Forgot your password?
typodupeerror
Bug Graphics Security Windows Technology

Microsoft Warns of Windows 7 Graphics Flaw 262

Posted by CmdrTaco
from the leaky-pipes-make-for-wet-basements dept.
Barence writes "A flaw with the graphics driver in Windows 7 could compromise the stability and security of PCs, Microsoft has warned. The vulnerability lies in the Windows Canonical Display Driver (cdd.dll) for the 64-bit versions of Windows 7 and Windows Server 2008 R2. Microsoft claims that the flaw could lead to machines rebooting or even allow a hacker to remotely execute code, although it claims either eventuality is improbable. Concerned users are being advised to disable Windows Aero until Microsoft can issue a fix."
This discussion has been archived. No new comments can be posted.

Microsoft Warns of Windows 7 Graphics Flaw

Comments Filter:
  • Servers (Score:5, Informative)

    by sopssa (1498795) * <sopssa@email.com> on Wednesday May 19, 2010 @09:40AM (#32264222) Journal

    and Windows Server 2008 R2

    This is why you don't use unnecessary things like Aero (and graphical displays) on servers. Granted Aero isn't enabled by default on Windows Server 2008, but it's still all unnecessary. Servers are meant to be configured and left running with minimal installs. You can do everything you need to from a command line, and sftp for editing those configuration files. When you have a minimalistic install there's also much less change of some random software having an exploitable bug.

    • GUI is still there for remote desktop and it's easier to configure then CMD only.

      • Re: (Score:2, Funny)

        by Anonymous Coward
        easier than cmd? you must be new here.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        GUI is still there for remote desktop and it's easier to configure then CMD only.

        That's because Microsoft has a crippled CLI, and yes, that included Powershell..

      • GUI is still there for remote desktop and it's easier to configure then CMD only.

        But a remote desktop shouldn't require any kind of display driver on the host.

        • by bhtooefr (649901)

          CDD (the affected driver) is for GDI (read: pre-Vista, although quite a lot of current software still uses GDI) applications to display on a display using the Desktop Window Manager. Disable Aero, and you're using XPDM instead of DWM, and it's GDI all the way.

          Although I believe the DWM disables itself for remote desktop, anyway.

      • Re: (Score:2, Insightful)

        by flyingfsck (986395)
        Well, that is the point where Microsoft copied X Windows wrongly. There is no need to run the windowing GUI on the remote machine if the local machine is already running a windowing GUI.
        • Re: (Score:3, Insightful)

          by kestasjk (933987) *
          If there's no need to do it why is X Windows the only windowing system that does it? Why does VNC/somethingX (the new one) exist for X Windows when X servers are available on all platforms?

          I don't know that you're wrong in calling Microsoft's approach wrong, or have more than an idea of why you might be wrong, but the fact that everyone else uses the "wrong" approach sets off the BS-meter.
          • There was no freely availalbe Xserver/XClient for Windows until recently .....

            VNC will work on any graphical system, Windows, X, And most others .... that's the point it is *not* tied to X and so can be universal

            The X approach is wrong (for various reasons)
            - But X is simple enough that it's inadequacies can be worked around
            Windows is wrong (for various other reasons)
            - But this is Windows so there is no way to work around it's inadequacies...

          • by Sir_Lewk (967686)

            Why?

            Because those that don't know X are doomed to reimplement it poorly, and those that do know X just use X.

      • by natehoy (1608657) on Wednesday May 19, 2010 @10:11AM (#32264576) Journal

        I can see that. Perhaps you are a small business and you don't want to train your network admins on CLI tools, so they use the "easier" (read: "requires less training") GUI rather than the faster CLI. Fair enough, not everyone can afford fully-trained network engineers to manage a few small in-house servers.

        But, seriously, Aero? Even the least experienced network admin doesn't need to enable Aero to administer the server. It's a waste of CPU and memory resources for something that (hopefully) you spend a few minutes a week on. If you insist on using a GUI to administer your servers, fine, but at least make it the simplest GUI you can use to get your job done.

