WatchGuard Wire
Improve Your Security IQ
Windows 7 image handling component flaw causes BSOD or worse

20 May, 2010 -- Recently, Microsoft released a security advisory warning of an unpatched security vulnerability in a Windows 7 and Windows Server 2008 R2 image handling component. The flaw specifically lies within a component called the Windows Canonical Display Driver (cdd.dll). The Canonical Display Driver interacts with other graphics components, such as the Windows Graphics Device Interface (GDI) and Windows Aero, to display images and other graphics on your video screen.

Unfortunately, cdd.dll suffers from a vulnerability in the way it parses specially crafted image files. If an attacker can entice you to a malicious web site containing a specially crafted image, or if he can trick you into opening such an image within an application that uses the flawed graphics APIs, he can exploit this flaw to either cause your machine to crash and reboot with a Blue Screen of Death (BSOD), or to execute code on your machine with your privileges. Since most Windows users have local administrative privileges, attackers could likely leverage this flaw to gain complete control of a victim's PC.

In their alert, Microsoft claims that code execution, though theoretically possible, is unlikely due to a relatively new Windows security feature called Address Space Layout Randomization (ASLR). In a nutshell, this feature places key data structures in random areas of memory, making it harder for attackers to leverage any memory corruption flaws since they will have difficulty locating the structures they need. That said, other security researchers have released attacks that were able to bypass these memory protection features in the past. So I'd still consider this a relatively serious issue.

Since Microsoft just recently learned of this vulnerability, they have no patch for it yet. However, you can implement an easy workaround if you are willing to forgo some Windows 7 eye-candy. In the Suggested Action section of their advisory, Microsoft describes how you can disable the Windows Aero Theme to prevent attackers from exploiting this vulnerability against you. Until Microsoft releases a patch, you should turn Aero off. I suspect Microsoft might release a fix for this during next month's patch day. If they do, I will inform you via the MS Patch Day Wire posts and WatchGuard's LiveSecurity alerts.

-- Corey Nachreiner, CISSP

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.