Windows Bug Via Message Boxes Gives Security Team Holiday Headaches
By Scott M. Fulton, III, BetaNews
December 22, 2006, 3:06 PM
A proof-of-concept code fragment that turned up on a Russian security software engineers' forum was acknowledged today by Microsoft's security response team. It shows that MessageBox, the API function Windows applications use to present simple alerts to users, can be made to leave a dangling pointer to freed memory when it is called repeatedly with a particular input.
So far, the problem is not being rated as critical. Although the usual suspects are flagging this vulnerability as another "zero-day," neither Microsoft nor other sources have acknowledged any exploit built on this proof-of-concept, and BetaNews found evidence that the code responsible has been present since as far back as early 1999.
Once you see the code for yourself (BetaNews' policy is not to publish possible exploits), you might think it was excerpted from a beginners' book on plain C development. Whenever the text of an alert message begins with the characters \??\ (the prefix the NT object manager uses for native device and file paths; in C source each backslash is written as the escape sequence \\, so the four-character prefix occupies eight characters), and the message box is requested with the flag that tells Windows to bypass the application's own window handling and display the message directly through the operating system, then sending that message repeatedly corrupts memory. Message boxes are normally modal, but nothing stops a program from issuing the call again and again.
Engineers at Determina Security Research investigated the Russian site's proof-of-concept and concluded that, for reasons not yet explained, whenever that character sequence appears in the message box text or caption and that particular flag is set, the code handling the request is left holding a pointer to memory that has already been freed. When the message box is dismissed and torn down, its own cleanup routines apparently leave that stale pointer referring to a heap block the allocator considers reclaimed and free for reuse. An exploit could conceivably arrange for its own binary code to occupy that block and get it executed.
However, for that flag to do anything, Windows must already have accepted the calling program as an "impersonated" user (a process running under a user's account as though a person were driving it) with high-level privileges. This little snippet contains no means of passing itself off as such, so a real-world exploit would first need to get itself through that security gate, as it were, and only then use this snippet as a tool to deliver its payload.
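The practical question for an application developer is how to avoid handing the operating system the exact combination the article describes. The following is an added example written for this page; it is not code from the BetaNews article, from the Russian forum, or from Determina's analysis. It is a defensive wrapper that refuses to issue a message box when the text or caption begins with the \??\ prefix and the OS-level notification flag is requested, and shows how the prefix must be spelled in C source. The flag name MB_SERVICE_NOTIFICATION and its value, the function names, and the choice to reject rather than silently strip the prefix are this example's assumptions; the real MessageBoxA call is only made when compiled on Windows, so the helpers build and run anywhere.

```c
/* Added example, not from the original article. Defensive wrapper around
 * MessageBox for the pattern described above: a text or caption starting
 * with the NT object-path prefix "\??\" combined with the flag that routes
 * the box through the operating system instead of the application. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Assumed flag name and value (matches the Windows SDK definition). */
#ifndef MB_SERVICE_NOTIFICATION
#define MB_SERVICE_NOTIFICATION 0x00200000L
#endif

/* In C source each backslash is the escape "\\", so the four-character
 * prefix \??\ is written with eight characters. */
#define NT_OBJECT_PREFIX "\\??\\"

enum safe_mb_result {
    SAFE_MB_REJECTED = -1,        /* risky combination refused */
    SAFE_MB_NOT_WINDOWS = 0       /* nothing to display off Windows */
};

/* True when s begins with the NT object-manager path prefix \??\ */
bool has_nt_object_prefix(const char *s)
{
    if (s == NULL)
        return false;
    return strncmp(s, NT_OBJECT_PREFIX, strlen(NT_OBJECT_PREFIX)) == 0;
}

/* Returns s with a leading \??\ removed (or s unchanged if absent).
 * Offered as the sanitizing alternative to rejecting the call. */
const char *strip_nt_object_prefix(const char *s)
{
    if (has_nt_object_prefix(s))
        return s + strlen(NT_OBJECT_PREFIX);
    return s;
}

/* The combination the article describes: prefix in text OR caption,
 * together with the OS-level notification flag. Either half alone is
 * allowed through. */
bool is_risky_message_box(const char *text, const char *caption,
                          unsigned int flags)
{
    bool prefixed = has_nt_object_prefix(text) || has_nt_object_prefix(caption);
    bool os_level = (flags & MB_SERVICE_NOTIFICATION) != 0;
    return prefixed && os_level;
}

/* Drop-in replacement for MessageBoxA(NULL, text, caption, flags) that
 * never forwards the risky combination to the operating system. */
int safe_message_box(const char *text, const char *caption, unsigned int flags)
{
    if (is_risky_message_box(text, caption, flags))
        return SAFE_MB_REJECTED;
#ifdef _WIN32
    return MessageBoxA(NULL, text, caption, flags);
#else
    (void)text; (void)caption; (void)flags;
    return SAFE_MB_NOT_WINDOWS;
#endif
}
```

Rejecting rather than stripping is deliberate: a caller that genuinely wants to show a path beginning with \??\ can still do so without the OS-level flag, and a service that needs the flag can pass the string through strip_nt_object_prefix first, so the wrapper never has to guess which half of the combination the caller meant.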
“Currently we have not observed any public exploitation or attack activity regarding this issue,” writes Microsoft’s Michael Howard on the MSRC blog today. “While I know this is a vulnerability that impacts Windows Vista, I still have every confidence that Windows Vista is our most secure platform to date. As always, we here at the MSRC encourage everyone to enable a firewall, apply all security updates, and install anti-virus and anti-spyware software.”