MS Traces Duqu Zero-Day To Font Parsing In Win32k

yuhong writes "MS has traced the Duqu zero-day to a vulnerability in font parsing in win32k. Many file formats like HTML, Office, and PDF support embedded fonts, and in NT4 and later fonts are parsed in kernel mode! Other possible attack vectors, for example, include web pages visited using web browsers that support embedded fonts without the OTS font sanitizer (which recent versions of Firefox and Chrome have adopted)." Adds reader Trailrunner7: "This is the first time that the exact location and nature of the flaw has been made public. Microsoft said that the permanent fix for the new vulnerability will not be ready in time for next week's November patch Tuesday release."

Kernel mode

[Tomato42]

And they told me that Linux is monolithic... But I'm damn sure that the kernel doesn't parse fonts.

Re:Kernel mode

[nepka]

In fact it does. For example fbcon is part of kernel and handles, along other things, text rendering. It's not wise to assume things.

Besides, font rendering is quite common task and needs to be fast. That's why it also needs to be so low level. Yes, you could isolate everything to higher levels, but that only results in bloat and slowness. This was especially true in NT4.0 days, which this exploit dates back from.

Re:Kernel mode

[Arlet]

Does fbcon render true type fonts, or only simple bitmaps ?

 

Re:Kernel mode

[Barefoot+Monkey]

Parsing, not rendering. Does fbcon parse font files? Or is that done in user space?

Re:Kernel mode

[marcansoft]

The kernel doesn't parse fonts. A userspace program parses the fontfile (which could easily be TrueType if someone feels like supporting that, though it would have to be monospaced). The kernel only gets a raw monochrome bitmap data array for the characters, a width and height, and optionally a character map. No parsing is done in the kernel.

KDFONTOP ioctl arguments:
struct console_font_op {
                unsigned int op; /* KD_FONT_OP_* */
                unsigned int flags; /* KD_FONT_FLAG_* */
                unsigned int width, height;
                unsigned int charcount;
                unsigned char *data; /* font data with height fixed to 32 */
};

fbcon blitting rectangular blobs onto the screen doesn't even remotely qualify as "parsing fonts". Doing TrueType in the kernel, which is what Windows does here, is patently insane.

Re:Kernel mode

[hairyfeet]

TFA also doesn't point out that they already have a workaround that is as simple as clicking a button that says "fix it". No CLI mess, no trying to explain it to Suzy the checkout girl, the CLI is also listed if you want to do that, but for everyone else there is this simple fix it page.

I don't know about everyone else but I'll be testing this on my own system for a few hours and if there are no adverse effects i'll be shooting an email to my users with the link.

Re:Kernel mode

[BitZtream]

Sigh, the userland program is just a preprocessor, the kernel still has to parse and validate the memory it gets passed to it. The compiler does most of the parsing code for you thanks to those neat things called structures.

The two kernels may do things differently, but they are both most certainly parsing fonts. You just seem to think that if the compiler does it for you or that if its done exclusively in memory that its not parsing, which is just silly logic.

Re:Kernel mode

[Burpmaster]

Sadly for your worldview, accessing fields at fixed offsets from a pointer isn't parsing. To say that it is redefines absolutely everything that software does as parsing.

Re:Kernel mode

[amorsen]

Sigh, the userland program is just a preprocessor, the kernel still has to parse and validate the memory it gets passed to it.

How difficult exactly is it to parse the Linux kernel font format? It's 5 ints plus an array which the kernel doesn't even need to understand (only boundary check)! Good luck exploiting that. Most ordinary programs/users don't even have ACCESS to the console; even if there was a bug you'd need to log in and run programs on the text console to exploit it. It is somewhat unusual to run word processors on the text console these days, you may have noticed.

Compare that to a Turing-complete hint format where you need to implement a virtual machine as part of the font parser, accessible and used by practically every GUI program.

Re:Kernel mode

[shutdown+-p+now]

Besides, font rendering is quite common task and needs to be fast. That's why it also needs to be so low level.

Doing something in kernel space does not magically make it faster. What it does is, it gets it all closer to other kernel space code, and so you don't need to waste time on userspace-to-kernelspace transitions if you need it.

In this case, I suspect the fonts are in the kernel because high-level graphics (i.e. GDI) is in the kernel, which in turn is because the graphics driver is in the kernel. It's a design that dates back to the earliest NT versions, where this kind of thing was very much justified if you wanted a responsive UI. These days, not so much.

Re:Kernel mode

[DeathFromSomewhere]

The claim:

the kernel doesn't parse fonts.

The counter:

fbcon is part of kernel and handles, along other things, text rendering

Your response:

fbcon only handles bitmap fonts

If you want to agree with someone, why be so snarky?

Nearly as insane as executing code in images

[dbIII]

NT4 and later fonts are parsed in kernel mode!

It looks like somebody was half asleep that day as well and the long "focus on security" didn't go deep enough.

Re:Nearly as insane as executing code in images

[The+Askylist]

Nope - it was definitely a deliberate decision to make most of the GUI run in kernel mode on NT4.

If you remember what 3.5 and 3.51 were like, it's possible to have some sympathy for this, but IIRC it was highlighted at the time as a bit of a silly thing to do.

Re:Nearly as insane as executing code in images

[moderators_are_w*nke]

I am surprised they haven't gone back to the old model now the hardware is up to it. It would make a lot of sense.

Re:Nearly as insane as executing code in images

[gmueckl]

Well, the graphics drivers were moved out of the kernel and into a special user-space-like environment with Vista. This allows Windows to restart crashed graphics drivers on the fly (and this even works most of the time). Looks like other parts of the graphics subsystem are still where the don't belong, though.

Re:Nearly as insane as executing code in images

[yuhong]

I once suggested to Larry Osterman of MS that this be done, now that there is a *separate CSRSS for each session* and has been since NT4 TSE. If one of them crashes, only the session is lost.

Re:Nearly as insane as executing code in images

[yuhong]

Yea, partly because of the need to support old XP display drivers. The good news is support for that is eliminated in Windows 8, which may even allow the DWM to be part of the new CSRSS.

brb banging head against wall

[admiralranga]

FFS microsoft, I'm a highschooler and I think that a really bad idea. How do mistakes like that get through q&a?

