Vista Vulnerable

Posted by Symantec, 12-23-2006, 03:09 AM
A vulnerability has been discovered in the way the Windows Client/Server Runtime Server Subsystem (CSRSS) processes a type of system message referred to as the HardError message, reportedly allowing a logged on user to execute arbitrary code in the CSRSS.EXE process and elevate their privileges to SYSTEM level. The vulnerable code is present in the new Vista operating system, as well as Windows 2000, XP and 2003.

When certain events occur within the operating system, a HardError message is sent to CSRSS containing the caption and text of a message box to be displayed in order to notify the user of a critical system error. The HardError message is handled by a function in WINSRV.DLL which returns pointers to the caption and text of the message box. If the caption or text parameters are prefixed with certain characters, the function erroneously frees the buffer holding the text and returns a pointer to freed memory. After the message box is closed by the user, the same buffer is then freed again, resulting in what is known as a double-free vulnerability.

Microsoft has been notified and is working on a patch.
http://www.symantec.com/enterprise/security_response/weblog/2006/12/vista_vulnerable.html
Fri, 22 Dec 2006 20:22:52 -0800
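
The ownership mistake described in the post, modeled as an added example (not code from Symantec, Microsoft or WINSRV.DLL): a handler that frees a buffer yet returns it, next to a version that returns NULL after freeing. The prefix character, all function names and the tracking stand-in for free() are assumptions made for illustration; the post does not name the real prefix characters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PLACEHOLDER_PREFIX '!' /* assumption: the post does not name the characters */

static int freed;        /* 1 once the tracked buffer has been released */
static int double_frees; /* releases attempted on already-freed memory */

/* Tracking stand-in for free(): records the release instead of performing
   it, so the demo stays well-defined even on the flawed path. */
static void t_free(void *p) {
    if (p == NULL) return;
    if (freed) { double_frees++; return; }
    freed = 1;
}

/* Flawed handler: on the special prefix it frees the buffer but still
   returns the now-dangling pointer to the caller. */
static char *get_text_flawed(char *buf) {
    if (buf[0] == PLACEHOLDER_PREFIX) t_free(buf);
    return buf;
}

/* Hardened handler: after freeing it returns NULL, so the caller holds
   no pointer it could free a second time. */
static char *get_text_fixed(char *buf) {
    if (buf[0] == PLACEHOLDER_PREFIX) { t_free(buf); return NULL; }
    return buf;
}

/* Caller: gets the text, shows the box, frees the text after it closes.
   Returns the number of double frees seen, or -1 if allocation fails. */
static int show_box(const char *msg, char *(*get_text)(char *)) {
    char *buf = malloc(strlen(msg) + 1);
    if (buf == NULL) return -1;
    strcpy(buf, msg);
    freed = double_frees = 0;
    char *text = get_text(buf);
    /* ... message box displayed and dismissed by the user ... */
    t_free(text);
    free(buf); /* the single real release, performed by the demo harness */
    return double_frees;
}

int main(void) {
    printf("flawed, prefixed: %d\n", show_box("!disk error", get_text_flawed));
    printf("fixed,  prefixed: %d\n", show_box("!disk error", get_text_fixed));
    return 0;
}
```

The flawed path reports one double free only for prefixed input, which is why such bugs survive testing with ordinary messages.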
All times are GMT -5.