Latest patched Windows exploit is a golden oldie
We've seen Microsoft patch vulnerabilities in Windows that we swear we'd seen before, and sometimes they all look so much alike that they tend to run together. But this one really is a classic: a buffer overrun triggered by a fake image file.
Who can forget the tumultuous days of 2004, when what was then considered a major threat to Windows loomed large: a way to easily trigger a buffer overrun in GDI+, Microsoft's once-improved Graphics Device Interface library? While patches were finally distributed that September, it seemed the company's eventual solution -- a completely new graphics foundation, WPF -- couldn't come too soon.
Four years later, the possibility of an uncontrolled exploit to GDI+ -- still a principal 2D graphics library in Windows -- apparently remains imminent. So perhaps the most important security fix in this month's Patch Tuesday from Microsoft includes a new patch for GDI+, to address possible buffer overrun exploits that can be triggered using maliciously crafted GIF, BMP, Windows Metafile (WMF), and Enhanced Metafile (EMF) images, as well as Vector Markup Language (VML) images that include gradients.
"The vulnerability is caused by a heap-based buffer overrun when GDI+ improperly processes gradient sizes handled by the vector graphics link library," reads Microsoft's bulletin this morning.
The September 2004 exploit is looked upon as the textbook example of the heap-based buffer overrun principle, though in this case involving JPEG images. In low-level programming, there are two types of storage buffers for the data that a program may need to use. A pointer keeps track of which item is the next to be recalled, and a "pop" instruction pulls that item from memory. For a stack, data is written to memory in such a way that the first item in becomes the last item out. A heap works differently,
more less like a stack of papers on one's desk: the first item in becomes the first item out.
The heap situation is said to be a little easier to exploit because whatever memory element can trigger the overflow can be added first and exploited immediately. Still, that doesn't explain why it took four years to realize that the same technique a maliciously crafted JPEG file would use to overflow a buffer, couldn't be used by a GIF file or a WMF file.
On the other hand, it could be said Microsoft has already produced the ultimate solution to the heap-based overrun problem: 64-bit Windows Vista, whose reformed kernel includes multiple features that could theoretically have broken apps running in a similarly reformed 32-bit kernel, such as heap corruption prevention. Sixty-four-bit versions of both Vista and Windows Server 2008 were included on Microsoft's list of software not susceptible to the vulnerability.
Separate fixes issued today address remote code execution exploits for Windows Media Encoder 9, a media content production tool that was not updated along with Media Players 10 and 11; and separately, WMP 11. There's also a curious potential exploit affecting the OneNote component of some higher-end editions of Microsoft Office, where a malformed URL entered into a note could trigger a validation error that could somehow (the specific means have not been explained) lead to an elevation of privilege for a malicious user.