Forgot your password?
typodupeerror
Security Windows Bug IT

MS Traces Duqu Zero-Day To Font Parsing In Win32k 221

Posted by timothy
from the if-only-smarts-and-ethics-went-together dept.
yuhong writes "MS has traced the Duqu zero-day to a vulnerability in font parsing in win32k. Many file formats like HTML, Office, and PDF support embedded fonts, and in NT4 and later fonts are parsed in kernel mode! Other possible attack vectors, for example, include web pages visited using web browsers that support embedded fonts without the OTS font sanitizer (which recent versions of Firefox and Chrome have adopted)." Adds reader Trailrunner7: "This is the first time that the exact location and nature of the flaw has been made public. Microsoft said that the permanent fix for the new vulnerability will not be ready in time for next week's November patch Tuesday release."
This discussion has been archived. No new comments can be posted.

MS Traces Duqu Zero-Day To Font Parsing In Win32k

Comments Filter:
  • NT4 and later fonts are parsed in kernel mode!

    It looks like somebody was half asleep that day as well and the long "focus on security" didn't go deep enough.

    • Re: (Score:3, Informative)

      by The Askylist (2488908)
      Nope - it was definitely a deliberate decision to make most of the GUI run in kernel mode on NT4.

      If you remember what 3.5 and 3.51 were like, it's possible to have some sympathy for this, but IIRC it was highlighted at the time as a bit of a silly thing to do.

    • I am surprised they haven't gone back to the old model now the hardware is up to it. It would make a lot of sense.

      • by gmueckl (950314)

        Well, the graphics drivers were moved out of the kernel and into a special user-space-like environment with Vista. This allows Windows to restart crashed graphics drivers on the fly (and this even works most of the time). Looks like other parts of the graphics subsystem are still where the don't belong, though.

        • by yuhong (1378501)

          Yea, partly because of the need to support old XP display drivers. The good news is support for that is eliminated in Windows 8, which may even allow the DWM to be part of the new CSRSS.

      • by yuhong (1378501)

        I once suggested to Larry Osterman of MS that this be done, now that there is a *separate CSRSS for each session* and has been since NT4 TSE. If one of them crashes, only the session is lost.

  • FFS microsoft, I'm a highschooler and I think that a really bad idea. How do mistakes like that get through q&a?
    • by jimicus (737525) on Saturday November 05, 2011 @07:32AM (#37956762)

      Very easily.

      The world was a different place in the early days of NT 4 - and remember this design dates back to before then, because the design decision would have been made some time before NT 4 was released.

      NT 4 was, arguably, the first version of Windows to really enjoy any sort of success in the server room. The Internet was only just starting to attract attention outside of academic circles; it would be some years before it became apparent how bad Windows was security-wise. Microsoft's priority wasn't security, it was making an OS with a sophisticated GUI you could install on a 486 with 16MB of RAM that could act as a server to a whole network. Historically it's always been somewhat quicker to run code in the kernel; NT 4 moved most of the GUI to the kernel for exactly this reason. Security? Why would that even appear on the radar?

      • by snowgirl (978879) on Saturday November 05, 2011 @07:39AM (#37956794) Journal

        This right here. The world was a different place back then. One could leave their house without locking their doors, and all that nonsense.

        The WMF vulnerability was borne out of the same situation. When designed, there was no consideration made for remote-code execution, because "remote" didn't really exist. Your worries were boot-sector viruses and executable viruses coming in on that floppy of Doom you "borrowed" from your friend. You didn't get viruses from the internet, heck, you were lucky if your computer connected to the internet at all!

        To end all this, this design decision clearly and loudly screams: GET OFF MY LAWN!!!

      • by Tom (822) on Saturday November 05, 2011 @08:15AM (#37956926) Homepage Journal

        The world was a different place in the early days of NT 4

        No, it wasn't. NT4 was released in 1996. By that time, many people here on /. had been exploiting bugs like that for 10 or 20 years already. Granted, mostly for fun or to cheat in (single-player) games, but still...

        NT4 already had a security architecture. There was a different place available (basically anywhere outside ring0) and it should have been put there, and it definitely should have been obvious to anyone with three grams of brains that stuff like this doesn't belong into ring0.

