Linked by Thom Holwerda on Sat 31st Dec 2005 16:55 UTC
Windows Microsoft acknowledged late Wednesday the existence of a zero-day exploit for Windows Metafile images, and said it was looking into ways to better protect its customers. Even worse, by the end of the day nearly 50 variants of the exploit had already appeared. One security company said the possibilities were endless on how the flaw could be exploited. 'This vulnerability can be used to install any type of malicious code, not just Trojans and spyware, but also worms, bots or viruses that can cause irreparable damage to computers,' said Luis Corrons of Panda Software.
Thread beginning with comment 80494
To read all comments associated with this story, please click here.
please forgive me for continuing
by ZaNkY on Sat 31st Dec 2005 22:50 UTC
Member since:

That is so true. I abhor the thought about destroying computers ;)

I lost the link that I had earlier that showed how to switch to ring0, but I found many, many more on Google. This is one off of Phrack, if anyone knows them.

I'm a security enthusiast, it's kinda my job to know what can and can't be done.

The link as promised ;)

You don't need to download the entire magazine, just Crtl-F for "ring0".

I'm not going to link to any potentially destructive code, although I will assure you, it exists.

My point being, that:

1) It is possible to enter ring0 execution (easily at that)
2) It is possible to damage hardware, although it would be incredibly hard. Keyword: POSSIBLE

I also want to apologize for going way off track, but it is always necessary to consider the worse case scenario, isn't it? Yes, someone malicious enough, knowledgeable, and cruel, could bring about chaos by inlineing ring0 execution code, that fries CPUs with some over-clocking, upping vcore, shutting down fans (while still making sure that safeguards don't shut the system down), or some combinations thereof, into some wmf file, that is placed on Google, MSN, and yahoo's front pages through some DNS poisoning technique, web defacing, or other random method.

What a run-on sentence ;) P

Again, forgive me for going off track, this will be the last comment I place in this news article relating to the above. I strongly believe that this issue is not being taken as serious as it should be. Patch up!


(note: this wmf thing is sort of like that GDI JPEG exploit thing, correct me if Iím wrong )

Reply Score: 1

borat Member since:

a security enthusiast should do more research.

in windows xp, you need administrator privilege to access DevicePhysicalMemory. a properly administered system is at no risk to this "ring0" attack. if you have administrator privilege, you can install and access device drivers anyway.

in windows server 2003 sp1, the object can't be accessed with any privilege.

this is just like having access to /dev/kmem in linux with root privilege.

i think you are right though with regards to physical damage in that it is remotely possible. some systems support live changes to voltages and fans. almost all the manufacturers implement it differently. assuming some silly user is browsing the web as a administrator, and gets hit with arbitrary execution of code vulnerability and that vulnerability just happened to have code designed to get kernel level access and be designed to work with that user's exact hardware, it could be possible. it would be quite a feat to see that pulled of. consider much work and how many NDA's the author of Motherboard Board Monitor had to sign, just to get the mobo specific code to read temps and fan speeds.

Reply Parent Score: 2

hal2k1 Member since:

On Windows it is my observation that a driver can be installed on the system by a simple executable on a CDROM. The executable runs, places some files in temporary locations, and schedules a task to be run on next boot to finish off the installation process. This is part of the reason why Windows requires a re-boot so often when installing new software.

OK, if an "install program" on a CDROM can arrange for a ring0 driver (or indeed as Sony demonstrated even a rootkit) to be installed into the system on next boot, why can't a malware executable from who-knows-where-on-the-web do exactly the same thing?

Next time you boot the system it destroys itself.

Reply Parent Score: 1

hal2k1 Member since:

"i think you are right though with regards to physical damage in that it is remotely possible."

It is actually quite easy - just changing some BIOS settings will do it.

I had a go at one time at "overclocking". The instructions said to increase the BIOS settings for clock speeds, multipliers and bus speed until the machine would no longer boot. After that it was necessary to re-set the CMOS RAM (using a jumper on the motherboard), then manually put back all the settings and back off on the clock speeds back to the highest values that still worked.

Given all that - it is therefore possible for any software that can change BIOS settings to render a machine unbootable to the extent that over 95% of computer users would have to take the machine back to a store to get it operational again.

Edited 2006-01-01 01:39

Reply Parent Score: 2