Boom! They All Fall Down. M$ Does It Again.

Yet again we have the ultimate vulnerability discovered in that other OS: all supported versions are affected except the GUI-less 2008. Just viewing a document with a TrueType font in it can give a remote thug complete control of a PC running that other OS.

What is that, about the 100th time that has happened? Some bad guy discovered a design flaw made by M$ and copied everywhere? Why are people traveling the ocean in leaky boats? Don’t they need a rest from the endless conveyor belt of malware?

I recommend Debian GNU/Linux for those who see the light and want to get off the Wintel treadmill.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

15 Responses to Boom! They All Fall Down. M$ Does It Again.

  1. oiaohm says:

    Phenom, until you look at the fix. It's not fixed. It's hacked so the example attack cannot work. The DLL name the infection was depending on is disabled. The attack vector itself is not fixed. There are other ways of achieving the same results using the same code bug. Attackers are really not stopped from using that path.

    Phenom, a user with Wine installed in binfmt_misc on Linux so .exe is just like any other executable. Executable attachments in email still don't work.

    Reason: lack of execute permission.

    Execute permission is a very old POSIX permission MS Windows does not implement.

    Execute permission is one of the big differences between Windows and Linux and it does majorly change the infection rate.

    SELinux hardened Linuxes like Red Hat and Fedora are even harder to breach, because more applications have no-exec memory blocking for application data. So buffer overflow attacks and other data altering attacks normally cannot allow you to run whatever code you want.

    This is a major difference between Windows and Linux when it comes to security. Linux is more implemented like the old Rainbow security books than Windows is.

  2. For starters, a download does not have the execute permission. For another, images and crap are not executable.

  3. Phenom says:

    Pogson, you are right for Linux. In 99% of cases executable attachments will not work because of some dependency issue. Just like any other software, including the useful kind.

    I won't deny the security issue, it is there. Some comfort is that a fix is already available.

  4. oiaohm says:

    Phenom, to be correct, the defect Robert Pogson was talking about, when combined with Outlook and Windows Mail features that use fonts included in email that are missing from the system without question. Viewing your email might see you as toast. Right to the core of the OS, deep enough to rootkit the OS so the infection instantly goes invisible to your anti-virus software.

    Yes, the scale of the Win32k TrueType bug is massive, Phenom. Train wreck: basically anything that can contain HTML is a vector to exploit it.

    There are very critical reasons why image modification should never be performed with kernel privilege if it can be avoided. The risks are massive. There is more than one bug in the MS TrueType processing engine.

  5. Hey! Joe sent me an e-mail about the meeting. I will open the attached memo… AWWWKKK!

    I suppose you never open an attachment? Some malware gets into e-mail accounts and sends relevant subjects to everyone on the list with attachments or URIs of malware. I know people who use that other OS are afraid of attachments but I use GNU/Linux and have no fear of that. That other OS has even become infected just by viewing the e-mail and not clicking on any attachment. Use GNU/Linux. It’s the right way to do IT.

  6. Phenom says:

    So, you need to open an e-mail attachment to get infected. I can’t believe you make such a fuss about that.

  7. Kolter says:

    Ivan,
    the bug you referenced having to do with fonts and Red Hat is in a different category.

    It was found that installing a specially crafted font would open the rendering engine to running arb. code.
    You must be root to install the font. So let's say your villainous sysadmin put this font on your PC; the code will then execute with your privileges.

    The one cited in this article is: open a document you were emailed and run arb. code.
    Since your odds of doing this are high, and your odds of also being a local admin on the box are also high, you get taken by it.

    The attack vectors don't compare.

  8. oiaohm says:

    Ivan, most FLOSS OSes are more than 11 times less likely to be exposed to kernel level flaws because less is in there that is directly exposed to outside forces.

    Linux, FreeBSD… are low for GUI processing in kernel mode. So harder.

    There are exceptions here of course. Like http://en.wikipedia.org/wiki/SkyFireOS . Yes, there are some strange FLOSS edge OSes out there.

    Yes, the common FLOSS is the more secure stuff. Some of the exotic FLOSS OSes you do have to treat more carefully.

    The fault that was just exposed would have been many times less harmful, Ivan, if the font processing had never been in kernel mode. That they have fixed one font processing fault does not mean there are not others.

    In the Linux world application processes render fonts to images, then send simple images to the X11 server, then the X11 server sends images on to the video card.

    Linux kernel internal fonts are bitmap based as well, so no TrueType processing is required. There is no valid reason to be using TrueType font processing in kernel mode, Ivan. Video cards other than very old Apple ones don't process TrueType, so it has to be converted to bitmap before it can be displayed anyhow.