        • by gmueckl (950314)

          They still supported non-x86 architectures back then. And on those, there is only a kernel mode and a user mode. Rings 1 and 2 don't exist there. So putting the graphics in ring 1 or 2 would have hurt portability. OS/2, on the other hand, actually started to put stuff in all 4 rings because it was designed to run only on 386 and up.

          • by dryeo (100693)

            I don't think that OS/2 ever used ring 1 and ring 2 was used for DOS compatibility, allowing DOS device drivers to work in a DOS virtual machine.

            • by gmueckl (950314)

              Seems you almost got it right. A quick Google search turned up the information that ring 1 was unused and ring 2 was home for parts of the graphics and printing system.

        • by kantos (1314519)

          The world was a different place in the early days of NT 4

          Arguably true... but only for the monolithic win 9x series releases, which aren't relevant to this topic since the NT kernel was developed independently within Microsoft by Dave Cutler from DEC. It was Microsoft's first truly modern operating system. As many comm enters above me have mentioned NT originally did have functions such as font rendering in userspace due to its heavy hardware abstraction. As the pending issues with 9x loomed however MS could read the writing, on the wall; porting 9x to Unicode (it was ANSI throughout, a separate " Layer for Unicode [wikimedia.org]" had to be used to run Unicode programs on 9x machines) as well as supporting newer hardware (AHCI, USB, true Plug and Play) was going to be nearly impossible (the attempt was called Windows ME). So Microsoft began with NT4 to prep for the mass migration from 9x. Since the average consumer at the time didn't want to drop $3k for a workstation that would be able to run the NT model correctly, Microsoft made some compromises to the OS for the sake of speed.

          No, it wasn't. NT4 was released in 1996. By that time, many people here on /. had been exploiting bugs like that for 10 or 20 years already. Granted, mostly for fun or to cheat in (single-player) games, but still...

          NT4 already had a security architecture. There was a different place available (basically anywhere outside ring0) and it should have been put there, and it definitely should have been obvious to anyone with three grams of brains that stuff like this doesn't belong into ring0.

          You however are making the assumption that everybody in Microsoft talks to each other. A most incorrect assumption. The reality is most likely that WinDiv (The division responsible for the OS) made the assumption that fonts would not be loaded from insecure sources, e.g. Word documents. The Office division however faced the problem of what do you do when some user uses a font that is not on another users system? So they made the decision to allow the embedding of fonts into the file format, along with a bun

          • by yuhong (1378501)

            Note here that MSDN has completely get rid of compatibility info for any Windows versions before Win2000. Look in the old Platform SDK for WinServer 2003 SP1 from 2005 for the true compatiblity info.

          • by BitZtream (692029)

            The reality is most likely that WinDiv (The division responsible for the OS) made the assumption that fonts would not be loaded from insecure sources, e.g. Word documents.

            The bug here is a kernel level exploit by user land code, not administrative, just normal users. If the kernel team doesn't expect fonts to be loaded from 'insecure' locations then the API should have required special access, as it is, any user can root the machine, Internet or no Internet, Word or no Word. I can write an app to exploit this, just need to get someone to run it.

            Thats not a miscommunication issue, thats a fucking huge mistake, it doesn't MATTER what the word team tried, it shouldn't have wo

          • by sjames (1099)

            If someone in WinDiv allowed anything in ring0 to depend on anything unprivileged to keep it from being exploited (such as depending on Office to not load insecure fonts), then they were wrong, full stop. No exceptions, no excuses. Whoever made that decision needs to wear the paper bag now.

            Ideally, a privileged gatekeeper would get the request from unprivileged processes, parse it out and sanitize it, simplify it and pass it up to ring 0.

      • by dbIII (701233)

        The world was a different place in the early days of NT 4

        It wasn't really. Things like this were well known to be a bad idea and were only done to cut corners. Stuff as mainstream as Scientific American had articles on computer viruses in the early 1970s for fuck sake and a few hacking movies let alone popular novels had come out before NT4.

        Security? Why would that even appear on the radar?

        It was nineteen fucking ninety six and personal computer users had been worried about computer viruses for about a de

        • by jimicus (737525)

          It was nineteen fucking ninety six and personal computer users had been worried about computer viruses for about a decade.