        As GP said, the simpler your interface, the less likely there is to be an exploitable security flaw in it. The more complex you make your remote access capabilities, the more likely it is that someone else can find a vector in to them.

        SFTP/SSH exchanges very little data and has very few possible attack vectors. "Classic" GUI has a few more attack vectors and possible failures and exchanges a lot more data, but it adds simplicity for those not comfy with the CLI, so there's a logical trade-off there.

        Aero adds a lot more traffic, a lot more complexity, a lot more potential vectors for both failure AND attack, and does not make the GUI any more functional for administrative tasks.

        Now, if you're using Server 2008 on your desktop as your daily machine, and you like sexy GUI, OK, I can see Aero being enabled. But there's no reason to enable Aero on an actual server.

      • Does Aero even work if you remote desktop in?

        My guess is it drops back down to Basic.

      • Bah. I always switch to the classic mode anyway. It updates the screen faster, is more responsive, and seeing as how I grew up with this (see links), I already think it's pretty enough - http://toastytech.com/guis/c64g.html [toastytech.com] http://www.guidebookgallery.org/pics/gui/desktop/full/amigaos10.png [guidebookgallery.org]

        Question:

        Why does this flaw affect NT 6.1 and 6.2, but not 6.0 (vista)??? And why's the driver called "Canonical"?

      • by djdanlib (732853)

        Right - but Aero is not installed or enabled by default, and drivers that support Aero are not included in the box either. RDP won't show you Aero if it's not available on the system. So out of the box, you get a plain if a bit ugly GUI that a low-end graphics card can handle.

        Most servers do not come with a display adapter that supports Aero. I've tried just to see if it was even possible, but the ATI ES1000 that comes standard in my IBM xSeries servers just doesn't cut it :)

        So, most of the people using Ser

    • better yet (Score:5, Funny)

      by batistuta (1794636) on Wednesday May 19, 2010 @09:57AM (#32264420)

      This is why you don't use unnecessary things like Aero (and graphical displays) on servers.

      This is why you don't use unnecessary things like Windows Server 2008 R2 on servers.

      There. Fixed it for you

    • Re:Servers (Score:5, Insightful)

      by gotpaint32 (728082) * on Wednesday May 19, 2010 @09:58AM (#32264440) Journal
      Its called Windows 2008 Server Core and Powershell. But theres a time and place for everything, try running terminal services from a box with no GUI, I'm sure your users would be very happy with just greenscreen access.
      • Then don’t use stupid terminal services? Who came up with that crap anyway? You have a decent powerful CPU and graphics system right there on your system. Stop making excuses, and use it.

    • by dc29A (636871) *

      I guess you didn't bother checking out this [microsoft.com] or this [microsoft.com].

    • This is why you don't use unnecessary things like Aero (and graphical displays) on servers.

      Why on Earth would you connect a screen (be it CRT or LCD) to a server, in the first place? I cannot think of any reason for doing this, if it is a SERVER.

    • by pyrbrand (939860)
      For most server uses you're right, it doesn't make sense to use Aero, which is why it isn't turned on by default. However, aside from running a terminal server for your users to connect to (for example with a nightly build of an app you're building for testers to use), a lot of devs use WS as their desktop OS for development. This was even more common with WS2k3 as early versions of WS2k8 made it hard to do, but they've added back in optional "desktop services" to make it possible to do again. Think abou
  • ... machines could start spontaneously displaying goatse...
  • No way! (Score:5, Funny)

    by Lurchicus (1280666) on Wednesday May 19, 2010 @09:46AM (#32264306)
    You'll get Areo when you pry it out of my cold dead... damn... it rebooted again!
  • Oh, sure, fine... (Score:4, Interesting)

    by MediaCastleX (1799990) on Wednesday May 19, 2010 @09:47AM (#32264312) Journal
    ...This is why I wait to get my tech. I might be on the waning edge of things, but at least I get them when they work.
  • Worse yet, (Score:5, Funny)

    by Black Parrot (19622) on Wednesday May 19, 2010 @09:51AM (#32264362)

    it might render your porn poorly.

