Latest patched Windows exploit is a golden oldie

By Scott M. Fulton, III | Published September 9, 2008, 4:41 PM

We've seen Microsoft patch vulnerabilities in Windows that we swear we'd seen before, and sometimes they all look so much alike that they tend to run together. But this one really is a classic: a buffer overrun triggered by a fake image file.

Who can forget the tumultuous days of 2004, when what was then considered a major threat to Windows loomed large: a way to easily trigger a buffer overrun in GDI+, Microsoft's once-improved Graphics Device Interface library? While patches were finally distributed that September, it seemed the company's eventual solution -- a completely new graphics foundation, WPF -- couldn't come too soon.

Four years later, the possibility of an uncontrolled exploit to GDI+ -- still a principal 2D graphics library in Windows -- apparently remains imminent. So perhaps the most important security fix in this month's Patch Tuesday from Microsoft includes a new patch for GDI+, to address possible buffer overrun exploits that can be triggered using maliciously crafted GIF, BMP, Windows Metafile (WMF), and Enhanced Metafile (EMF) images, as well as Vector Markup Language (VML) images that include gradients.

"The vulnerability is caused by a heap-based buffer overrun when GDI+ improperly processes gradient sizes handled by the vector graphics link library," reads Microsoft's bulletin this morning.

The September 2004 exploit is looked upon as the textbook example of the heap-based buffer overrun principle, though in this case involving JPEG images. In low-level programming, there are two types of storage buffers for the data that a program may need to use. A pointer keeps track of which item is the next to be recalled, and a "pop" instruction pulls that item from memory. For a stack, data is written to memory in such a way that the first item in becomes the last item out. A heap works differently, more like a stack of papers on one's desk: the first item in becomes the first item out.

The heap situation is said to be a little easier to exploit because whatever memory element can trigger the overflow can be added first and exploited immediately. Still, that doesn't explain why it took four years to realize that the same technique a maliciously crafted JPEG file would use to overflow a buffer couldn't be used by a GIF file or a WMF file.

On the other hand, it could be said Microsoft has already produced the ultimate solution to the heap-based overrun problem: 64-bit Windows Vista, whose reformed kernel includes multiple features that could theoretically have broken apps running in a similarly reformed 32-bit kernel, such as heap corruption prevention. Sixty-four-bit versions of both Vista and Windows Server 2008 were included on Microsoft's list of software not susceptible to the vulnerability.

Separate fixes issued today address remote code execution exploits for Windows Media Encoder 9, a media content production tool that was not updated along with Media Players 10 and 11; and separately, WMP 11. There's also a curious potential exploit affecting the OneNote component of some higher-end editions of Microsoft Office, where a malformed URL entered into a note could trigger a validation error that could somehow (the specific means have not been explained) lead to an elevation of privilege for a malicious user.

Comments


The entire story is a 'golden oldie'!

Same tune, with just an additional verse with slightly varied lyrics.

Score: 0


Even after editing that is not a very good description of the heap and the stack. The heap is not a first in first out structure.

The terms "heap" and "stack" as used here refer to two areas of memory that are allocated in the process address space. One is allocated from near the base of the address space upwards (heap), the other from near the end of the address space downwards (stack), at least typically. When a process calls functions or non-static variables are declared in the code, allocations are normally made on the stack. When a process makes a large dynamic memory allocation, it generally allocates from the heap, and some information about the allocation will also be stored there. Heap overflow exploits enable an attacker to subvert the normal execution of the program by writing past the end of an allocated block and into the metadata associated with the next block. Depending on the memory management code, overwriting the data here enables the attacker to write an address that the CPU instruction pointer will follow (i.e. by means of an implied jump as part of a function call): an address into some memory where the attacker has managed to place their malicious code (e.g. in the same block they have just managed to overflow). Once this is achieved, the malicious code runs in the same context as the exploited process.

Read more at Heise:
http://www.heise-online....Risk--/features/74634/0

Regarding your comment, "Still, that doesn't explain why it took four years to realize that the same technique a maliciously crafted JPEG file would use to overflow a buffer, couldn't be used by a GIF file or a WMF file."

... Microsoft in fact corrected a WMF heap overflow in GDI back in 2006. See MS06-026. As it turns out, though, software is complex and there are many places unexpected problems can occur if you're not very, very careful. Saying that because someone found a similar issue years earlier Microsoft should magically have been able to find every similar defect immediately is misguided. This is not the same as broken functionality. All it takes for a heap overflow is for a pointer bound to be off by one anywhere in the code, and Microsoft has a lot of code, to be sure. This doesn't excuse them, but the headline is a bit uncalled for.

Score: 0
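As an added illustration of the pattern the article's bulletin quote and the comment above describe (a size field taken from the image and trusted by the parser, which in the real bug was a gradient size handled by GDI+), here is constructed C that is neither Microsoft's code nor from the article: the unchecked size arithmetic beside a parser that bounds the count and checks the payload before allocating. The record layout, `STOP_SIZE` and `MAX_STOPS` are assumptions.

```c
/* Added example, not from the article or from GDI+. The "gradient record"
 * format is hypothetical: 4-byte little-endian stop count, then the stops. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define STOP_SIZE 8u      /* constructed: each gradient stop is 8 bytes */
#define MAX_STOPS 4096u   /* constructed: sane upper bound for a gradient */

/* The classic defect: the declared count is multiplied with no overflow
 * check, so a huge count wraps to a tiny allocation while a later copy
 * loop still writes count*STOP_SIZE bytes past the end of the heap block. */
uint32_t naive_alloc_size(uint32_t declared_stops) {
    return declared_stops * STOP_SIZE;   /* wraps modulo 2^32 */
}

/* Hardened parse. Returns the number of stops parsed, or -1 and *out=NULL
 * for a malformed record, so no write can exceed the validated size. */
int parse_gradient(const uint8_t *buf, size_t len, uint8_t **out) {
    *out = NULL;
    if (len < 4) return -1;
    uint32_t n = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                 ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    if (n > MAX_STOPS) return -1;            /* 1. bound the count first */
    size_t need = (size_t)n * STOP_SIZE;     /* cannot wrap: n <= MAX_STOPS */
    if (need > len - 4) return -1;           /* 2. payload must be present */
    uint8_t *stops = malloc(need ? need : 1); /* 3. allocate what was checked */
    if (!stops) return -1;
    memcpy(stops, buf + 4, need);            /* copy no more than that */
    *out = stops;
    return (int)n;
}

int main(void) {
    /* constructed inputs: a valid 2-stop record, and one declaring 2^29 stops */
    uint8_t good[4 + 2 * STOP_SIZE] = {2, 0, 0, 0};
    uint8_t bad[4 + STOP_SIZE] = {0, 0, 0, 0x20};
    uint8_t *stops;
    printf("good: %d stops\n", parse_gradient(good, sizeof good, &stops));
    free(stops);
    printf("bad: %d (rejected)\n", parse_gradient(bad, sizeof bad, &stops));
    printf("naive size for 0x20000000 stops: %u bytes\n",
           naive_alloc_size(0x20000000u));
    return 0;
}
```

The naive computation returns 0 bytes for the oversized record, which is exactly the undersized heap block a copy loop would then overrun; the hardened parser rejects that record and any record whose declared count exceeds the bytes actually supplied.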


"A heap works differently, more like a stack of papers on one's desk: the first item in becomes the first item out."

Heh. In an ideal world it works like papers on my desk.

Depends if you actually bother putting the newer jobs at the bottom of the pile though.

Score: 0


Thanks for noticing that, Paul, I screwed up my description (got the FIFO and FILO right, though), but I've fixed it.

-SF3

Score: 0