Re:brb banging head against wall

[jimicus]

Very easily.

The world was a different place in the early days of NT 4 - and remember this design dates back to before then, because the design decision would have been made some time before NT 4 was released.

NT 4 was, arguably, the first version of Windows to really enjoy any sort of success in the server room. The Internet was only just starting to attract attention outside of academic circles; it would be some years before it became apparent how bad Windows was security-wise. Microsoft's priority wasn't security, it was making an OS with a sophisticated GUI you could install on a 486 with 16MB of RAM that could act as a server to a whole network. Historically it's always been somewhat quicker to run code in the kernel; NT 4 moved most of the GUI to the kernel for exactly this reason. Security? Why would that even appear on the radar?

Re:brb banging head against wall

[snowgirl]

This right here. The world was a different place back then. One could leave their house without locking their doors, and all that nonsense.

The WMF vulnerability was borne out of the same situation. When designed, there was no consideration made for remote-code execution, because "remote" didn't really exist. Your worries were boot-sector viruses and executable viruses coming in on that floppy of Doom you "borrowed" from your friend. You didn't get viruses from the internet, heck, you were lucky if your computer connected to the internet at all!

To end all this, this design decision clearly and loudly screams: GET OFF MY LAWN!!!

Re:brb banging head against wall

[Zamphatta]

It's not a mistake, it's a feature -- for Windows users & for hackers! ;-)

Re:brb banging head against wall

[Tom]

The world was a different place in the early days of NT 4

No, it wasn't. NT4 was released in 1996. By that time, many people here on /. had been exploiting bugs like that for 10 or 20 years already. Granted, mostly for fun or to cheat in (single-player) games, but still...

NT4 already had a security architecture. There was a different place available (basically anywhere outside ring0) and it should have been put there, and it definitely should have been obvious to anyone with three grams of brains that stuff like this doesn't belong into ring0.

Re:brb banging head against wall

[gmueckl]

They still supported non-x86 architectures back then. And on those, there is only a kernel mode and a user mode. Rings 1 and 2 don't exist there. So putting the graphics in ring 1 or 2 would have hurt portability. OS/2, on the other hand, actually started to put stuff in all 4 rings because it was designed to run only on 386 and up.

Re:brb banging head against wall

[cynyr]

no we weren't thrilled... lots of sites stopped working anywhere other than in IE, and certainly not in Slackware! NOW GET OF MY LAWN!!! PULL UP YOUR PANTS!

Re:brb banging head against wall

[kantos]

The world was a different place in the early days of NT 4

Arguably true... but only for the monolithic win 9x series releases, which aren't relevant to this topic since the NT kernel was developed independently within Microsoft by Dave Cutler from DEC. It was Microsoft's first truly modern operating system. As many comm enters above me have mentioned NT originally did have functions such as font rendering in userspace due to its heavy hardware abstraction. As the pending issues with 9x loomed however MS could read the writing, on the wall; porting 9x to Unicode (it was ANSI throughout, a separate "Layer for Unicode" had to be used to run Unicode programs on 9x machines) as well as supporting newer hardware (AHCI, USB, true Plug and Play) was going to be nearly impossible (the attempt was called Windows ME). So Microsoft began with NT4 to prep for the mass migration from 9x. Since the average consumer at the time didn't want to drop $3k for a workstation that would be able to run the NT model correctly, Microsoft made some compromises to the OS for the sake of speed.

No, it wasn't. NT4 was released in 1996. By that time, many people here on /. had been exploiting bugs like that for 10 or 20 years already. Granted, mostly for fun or to cheat in (single-player) games, but still...

NT4 already had a security architecture. There was a different place available (basically anywhere outside ring0) and it should have been put there, and it definitely should have been obvious to anyone with three grams of brains that stuff like this doesn't belong into ring0.

You however are making the assumption that everybody in Microsoft talks to each other. A most incorrect assumption. The reality is most likely that WinDiv (The division responsible for the OS) made the assumption that fonts would not be loaded from insecure sources, e.g. Word documents. The Office division however faced the problem of what do you do when some user uses a font that is not on another users system? So they made the decision to allow the embedding of fonts into the file format, along with a bunch of other really bad decisions in hindsight (remember the Melissa virus?) that would have been caught if they had had the same security reviews as WinDiv did. To compound the problem, Office used unpublished and most likely unhardened APIs (it probably still does in parts) that allowed it the capabilities to do things like on the fly font loading something that wasn't exposed to the rest of us until Windows 2000 (NT 5.0). My point being that at the time it WAS a safe decision as far as WinDiv was concerned. Should they have been a little more careful with those unpublished APIs... yes they should have, it would have prevented a lot of anti-trust issues, but they weren't. So here we are with yet another security bug.

Re:brb banging head against wall

[buglista]

Bollocks. I remember saying it was a stupid idea at the time, and for stability as well as security reasons. Microkernels looked like a good way to go at the time, whereas MS were doing the exact opposite of what good design principles dictate. Have you not read Structured Computer Organisation?

Re:brb banging head against wall

[dbIII]

The world was a different place in the early days of NT 4

It wasn't really. Things like this were well known to be a bad idea and were only done to cut corners. Stuff as mainstream as Scientific American had articles on computer viruses in the early 1970s for fuck sake and a few hacking movies let alone popular novels had come out before NT4.

Security? Why would that even appear on the radar?

It was nineteen fucking ninety six and personal computer users had been worried about computer viruses for about a decade.

Re:brb banging head against wall

[Spazntwich]

I'm a college dropout and have no idea what any of this means... so... uh... kudos to you; you have my envy, younger yet superior nerd.

Seriously. I feel like this post comes across as sarcastic but I mean it.

Re:brb banging head against wall

[jimicus]

It was nineteen fucking ninety six and personal computer users had been worried about computer viruses for about a decade.