  • by HopefulIntern (1759406) on Wednesday May 19, 2010 @09:56AM (#32264412)
    When I am playing BC2 it sometimes interrupts my game to tell me I have run out of memory and Aero is turning off. I cannot imagine why, I have 1GB GPU and 6GB RAM....

    It seems there are some flaws in Aero on 64 bit systems.
    • Re: (Score:3, Informative)

      by ZosX (517789)

      BC2 is probably trying to cache everything into your available video ram, hence aero shutting down because it is out of ram. It does require 128megs, so perhaps BC2 is trying to utilize the whole 1 gig since its there.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        You are correct, lots of games will try to claim all available video ram when running in fullscreen. It's generally a good idea to turn of aero when gaming, although it's kind of a hassle. There is a method for apps to request Aero to shutdown without the need for user intervention (of all games Civ IV actually does this) but very few games seem to make use of it.

        • Re: (Score:3, Informative)

          by ZosX (517789)

          You can just right click and go to the compatability tab and select disable windows themes. It will turn off aero automatically.

    • by tweak13 (1171627)
      Maybe they changed this in 7 and I didn't notice, but in Vista if you are running a fullscreen 3D program aero should get disabled automatically.
      • by Spad (470073)

        It doesn't if you're running a multi-monitor setup.

        • Correct. In fact, having several monitors has proven to screw around with other programs too. I loaded up SWAT4 again, to revisit a decent shooter, and it doesn't even launch until I disable the second monitor.
          • I'd prefer not launching to what the original Hitman does if you try to run it in windowed mode - it centers itself, meaning it's half on each monitor, and there's no title bar... of course fullscreen doesn't work properly either.

    • by EvilIdler (21087)

      I have disabled Aero (I think it's ugly) on my gaming system, and I still run into issues related to it. When starting certain games, a "helpful" bubble pops up to tell me Aero has been disabled, but its appearance causes the game to end before it even has finished loading. At least Microsoft is an equal opportunity employer, with all those mentally handicapped developers. "Look at me! I detected a USB device!"

      Will a future edition of Windows have a TREAT button for the system to be rewarded whenever it doe

  • Yawn, (Score:2, Insightful)

    by Massacrifice (249974)

    Why do I have the feeling this is overblown? I'm running W2K8R2 x64 as a Workstation OS, it is rock stable, possibly the best OS MS ever produced. Yet I'm sure there are _plenty_ of bugs like this one. Doesn't Microsoft issue bug reports like this every month? Doesn't _any_ OS company produce bug reports like this every month? Why is this one so special? Cause, I'd like to know.

    I'm not saying it's should'nt be fixed, reported, or taken care of. I'm not saying Windows is the best OS. OS X can be pwned throug

    • Re: (Score:3, Insightful)

      by Sycraft-fu (314770)

      I think it's special because there haven't been all that many bugs with Windows NT 6.1 OSes (7 and R2). They seem to have less security issues than past Windows OSes, and are doing quite well compared to other OSes out.

      However, this is Slashdot and the editors do not like Windows at all as evidenced by the broken Windows logo the Gates Borg logo and so on. They often go out of their way to find things wrong with Windows to post as front page news. Hence something like this makes the news since there hasn't

  • There is talk of useing GPU Computing in them and will something like this make easier to hack them?

  • My box will randomly crash. The screen wigs out and then the box reboots. It's not even a BSoD, the whole screen goes completely crazy for about 5 seconds before it reboots, and it occurs at totally random times. I have triple (probably quadruple at this point) checked that all hardware is compatible, all software is completely up-to-date, all drivers are up-to-date, and I have paid top-of-the-line antivirus software. I finally gave up and chalked it up to Win7 64-bit....looks like I was right.
    • You might want to verify that you don't have a hardware problem there. Graphical corruption caused by software bugs is certainly far from unknown; but "screen wigs out, system dirt-naps" is classic dying GPU behavior. I saw it all the time when dealing with a batch of laptops with the NVIDIA GPU package fault issue.
    • by Itninja (937614)
      I would recommend you swap out some hardware, namely the graphics card. What you describe sounds less like a Windows issue and more like a graphics card issue (though I don't know what you mean by 'wigs out'). Get yourself a different graphics card and swap it out and see if the issue goes away. And honestly, who pays for AV on a non-corporate machine?
    • by CAIMLAS (41445)

      I have paid top-of-the-line antivirus software.

