Fully functional PoC has been published on December 31

Jan 4, 2007 11:44 GMT

The vulnerability affecting the Client/Server Run-Time Subsystem (CSRSS) in Windows Vista, as well as other Microsoft operating systems including Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1 and Windows XP SP2, has received a medium risk rating from McAfee.

Microsoft has confirmed both the vulnerability and the existence of exploit code in the wild since December 20, 2006, but has yet to issue a patch addressing the flaw. The Redmond company's slow reaction in patching a vulnerability that spans an array of its operating environments is itself illustrative of the moderate risk associated with the flaw. The fact that exploit code was available as early as December 20, and that Proof-of-Concept code was published on December 31, without resulting in widespread attacks is another argument that a successful exploit will not have a major impact on the operating system.

The NtRaiseHardError PoC published on the last day of 2006 has been tested by eEYE Research and confirmed as a fully functional public zero-day Windows Vista exploit. eEYE Research has also assigned a medium risk level to the vulnerability. However, eEYE Research claims that a successful exploit of this vulnerability allows for local elevation of privilege on the affected operating systems and that this in turn permits remote code execution.

"Although this vulnerability requires an attacker to already be logged in or executing other code on a host, this does allow for the attacker to elevate his/her privileges to SYSTEM, allowing for complete system compromise no matter what credentials were used to launch this vulnerability," revealed eEYE Research.

McAfee reveals that the vulnerability leads to privilege escalation without user interaction, and states that a denial of service attack is the other possible outcome.

"The Microsoft Windows MessageBox API allows for messages to be sent by non-interactive services to the Windows Client/Server Runtime Server Subsystem (CSRSS) to alert of an error. A vulnerability exists in Microsoft Windows Client/Server Runtime Server Subsystem (CSRSS) that may allow for a local denial of service or privilege escalation. The flaw lies in processing of specially-crafted LPC requests which begin with a '??' or contain a 'Device' ANSI string, sent by the MessageBox function. Code execution resulting from successful exploitation would be at SYSTEM level," reads McAfee's description of the vulnerability.