Is Vista Really Bug-Plagued as the NY Times Claims?
Last week's discovery of a non-critical bug affecting the old 32-bit Windows API, which BetaNews reported on at the time, was picked up by The New York Times this morning, although its severity was substantially elevated in the process. Under the headline "Flaws Are Detected in Microsoft's Vista," the message box problem was touted as triggering "an early crisis of confidence in the quality of its Windows Vista operating system."
Yet tests of the flaw conducted by BetaNews suggest that, while the bug can crash Windows XP, its roots in the Win32 API dating back to Windows 3.1, coupled with the fact that the source code for the proof-of-concept appears to be straight ANSI C, directly contradict the Times' implication that the bug somehow afflicts Internet Explorer 7.0.
In fact, BetaNews' tests of the original proof-of-concept code, as posted to a Russian security researchers' group Web site, turned up a significant flaw in that code, which would prevent it from being compiled on a modern operating system.
It's a "type" violation, as in "type of variable": the characters the code passes to the MessageBox API function are declared as a standard 8-bit-per-character string that is not terminated by a zero value. Versions of the API in use since Windows 95 use Unicode characters for strings instead, meaning the 8-bit string must be explicitly converted to a wider, 16-bit string before being passed to the newer function.
The omission of this critical conversion -- which is a single-line ANSI C macro, but an obvious one nonetheless -- suggests that perhaps security engineers and journalists alike merely took the programmer at his word without questioning his accuracy first.
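To make the type violation concrete, here is an added, portable C example (not the proof-of-concept code, and not BetaNews' test harness) that reproduces the two halves of the problem described above in a simulated form: what a wide-string consumer sees when it is handed a narrow, byte-per-character buffer, and what a correct widening step has to produce. It assumes a 16-bit code unit (the width Win32 "W" functions such as MessageBoxW expect) and uses a hand-written widening loop as a stand-in for the Windows conversion (MultiByteToWideChar, or the TEXT()/L"" wide-literal macro mentioned above), so it compiles and runs on any platform.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A 16-bit code unit, the width Win32 wide-string ("W") APIs expect.
 * uint16_t is used instead of wchar_t so the example behaves the same on
 * Linux (where wchar_t is 32 bits) as on Windows. */
typedef uint16_t wide_char;

/* Count 16-bit units up to the first zero unit, never reading past
 * max_units. This mirrors what a wide-string consumer does with a buffer
 * it is handed; a real API has no such bound and simply keeps reading.
 * Returns max_units when no 16-bit terminator exists in the buffer. */
size_t wide_len_bounded(const wide_char *s, size_t max_units) {
    size_t n = 0;
    while (n < max_units && s[n] != 0) n++;
    return n;
}

/* The defect: a narrow, byte-per-character string (terminator included,
 * narrow_bytes long) is reinterpreted as a wide string. Each pair of
 * 8-bit characters becomes one 16-bit unit, so the single zero byte that
 * terminates the narrow string is fused with a neighbouring byte and no
 * 16-bit zero unit exists; the consumer runs on into whatever memory
 * follows. The memory beyond the string is simulated here with 0xFF
 * poison bytes, standing in for stale data. */
size_t misread_narrow_as_wide(const char *narrow, size_t narrow_bytes) {
    wide_char buf[64];                 /* aligned buffer: avoids unaligned reads */
    memset(buf, 0xFF, sizeof buf);     /* constructed "stale memory" beyond the string */
    size_t bytes = narrow_bytes;
    if (bytes > sizeof buf) bytes = sizeof buf;
    memcpy(buf, narrow, bytes);
    return wide_len_bounded(buf, sizeof buf / sizeof buf[0]);
}

/* The fix: widen each byte to its own 16-bit unit and write a real
 * 16-bit terminator. Stand-in for MultiByteToWideChar (ASCII/Latin-1
 * bytes only, which is all the PoC's message text needs). Returns the
 * number of units written excluding the terminator, or (size_t)-1 if
 * the output buffer is too small. */
size_t narrow_to_wide(const char *narrow, wide_char *out, size_t out_units) {
    size_t n = strlen(narrow);
    if (n + 1 > out_units) return (size_t)-1;   /* room for text plus terminator */
    for (size_t i = 0; i < n; i++) out[i] = (unsigned char)narrow[i];
    out[n] = 0;                                 /* the 16-bit zero the "W" API needs */
    return n;
}

int main(void) {
    const char *msg = "Hello";                  /* constructed sample text */
    wide_char wide[16];

    /* Reinterpreted: no 16-bit terminator found inside the 64-unit buffer. */
    printf("misread length: %zu units (buffer is 64)\n",
           misread_narrow_as_wide(msg, strlen(msg) + 1));

    /* Converted: exactly 5 units followed by a real terminator. */
    size_t n = narrow_to_wide(msg, wide, sizeof wide / sizeof wide[0]);
    printf("converted length: %zu units, terminator at index %zu\n", n, n);
    return 0;
}
```

The bounded reader is the only thing that keeps the misread case from reading off the end of the buffer; the "W" entry points have no such bound, which is why a compiler error on the missing conversion (or the TEXT() macro selecting an L"" literal under UNICODE) is the check that matters, and why code that does not compile as posted cannot have been tested as claimed.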
Still, after we made that small modification to the code, it did indeed crash Windows XP. The code makes up to 10 repeated calls to the MessageBox function with the use of a particular flag whose purpose is to bypass the home application, so that the message is displayed as though it were being sent by the operating system itself. After the seventh call to that function within the loop, XP displays the infamous Blue Screen of Death.
But what a check of the event log failed to reveal was any evidence of an elevation of privilege, which is the event that the Times report claims the Russian developer warned about. In fact, both the original post and a mailing list message, apparently written by the same developer and linking to that post, merely specify that the bug causes memory corruption, perhaps due to a fault in event log processing - evidence of which BetaNews was able to detect in the logs. The developer's mailing list post warns of the possibility of a "potential remote exploitation vector," but does not list details.
In fact, it was the Determina security advisory which posited that a logged-on user could be enabled to run arbitrary code with system-level privileges. However, it did not go on to explain how such a feat would be possible after the system crashed.
A recent Secunia security advisory lists the bug as "less critical," acknowledging reports of its having apparently been witnessed on Windows Vista, but refraining from stating explicitly that the bug affects Vista. Instead, it lists recent versions of Windows XP, Windows Server 2003, and Windows 2000, but intentionally leaves out Windows NT.