They had. But this is Microsoft we're talking about here, and their ability to predict the future has always been notoriously terrible; the great majority of viruses at the time were assembler-written things that did all sorts of clever stuff bypassing the OS entirely - and they were able to do that because memory protection was scant at best on DOS/Win3.x/Win9x. Few viruses even worked in NT, and with a proper security model, how could they?

Re:brb banging head against wall

[MobileTatsu-NJG]

Umm, yeah, so we also have no excuse for kitting our asses kicked in an alien invasion, right?

Re:brb banging head against wall

[dbIII]

It wasn't about predicting the future - it was about learning from the lessons of the past! Unix and others had been cracked in all directions by students before NT was even thought of which is one reason why security was a consideration there, in VMS and in earlier versions of NT.

Re:brb banging head against wall

[yuhong]

Well, when they designed ActiveX, they did realize that there would be security issues, which is why they created code signing and "safe for scripting" and "safe for initialization" etc... One of the problems however was that back in 1996 buffer overflows etc was not well-known security threats, which is now one of the biggest reasons why nowadays MS is adding kill bits in security updates.

Re:brb banging head against wall

[Gr8Apes]

NT 4 was, arguably, the first version of Windows to really enjoy any sort of success in the server room.

Only for the first 42 days or 2^20 page outs....

Re:brb banging head against wall

[yuhong]

And in particular it took until IE4 in 1997 before MS's own web browser supported embedded fonts.

Re:brb banging head against wall

[yuhong]

Note here that MSDN has completely get rid of compatibility info for any Windows versions before Win2000. Look in the old Platform SDK for WinServer 2003 SP1 from 2005 for the true compatiblity info.

Re:brb banging head against wall

[BitZtream]

The reality is most likely that WinDiv (The division responsible for the OS) made the assumption that fonts would not be loaded from insecure sources, e.g. Word documents.

The bug here is a kernel level exploit by user land code, not administrative, just normal users. If the kernel team doesn't expect fonts to be loaded from 'insecure' locations then the API should have required special access, as it is, any user can root the machine, Internet or no Internet, Word or no Word. I can write an app to exploit this, just need to get someone to run it.

Thats not a miscommunication issue, thats a fucking huge mistake, it doesn't MATTER what the word team tried, it shouldn't have worked.

Second, the kernel should validate ALL INCOMING DATA before doing anything with it. If you can't do this at fast enough rates, you preprocess it and let the kernel put it somewhere in the VM.

You ALWAYS validate data coming into the kernel from userland. Always. No exceptions. ALWAYS.

Re:brb banging head against wall

[peppepz]

Microkernels don't do drivers and file systems.

Re:brb banging head against wall

[dryeo]

I don't think that OS/2 ever used ring 1 and ring 2 was used for DOS compatibility, allowing DOS device drivers to work in a DOS virtual machine.

Re:brb banging head against wall

[CODiNE]

Alrightie, quick question for you since you clearly have been doing this longer than I have.

Back in 1996 when I was learning C it was pointed out many times that gets() was dangerous and should not be used. It was common knowledge by then.

So when and who started making a big fuss out of gets and the danger of buffer overflows? I find it strange that a teenager back then knew of them when Microsoft apparently didn't think it was a problem.

Re:brb banging head against wall

[yuhong]

FYI, a series of blog articles on this:
http://rdist.root.org/2010/05/03/why-buffer-overflow-exploitation-took-so-long-to-mature/

Re:brb banging head against wall

[sjames]

If someone in WinDiv allowed anything in ring0 to depend on anything unprivileged to keep it from being exploited (such as depending on Office to not load insecure fonts), then they were wrong, full stop. No exceptions, no excuses. Whoever made that decision needs to wear the paper bag now.

Ideally, a privileged gatekeeper would get the request from unprivileged processes, parse it out and sanitize it, simplify it and pass it up to ring 0.

Re:brb banging head against wall

[gmueckl]

Seems you almost got it right. A quick Google search turned up the information that ring 1 was unused and ring 2 was home for parts of the graphics and printing system.

Re:brb banging head against wall

[shutdown+-p+now]

It wasn't done to "cut corners" - remember that earlier version of NT (3.1, 3.5) did it all in user space. It was moved to kernel space, deliberately, so that it would sit there together with the graphics driver for maximum rendering perf. On the hardware of that time, it did make a visible difference, and let it run well on less powerful machines.

You can argue that choosing speed over safety was a wrong priority, especially for a server OS. And I would agree with that. But it wasn't done just for giggles, or because someone was that stupid.

Re:brb banging head against wall

[shutdown+-p+now]

FFS microsoft, I'm a highschooler and I think that a really bad idea. How do mistakes like that get through q&a?

If you're a highschooler, I bet you never had to write code that's supposed to run a 486 with 8Mb of RAM and a crappy S3 video card that barely does 2D. Try that, then have your clients come screaming at you about how your OS is so slow as to be unusable (sure it is, when you've almost got a microkernel there and nice isolation levels for all stuff, including graphics!) - then get back to us.

Re:brb banging head against wall

[antdude]

Q&A = Questions & Answers. :P

How did that easy mistake get through you? :P

How to deactivate custom fonts in a browser?

[muon-catalyzed]

Any idea how to turn-off custom fonts in webpages? Can't find that setting in Firefox at the moment. You are only vulnerable if custom fonts are enabled.

Re:How to deactivate custom fonts in a browser?

install GNU/Linux

Re:How to deactivate custom fonts in a browser?

[thejynxed]

http://support.mozilla.com/en-US/kb/Changing%20fonts%20and%20colors

Read that page.

Re:How to deactivate custom fonts in a browser?

[muon-catalyzed]

Turning off "allow pages to choose their own font" switch should quench this flaming 0-day.

http://support.mozilla.com/en-US/kb/Changing%20fonts%20and%20colors

Thanks!!

Re:How to deactivate custom fonts in a browser?

[yuhong]

I think recent versions of Firefox uses the OTS font sanitizer which tries to prevent attacks.

WTF

[arkhan_jg]

Whiskey Tango Foxtrot Microsoft. What genius thought font parsing belonged in ring 0?