    The attack DLL is the extension to the TrueType processing engine. The worst damage something like that could do on Linux is the glyph cache getting corrupted. No elevation of rights is possible. In the Windows design elevation of rights is possible right to max privilege.

    This is the problem: this font engine breach on Windows makes every single FreeType breach affecting OS X, Linux, BSD, RIM… yes, every non-MS OS uses the same font processing engine to process fonts, Ivan. MS is the last OS using their own dreamed-up version of font processing.

    So yes, an attacker could really have a big party if somewhere allowed elevation of rights and other stupidity with FreeType.

    Risks of badly designed font processing are getting worse. Why? Web browsers now can download fonts from untrusted sites to render the site using the OS font engine.

    MS needs to get the font processing engine out of Win32k ASAP. There is other image processing as well in Win32k that has no sane reason to be in kernel mode either.

  9. Ivan says:

    “I would say FLOSS is 11 times less likely to expose me to such a vulnerability.”

    Sure it is.

    “Also, I can envisage setting up a server without those fonts. M$ did not think of that until 2008…”

    Sure, but your desktop will look terrible without those fonts.

  10. oiaohm says:

    Ivan, Linux normally does not run a font library in kernel space with max access permission to everything these days. Historically there were issues of running font processing too high.

    There were bad old days when the font processing engine was in the X11 server running as root. But that code is long gone since it was a security risk.

    KMS is about getting rid of root from being required to run an X11 server at all. All about lowering the security level of items like font rendering and what they are interfacing with, so lowering risk.

    Apple OS X also moved font processing from kernel space to userspace. OS 9 had it in kernel space. But this is pre-2000. Yes, the X11 alteration was 2004.

    Yes, there are issues in the NT design that need to be addressed. Solving them is not going to be fun. Win32k in kernel space is a historic part of the NT design. Yes, there are a stack of other GUI parts in there as well.

    Basically MS has been kind of last to get the security memo as normal. Get everything you can out of kernel space while maintaining sanity.

    X11 went one step too far. Don't put the video card memory manager in user space; that it brings trouble was learnt from X11. This is insanity.

    Really, Ivan, can you please make a case where font processing has to be in kernel space. I will tell you now it does not have to be.

    ReactOS, that is another NT-designed OS, manages, shock horror, to forward font processing requests from win32k to freetype.dll in userspace. So a breach on ReactOS is in fact contained to the application making the request, not able to go system wide. FOSS developers have the solution to the current MS bug and have had for quite a few years.

    Now of course due to ReactOS being GPL, MS cannot copy the code without having to release theirs. There are quite a few minor alterations in ReactOS that in fact stop known possible exploits in the NT design.

    There are a few of the lower experimental FOSS OSes that would be wise to learn from this mistake in design.

    Ivan, it is not the bug but why MS was still using a font processing engine in kernel space when font processing engines have repeatedly been found to contain bugs.

  11. oe says:

    Most GNU/Linux bugs seem to be rated and treated as more severe than the true threat level to your data, e.g. they tend to cry wolf… meanwhile Windows and MacOSX seem to hand-wave and dismiss the threat level of their bugs. Much better to have the former than the latter….

  12. Bug reported to Debian 2011-7-29. Bug fixed in Debian 2011-8-4 = 5 days.

    Bug reported to M$ 2011-9-9 and fixed on 2011-11-3 = 55 days.

    I would say FLOSS is 11 times less likely to expose me to such a vulnerability. Also, I can envisage setting up a server without those fonts. M$ did not think of that until 2008…

  13. Ivan says:

    “Check your premises.”

    Oh I don’t know about that, he has me convinced. Open source would never let a vulnerability ship in a font library.

    http://www.securityfocus.com/bid/18326
    http://www.securityfocus.com/bid/42241
    http://www.kb.cert.org/vuls/id/275247
    https://www.redhat.com/archives/rhsa-announce/2011-July/msg00027.html

    Oh wait…

  14. oldman says:

    “I recommend Debian GNU/Linux for those who see the light and want to get off the Wintel treadmill.”

    Check your premises.

    Wintel is not a treadmill, it is a useful set of tools that plenty of people use successfully in spite of issues like these.

    You can recommend Linux from now until doomsday, but you can not gloss over the reality that once again FOSS is not enough, Pog.

    The problem will just be solved or mitigated, and we will go on from there.

  15. Kolter says:

    Here's my favorite part of the article:

    “Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages.”

    “You bought a PC with our OS on it, and it's broken and it cost you a bunch of money/lost all your data/killed a bunch of people? Not our problem. Hey, you should buy our latest product!”
