Linked by Eugenia Loli-Queru on Wed 27th Dec 2006 01:25 UTC, submitted by Sphinx
Microsoft is facing an early crisis of confidence in the quality of its Windows Vista operating system as computer security researchers and hackers have begun to find potentially serious flaws in the system that was released to corporate customers late last month. On Dec. 15, a Russian programmer posted a description of a flaw that makes it possible to increase a user's privileges on all of the company's recent operating systems, including Vista. Update by Thom: Ars thinks the situation is hot air, mostly, something I agree with (a cracker already has to have login credentials for the flaws to be of any use).
Follow-up with clarifications
by eMagius on Wed 27th Dec 2006 02:14 UTC
http://www.betanews.com/article/Is_Vista_Really_BugPlagued_as_the_N...

"Based on the evidence we were able to see with our own eyes, here's what appears to be happening:

An old Win32 function was designed to present messages to the user as though they came directly from the operating system, without any security checks beforehand (in the early '90s, few thought they'd ever be necessary). We know from searching existing documentation on the function that it does check the first one or two characters of message data for certain control characters, such as an exclamation point that indicates Unicode designed for typing right-to-left (called the RTL code, reserved for Arabic, Hebrew, and other scripts).

When the MessageBox function receives what may be a control code, specifically ??, prior to the crash point, the application apparently attempts to access a log file. Maybe it's using an old method to gather this file, but in any event, it's the SQL Server Express log file (at least on our setup) that responds with an access denial. At some point when this attempt is repeated, Windows crashes.

Determina believes that this legacy code allocates a memory buffer, which it then leaves open after the application crashes. But since the crash apparently takes the system down with it, there doesn't appear to be a window of opportunity for a malicious user to execute random code."