Monday, November 7, 2011

Fonts in kernel mode?

I try not to comment on Microsoft's fumbles unless I've experienced one directly, such as functionality that seems totally broken to me or behavior that seems inconsistent. However, I couldn't ignore this one.

You may have heard recently about the Duqu malware making the rounds. It appeared in the guise of a specially crafted Word document that, when opened, would compromise your Windows PC. It was all over the news last week.

This morning, I received one of those "you're not really on our mailing list, but it's not really spam" emails from Redmond Magazine, "the independent voice of the Microsoft IT community". It linked to their full article, but the email summary said:
The Duqu zero-day exploit has had Microsoft twisting, turning and churning for a solution. Duqu exploits a hole in the Windows kernel and lets hackers remotely access and control your unfixed computer.
That's until Microsoft came out with a workaround last week. The stopgap solution can protect the kernel with just a few lines of code and a one-click install. That's some pretty efficient code.
(Emphasis mine)

Yes, that's some pretty efficient code, wrapping a fix into a one-click install.

I guess I'd be more impressed if I didn't know what allowed the Duqu exploit in the first place: Windows parses fonts in kernel mode. That's maybe not the best practice: a font embedded in a document is attacker-supplied data, and any bug in a parser that handles it in kernel mode hands the attacker kernel privileges instead of a crashed application. Kind of blows your whole "pretty efficient code" out of the water with "spectacularly stupid security."

This, from the company that claimed in 2005 to be "investing heavily in security", focusing on the security pillars of:
  • Fundamentals: provide a built-in level of safety and security, improvements to the security of software code through the Engineering Excellence initiative, and investments in technologies.
  • Threat and vulnerability mitigation: industry-leading integrated security technologies, defense-in-depth protection.
  • Identity and access control: technologies that verify user identity, control what resources users are allowed to access based on policy, allow management of users, and protect access to data.
I'd say this Duqu exploit demonstrates a failure on all three levels.

1 comment:

  1. Wow. I thought maybe MS was finally making progress when they put in some sensible time management/manipulation routines (only 30+ years later than UNIX). I don't know if they've fixed their stupid "store local time in the RTC" feature though. The driver architecture was also improved and there's a slow shift to using user-mode drivers. I guess there are still other issues with their crappy kernel. I can't imagine why anyone would want to parse fonts in kernel space.
