities lately, Microsoft has probably known about them for a while but what better time to talk about them when you're trying to get people to upgrade?
This doesn't look like it's going to spawn any huge exploits in a hurry, at least on recent releases like Win7. But of course the "security firms" are having a field day...
Are you gearing up for Tuesday's August 2010 Patch Tuesday Release? It promises to be a biggie -- 34 vulnerabilities / 14 bulletins -- a record. I know what I'll be doing for a day or two next week... *sigh*
Since last year sometime nearly every Microsoft update has caused me some amount of problems - from slow running computers to loss of functionality. All the Microsoft brethren can flame me all they want, but I am convinced Microsoft is deliberately trying to force the XP people like me onto newer systems.
Right now, between virus attacks and Microsoft mischief, I fear Microsoft more. JMO
Well, SURE they are. They're not making any money off you as it stands, right? They're in business to make money from people like you -- they're not in it for their health. :)
And there's nothing wrong or surprising about that. We should expect that Microsoft, like Apple and other high-tech firms, have a primary responsibility to their stockholders (to return on investment), and a secondary responsibility to their customers (to produce stuff that has value).
Anyone who imagines that Microsoft is going to happily allow XP to exist forever is deluded. No offense intended to present company of course! :) I think your concern is warranted and sensible.
OTOH, remember that the weakest link in the chain is not the OS or your firewall -- it's the operator. Stay vigilant!
Maybe... OTOH, upgrading has so far been good to me. I've taken most of my XP systems at home and work up to Win7 with very few problems, and reaped some significant benefits in performance and stability.
XP is ultimately doomed (I expect MS to pull the rug the rest of the way out from under it pretty soon). Unless you have ancient hardware, or want to move away from Windows to something like OS-X or Linux, Win7 is a good step upward and quite worthwhile, IMO.
You may be onto something. We know that MS hates for us to cling to our XP, so what better than to “bug” it.
One thing I have discovered, after one of the updates (don’t know which as for a while back they were coming daily, Win updates that is), I can no longer Restore even to a point made specifically. No doubt if I dump and reinstall XP, there will remain some hidden bug.
I get that too. This morning when I logged on my computer had a totally different window. I hate it and don't know how to get rid of it.
A lot of people agree with you but I haven't noticed it. XP is faster for me and as far as stability I can't remember the last time I've had a crash on it.
With Windows 7 it's still got bugs that need to be worked out. One particularly annoying one is how the mouse pointer will sometimes stick on the Taskbar for a few seconds. The fact that I have to use third party applications like ShellFolderFix to maintain each folder's desired size is also a pain.
But I do agree that it's the OS of the future because Microsoft's business model is forced obsolescence and they're not about to change.
Well they need to enjoy themselves because we were down to two programs that require Windows, and when we can find alternatives - Microsoft is GONE.
I have no problem with Microsoft, but they refuse to listen to their customers and I am sick of upgrading every few years to more bloatware with a bewildering array of useless features that 99% of the users will never touch. If they’d offer the system many of us want, I’d upgrade my home computers and all of the ones at work tomorrow.
“heavily fortified”....
You can build a fence around a pile of crap but it’s still gonna be crap.
LOL! Ya got that right!
IMO, one of the largest weaknesses in the entire NT-based line (NT4, 2000, XP, Vista, Win7) is that the original architecture was intentionally compromised for the sake of interactive performance. Thousands of functions that were in userland -- and belonged there -- were migrated into the kernel itself to improve response (which in the original NT3.1/3.5 sucked swamp water). The kernel was turned into a plate of spaghetti layered with swiss cheese.
The result was that any hope of architectural security and stability were compromised -- no, make that "devastated". Over the years, all the original architects, designers, and eventually even the managers quit in disgust.
That's the "crap" you refer to. The internals of Windows are a mess, and there's no fixing it, short of a total re-write.
The project originally called "Windows 7" -- the one that has the NT codebase version "7.0" -- was supposed to be that re-write. But the name "7" was co-opted by the patch-up of Vista (NT6.0 -> NT6.1) that has been marketed as Win7. Win7 is good, very good, but it's still the same old NT codebase.
I'm now holding out hope for Windows 8 (codebase NT7.0), to see if they manage to do the complete re-write for that version.
It's a decade overdue.
“Win7 is a good step upward and quite worthwhile, IMO.”
For a former XP fan I have to agree with you completely.
Yep, it was like putting VMS through a Chinese/Walmart bicycle factory.
I find it incredibly ironic that Windows (based on NT) was generally regarded as a security nightmare, whereas VMS was generally regarded as one of the most secure OSes in history. Ironic, since Dave Cutler designed them both, and indeed NT had much in common with VMS... until the hacks at Microsoft bitched it up (or so the story goes). Cutler still works for Microsoft (developing Azure), so probably we won't know the whole story until he retires and writes his memoirs...
Right in the middle of development of NT, Bill Gates saw how popular Windows 3.1 was and told Cutler to change direction, dump their new high-speed API and use use a 32-bit version of the Windows 3.1 API instead to make NT compatible.
At that point it lost all hope of being a modern VMS.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.