Is Vista Really Bug-Plagued as the NY Times Claims?

By Scott M. Fulton, III, BetaNews

December 26, 2006, 6:36 PM

(continued from previous page)

At first, we attempted to address this matter by compiling the proof-of-concept code in Visual C++ Express in Vista, though we were precluded from doing so in short order, for reasons having more to do with integrating the old Win32 library into Vista than with the specific message box call. So we built a C++ project in Visual Studio 2005 under Windows XP using a compatible profile, and moved the resulting executable file into the Vista environment.

Indeed, after the third invocation of the MessageBox function, Vista did crash. Following a reboot, we noticed what appeared to be a corruption of the Security log files. Events were recorded during the period of the crash, including the "previous system shutdown...was unexpected" event. But not being able to detect what happened by virtue of a bug that corrupts the log file, is a serious problem.

With the Security log being corrupt, we then noticed certain critical administrative functions which would normally invoke UAC from a standard user account, in order to elevate privilege in order to run, simply denied access to the standard user account instead.

Our Windows XP Professional logs were not corrupted by the bug. However, in XP, no security events were recorded. Instead, the logs indicate that the application did attempt to have Windows record an event in a log file to which the application had not been granted access: specifically, SQL Server Express, whose services are not used by the application. XP's log files also acknowledged the unexpected system shutdown.

Based on the evidence we were able to see with our own eyes, here's what's appears to be happening:

An old Win32 function was designed to present messages to the user as though they came directly from the operating system, without any security checks beforehand (in the early '90s, few thought they'd ever be necessary). We know from searching existing documentation on the function that it does check the first one or two characters of message data for certain control characters, such as an exclamation point that indicates Unicode designed for typing right-to-left (called the RTL code, reserved for Arabic, Hebrew, and other scripts).

When the MessageBox function receives what may be a control code, specifically \??\, prior to the crash point, the application apparently attempts to access a log file. Maybe it's using an old method to gather this file, but in any event, it's the SQL Server Express log file (at least on our setup) that responds with an access denial. At some point when this attempt is repeated, Windows crashes.

Determina believes that this legacy code allocates a memory buffer, which it then leaves open after the application crashes. But since the crash apparently takes the system down with it, there doesn't appear to be a window of opportunity for a malicious user to execute random code.

Certainly there's a serious problem here -- one that has not been resolved in Windows Vista, despite a year-and-a-half of beta testing -- but our testing reveals no evidence of that problem fitting the standard template of a malicious user elevating his privilege and assuming control of Windows. Instead, any exploit involving this code would be limited to "nuisance code" that crashes Windows, and perhaps corrupts security files.

But this exploit code is not browser code, and that's important because it clearly falls outside the all-too-familiar profile, invoked by the Times description this morning, where "Web users could become infected with malicious software simply by visiting a booby-trapped site."