Re:WTF

[impaledsunset]

It's a questionable decision, yes. However, the vulnerability wouldn't be any less worse if it was in userspace. And Microsoft weren't exactly the first. There was a time when the X11 server parsed fonts directly, and it was running as root, perhaps with some privileges dropped along the way. It wasn't kernel mode, but you still had a font parser running as root. So, they weren't the only geniuses who thought so.

But yeah, the X11 world has improved a lot since then, font parsing and rendering by the client, in userspace, and with an unprivileged account -- all great ideas that Microsoft might want to follow.

Re:WTF

[larien]

Wrong - if it was in userspace, it would be tied to the permissions granted the logged on user. I'm not 100% sure, but even as admin, UAC should still have blocked the worst of the behaviour. Once you're running code in the kernel, you can pretty much do whatever you want and the user's permissions and UAC become irrelevant.

Re:WTF

[TheRaven64]

The sane way of doing this would be to have a font service that would run as an unprivileged user, parse TrueType fonts and pass the beziers to the graphics subsystem in the kernel. This was possible with the NT security model from the start. This wouldn't even have cost anything in terms of performance - parsing the font file is not performance-critical, only rendering the resulting glyphs is.

There was a time when the X11 server parsed fonts directly, and it was running as root, perhaps with some privileges dropped along the way

Kind of. It did, but only of fonts installed on the X server. This meant that it was not parsing untrusted font data. This approach was problematic, because it meant that if you installed an office suite on a server then you needed to install all of its fonts on every thin client machine, or it needed to do all of the font rendering and then just send images to the X servers. Modern (i.e. for about the last decade) X systems have done font parsing and rendering on the client but stored the rendered glyphs on the server, where they can be composited quickly. This also has the advantage that the same rendering code can be used for any font format without the display server needing to know how it works.

Re:WTF

[NeoMorphy]

X server runs as root because it needs to directly access your video hardware.

Re:WTF

[ultranova]

Once you're running code in the kernel, you can pretty much do whatever you want and the user's permissions and UAC become irrelevant.

UAC is irrelevant, since it doesn't tell the user what the program is actually trying to do, so the choices are to accept and hope everything goes well, or deny and have the program not work. Add the fact that random programs will require admin rights at random times, and the only real effect of UAC adds up to blame shifting.

Re:WTF

[shutdown+-p+now]

UAC is irrelevant, since it doesn't tell the user what the program is actually trying to do, so the choices are to accept and hope everything goes well, or deny and have the program not work.

Well, it's exactly like su/sudo, and Unix world has somehow managed to live with that for decades.

Then again, it didn't have large quantities of users whose first reaction to the file named amateur_lesbian_threesome.jpg.exe was to click it (and then click "Yes, just fuck off!" in every warning dialog that would appear).

Re:let me guess...

[nzac]

It says it just a true type font parsing.

I don't know why but image and font file parsing and thumb-nailing is a common security problem (about once a month or so my distro has a security update for a potential hole).

I think they generally work by tricking the computer to run arbitrary code from elsewhere rather than contain the code themselves.

There are a lot of Microsoft shills here...

[bmo]

... And I want at least one of them to give a good reason why parsing fonts in kernel mode is a good idea. Speed is not a good reason. Not even on 10 year old equipment it's not.

--
BMO

Re:There are a lot of Microsoft shills here...

[Fred+Or+Alive]

Seeing as speed (on 15+ year old equipment) was the reason they did it, you're not going to get an answer you like.

People said Windows NT was too slow on their 486s, so one of the things Microsoft did to try and fix that was to move the GDI into the kernel. They didn't think the security and stability side through however, and I doubt if many people are going to call it the greatest decision ever made in the design of an OS.

Re:There are a lot of Microsoft shills here...

[Old+Sparky]

I've been bitching about the Microsoft Shill Takeover of Slashdot for awhile now.
Glad to see someone else "gets it".
And again, we see that Microsoft doesn't.

Re:There are a lot of Microsoft shills here...

[Old+Sparky]

Ooo! You must have lots of Microsoft Skin in your game, Mr Anonymous. Or should we call you Mr. Ballmer?

Re:There are a lot of Microsoft shills here...

[TheRaven64]

Seeing as speed (on 15+ year old equipment) was the reason they did it, you're not going to get an answer you like.

Sorry, but that reason is bullshit. Rendering fonts is performance-critical. Parsing the fonts is not. The vulnerability is in the code responsible for turning a font file into a set of bezier paths that the display subsystem can render. This code is not performance critical, nor does it need to run with any privileges other than the ability to read the font file (or read font data from a pipe or memory buffer) and write the bezier paths somewhere.

Moving the code that takes the output from this bit of code into the kernel makes sense, because that really is performance critical. Rendering text is one of the most CPU-intensive things a modern windowing system does. Parsing font files is not.

Re:There are a lot of Microsoft shills here...

[peppepz]

Fixed-length bitmap buffers cannot be "parsed". All the kernel has to do is to check that the referenced memory does exist, which is a kernel's primary job, and then load it into the VGA registers.

True type fonts need to be decoded, parsed, and interpreted.

The two things are completely incommensurable.

Re:There are a lot of Microsoft shills here...

[peppepz]

Please provide an example of how I can parse a sequence of pixels.

Re:There are a lot of Microsoft shills here...

[Ant+P.]

Rendering precompiled bitmap data to screen.

That's a very bullshit definition of "parse fonts" you have there, MS apologist.

Re:There are a lot of Microsoft shills here...

[johanatan]

But you know that splitting the parsing logic from the rendering logic and creating the interface between would take precious keystrokes from a programmer with limited time on his hands (and this was probably only one of many such points where splits would have to be made). Looks like they did the quick and easy thing by putting the GDI subsystem as a whole into the kernel.

Re:There are a lot of Microsoft shills here...

[peppepz]

The sequence of pixels is not stored in a file, it is already loaded in a buffer of the required length and in the machine format.

Re:There are a lot of Microsoft shills here...

[bmo]

Funny, I haven't had mod points in 2 weeks.

Oh look, it's apk projecting again.

You got modded down because you're a fucking spammer.

--
BMO

Re:There are a lot of Microsoft shills here...

