Vista SP1
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Server 2003 SP2 for Itanium-based systems
Windows Vista
Windows Vista SP1
Windows Vista SP2
Windows Vista x64 Edition
Windows Vista x64 Edition SP1
Windows Vista x64 Edition SP2
Windows Server 2008 x32
Word document, the victim's Office Word application is compromised.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in the
Embedded OpenType Font Engine for Windows Vista SP1 (T2EMBED.DLL
version 6.0.6001.18000) and Windows XP SP3 (T2EMBED.DLL version
5.1.2600.5512). Previous versions may also be affected.
Microsoft confirms/reports the following products are vulnerable:
Remote attackers could exploit this issue without having valid credentials on the target machine. In order to achieve a successful exploitation, the attacker needs enough privileges to remotely send WRITE_ANDX packets to an interface that uses a Named Pipe as endpoint. Those interfaces that allow NULL Sessions vary between Windows versions; in Vista, the reliability of a preauth attack through the “\LSARPC” has been successfully demonstrated.
Affected versions
Theoretically verified on: Windows 2000, XP, Server 2003, Vista, Server 2008.
Successfully exploited on: Microsoft Windows Vista SP1 with latest security updates.
Analysis
A condition exists with srv.sys and npfs.sys wherein a specially crafted WRITE_ANDX SMB (http://msdn.microsoft.com/en-us/library/aa302278.aspx) packet may cause a kernel Denial Of Service.
. Internet Explorer 6sp1 on Windows 2000 sp4
. Internet Explorer 6sp2 on Windows XP sp2
. Internet Explorer 6sp2 on Windows XP sp3
. Internet Explorer 7 on Windows XP sp2
. Internet Explorer 7 on Windows XP sp3
. Internet Explorer 7 on Windows Vista sp1
. Internet Explorer 7 on Windows Vista sp2
. Internet Explorer 7 on Windows Server 2003 sp2 if
Protected Mode is OFF and not using Enhanced Security Configuration
. Internet Explorer 7 on Windows Server 2008 i
if Protected Mode is OFF and
> > > > process. After some back and forth, there was silence, and I let
> > them
> > > > know I
> > > > was going to release this information to the community.
> > > >
> > > > This was tested on Windows Vista SP1 (32-bit).
> > > >
> > > > --
> > > > Abe Getchell
> > > > me@abegetchell.com
> > > > https://abegetchell.com/
> > > process. After some back and forth, there was silence, and I let
> them
> > > know I
> > > was going to release this information to the community.
> > >
> > > This was tested on Windows Vista SP1 (32-bit).
> > >
> > > --
> > > Abe Getchell
> > > me@abegetchell.com
> > > https://abegetchell.com/
As somewhat indicated in the paper itself, these types of physical DMA attacks are possible against any PC-based OS, not just Windows. If that's true, why is the paper titled around Windows Vista?
I guess it makes headlines faster. But isn't it as important, if not more important, to say all PC-based systems have the same underlying problem? That it's a broader problem needing a broader solution, instead of picking on one OS vendor to get headlines?
[Disclaimer: I'm a full-time Microsoft employee.]
Roger
*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
4.1. *Vulnerable platforms*
. Microsoft Windows 2000 up to and including Service Pack 4
. Microsoft Windows Server 2003 up to and including Service Pack 2
. Microsoft Windows XP up to and including Service Pack 3
. Windows Vista up to and including Service Pack 1 (not exploitable
with IE running with Protected mode on)
. Windows Server 2008
5. *Non-vulnerable packages*
> > process. After some back and forth, there was silence, and I let
them
> > know I
> > was going to release this information to the community.
> >
> > This was tested on Windows Vista SP1 (32-bit).
> >
> > --
> > Abe Getchell
> > me@abegetchell.com
> > https://abegetchell.com/
forging a trap frame.
The final requirement involves predicting the address of the second-stage BIOS
call handler. The address is static in Windows 2003, XP and earlier operating
systems, however, Microsoft introduced kernel base randomisation in Windows
Vista. Unfortunately, this potentially useful exploit mitigation is trivial
to defeat locally as unprivileged users can simply query the loaded module list
via NtQuerySystemInformation().
--------------------
Affected Software
Application: Microsoft Outlook Express
Microsoft Windows Mail
Platforms: Windows 2000
Windows XP
Windows Vista
Windows Server 2003
Windows Server 2008 SR2
Exploitation: Remote Exploitable
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger@banneretcs.com or rogrim@microsoft.com
*Author of Windows Vista Security: Security Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470
101555
*******************************************************************
/usr/lib/vmware/settings
(Note that "settings" is the file name, not another directory name.)
On Windows (except Windows Vista), the default pathname for this file is:
C:\Documents and Settings\All Users\Application
Data\VMware\VMware Workstation\settings.ini
machine) to plant a malicious executable with a specific name on the local
drive and wait for this executable to get launched when another user logs
on to the virtual machine.