          They had. But this is Microsoft we're talking about here, and their ability to predict the future has always been notoriously terrible; the great majority of viruses at the time were assembler-written things that did all sorts of clever stuff bypassing the OS entirely - and they were able to do that because memory protection was scant at best on DOS/Win3.x/Win9x. Few viruses even worked in NT, and with a proper security model, how could they?

          • by dbIII (701233)
            It wasn't about predicting the future - it was about learning from the lessons of the past! Unix and others had been cracked in all directions by students before NT was even thought of which is one reason why security was a consideration there, in VMS and in earlier versions of NT.
        • Umm, yeah, so we also have no excuse for kitting our asses kicked in an alien invasion, right?

        • It wasn't done to "cut corners" - remember that earlier version of NT (3.1, 3.5) did it all in user space. It was moved to kernel space, deliberately, so that it would sit there together with the graphics driver for maximum rendering perf. On the hardware of that time, it did make a visible difference, and let it run well on less powerful machines.

          You can argue that choosing speed over safety was a wrong priority, especially for a server OS. And I would agree with that. But it wasn't done just for giggles,

      • Security? Why would that even appear on the radar?

        Computer security has been an issue since at least the 1960s, and it's been well-documented and understood since at least the 1980s (when the NSA Rainbow Books appeared). The Morris worm hit in 1988. None of this stuff should have come as a surprise, and there were many people talking about how Microsoft was repeating all the mistakes over and over again.

        As you say, the fact is, Microsoft wasn't concerned with security. I don't give them a free pass for that. The entire world has been paying for their m

        • by rrohbeck (944847)

          I can very well remember how many people criticized MS for moving the graphics subsystem into the kernel for a slight performance advantage. I liked NT3 with all its VMS heritage and it was clear that MS was spoiling the clean design.

      • by Gr8Apes (679165)

        NT 4 was, arguably, the first version of Windows to really enjoy any sort of success in the server room.

        Only for the first 42 days or 2^20 page outs....

      • by yuhong (1378501)

        And in particular it took until IE4 in 1997 before MS's own web browser supported embedded fonts.

    • I'm a college dropout and have no idea what any of this means... so... uh... kudos to you; you have my envy, younger yet superior nerd.

      Seriously. I feel like this post comes across as sarcastic but I mean it.

    • FFS microsoft, I'm a highschooler and I think that a really bad idea. How do mistakes like that get through q&a?

      If you're a highschooler, I bet you never had to write code that's supposed to run a 486 with 8Mb of RAM and a crappy S3 video card that barely does 2D. Try that, then have your clients come screaming at you about how your OS is so slow as to be unusable (sure it is, when you've almost got a microkernel there and nice isolation levels for all stuff, including graphics!) - then get back to us.

    • by antdude (79039)

      Q&A = Questions & Answers. :P

      How did that easy mistake get through you? :P

  • WTF (Score:5, Insightful)

    by arkhan_jg (618674) on Saturday November 05, 2011 @07:37AM (#37956782)

    Whiskey Tango Foxtrot Microsoft. What genius thought font parsing belonged in ring 0?

    • Re:WTF (Score:4, Informative)

      by impaledsunset (1337701) on Saturday November 05, 2011 @08:24AM (#37956958)

      It's a questionable decision, yes. However, the vulnerability wouldn't be any less worse if it was in userspace. And Microsoft weren't exactly the first. There was a time when the X11 server parsed fonts directly, and it was running as root, perhaps with some privileges dropped along the way. It wasn't kernel mode, but you still had a font parser running as root. So, they weren't the only geniuses who thought so.

      But yeah, the X11 world has improved a lot since then, font parsing and rendering by the client, in userspace, and with an unprivileged account -- all great ideas that Microsoft might want to follow.

      • by larien (5608)
        Wrong - if it was in userspace, it would be tied to the permissions granted the logged on user. I'm not 100% sure, but even as admin, UAC should still have blocked the worst of the behaviour. Once you're running code in the kernel, you can pretty much do whatever you want and the user's permissions and UAC become irrelevant.
        • by NeoMorphy (576507)

          X server runs as root because it needs to directly access your video hardware.

        • by ultranova (717540)

          Once you're running code in the kernel, you can pretty much do whatever you want and the user's permissions and UAC become irrelevant.