[shutdown+-p+now]

My suspicion was that, when they moved GDI to kernel space back in NT4, it was done wholesale - likely because re-architecturing it completely to properly separate into things that had to go into the kernel for perf reasons, and things that could stay in userspace, and making them interoperate (since that now requires a bunch of new kernel calls) simply didn't fit the release schedule even after considerable stretching.

Re:There are a lot of Microsoft shills here...

[TheRaven64]

Yup, that's more plausible. It wasn't done because it was sensible, it was done because it was easy.

I guess so..

[CFBMoo1]

"This is the first time that the exact location and nature of the flaw has been made public."

They want to push Metro out as the replacement. Anything that knocks down older technologies that even they sold at one time helps. Great way to push people off another possible Internet Explorer 6 so to speak for Windows 8.

Re:I guess so..

[BitZtream]

Why do you feel the need to force your crappy monospaced font on the rest of us when you post? Its not even a freaking attractive one for fucks sake.

Re:I guess so..

[Ant+P.]

They want to push Metro out as the replacement.

They do? Well it's about time they switched to a more stable system.

deserved

[Tom]

in NT4 and later fonts are parsed in kernel mode!

anyone who doesn't immediately realize this is a recipe for trouble? Parsing externally-supplied data in kernel mode. Yeah, like that never got anyone...

For all the really, really smart people that MS employes, why do they keep on making the dumbest mistakes one could come up with if it were a "dumb idea of the month" challenge?

Re:deserved

[Rockoon]

Hello Mr Low ID number.

I'll bet you anything that this code was in the kernel before you signed up here at slashdot. What does that say about your pretense that this was recently thought up?

I await your snarky reply.

Re:deserved

[dbIII]

What does that say about your pretense that this was recently thought up?

You've lost me. Where outside some dark corner of your own mind with possible chemical assistance is that suggested? Please quote it.

Re:deserved

[rocket+rancher]

What does that say about your pretense that this was recently thought up?

You've lost me. Where outside some dark corner of your own mind with possible chemical assistance is that suggested? Please quote it.

Dude, you are the one huffing glue. "keep on making" and "dumb idea of the month" imply a level of immediacy and concurrency that is absolutely unwarranted. The guy is hiding behind a 3 digit ID, thinking it shields him when he makes an asinine remark. It doesn't.

Re:deserved

[Waffle+Iron]

I'll bet you anything that this code was in the kernel before you signed up here at slashdot..

What was supposed to have happened during Microsoft's security "rebirth", where they put Longhorn development on ice for about a year so they could overhaul XP for Internet-worthy security robustness? What about since that time where they've supposedly been using the most advanced code verification tools on the planet to verify their OS?

Shouldn't they have reimplemented this feature in userspace at some point during that long process?

Re:deserved

[Tom]

I'll bet you anything that this code was in the kernel before you signed up here at slashdot. What does that say about your pretense that this was recently thought up?

I didn't say anywhere this was recent. Adding something like that to kernel code was an obviously stupid idea even at that time.

And yes, it is probably about two years older than my /. membership.

Re:deserved

[Tom]

"keep on making" and "dumb idea of the month" imply a level of immediacy and concurrency that is absolutely unwarranted.

Ah, I see the misunderstanding.

No concurrency was intended. "keep on making" was intended to cover basically the entire existence of MS, who have been doing stupid mistakes like this for as long as I can remember. And the "dumb idea of the month" is a figure of speech not referring to any specific month, neither present nor past.

The guy is hiding behind a 3 digit ID

No, the ID is too short to hide behind. :-)

Re:deserved

[dbIII]

Get your English teacher to look at the post and draw some pictures for you to explain what it means. Tell me if they contain a clock or calendar.
What is it with these idiots trying to get something out of nothing?

Re:deserved

[dbIII]

Why are you pretending to be too stupid to understand the above post? Surely you know to look at the words around the ones you've taken out of context?

Re:deserved

[Bender0x7D1]

No, the ID is too short to hide behind.

That is one of the greatest smack-talk comebacks of all time. My hat is off to you good Sir.

Re:deserved

[BitZtream]

Just curious, can you name an OS that doesn't do it in one form or another?

Keep in mind, just because you aren't parsing raw file data doesn't mean you aren't parsing. Parsing memory from an ioctl is still doing the same thing, might be a simpler file format, like say a C structure, but its still parsing.

Re:deserved

[Waffle+Iron]

Tell me how an application can tell whether a particular parsing task takes place ring 0 or in user space.

Re:deserved

[Tom]

Just curious, can you name an OS that doesn't do it in one form or another?

I can name two that had a font-rendering kernel exploit in 2009. You'd have thought their manufacturer would check his other products for the same or similar problems...

And yes, I know quite a few OS who don't do complex operations like that in kernel space, but push it into user land and reserve the kernel space part to simple operations that are more likely to be done with less bugs.

Yes, you need to do stuff with data, and sometimes that data comes from the outside. But name me one reason why font rendering - instead of the pixel result that the graphics card needs to know - has to happen in kernel space.

Re:deserved

[bill_mcgonigle]

For all the really, really smart people that MS employes, why do they keep on making the dumbest mistakes one could come up with if it were a "dumb idea of the month" challenge?

It's faster and easier and they're able to externalize the consequences.

NoScript helps

[impaledsunset]

That's why NoScript disables embedded fonts along with other possible attack vectors.

Even on GNU/Linux, font rendering is not to be assumed safe. In particular, freetype was never designed with the idea to parse fonts from various untrusted sources, so security in the font parser has always been secondary up until recently, so there might be many security holes in it lurking. It also had a vulnerability lately, of course it got quickly fixed.

http://hackademix.net/2010/03/24/why-noscript-blocks-web-fonts/

Re:NoScript helps

[Tomato42]

Well, yes, X server still is run as root on many distros, but they are moving away from it.

Re:NoScript helps

[fatphil]

Worse than just being root, it has read and write access to /dev/mem. Which in theory means if it's stack smashed it could scan memory for sensitive information (such as the cached/saved passwords in your browser), and even rewrite the syscall vector table and handlers i.e. maliciously "patching" your kernel on-the-fly.

