Microsoft warns of critical hole in 64-bit version of Windows 7
Microsoft reports that a flawed Canonical Display Driver (CDD) for rendering images in the 64-bit versions of Windows 7 and Windows Server 2008 R2 x64, as well as Windows Server 2008 R2 for Itanium, can potentially be exploited to compromise a system. However, systems are only vulnerable if the Aero desktop is enabled; Aero is enabled by default in Windows 7 but requires manual installation in Windows Server 2008.
The problem is caused by a flawed parsing routine when copying information from user-land to kernel-land. Microsoft's advisory does not provide details about how exactly the flaw can be provoked. The vendor states that the flaw can only be exploited via applications that still use the (old) GDI API to render images. The CDD simply emulates a Windows XP interface for GDI graphics engine access. Older third-party applications, however, may still use the old API.
Microsoft also seems to be uncertain about whether the flaw can be exploited remotely. The official advisory states that visiting a website which contains a specially crafted image is enough to fall victim to the attack. On the other hand, Bruce Dang and Jonathan Ness of Microsoft's Security Research Center write that there is currently no known scenario which allows the hole to be exploited remotely. According to Dang and Ness, the hole can only be exploited for privilege escalation.
Microsoft currently assumes that the Address Space Layout Randomisation (ASLR) feature of modern Windows versions makes the hole harder to exploit, and that an attack will only cause a system to freeze and reboot. During the recent Pwn2Own contest, however, hackers demonstrated how to make exploits functional despite ASLR and DEP.
Microsoft are working on a patch but recommend that users disable the Aero desktop or change their theme until the patch becomes available. To do this, choose a theme from "Basic and High Contrast Themes" in "Start/Control Panel/Appearance and Personalisation/Change Design".
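A quick way for an administrator to see which machines the workaround applies to, as an added example that is not from The H or Microsoft: the script checks the OS version and architecture and asks the Desktop Window Manager whether composition (Aero) is on. DwmIsCompositionEnabled and Win32_OperatingSystem are real Windows APIs; the variable names and the report layout are the example's own.

```powershell
# Added example: report whether this host matches the configuration described in the
# advisory (64-bit Windows 7 / Server 2008 R2 with the Aero desktop enabled).
# Assumes Windows PowerShell 2.0 or later, run on the machine being checked.
Add-Type -Namespace Dwm -Name Api -MemberDefinition @'
[DllImport("dwmapi.dll")]
public static extern int DwmIsCompositionEnabled(out bool enabled);
'@

$os = Get-WmiObject Win32_OperatingSystem

# Windows 7 and Windows Server 2008 R2 both report kernel version 6.1.x
$isWin61 = $os.Version -like '6.1.*'

# OSArchitecture reads "64-bit" on x64 and Itanium builds, "32-bit" on x86
$is64bit = $os.OSArchitecture -like '64*'

# Ask DWM directly; returns $true when desktop composition (Aero) is active.
# On Server 2008 R2 this is only possible with the Desktop Experience feature installed.
$aeroOn = $false
[void][Dwm.Api]::DwmIsCompositionEnabled([ref]$aeroOn)

$report = New-Object PSObject -Property @{
    Computer     = $env:COMPUTERNAME
    OSVersion    = $os.Version
    Architecture = $os.OSArchitecture
    AeroEnabled  = $aeroOn
    # Exposed only when all three conditions from the advisory hold; switching to a
    # Basic or High Contrast theme turns composition off and clears AeroEnabled.
    Exposed      = ($isWin61 -and $is64bit -and $aeroOn)
}
$report | Format-List
```

Run it under each interactive user session rather than as a service, since composition is a per-session setting.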
- Vulnerability in Canonical Display Driver Could Allow Remote Code Execution, security advisory from Microsoft.
- Security Advisory 2028859 Released, a Microsoft Security Response Center blog post.
- CDD.dll vulnerability: Difficult to exploit, a Security Research & Defense blog post.
- Pwn2Own 2010: iPhone hacked, a report from The H.