          UAC is irrelevant, since it doesn't tell the user what the program is actually trying to do, so the choices are to accept and hope everything goes well, or deny and have the program not work. Add the fact that random programs will require admin rights at random times, and the only real effect of UAC adds up to blame shifting.

          • UAC is irrelevant, since it doesn't tell the user what the program is actually trying to do, so the choices are to accept and hope everything goes well, or deny and have the program not work.

            Well, it's exactly like su/sudo, and Unix world has somehow managed to live with that for decades.

            Then again, it didn't have large quantities of users whose first reaction to the file named amateur_lesbian_threesome.jpg.exe was to click it (and then click "Yes, just fuck off!" in every warning dialog that would appear).

      • The sane way of doing this would be to have a font service that would run as an unprivileged user, parse TrueType fonts and pass the beziers to the graphics subsystem in the kernel. This was possible with the NT security model from the start. This wouldn't even have cost anything in terms of performance - parsing the font file is not performance-critical, only rendering the resulting glyphs is.

        There was a time when the X11 server parsed fonts directly, and it was running as root, perhaps with some privileges dropped along the way

        Kind of. It did, but only of fonts installed on the X server. This meant that it was not parsing untrusted fon

  • by bmo (77928) on Saturday November 05, 2011 @08:02AM (#37956882)

    ... And I want at least one of them to give a good reason why parsing fonts in kernel mode is a good idea. Speed is not a good reason. Not even on 10 year old equipment it's not.

    --
    BMO

    • Seeing as speed (on 15+ year old equipment) was the reason they did it, you're not going to get an answer you like.

      People said Windows NT was too slow on their 486s, so one of the things Microsoft did to try and fix that was to move the GDI into the kernel. They didn't think the security and stability side through however, and I doubt if many people are going to call it the greatest decision ever made in the design of an OS.

      • by TheRaven64 (641858) on Saturday November 05, 2011 @11:34AM (#37958200) Journal

        Seeing as speed (on 15+ year old equipment) was the reason they did it, you're not going to get an answer you like.

        Sorry, but that reason is bullshit. Rendering fonts is performance-critical. Parsing the fonts is not. The vulnerability is in the code responsible for turning a font file into a set of bezier paths that the display subsystem can render. This code is not performance critical, nor does it need to run with any privileges other than the ability to read the font file (or read font data from a pipe or memory buffer) and write the bezier paths somewhere.

        Moving the code that takes the output from this bit of code into the kernel makes sense, because that really is performance critical. Rendering text is one of the most CPU-intensive things a modern windowing system does. Parsing font files is not.

        • My suspicion was that, when they moved GDI to kernel space back in NT4, it was done wholesale - likely because re-architecturing it completely to properly separate into things that had to go into the kernel for perf reasons, and things that could stay in userspace, and making them interoperate (since that now requires a bunch of new kernel calls) simply didn't fit the release schedule even after considerable stretching.

          • Yup, that's more plausible. It wasn't done because it was sensible, it was done because it was easy.
  • by Tom (822) on Saturday November 05, 2011 @08:09AM (#37956900) Homepage Journal

    in NT4 and later fonts are parsed in kernel mode!

    anyone who doesn't immediately realize this is a recipe for trouble? Parsing externally-supplied data in kernel mode. Yeah, like that never got anyone...

    For all the really, really smart people that MS employes, why do they keep on making the dumbest mistakes one could come up with if it were a "dumb idea of the month" challenge?

    • by Rockoon (1252108)
      Hello Mr Low ID number.

      I'll bet you anything that this code was in the kernel before you signed up here at slashdot. What does that say about your pretense that this was recently thought up?

      I await your snarky reply.
      • by dbIII (701233)

        What does that say about your pretense that this was recently thought up?

        You've lost me. Where outside some dark corner of your own mind with possible chemical assistance is that suggested? Please quote it.

        • What does that say about your pretense that this was recently thought up?

          You've lost me. Where outside some dark corner of your own mind with possible chemical assistance is that suggested? Please quote it.

          Dude, you are the one huffing glue. "keep on making" and "dumb idea of the month" imply a level of immediacy and concurrency that is absolutely unwarranted. The guy is hiding behind a 3 digit ID, thinking it shields him when he makes an asinine remark. It doesn't.