Xbox

[crdotson]

Isn't this how people hacked the original xbox so many years ago (a font vulnerability)? It's not like they haven't been warned...

Re:Xbox

[BitZtream]

I'm fairly certain that since they've fixed this flaw so quickly that if they had known about it specifically, they probably would have fixed it.

Re:Xbox

[crdotson]

Sorry, I was pointing out the attack vector, not this exact vulnerability. A specially crafted font file on the original Xbox allowed for complete control of the system despite the fact that the BIOS would only boot a signed kernel. Given that fonts can be shipped inside PDF files, web pages, etc. now, the Xbox hack could have served as a good warning.

Re:Xbox

[cbhacking]

I don't know about the Xbox vulnerability per se, but font parsing vulns are nothing new. For an actually pretty recent example, t least one of the iPhone jailbreaks used a very similar exploit to this one (and was embedded in a web page).

That said, I know MS fuzzes the heck out of their font parsers. It's a little tricky since it's in kernel - if something breaks, it's slightly harder to debug and takes more time to go through repro steps, since you're basically intentionally bugchecking ("BSoDing") the box - but it's possible, and they do it. On the other hand, nothing much is guaranteed in fuzzing. You can run a billion iterations without finding anything, and the billion-and-first one finds a arbitrary code execution bug like this. Sucks to be you, especially when some black-hat's fuzzer lucks out and finds that bug on the 30th iteration.

As for the argument that font parsing shoudl be moved out of the kernel, that's arguably true of an awful lot of Win32k.sys. The problem is, that thing is an ancient morass of absolutely critical code. By module, I believe it's responsible for more vulnerabilities than any other portion of Windows since Vista came out. Part of the reason is that a lot of it is so old and crufty, and the risk of regression so high, that it doesn't tend to get re-written or even modified except to fix bugs when they're found or add new features. I strongly suspect that a significant portion of it dates back to NT4, substantially unmodified in all the time since then. From a technical standpoint, Win32k.sys is probably the biggest security in modern Windows, certainly worse than recent versions of IE or Word or IIS. Yet it's so integral to the OS that they can't afford to rip it out and do it over.

Re:Xbox

[crdotson]

The gamesave vulnerabilities allowed you to execute arbitrary code from the game to install the hack (you could also do so by hot-plugging the HDD so that you could access it unlocked). However, I believe it is the font vulnerability that allows it to boot 'hacked' each time without a hardware modification, even though the BIOS loads a signed kernel.

Re:let me guess...

[Raenex]

Oh, go ahead, mod me down

I wish people would for your karma whoring. The "mod me down" is a standard trick to get modded up on Slashdot.

Re:win32000? What?

[rossdee]

I was wondering if it was Windows Version 32768 - and since they are only up to Win 8 now that has to be way in the future.
It will probably need a googolplex of RAM to run, and while it is booting up, you can go have lunch at Milliways

Re:Actually Apple made TTF fonts executable

[Fred+Or+Alive]

You seem to be attempting to engage in Apple bashing, and that's fine here as well. It's a pity the article you linked to doesn't back up your assertion that TTFs contain executable code, at least not in the normal sense (it mentions code for a virtual machine to run hinting, but not normal executable code). This doesn't seem to be any issue with the True Type format itself, just an issue with Microsoft's implementation of it.

They should have known better

[DragonHawk]

Security? Why would that even appear on the radar?

Computer security has been an issue since at least the 1960s, and it's been well-documented and understood since at least the 1980s (when the NSA Rainbow Books appeared). The Morris worm hit in 1988. None of this stuff should have come as a surprise, and there were many people talking about how Microsoft was repeating all the mistakes over and over again.

As you say, the fact is, Microsoft wasn't concerned with security. I don't give them a free pass for that. The entire world has been paying for their mistakes ever since. Their lackadaisical attitude towards security -- when they certainly could have learned from the literature and from history -- has cost the world billions, if not trillions of dollars.

Not okay.

Re:They should have known better

[jthill]

So it's ok to sell faulty armor into a war zone then.

Re:They should have known better

[cavreader]

This is a total BS comparison. It's not even an apple-orange type comparison it is more like an apple-Twinkies comparison. There is not a single operating system today that is 100%completely secure so are you willing to indict the entire industry? Software has always been a constantly and rapidly moving target. What was safe yesterday could very well be non-safe today. Hardware changes alone are frequent and require the existing software security at the OS level to be modified and re-tested. Changes from the client-server model to web based model also introduces numerous security issues. Hardware changes and computing architecture changes are required to provide backwards compatibility. You could end up making a OS so secure that it can not even run existing applications. Built-in system security is improving across the board because the main causes of security breeches now rely on social engineering, poor application development practices, and poor system administration practices.

Re:They should have known better

[jthill]

Give it up. There's a difference between not being perfect and deliberately introducing flaws. Not one of your other objections has any bearing at all.

Re:They should have known better

[rrohbeck]

I can very well remember how many people criticized MS for moving the graphics subsystem into the kernel for a slight performance advantage. I liked NT3 with all its VMS heritage and it was clear that MS was spoiling the clean design.

Re:They should have known better

[cavreader]

"deliberately introducing flaws" Do you have single variable instance of this happening or do you just create your on version of reality to compensate for your stupidity. And please point out what statement is factually incorrect in my previous post.

Re:They should have known better

[jthill]

"Deliberately introducing flaws": I don't know where the actual failure in their code was, but truetype rendering is done by a full virtual machine. This isn't an exaggeration. Do chase that link: that machine is not simple, not by any measure. They're firing up an arbitrary user-supplied VM image in the kernel, and yes I say that constitutes a conscious introduction of a security flaw. Nobody could possibly have thought that was safe.

True but obviously irrelevant statements "have no bearing" on the point. You might as well have said the air is cleaner now than it was then because we've had the EPA longer. It's true, but it's got nothing to do with them gratuitously importing an interpreter for an unusual, sophisticated VM into their kernel and then using that interpreter to run arbitrary VM images from userland. I gots a little clue for you: that was never, ever, ever safe, and they knew it. They did it deliberately.

