Check: 2012-A-0003
windows 7 iavm:
2012-A-0003
(in version v1 r32)
Title
Microsoft Windows Kernel Security Bypass Vulnerability (Cat I impact)
Discussion
Microsoft has released a security bulletin addressing a vulnerability in the Microsoft Windows Kernel. The Windows Kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.

To exploit this vulnerability, an attacker would have to use the security bypass vulnerability addressed in this notice to bypass the SafeSEH security feature in a software application. The attacker would then use another vulnerability to leverage the structured exception handler to execute arbitrary code. If successfully exploited, this vulnerability would allow an attacker to bypass security features to leverage other vulnerabilities and execute arbitrary code, resulting in the compromise of the affected systems. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD-related incidents.

Windows Kernel SafeSEH Bypass Vulnerability - (CVE-2012-0001): A security feature bypass vulnerability exists in Windows due to the way the kernel loads the structured exception handling tables. The vulnerability is caused when the Windows kernel loads a structured exception handling table into the "Load Configuration" PE header during binary execution. An attacker who successfully exploited this vulnerability could bypass the SafeSEH defense-in-depth mechanism to facilitate exploitation of other vulnerabilities.
Check Content
See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS12-001 (2644615).

Vulnerable Applications/Systems:
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2 (x86, x64, and Itanium)
Windows Vista SP2 (x86 and x64)
Windows Server 2008 SP2 (x86*, x64*, and Itanium)
Windows 7 (x86 and x64)
Windows 7 SP1 (x86 and x64)
Windows Server 2008 R2 (x64* and Itanium)
Windows Server 2008 R2 SP1 (x64* and Itanium)
*Server Core installation affected.

Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems/Applications not listed below.

Ntdll.dll

Operating system | Version |
---|---|
Windows XP SP2 (x64) | 5.2.3790.4937 |
Windows 2003 SP2 | 5.2.3790.4937 |
Windows Vista SP2 | 6.0.6002.18541 or 22742 |
Windows Server 2008 SP2 | 6.0.6002.18541 or 22742 |
Windows 7 / 2008 R2 | 6.1.7600.16915 or 21092 |
Windows 7 SP1 / 2008 R2 SP1 | 6.1.7601.17725 or 21861 |
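One way to script the Ntdll.dll version check above, as an added example that is not part of the IAVM notice or the vendor bulletin. It reads "or NNNNN" as the minimum for a second servicing branch of the same build and assumes revisions of 20000 and above belong to that branch; the function name, the result strings and the sample versions are constructed for illustration.

```powershell
# Added example. Minimum Ntdll.dll revisions copied from the Check Content
# above, keyed by major.minor.build. High is the second value ("or NNNNN").
$Minimums = @{
    '5.2.3790' = @{ Low = 4937;  High = $null }  # XP x64 SP2 / Server 2003 SP2
    '6.0.6002' = @{ Low = 18541; High = 22742 }  # Vista SP2 / Server 2008 SP2
    '6.1.7600' = @{ Low = 16915; High = 21092 }  # Windows 7 / 2008 R2
    '6.1.7601' = @{ Low = 17725; High = 21861 }  # Windows 7 SP1 / 2008 R2 SP1
}

# ASSUMPTION (not stated on the page): revisions of 20000 and above belong to
# the second servicing branch and are held to the High minimum, so a file at
# 6.1.7601.21000 is not accepted just because 21000 exceeds 17725.
$BranchSplit = 20000

function Test-NtdllVersion {
    param([Parameter(Mandatory = $true)][version]$FileVersion)

    $key = '{0}.{1}.{2}' -f $FileVersion.Major, $FileVersion.Minor, $FileVersion.Build
    $min = $Minimums[$key]
    if ($null -eq $min) { return 'NotListed' }   # build not in the table: see the vendor bulletin

    $required = $min.Low
    if ($null -ne $min.High -and $FileVersion.Revision -ge $BranchSplit) {
        $required = $min.High
    }
    if ($FileVersion.Revision -ge $required) { 'Patched' } else { 'Finding' }
}

# Constructed sample versions that exercise both branches and an unlisted build.
$samples = '6.1.7601.17725', '6.1.7601.17514', '6.1.7601.21000',
           '6.0.6002.22742', '5.2.3790.4937', '6.2.9200.16384'
foreach ($s in $samples) {
    '{0,-16} {1}' -f $s, (Test-NtdllVersion -FileVersion ([version]$s))
}

# Live check on the local system. The numeric parts are read individually
# because the FileVersion string can carry trailing text after the number.
$path = "$env:SystemRoot\System32\ntdll.dll"
if (Test-Path -LiteralPath $path) {
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    $v  = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    '{0,-16} {1}' -f $v, (Test-NtdllVersion -FileVersion $v)
}
```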
Fix Text
Additional Identifiers
Rule ID:
Vulnerability ID: V-30998
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |