Windows kernel-mode drivers vulnerabilities could allow remote code execution
Report ID: MS201110003
Date Published: 12 October 2011
Compromise Type: denial-of-service privilege-escalation remote-code-execution
Compromise From: local-system remote
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Four vulnerabilities identified in Windows kernel-mode drivers could result in escalation of privilege, denial of service, or remote code execution.
A security update addressing four vulnerabilities in Windows kernel-mode drivers has been released. Upon exploitation, the vulnerabilities could lead to escalation of privilege, denial of service, or, in the most severe case, remote code execution.
The four vulnerabilities are described below:
- Win32k null pointer de-reference vulnerability (CVE-2011-1985)
This escalation of privilege vulnerability was caused by improper validation of input passed from user mode. To successfully exploit this vulnerability, the attacker must locally log on to the system before being able to run the specially crafted application used in the exploit.
- Win32k TrueType font type translation vulnerability (CVE-2011-2002)
This denial of service vulnerability was caused by improper handling of TrueType fonts. It could be exploited to cause an affected system to stop responding and restart.
- Font library file buffer overrun vulnerability (CVE-2011-2003)
This remote code execution vulnerability exists because a Windows kernel-mode driver fails to perform proper validation when writing into a buffer. Upon successful exploitation, an attacker could execute arbitrary code and take complete control of an affected system.
- Win32k use after free vulnerability (CVE-2011-2011)
This escalation of privilege vulnerability was caused by improper management of kernel-mode driver objects. To successfully exploit this vulnerability, the attacker must locally log on to the system before being able to run the specially crafted application used in the exploit.
Each of the vulnerabilities mentioned above has been resolved in the latest security update, which corrects the way Windows kernel-mode drivers validate input passed from user mode, handle TrueType fonts, allocate the proper buffer size before writing to memory, and manage kernel-mode driver objects. Users are recommended to install the latest patch for applicable systems as protection against potential exploitation.
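The corrections summarised above (validating input passed from user mode, and sizing a buffer before writing into it) come down to checking every caller-controlled value before it drives a pointer or a copy length. The following C listing is an added illustration, not Microsoft's win32k or font-driver code: the request layout, the GLYPH_MAX limit and every function name are constructed for the example. It places an unchecked loader of the kind behind a null-pointer dereference or buffer overrun beside a hardened version that rejects NULL input, requests too short to carry a header, claimed lengths larger than the destination, and claimed lengths larger than what the caller actually supplied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed request layout used only for this illustration: a 4-byte
 * length header followed by the glyph payload. It is not the real
 * win32k/font-driver structure. */
#define GLYPH_MAX 32u
#define HDR_LEN   sizeof(uint32_t)

struct glyph_slot {
    uint8_t  bytes[GLYPH_MAX];   /* fixed-size kernel-side buffer */
    uint32_t used;
};

enum glyph_status {
    GLYPH_OK          =  0,
    GLYPH_ERR_NULL    = -1,   /* caller passed a NULL pointer */
    GLYPH_ERR_SHORT   = -2,   /* request too small to hold a header */
    GLYPH_ERR_TOO_BIG = -3,   /* claimed length exceeds the destination */
    GLYPH_ERR_TRUNC   = -4    /* claimed length exceeds what was supplied */
};

/* "Before": trusts the caller-supplied pointer and length. A NULL request
 * is dereferenced, and a header claiming more than GLYPH_MAX bytes makes
 * memcpy write past slot->bytes. Shown for contrast only; it is never
 * called with hostile input in this listing. */
int load_glyph_unchecked(struct glyph_slot *slot, const uint8_t *req, size_t req_len)
{
    uint32_t length;
    (void)req_len;                                /* supplied size ignored */
    memcpy(&length, req, HDR_LEN);
    memcpy(slot->bytes, req + HDR_LEN, length);   /* unbounded write */
    slot->used = length;
    return GLYPH_OK;
}

/* "After": every value derived from user mode is checked before it
 * controls a pointer or a copy length. */
int load_glyph_checked(struct glyph_slot *slot, const uint8_t *req, size_t req_len)
{
    uint32_t length;

    if (slot == NULL || req == NULL)
        return GLYPH_ERR_NULL;
    if (req_len < HDR_LEN)
        return GLYPH_ERR_SHORT;
    memcpy(&length, req, HDR_LEN);      /* no unaligned struct access */
    if (length > GLYPH_MAX)
        return GLYPH_ERR_TOO_BIG;       /* would overrun slot->bytes */
    if (length > req_len - HDR_LEN)
        return GLYPH_ERR_TRUNC;         /* would read past the request */
    memcpy(slot->bytes, req + HDR_LEN, length);
    slot->used = length;
    return GLYPH_OK;
}

/* Builds a constructed request whose header claims 'claimed' bytes while
 * 'payload_len' filler bytes actually follow. Returns the request size. */
size_t build_request(uint8_t *out, uint32_t claimed, size_t payload_len)
{
    memcpy(out, &claimed, HDR_LEN);
    memset(out + HDR_LEN, 0xAB, payload_len);
    return HDR_LEN + payload_len;
}

/* Runs the hardened loader on one constructed request. */
int check_request(uint32_t claimed, size_t payload_len)
{
    uint8_t req[HDR_LEN + 256];
    struct glyph_slot slot;
    size_t n;

    if (payload_len > 256)
        return GLYPH_ERR_TOO_BIG;       /* keep the sample buffer itself in bounds */
    n = build_request(req, claimed, payload_len);
    return load_glyph_checked(&slot, req, n);
}

/* A request of only two bytes: it cannot even hold the length header. */
int check_short_request(void)
{
    static const uint8_t req[2] = { 0x01, 0x00 };
    struct glyph_slot slot;
    return load_glyph_checked(&slot, req, sizeof req);
}

int main(void)
{
    printf("well-formed (8 of 8 bytes):   %d\n", check_request(8, 8));
    printf("claims 200 bytes into 32:     %d\n", check_request(200, 200));
    printf("claims 16 but supplies 4:     %d\n", check_request(16, 4));
    printf("two-byte request:             %d\n", check_short_request());
    printf("NULL request pointer:         %d\n", load_glyph_checked(NULL, NULL, 0));
    return 0;
}
```

Build with any C99 compiler; main runs the hardened loader over the constructed cases and prints the status code for each. The unchecked variant is kept only to show what the hardened checks remove, and the listing never feeds it an oversized or NULL request.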
CVE-2011-1985, CVE-2011-2002, CVE-2011-2003, CVE-2011-2011
Install the latest patch for applicable systems, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms11-077.