Re:They should have known better

[cavreader]

Do you think a companies introduce functionality knowing before hand that it has exploits because they don't care? I would argue the exact opposite because of the time and money companies like MS, and many others as well, have had to expend to secure their systems. The only people quietly applauding security problems, besides those who exploit them for criminal purposes, are the companies who build the tools and sale the products to address security issues. Before the Melissa virus back in the dark ages there was no market for anti-virus products. After the virus was released it created a new and profitable industry overnight. I have always wondered if the person behind the Melissa virus had intended this to happen for the specific purpose of reaping the financial rewards. There have to be compromises and risk factors applied in any OS or application being developed. If no one released an OS because it *might* be exploitable there would not be a single OS in use. The font exploit vector in this thread requires manipulating the delivery method and getting specific user actions to activate the exploit. If you are talking about the overall security of the current state of all PC software architectures you could be correct. But how do you go about introducing a whole new paradigm and design architecture while still being able to support existing applications? At some point there will be a consumer OS that is designed from the ground up with no attempt to provide any backwards application compatibility but that won't be happening anytime soon. Even using a VM based approach which basically sandboxes the current operating systems and application processes require changes in the existing software systems. The heart of the matter is that a computers only purpose is to execute programs and malware falls into that category. The difficulty is trying to determine what operations are safe and what operations are not. When you get down to most basic OS level this determination becomes hard to identify.

Re:They should have known better

[jthill]

introduce functionality knowing before hand that it has exploits

What's with the red herrings, dude? Are you really unable to spot the gaping difference between that and what I actually said?

On second thought, never mind.

Re:Microsoft's already issued a FIX

[bmo]

Come at me, bro.

After you take your fucking meds.

--
BMO

Re:Let the Penguins "chew on this"

[Old+Sparky]

Hey Mr Anonymous - you sound more like Ballmer every minute. And hold Microsoft accountable for security issues? Hyuk! That's FUNeee raht thar!!!

Re:Actually Apple made TTF fonts executable

[flonker]

Pffft. Apple bashing is a perfectly respectable thing to do on slashdot these days.

NT4 was such an abomination...

[mosel-saar-ruwer]

in NT4 and later fonts are parsed in kernel mode

Sometimes I feel like I must be the only geezer remaining who actually had the opportunity to use NT 3.51, so let me tell you: It was a GLORIOUS operating system.

EVERYTHING was client/server, and all the client stuff ran in Ring 3/User Mode.

Heck, you could even kill Windows, and run it as a multi-user "DOS" box.

But, of course, that meant that the video/graphics subsystem also ran as a client service, in User Mode, which [I guess] the suits perceived as being "slow", and therefore as being an impediment to the gaming experience which would come with the impending merger of code bases that we now know as Windows XP [2001].

So in 1996, some genius at MSFT decided to throw out all of the beauty and elegance and stability and security that had been NT 3.51, and to serve up, instead, the great big steaming pile of sh!t which was NT 4.0 [with its video/graphics subsystem subsumed into the kernel].

And the world was never again the same...

Re:NT4 was such an abomination...

[Gr8Apes]

Actually, IIRC, it was Win NT 3.1 that had the initial full security model you ascribe to Win NT 3.5. Win NT 3.5 had already slid a good portion of the way down the slippery slope of Ring 0 code, including some of the graphics drivers. (Again, IIRC, it's been a while)

NT 4 moved a lot of user space Windows GDI functionality (as defined by Win 95/98/ME) into a kernel mode GDI API, which is single threaded btw, that persisted at least through all versions Windows XP, if not beyond. (This is one of the reasons why opening a 10MB networked file or attachment in Outlook causes your entire machine to lockup until it's done)

This was in contrast to OS/2, which continued to follow the original design criteria, and hence was perceived to be slower on the same hardware as NT 4 for single tasks, although multi-tasking was much faster on OS/2. I mention this because NT's original basis was the OS/2 criteria, which was then mutated to be able to support the Win 95/98/ME gaming solutions.

Re:NT4 was such an abomination...

[Gr8Apes]

The graphics drivers I mentioned had all their utilities directly interacting at Ring 0, instead of running in User Mode.

Re:NT4 was such an abomination...

[dryeo]

Back in the OS/2 1.x days, MS wanted to put the graphics stuff in ring 0, IBM flatly refused, which was one of the many reasons for the falling out between them.
OS/2 did its font parsing in user land with a DLL that was easily replaced with Freetype which was quite an improvement.

Re:NT4 was such an abomination...

[fatphil]

I'll see your NT3.51 and raise you OS/2. Yes, it (version 2.0, IIRC) was sloooow on my 486/33 with 16MB of RAM, but as we're now running machines more than 100 times more powerful than that, such concerns should be irrelevant.

Re:NT4 was such an abomination...

[yuhong]

BTW, GDI is no longer single threaded in Win7.

Re:NT4 was such an abomination...

[RCL]

To be fair, screens are also order of magnitude larger than they used to be (even more if you count memory and not pixels, since 99% of us have 32 bits per pixel these days and back then 8 bit was common), not to mention that having 2+ monitors is now standard for desktops. This, plus proliferation of antialased rendering offsets advancements in CPU power - to the point that navigating source code in QtCreator on my Linux box is not that smooth as I'd like it to be. Generally speaking, concerns about font rendering performance are still relevant.

Re:NT4 was such an abomination...

[shutdown+-p+now]

NT 4 moved a lot of user space Windows GDI functionality (as defined by Win 95/98/ME)

Did Win9x even have the concept of "user space" and "kernel space" as such?

This is one of the reasons why opening a 10MB networked file or attachment in Outlook causes your entire machine to lockup until it's done

That's bullshit. It doesn't "lockup your entire machine" - at best it would lock up Outlook, and that would be because it'd use a synchronous file API (open or read) for something that's on the network, from a UI thread. This doesn't have anything to do with GDI, or userspace/kernelspace distinctions.

Re:NT4 was such an abomination...

[Lorkki]

This, plus proliferation of antialased rendering offsets advancements in CPU power - to the point that navigating source code in QtCreator on my Linux box is not that smooth as I'd like it to be.