While this scenario is usually blocked on default VMware Tools'
installations on Windows XP, Windows Vista and Windows 7 due to the
default file system ACLs, a non-administrative local attacker can launch
the attack against virtual machines where VMware Tools were installed on
non-default locations, e.g., on a non-system drive. Additionally, the
attack is always possible on pre-Windows XP systems such as Windows 2000.
3. *Vulnerability Description*
Windows Movie Maker is a video creating/editing software, which is
included by default in Windows Vista and XP. Microsoft Producer is an
add-in for PowerPoint to create rich-media presentations.
A vulnerability was found in Windows Movie Maker and Microsoft Producer,
which can be triggered by a remote attacker by sending a specially
crafted file and enticing the user to open it. This vulnerability
While 'abo2' is generally considered not exploitable on Windows
operating systems the 'vp_abo2_launcher'[6] proof-of-concept tool shown
below demonstrates that it is indeed exploitable when running in Windows
XP Mode on Windows 7 or a Windows XP SP3 or Windows Vista guest OS in
Virtual PC.
/-----
#include <windows.h>
* Windows XP (x86) SP3, IE 7
* Windows XP x64 SP1, IE 6 SP1 (32-bit and 64-bit)
* Windows XP x64 SP1, IE 7 (32-bit and 64-bit)
* Windows XP x64 SP2, IE 7 (32-bit and 64-bit)
* Windows XP x64 SP2, IE 8 (32-bit and 64-bit)
* Windows Vista (x86) SP2, IE 7
* Windows Vista (x86) SP2, IE 8
So far, I haven't been able to bypass the mitigation. I've tried 'for
(var n in document)' to discover the mangled method name (doesn't
enumerate it), I've tried 'document.x' in case the invalid surrogate
________________________________________________________________________
Vendor: Microsoft Corporation
Product: Microsoft Windows XP/Vista TCP/IP-Stack
Vulnerability: TCP/IP Orphaned Connections Vulnerability
Affected Releases: Windows Vista Business SP1/ Windows XP SP3
Severity: Moderate
CVE: CVE-2009-1926
________________________________________________________________________
Vendor communication:
1. General Information
Face Recognition feature is provided by Asus, Lenovo and Toshiba as
specialized software that is issued together with their laptops. This
feature is embedded into all laptop families having webcams and supporting
Windows Vista, XP operating system. Owners of laptops benefiting from this
technology do not have to type in their passwords or use their fingerprint
but to sit in front of their laptops to login.
Face-recognition is introduced by these vendors as a remarkable feature
which helps prevent unauthorized people breaking into laptops and ensure
a cascade of exceptions that culminates in a triple fault (reboot).
Fortunately, the critical window is small, and the exploit can take
steps to reduce these risks, and even relatively reckless exploitation
has proven to be reliable.
Windows Vista x64
As mentioned above, incrementing arbitrary kernel memory is not
possible on Windows Vista x64, because the "INC" instruction of
interest modifies a GS-relative DWORD directly (and therefore can only
increment a DWORD in user GS), rather than dereferencing a pointer
Microsoft VISTA TCP/IP stack buffer overflow
Summary
-----------------------------
Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable buffer overflow that corrupts kernel memory.
Affected Systems
-----------------------------
Using the sample program it was possible to verify this issue on following operating systems and configurations:
> triage
> process. After some back and forth, there was silence, and I let them
> know I
> was going to release this information to the community.
>
> This was tested on Windows Vista SP1 (32-bit).
>
> --
> Abe Getchell
> me@abegetchell.com
> https://abegetchell.com/
2. Overwriting arbitrary kernel addresses.
:: Files affected
RTKVHDA.sys < 6.0.1.5605 (32-bit) Windows Vista
RTKVHDA64.sys (signed) < 6.0.1.5605 (64-bit) Windows Vista
:: Credits
Vulnerability discovered and researched by Ruben Santamarta.
Salut, Roger,
On Wed, 5 Mar 2008 16:30:35 -0500, Roger A. Grimes wrote:
> As somewhat indicated in the paper itself, these types of physical
> DMA attacks are possible against any PC-based OS, not just Windows.
> If that's true, why is the paper titled around Windows Vista?
That's very easy: because the specific attack was against Windows
Vista's activation mechanism.
The deficiencies of Firewire with regard to direct memory access have
wasn't a security vulnerability, but was likely a bug, and was passed
directly to the product team to investigate through their normal bug triage
process. After some back and forth, there was silence, and I let them know I
was going to release this information to the community.
This was tested on Windows Vista SP1 (32-bit).
--
Abe Getchell
me@abegetchell.com
https://abegetchell.com/
Correct. Power management in Windows Vista is apparently given a pass to
bypass local security policy, which is a bad thing, and sets a bad
precedence. I will leave it to others to exploit this security issue, given
that I know little about the programmatic aspect of power management in
Windows. There are people out there much more capable than me who, if they
feel it warranted, can research the issue further. I don't consider it, as
Jim Harrison would say, "wasting your time chasing things that 'might lead
to cats & dogs living together in sin'", but rather "security research" and
"sharing information". I don't consider Jim's reaction surprising at all,
though, as he works for Microsoft.