      Well then. This is evidently your problem. :)

    • by Blakey Rat (99501)

      Anti-virus software can't do anything about your busted-ass overheating video card. (Which is exactly what you're describing.)

  • http://www.jwz.org/xscreensaver/toolkits.html [jwz.org]

    My favourite bit (at the moment):

    Let's suppose that down in the bowels of some particular version of some particular toolkit library, there lurks a bug. Let's suppose that the nature of this bug is something relatively obscure: say that it's something like, if you hold down 5 keys on the keyboard for 10 seconds then drag the middle mouse button, the text entry widget gets a SEGV. (In fact, I'm not making this up: I saw this very bug once, years ago.)

    Now, that's the sort of bug that is not likely to be noticed or fixed, because it's the sort of thing that people "never" do. If that bug was reported against, say, a web browser, nobody would much care: User: "I can crash my web browser by doing this crazy thing!" Developer: "Uh, don't do that then." And that's not a totally unreasonable response.

    However, in the context of security software, it matters, because then it's not merely a cute trick that crashes the program: now it's a backdoor password that unlocks the screen.

  • WinServer? (Score:4, Interesting)

    by Toreo asesino (951231) on Wednesday May 19, 2010 @11:13AM (#32265460) Journal

    Areo isn't even installed by default with Windows Server 2008 - you have to install it, reboot, and then enable it. That's hardly any attack vector at all IMO.

  • After installing it was to disable all of the extra GUI junk in the UI. It now looks like Windows 2000 and runs slightly better too.

    Truth be told if I could replace the GUI with the one from windows 95 I would, and why do they keep changing how control panel looks/works, I would like some freeking consistency.

    • why do they keep changing how control panel looks/works, I would like some freeking consistency.

      The not-so-savvy computer users out there won't notice or care about improvements under the hood. Making visual, easily noticeable changes is about the only way to ensure the average end-user even realizes it's a different OS.

      The annoying changes for you and me lead to more sales, in theory, from the layman.

  • by sohp (22984)

    Is Windows 7 still running the graphics driver in Ring 0? They moved it from Ring 3 (least privileged) to the most privileged mode in NT 4.0 as a performance hack. Still reaping the 'benefits' of that decision today.

    • by jack2000 (1178961)
      What? You can't trust your own video adapter card?
      True driver writers are morons but still...
    • by jpmorgan (517966)

      Since Vista, Microsoft have been moving most drivers back into userspace. In Vista and Win7, display drivers are hybrids: they contain a small kernel space (ring 0) driver that handles direct communication with the graphics device (i.e., scheduling DMA operations and such), and a user space (ring 3) driver that does all the heavy work.

      That's why, even in the early days of Vista when the drivers were terrible, it didn't actually blue-screen much. You'd get a screen flicker then a message informing you that t

    • by Blakey Rat (99501)

      Is Windows 7 still running the graphics driver in Ring 0? They moved it from Ring 3 (least privileged) to the most privileged mode in NT 4.0 as a performance hack.

      Windows Vista and 7 only run a small portion of the video driver in Ring 0... just the part that directly talks to the hardware. The rest runs in the same abstraction layer as the rest of the drivers on the system. That's why Vista and 7 can reboot a crashed video driver most of the time without requiring a reboot.

      BTW, NT4? Seriously? Why don't yo

  • "64-bit versions of Windows 7 and Windows Server 2008 R2. [...] Concerned users are being advised to disable Windows Aero until Microsoft can issue a fix."

    I recall that Microsoft made a huge deal about the new Aero look, back when Windows Vista was released, [microsoft.com] touting it as some kind of major revolution for PC computing (even though it was "just" a GUI.) They even used bullsh*t "hype" language that it would "enable you to manage the windows on your desktop by arranging them in a visually striking yet convenie

Save yourself! Reboot in 5 seconds!

Working...