That almost certainly has more to do with either display sync issues (which sadly aren't uncommon on a composited X desktop especially with non-free drivers) or the various services of the IDE. Anti-aliased font and line drawing aren't that demanding to begin with, and can be GPU-accelerated with pretty much any hardware you might have picked up within the last five years or so.

Re:NT4 was such an abomination...

[Gr8Apes]

NT 4 moved a lot of user space Windows GDI functionality (as defined by Win 95/98/ME)

Did Win9x even have the concept of "user space" and "kernel space" as such?

Of course not, but these functions or their predecessors originally resided in user mode in the original version of NT. On that time's hardware, it was slower than molasses and only ran acceptably for office type applications.

This is one of the reasons why opening a 10MB networked file or attachment in Outlook causes your entire machine to lockup until it's done

That's bullshit. It doesn't "lockup your entire machine" - at best it would lock up Outlook, and that would be because it'd use a synchronous file API (open or read) for something that's on the network, from a UI thread. This doesn't have anything to do with GDI, or userspace/kernelspace distinctions.

You haven't tried this experiment on the appropriate software/hardware then. Downloading that through Outlook will lock up every other program that depends upon the GDI layer. This leaves any open Command Prompts responsive, and the Task Manager. You can't even open a new program from Task Manager because that also queues up in the GDI layer. From an open command prompt, you can run/launch anything that is not GDI bound. Alt-Tab still works, kind of. This particular pain is best experienced on a congested network with a large server load where a 10MB download can take 5 minutes or more.

And before you go calling BS again, not all GUI programs utilized the GDI layer. Besides Task Manager, PMMail was one, ported from OS/2, it followed OS/2 conventions on I/O, utilizing separate threads for input/output and network connectivity.

Re:NT4 was such an abomination...

[Gr8Apes]

I did say at least through all versions of XP, and as one commenter pointed out, this continued through Server 2003, which makes sense since XP64 (based on Server 2003) still exhibited this extremely annoying behavior.

I haven't used any MS products for my main desktop in over 5 years, so I can't comment on Vista or W7, except that my exposure to W7 and Server 2008 R2 was more than a little underwhelming on the architecture and performance sides. IOW, nothing had changed, or rather, some things had gotten worse.

Kaspersky may have pointde to the bug before MS

[AftanGustur]

A Kaspersky Malware Lab expert blogged about this Here on the 2nd November and even gave the suspected DLL file win32k.sys:

Symantec and Microsoft still haven’t made the actual dropper file available to other antivirus companies yet, nor have they provided information about which Windows component contains the vulnerability that results in privilege escalation. However, indirect evidence suggests that the vulnerability is in win32k.sys.

We discovered a similar vulnerability (see MS10-073) a year ago when analyzing the Stuxnet worm. Another interesting problem in win32k.sys (MS11-077) was fixed by Microsoft on 11 October this year – a code execution vulnerability than can be exploited through font files.

Re:HOW TO KILL Duqu (w/ tools U own)

[The+Askylist]

I've only been working with Windows boxes since NT3.1 beta, so excuse my ignorance when I say that the reason I don't run Windows personally is because I prefer *nix (having been a HP-UX user for years before they inflicted NT on me).

I'm sure that Windows now is much better than it was - in fact I'd go as far as to say that it's a pretty stable environment and OK for server use if the load's not too high. SQL Server's OK too, despite Microsoft rewriting bits of the Sybase code when it was stable to start with.

But why do you have to be so shrill in your defence of what is, after all, a jumped up desktop operating system with poor file serving and stability that is conveniently full of holes and subject to frequent exploits? Yes, you can fix your MBR and disable the rootkit-installed drivers, but why run something that can be so easily owned in the first place?

And on the point in question - NT pre version 4 really was a dog. Slow, unstable, prone to eating its own filesystem and becoming unbootable after a crash - NT4 was an improvement in terms of stability and speed, but at the cost of moving stuff like font parsing into the kernel, which people said at the time was stupid and dangerous, but Microsoft did it anyway.

I'm sure you'll come back with some pre-teen styled rant, but don't bother - I'm far too old to bother with kiddies.

Re:Sampo Kaasila an Apple employee

[peppepz]

Type-1 fonts are PostScript, hence executable, too.

There's nothing wrong with that as long as you set the appropriate operational limits.

Oh, and as an extra precaution, you might consider not parsing them in ring 0.

And this is why I have font downloading disabled

[fast+turtle]

In both Ie and FF. I'm sorry but those damn idiot web designers who insist that a 4px font is readable because they still use a 320x240 screen need to upgrade to something reasonable like 1024x768, means I've been forced to learn enough about CSS to begin creating my own overriding page to prevent those damn pesky and funky fonts/colors/sizes that make it impossible to read their sites. Of course, when I hit one of those sites, I add them to my block list though if I can get the custom css page working correctly, then I'll be a happy turtle.

Only MS

[bell.colin]

Only MS can have a font compromise security.

Somehow i was immediately reminded of this:

http://www.theregister.co.uk/2001/02/02/bofh_gets_to_the_back/

lol WTF???

[inode_buddha]

Parsing fonts in-kernel...???
Reminds me of how parts of IE were in kernel, or ActiveX.... I notice how much crap MS stuffed into their kernels over the years, and how each feature seems to correspond to a vuln.

Re:lol WTF???

[shutdown+-p+now]

How do you think ActiveX in the kernel would look like?

Actually, let me rephrase that: do you know what ActiveX even is?

Re:HOW TO KILL Duqu (w/ tools U own)

[The+Askylist]

Shot down? He merely reposted the same shit he'd already posted above, complete with shouty capitals, textish abbreviations and all the rest of the shit you expect from some paranoid and probably over-ritalined windows shill. I've only been programming since 1979, though, so perhaps he has done more than me. Wanker.

Re:Illogical off topic adhominem attacks?

[catman]

You are sounding more and more like the wintrolls on c.o.l.a.
Wipe the foam off your mouth and go to the rear of the class. You may come forward when you have gained some understanding of what you are talking about.