The PoC has been circulating in the wild since December 15

Dec 26, 2006 07:50 GMT

Old Saint Nick went inside his coal stash and delivered Microsoft a zero-day vulnerability for Windows Vista. Proof-of-Concept code has been spreading in the wild since December 15, 2006, after initially being published on a Russian forum. The zero-day vulnerability affects a wide range of Microsoft operating systems and, if successfully exploited, allows escalation of privileges.

"Determina Security Research has discovered a vulnerability in the way the Windows Client/Server Runtime Server Subsystem (CSRSS) processes HardError messages. This vulnerability allows a logged on user to execute arbitrary code in the CSRSS.EXE process and elevate their privileges to SYSTEM level. The vulnerable code is present in Windows 2000, XP, 2003 and Vista," revealed Determina Security Research.

According to data made public by Secunia, the vulnerability extends to Windows Vista, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Windows XP Home Edition and Windows XP Professional.

As far as the initial security reports are concerned, none of them rates the Windows Vista zero-day vulnerability as a great risk. In fact, Secunia ranks the flaw only as Less Critical.

"If the MB_SERVICE_NOTIFICATION flag is specified when calling the MessageBox function from the Windows API, it will use the NtRaiseHardError syscall to send a HardError message to CSRSS. This message contains the caption and text of a message box to be displayed by CSRSS on behalf of the caller. This functionality is designed to allow non-interactive services to notify the user of critical errors. The HardError message is handled by the UserHardError function in WINSRV.DLL. It calls GetHardErrorText to read the message parameters from the address space of the sender. The GetHardErrorText function returns pointers to the caption and text of the message box," are the scarce technical details made public by Determina Security Research.

In this regard, if either the caption or the text parameter begins with the "??" prefix, the function frees the buffer and then returns a pointer to that freed memory. At this point in time, reports indicate that the zero-day vulnerability involves memory corruption in the kernel. An exploit attempt crashes the attacked system.