Microsoft is reportedly developing a global mitigation for a class of Windows vulnerabilities that have been affecting the operating system for more than twenty years.
The vulnerability class impacts Win32k component within Windows products, which is still implemented in Windows, even on 64-bit versions, allowing older apps to run on modern systems.
Earlier this week security researcher Gil Dabah has published a lengthy report describing multiple never previously seen methods for getting an elevation of privilege using the Win32k component.
The problem stems fr om how Win32k component evolved. In earlier versions of Windows, Win32k worked in the user-mode section of the Windows operating system, and when Microsoft realized that this crucial component should run in more secure environment it was already too late, because the component had grown in size and complexity, and a complete re-write would have broken backward compatibility for thousands of 32-bit apps.
“Since win32k was originally designed and written (in C) to run in user-mode and only later it was moved to the kernel, it must do many callbacks to user-mode to accomplish its original job. Any function that calls back to user-mode is prefixed with ‘xxx’ in its name to imply this potentially dangerous kernel to user roundtrip,” the researcher explained.
“A classic known use-after-free memory attacking technique on win32k objects can occur in cases wh ere a temporary lock (reference count increment) was forgotten on the object by the developer before a user-mode callback takes place. In such cases, the object can be destroyed and freed by an attacker from user-mode and when execution returns to the kernel and continues, the object is already freed, hence resulting in a UAF”.
Over the years, multiple security researchers have detailed methods and techniques that allow to gain admin rights by injecting malicious code in the Win32k component.
Dabah said that his year-long research has resulted in the discovery of 25 vulnerabilities, 11 of which have been already addressed by Microsoft, with the latest fixes released in February 2020. Proof-of-concept exploits for 13 of the 25 vulnerabilities are provided on GitHub.