          • by Tom (822)

            "keep on making" and "dumb idea of the month" imply a level of immediacy and concurrency that is absolutely unwarranted.

            Ah, I see the misunderstanding.

            No concurrency was intended. "keep on making" was intended to cover basically the entire existence of MS, who have been doing stupid mistakes like this for as long as I can remember. And the "dumb idea of the month" is a figure of speech not referring to any specific month, neither present nor past.

            The guy is hiding behind a 3 digit ID

            No, the ID is too short to hide behind. :-)

            • No, the ID is too short to hide behind.

              That is one of the greatest smack-talk comebacks of all time. My hat is off to you good Sir.

          • by dbIII (701233)
            Why are you pretending to be too stupid to understand the above post? Surely you know to look at the words around the ones you've taken out of context?
      • I'll bet you anything that this code was in the kernel before you signed up here at slashdot..

        What was supposed to have happened during Microsoft's security "rebirth", where they put Longhorn development on ice for about a year so they could overhaul XP for Internet-worthy security robustness? What about since that time where they've supposedly been using the most advanced code verification tools on the planet to verify their OS?

        Shouldn't they have reimplemented this feature in userspace at some point during that long process?

      • by Tom (822)

        I'll bet you anything that this code was in the kernel before you signed up here at slashdot. What does that say about your pretense that this was recently thought up?

        I didn't say anywhere this was recent. Adding something like that to kernel code was an obviously stupid idea even at that time.

        And yes, it is probably about two years older than my /. membership.

        • by BitZtream (692029)

          Just curious, can you name an OS that doesn't do it in one form or another?

          Keep in mind, just because you aren't parsing raw file data doesn't mean you aren't parsing. Parsing memory from an ioctl is still doing the same thing, might be a simpler file format, like say a C structure, but its still parsing.

          • by Tom (822)

            Just curious, can you name an OS that doesn't do it in one form or another?

            I can name two that had a font-rendering kernel exploit in 2009 [infoworld.com]. You'd have thought their manufacturer would check his other products for the same or similar problems...

            And yes, I know quite a few OS who don't do complex operations like that in kernel space, but push it into user land and reserve the kernel space part to simple operations that are more likely to be done with less bugs.

            Yes, you need to do stuff with data, and sometimes that data comes from the outside. But name me one reason why font renderi

    • For all the really, really smart people that MS employes, why do they keep on making the dumbest mistakes one could come up with if it were a "dumb idea of the month" challenge?

      It's faster and easier and they're able to externalize the consequences.

  • by crdotson (224356)

    Isn't this how people hacked the original xbox so many years ago (a font vulnerability)? It's not like they haven't been warned...

    • by BitZtream (692029)

      I'm fairly certain that since they've fixed this flaw so quickly that if they had known about it specifically, they probably would have fixed it.

    • by cbhacking (979169)

      I don't know about the Xbox vulnerability per se, but font parsing vulns are nothing new. For an actually pretty recent example, t least one of the iPhone jailbreaks used a very similar exploit to this one (and was embedded in a web page).

      That said, I know MS fuzzes the heck out of their font parsers. It's a little tricky since it's in kernel - if something breaks, it's slightly harder to debug and takes more time to go through repro steps, since you're basically intentionally bugchecking ("BSoDing") the bo

  • A Kaspersky Malware Lab expert blogged about this Here [securelist.com] on the 2nd November and even gave the suspected DLL file win32k.sys:

    Symantec and Microsoft still haven’t made the actual dropper file available to other antivirus companies yet, nor have they provided information about which Windows component contains the vulnerability that results in privilege escalation. However, indirect evidence suggests that the vulnerability is in win32k.sys.


    We discovered a similar vulnerability (see MS10-073) a year ag

  • In both Ie and FF. I'm sorry but those damn idiot web designers who insist that a 4px font is readable because they still use a 320x240 screen need to upgrade to something reasonable like 1024x768, means I've been forced to learn enough about CSS to begin creating my own overriding page to prevent those damn pesky and funky fonts/colors/sizes that make it impossible to read their sites. Of course, when I hit one of those sites, I add them to my block list though if I can get the custom css page working corr

UNIX was half a billion (500000000) seconds old on Tue Nov 5 00:53:20 1985 GMT (measuring since the time(2) epoch). -- Andy Tannenbaum

Working...